wg

Check status of currently active interfaces

$ sudo wg

$ wg genkey

$ wg pubkey < [path/to/private_key] > [path/to/public_key]

$ wg genkey | tee [path/to/private_key] | wg pubkey > [path/to/public_key]

$ sudo wg showconf [wg0]

wg [ options ] show [ interface ]
wg [ options ] showconf interface
wg [ options ] set interface [ key value ]
wg [ options ] addconf interface filename
wg [ options ] syncconf interface filename
wg [ options ] genkey
wg [ options ] genpsk
wg [ options ] pubkey

show [interface]
    Displays the current configuration and state of the specified WireGuard interface (or all interfaces if none specified). Shows the private key hash.

showconf interface
    Outputs the configuration of the specified interface in a format suitable for use in a configuration file. This includes all peers, keys, and settings.

set interface [key value]
    Sets configuration options for the specified interface. Allows setting of private key, listen port, firewall mark and peer configurations.

addconf interface filename
    Appends the configuration from the specified file to an existing WireGuard interface.

syncconf interface filename
    Synchronizes the configuration of the interface with the contents of the file, replacing the interface’s current configuration. This is useful for applying changes to the interface configuration.

genkey
    Generates a new private key. The output is suitable for use with the `set` command.

genpsk
    Generates a new pre-shared key for use with peers. Pre-shared keys add an additional layer of security.

pubkey
    Calculates the public key corresponding to a private key read from standard input. This allows generating a public key from a private key without modifying the interface.

-f, --force
    Force operation. Useful for ignoring certain error conditions.

-v, --verbose
    Enable verbose output for debugging purposes.

-h, --help
    Display help text and exit.

-k, --key private_key
    Specifies a private key file to use for signing operations.

The `wg` command is a command-line interface for configuring and managing the WireGuard VPN. It allows you to create, modify, and inspect WireGuard interfaces, set up peers, and manage cryptographic keys. `wg` is a powerful tool for establishing secure and efficient VPN connections. It uses modern cryptography and aims for high performance while maintaining a simple and easy-to-use interface.

Using `wg`, you can:
-Create new WireGuard interfaces.
-Set the private key and listen port.
-Add, remove, and modify peers.
-Specify allowed IPs for each peer.
-Retrieve interface and peer information.
-Manage the WireGuard tunnel.

The command provides several options to tailor its behavior to specific needs, allowing fine-grained control over the VPN configuration. Understanding these options is essential for effective WireGuard VPN management.

Storing private keys securely is critical. Ensure proper file permissions are set to prevent unauthorized access. Use pre-shared keys (PSK) for enhanced security. Regularly rotate keys as a best practice.
Incorrect settings can lead to security vulnerabilities.

While `wg` can be used to directly configure interfaces, it is often preferred to manage configurations through files (e.g. /etc/wireguard/wg0.conf). The 'addconf' and 'syncconf' subcommands are then used to apply them.

WireGuard requires the Kernel module to be installed in the system, without the kernel module wireguard will not be able to establish any tunnel or connection.

WireGuard was created by Jason A. Donenfeld. Development began around 2015, with the goal of creating a more secure, simpler, and faster VPN solution compared to existing technologies like IPsec and OpenVPN. It was designed to be easily auditable and implemented with modern cryptography practices. WireGuard gained significant traction for its speed and simplicity, and was eventually integrated into the Linux kernel in version 5.6 in 2020. The `wg` command is the primary tool for managing WireGuard interfaces.

ip(8), ifconfig(8), route(8)