wg
Manage WireGuard VPN tunnels
TLDR
Check status of currently active interfaces
Generate a new private key
Generate a public key from a private key
Generate a public and private key
Show the current configuration of a WireGuard interface
SYNOPSIS
The wg command generally follows a pattern of specifying an action, an interface, and then optional parameters. Below are common usage patterns:
Displaying Configuration:
wg show [interface]
wg show all
wg showconf [interface]
Setting Configuration:
wg set [interface] [parameters...]
wg addconf [interface] [config_file]
wg strip [interface]
Key Generation:
wg genkey
wg pubkey
wg genpsk
PARAMETERS
show
Displays the current configuration and status of a specific WireGuard interface.
show all
Shows the configuration and status of all active WireGuard interfaces on the system.
showconf
Prints the configuration of a specified interface in a format compatible with wg-quick(8) configuration files.
set
Modifies the parameters of an existing WireGuard interface. This command is followed by specific configuration options.
addconf
Adds or updates interface and peer configurations from a specified configuration file.
strip
Removes all peers from a specified WireGuard interface, leaving only the interface's own settings.
genkey
Generates a new WireGuard private key and prints it to standard output.
pubkey
Derives the public key from a private key read from standard input and prints it.
genpsk
Generates a new WireGuard pre-shared key (PSK) and prints it to standard output.
listen-port
Sets the UDP listening port for the WireGuard interface.
private-key
Sets the private key for the WireGuard interface. The key can be provided directly or read from a file.
peer
Initiates the configuration block for a specific peer, identified by its public key.
remove
Used within a peer configuration block to remove that specific peer from the interface.
endpoint
Sets the public IP address and port of a peer. Useful for static peer configurations.
persistent-keepalive
Sets a persistent keepalive interval in seconds for a peer. Keeps the NAT mapping alive.
allowed-ips
Specifies a comma-separated list of IP addresses (CIDR format) that will be routed through this peer.
preshared-key
Sets a pre-shared key for the current peer, adding an optional layer of symmetric encryption.
txqueue-len
Sets the transmit queue length for the WireGuard interface.
DESCRIPTION
wg is the command-line utility for configuring and managing WireGuard network interfaces. It allows administrators to set up secure VPN tunnels by defining parameters such as private and public keys, listening ports, and peer configurations. Through wg, users can add, remove, and modify peers, specify allowed IP addresses for routing, and configure persistent keepalives to maintain connections through NATs. The command interacts directly with the WireGuard kernel module (or userspace implementation) to apply these settings, establishing a highly performant and cryptographically strong VPN. While wg handles the WireGuard-specific cryptographic and peer settings, network interface creation and IP address assignment are typically managed by other standard Linux networking tools like ip.
Its design prioritizes simplicity and ease of configuration, reflecting WireGuard's goal of being a lean and efficient VPN solution.
CAVEATS
The wg command typically requires root privileges (or equivalent capabilities like CAP_NET_ADMIN) to modify system-wide network configurations.
It exclusively handles the WireGuard-specific protocol parameters. The creation and deletion of the WireGuard network interface itself (e.g., wg0) and its IP address assignment are performed using the separate ip command (e.g., ip link add wg0 type wireguard and ip addr add 10.0.0.1/24 dev wg0).
For wg to function, the WireGuard kernel module must be loaded, or a userspace implementation like wireguard-go must be running and available.
INTERACTION WITH IP COMMAND
It's crucial to understand that wg configures the WireGuard protocol's parameters (keys, peers, ports), but the network interface itself and its IP addressing are managed by the ip command. For example, you first create the interface with ip link add wg0 type wireguard, then configure it with wg set wg0 ..., and finally assign an IP address and bring it up with ip addr add ... dev wg0 and ip link set up dev wg0.
KEY MANAGEMENT AND SECURITY
The security of your WireGuard setup heavily relies on the proper management of private and public keys. wg genkey and wg pubkey are provided to facilitate secure key generation. Private keys should always be kept strictly confidential and never shared, while public keys are safely exchanged with peers to establish encrypted tunnels. Additionally, pre-shared keys (generated with wg genpsk) can be used for an extra layer of symmetric cryptography.
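The following script is an added example, not part of the wg man page, that ties together the two previous sections: key generation with wg genkey, wg pubkey and wg genpsk, and the ip / wg set / ip sequence that brings an interface up. The interface name wg0, the 10.0.0.0/24 addresses, port 51820, the 203.0.113.5 endpoint and the peer public key are constructed placeholders. Two practitioner details are built in: the private key file is created under umask 077 so it is never group- or world-readable, and wg set reads the private key from that file rather than taking it on the command line, so the key never appears in the process list. Setting WG_DRY_RUN=1 prints the commands instead of running them, which lets you review the exact sequence on a host without root or a WireGuard module.

```shell
#!/bin/sh
# Added example (not from the wg man page). Interface name, addresses, port,
# endpoint and keys are constructed placeholders; adjust for your deployment.
set -eu

# run CMD...: execute CMD, or print it when WG_DRY_RUN=1 so the sequence can
# be reviewed (or tested) without root privileges or a WireGuard module.
run() {
    if [ "${WG_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wg_keypair DIR: write private.key, public.key and preshared.key into DIR.
# The subshell umask makes the files owner-readable only; wg genkey itself
# does nothing about file permissions, so this must be done by the caller.
wg_keypair() {
    dir=$1
    mkdir -p "$dir"
    (
        umask 077
        wg genkey > "$dir/private.key"
        wg pubkey < "$dir/private.key" > "$dir/public.key"
        wg genpsk > "$dir/preshared.key"
    )
    # Only the public key is meant to leave this host.
    cat "$dir/public.key"
}

# wg_up IFACE ADDR/CIDR PORT PRIVKEY_FILE PEER_PUBKEY ALLOWED_IPS [ENDPOINT]
# Creates the interface with ip, applies protocol parameters with wg set, then
# assigns the address and brings the link up: the division of labour between
# ip (interface, addressing) and wg (keys, peers, ports) the man page describes.
wg_up() {
    iface=$1 addr=$2 port=$3 privkey=$4 peer_pub=$5 allowed=$6 endpoint=${7:-}

    run ip link add "$iface" type wireguard
    # private-key takes a file path, so the secret never appears in `ps`.
    run wg set "$iface" listen-port "$port" private-key "$privkey"
    if [ -n "$endpoint" ]; then
        # Static peer, possibly behind NAT: a 25 s keepalive keeps the
        # NAT mapping alive so the remote side can reach us.
        run wg set "$iface" peer "$peer_pub" allowed-ips "$allowed" \
            endpoint "$endpoint" persistent-keepalive 25
    else
        # Roaming peer: its endpoint is learned from its first authenticated packet.
        run wg set "$iface" peer "$peer_pub" allowed-ips "$allowed"
    fi
    run ip addr add "$addr" dev "$iface"
    run ip link set up dev "$iface"
    # Verify with: wg show "$iface"
}

# wg_down IFACE: deleting the interface also discards its wg configuration.
wg_down() {
    run ip link del "$1"
}

# Entry point: `sh wg-setup.sh keys DIR` or `sh wg-setup.sh up ...`.
# Sourcing the file, or running it without arguments, only defines the functions.
case "${1:-}" in
    keys) shift; wg_keypair "$@" ;;
    up)   shift; wg_up "$@" ;;
    down) shift; wg_down "$@" ;;
esac
```

A typical first run is `sh wg-setup.sh keys /etc/wireguard` on each host, an exchange of the printed public keys, then `sh wg-setup.sh up wg0 10.0.0.1/24 51820 /etc/wireguard/private.key <peer-public-key> 10.0.0.2/32 203.0.113.5:51820` as root. Prefix the same command with `WG_DRY_RUN=1` to see the five ip and wg commands it would execute.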
HISTORY
WireGuard was initially developed by Jason A. Donenfeld, with its first public release around 2016. The project gained significant attention for its modern cryptographic design, simplicity, and high performance. The wg command-line utility has been integral to its ecosystem since its early days, providing the primary interface for users to configure WireGuard tunnels directly. A major milestone was its inclusion into the Linux kernel mainline in 2020, solidifying its status as a robust and native VPN solution for Linux systems.