diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh
--- a/tests/sys/net/if_wg.sh
+++ b/tests/sys/net/if_wg.sh
@@ -424,6 +424,66 @@
 	vnet_cleanup
 }
 
+# The kernel should now allow removing a single allowed-ip without having to
+# replace the whole list.  We can't really test the atomicity of it all that
+# easily, but we'll trust that it worked right if just that addr/mask is gone.
+atf_test_case "wg_allowedip_incremental" "cleanup"
+wg_allowedip_incremental_head()
+{
+	atf_set descr "Add/remove allowed-ips from a peer with the +/- incremental syntax"
+	atf_set require.user root
+}
+
+wg_allowedip_incremental_body()
+{
+	local pri1 pri2 pub2 wg1
+        local tunnel1 tunnel2
+
+	kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"
+
+	pri1=$(wg genkey)
+	pri2=$(wg genkey)
+	pub2=$(echo "$pri2" | wg pubkey)
+
+	tunnel1=169.254.0.1
+	tunnel2=169.254.0.2
+
+	vnet_mkjail wgtest1
+
+	wg1=$(jexec wgtest1 ifconfig wg create)
+	echo "$pri1" | jexec wgtest1 wg set $wg1 private-key /dev/stdin
+	pub1=$(jexec wgtest1 wg show $wg1 public-key)
+
+	atf_check -s exit:0 \
+	    jexec wgtest1 wg set $wg1 peer $pub2 \
+	    allowed-ips "${tunnel1}/32,${tunnel2}/32"
+
+	atf_check -o save:wg.allowed jexec wgtest1 wg show $wg1 allowed-ips
+	atf_check grep -q "${tunnel1}/32" wg.allowed
+	atf_check grep -q "${tunnel2}/32" wg.allowed
+
+	atf_check -s exit:0 \
+	    jexec wgtest1 wg set $wg1 peer $pub2 \
+	    allowed-ips "-${tunnel2}/32"
+
+	atf_check -o save:wg-2.allowed jexec wgtest1 wg show $wg1 allowed-ips
+	atf_check grep -q "${tunnel1}/32" wg-2.allowed
+	atf_check -s not-exit:0 grep -q "${tunnel2}/32" wg-2.allowed
+
+	atf_check -s exit:0 \
+	    jexec wgtest1 wg set $wg1 peer $pub2 \
+	    allowed-ips "+${tunnel2}/32"
+
+	atf_check -o save:wg-3.allowed jexec wgtest1 wg show $wg1 allowed-ips
+	atf_check grep -q "${tunnel1}/32" wg-3.allowed
+	atf_check grep -q "${tunnel2}/32" wg-3.allowed
+}
+
+wg_allowedip_incremental_cleanup()
+{
+	vnet_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "wg_basic"
@@ -432,4 +492,5 @@
 	atf_add_test_case "wg_key_peerdev_shared"
 	atf_add_test_case "wg_key_peerdev_makeshared"
 	atf_add_test_case "wg_vnet_parent_routing"
+	atf_add_test_case "wg_allowedip_incremental"
 }