I'm guessing that "Additional private addresses" means that you'd need to designate 1 server as the Egress gateway (but all traffic for all nodes matching the AllowedIPs that you are routing will go out that node). After that, generate the ExternalClient config, and it might generate it correctly.