diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 8a5669c..4cffe87 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -219,8 +219,10 @@ wireguardPeerConfig = {
 PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
 PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
- # TODO this should be 0.0.0.0 if the client wants to route all traffic
- AllowedIPs = serverAllowedIPs wgCfg.client.via;
+ # Access to the whole network is routed through our entry node.
+ # TODO this should add any routedAddresses on ANY server in the network, right?
+ # if A entries via B and only C can route 0.0.0.0/0, does that work?
+ AllowedIPs = networkCidrs;
 };
 }
 ];
diff --git a/nix/lib.nix b/nix/lib.nix
index 783f7ab..edae4fd 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -213,6 +213,10 @@ in rec {
 net.cidr.merge (usedAddresses ++ concatMap (n: (wgCfgOf n).server.reservedAddresses) associatedServerNodes);
+ # The network spanning cidr addresses. The respective cidrv4 and cirdv6 are only
+ # included if they exist.
+ networkCidrs = filter (x: x != null) (attrValues networkAddresses);
+
 # Appends / replaces the correct cidr length to the argument,
 # so that the resulting address is in the cidr.
 toNetworkAddr = addr: let
@@ -245,7 +249,7 @@ in rec {
 [Peer]
 PublicKey = ${removeSuffix "\n" (builtins.readFile (peerPublicKeyPath serverNode))}
 PresharedKey = $serverPsk
-AllowedIPs = ${concatStringsSep ", " snCfg.addresses}
+AllowedIPs = ${concatStringsSep ", " networkCidrs}
 Endpoint = ${snCfg.server.host}:${toString snCfg.server.port}
 EOF
 '';
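Review bot: With `AllowedIPs = networkCidrs;` the client only sends destinations inside the network prefixes into the tunnel, so the question in the new TODO answers itself: a 0.0.0.0/0 or any other routedAddresses offered by a server other than `via` will never be routed through this peer until those prefixes are merged into this list, and the generated peer config in the nix/lib.nix hunk at line 249 has the same limit. On the client side AllowedIPs is also WireGuard's cryptokey-routing source filter, so every prefix listed here is accepted from `via` no matter which node actually originated the packet; that is the expected hub-and-spoke behaviour but worth stating next to the assignment, e.g. `# AllowedIPs is also the source filter for packets arriving from via: every prefix listed here is trusted from that peer.` The bare `networkCidrs` reference presumably relies on the lib attributes being in scope here the way `serverAllowedIPs` was; if they are imported selectively, the new name needs adding. The `wireguardPeerConfig = { … }` set this assignment belongs to starts before the hunk.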
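Review bot: `networkCidrs` takes its members from `attrValues networkAddresses`, so any attribute later added to `networkAddresses` besides the two the comment names would silently become an AllowedIPs entry in both consumers introduced by this commit; selecting the fields explicitly avoids that, `networkCidrs = filter (x: x != null) [ networkAddresses.cidrv4 networkAddresses.cidrv6 ];` (assuming `cidrv4`/`cidrv6` are the attribute names the comment refers to). The comment also misspells `cidrv6` as `cirdv6`. If both entries are null the list is empty and the consumers emit an empty `AllowedIPs`, which is probably not a reachable configuration but deserves either an `assert networkCidrs != [];` or a sentence in the comment stating that at least one address family must be present. The enclosing `rec { … }` set starts and ends outside the hunk.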