diff --git a/feature/conn25/conn25.go b/feature/conn25/conn25.go
index c9ce1ad81..98af443d4 100644
--- a/feature/conn25/conn25.go
+++ b/feature/conn25/conn25.go
@@ -127,6 +127,7 @@ func (e *extension) Init(host ipnext.Host) error {
 host.Hooks().OnSelfChange.Add(e.onSelfChange)
 host.Hooks().ExtraRouterConfigRoutes.Set(e.getMagicRange)
+ host.Hooks().ExtraWireGuardAllowedIPs.Set(e.extraWireGuardAllowedIPs)
 ctx, cancel := context.WithCancelCause(context.Background())
 e.ctxCancel = cancel
 go e.sendLoop(ctx)
@@ -187,6 +188,10 @@ func (e *extension) onSelfChange(selfNode tailcfg.NodeView) {
 }
 }
+func (e *extension) extraWireGuardAllowedIPs(k key.NodePublic) views.Slice[netip.Prefix] {
+ return e.conn25.client.extraWireGuardAllowedIPs(k)
+}
+
 func (e *extension) registerDNSHook() error {
 e.mu.Lock()
 defer e.mu.Unlock()
@@ -660,6 +665,16 @@ func (c *client) enqueueAddressAssignment(addrs addrs) error {
 }
 }
+func (c *client) extraWireGuardAllowedIPs(k key.NodePublic) views.Slice[netip.Prefix] {
+ c.mu.Lock()
+ defer c.mu.Unlock()
+ tips, ok := c.assignments.lookupTransitIPsByConnKey(k)
+ if !ok {
+ return views.Slice[netip.Prefix]{}
+ }
+ return views.SliceOf(tips)
+}
+
 func makePeerAPIReq(ctx context.Context, httpClient *http.Client, urlBase string, as addrs) error {
 url := urlBase + "/v0/connector/transit-ip"
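Review bot: The new `extension.extraWireGuardAllowedIPs` wrapper has no doc comment, although what it returns is security-relevant: the prefixes go to the `ExtraWireGuardAllowedIPs` hook registered in `Init`, so, judging by the hook's name, each one widens the set of addresses accepted for the peer with key `k`. I would add `// extraWireGuardAllowedIPs returns the transit IPs assigned to peer k; they extend that peer's WireGuard AllowedIPs, so only validated assignments may be stored.` and confirm that the code filling `assignments` (not visible here) checks prefixes before storing them. The wrapper also reads `e.conn25.client` without holding `e.mu`, which `registerDNSHook` takes in the same file; if `conn25` or `client` can be nil or replaced after `Init`, the hook can panic or race, so it is worth confirming both are set once before the hook is installed. The client method in the last hunk returns `views.SliceOf(tips)` after `c.mu` is released; if `lookupTransitIPsByConnKey` returns its internal slice rather than a copy, the view aliases state that is later mutated under the lock, and `views.SliceOf(slices.Clone(tips))` would avoid that.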