wg
Manage WireGuard VPN tunnels
TLDR
Check status of currently active interfaces
Generate a new private key
Generate a public key from a private key
Generate a public and private key
Show the current configuration of a WireGuard interface
SYNOPSIS
wg [ options ] show [ interface ]
wg [ options ] showconf interface
wg [ options ] set interface [ key value ]
wg [ options ] addconf interface filename
wg [ options ] syncconf interface filename
wg [ options ] genkey
wg [ options ] genpsk
wg [ options ] pubkey
PARAMETERS
show [interface]
Displays the current configuration and state of the specified WireGuard interface (or all interfaces if none specified). Shows the private key hash.
showconf interface
Outputs the configuration of the specified interface in a format suitable for use in a configuration file. This includes all peers, keys, and settings.
set interface [key value]
Sets configuration options for the specified interface. Allows setting of private key, listen port, firewall mark and peer configurations.
addconf interface filename
Appends the configuration from the specified file to an existing WireGuard interface.
syncconf interface filename
Synchronizes the configuration of the interface with the contents of the file, replacing the interface’s current configuration. This is useful for applying changes to the interface configuration.
genkey
Generates a new private key. The output is suitable for use with the `set` command.
genpsk
Generates a new pre-shared key for use with peers. Pre-shared keys add an additional layer of security.
pubkey
Calculates the public key corresponding to a private key read from standard input. This allows generating a public key from a private key without modifying the interface.
-f, --force
Force operation. Useful for ignoring certain error conditions.
-v, --verbose
Enable verbose output for debugging purposes.
-h, --help
Display help text and exit.
-k, --key private_key
Specifies a private key file to use for signing operations.
DESCRIPTION
The `wg` command is a command-line interface for configuring and managing the WireGuard VPN. It allows you to create, modify, and inspect WireGuard interfaces, set up peers, and manage cryptographic keys. `wg` is a powerful tool for establishing secure and efficient VPN connections. It uses modern cryptography and aims for high performance while maintaining a simple and easy-to-use interface.
Using `wg`, you can:
- Create new WireGuard interfaces.
- Set the private key and listen port.
- Add, remove, and modify peers.
- Specify allowed IPs for each peer.
- Retrieve interface and peer information.
- Manage the WireGuard tunnel.
The command provides several options to tailor its behavior to specific needs, allowing fine-grained control over the VPN configuration. Understanding these options is essential for effective WireGuard VPN management.
SECURITY CONSIDERATIONS
Storing private keys securely is critical. Ensure proper file permissions are set to prevent unauthorized access. Use pre-shared keys (PSK) for enhanced security. Regularly rotate keys as a best practice.
Incorrect settings can lead to security vulnerabilities.
CONFIGURATION FILES
While `wg` can be used to directly configure interfaces, it is often preferred to manage configurations through files (e.g. `/etc/wireguard/wg0.conf`). The `addconf` and `syncconf` subcommands are then used to apply them.
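An added example (not from the original page or the WireGuard project): a shell function that audits a config file such as `/etc/wireguard/wg0.conf` for the two issues named under SECURITY CONSIDERATIONS, group- or world-accessible permissions and peers without a pre-shared key. The function names, the sample file and its placeholder keys are constructed for illustration, and the check assumes section and key names are written with the usual capitalization.

```shell
# Added example, not part of wg. Names and sample data are hypothetical.

# Print one finding per line; return 0 if the file is clean, 1 otherwise.
audit_wg_conf() {
    conf=$1
    findings=0
    # Characters 5-10 of the ls mode string are the group and other bits.
    # A file holding a PrivateKey should show "------" there (e.g. mode 600).
    mode=$(ls -ld -- "$conf" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $conf is $mode, expected no group/other access"
        findings=1
    fi
    # Walk the sections and report every [Peer] that has no PresharedKey.
    no_psk=$(awk '
        function report() { if (in_peer && !psk) print "NOPSK: peer " pub }
        /^[ \t]*\[/ { report(); in_peer = ($0 ~ /\[Peer\]/); psk = 0; pub = "?" }
        /^[ \t]*PublicKey[ \t]*=/    { sub(/^[^=]*=[ \t]*/, ""); pub = $0 }
        /^[ \t]*PresharedKey[ \t]*=/ { psk = 1 }
        END { report() }
    ' "$conf")
    if [ -n "$no_psk" ]; then
        echo "$no_psk"
        findings=1
    fi
    return "$findings"
}

# Constructed sample config: placeholder strings, not real key material.
make_sample() {
    ( umask 077; cat > "$1" ) <<'EOF'
[Interface]
PrivateKey = <constructed-private-key>
ListenPort = 51820

[Peer]
PublicKey = <constructed-peer-A>
PresharedKey = <constructed-psk>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <constructed-peer-B>
AllowedIPs = 10.0.0.3/32
EOF
}

sample=$(mktemp -d)/wg0.conf
make_sample "$sample"
audit_wg_conf "$sample" || true   # reports only the second peer
```

To check a live configuration, call `audit_wg_conf /etc/wireguard/wg0.conf` from an account that can read the file.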
KERNEL MODULE REQUIREMENT
WireGuard requires its kernel module to be installed on the system. Without the kernel module, WireGuard will not be able to establish any tunnel or connection.
HISTORY
WireGuard was created by Jason A. Donenfeld. Development began around 2015, with the goal of creating a more secure, simpler, and faster VPN solution compared to existing technologies like IPsec and OpenVPN. It was designed to be easily auditable and implemented with modern cryptography practices. WireGuard gained significant traction for its speed and simplicity, and was eventually integrated into the Linux kernel in version 5.6 in 2020. The `wg` command is the primary tool for managing WireGuard interfaces.