LinuxCommandLibrary

wg-quick

Configure WireGuard interfaces quickly

TLDR

Set up a VPN tunnel

$ wg-quick up [interface_name]

Delete a VPN tunnel

$ wg-quick down [interface_name]

SYNOPSIS

wg-quick command interface [conf_file]
wg-quick strip conf_file
wg-quick add-peer interface public_key [endpoint] [allowed_ips]
wg-quick remove-peer interface public_key

PARAMETERS

up
    Brings up the specified WireGuard interface using its configuration file (e.g., /etc/wireguard/<interface>.conf). This command configures the interface, IP addresses, routes, and DNS.

down
    Brings down the specified WireGuard interface, removing its configuration, IP addresses, and routes.

save
    Saves the current WireGuard interface configuration (including dynamically added peers) to its default configuration file, typically /etc/wireguard/<interface>.conf.

strip
    Reads a WireGuard configuration file and prints a version of it to standard output with all private keys removed. Useful for sharing public configurations.

add-peer public_key [endpoint] [allowed_ips]
    Dynamically adds a new peer to a currently active WireGuard interface. It takes the peer's public key, an optional endpoint, and optional allowed IPs.

remove-peer
    Dynamically removes an existing peer from a currently active WireGuard interface identified by its public key.

DESCRIPTION

wg-quick is a high-level command-line utility designed to simplify the setup and management of WireGuard VPN interfaces. It acts as a convenient wrapper around the lower-level wg command and other network configuration tools like ip(8). Its primary purpose is to quickly bring up, bring down, and manage WireGuard tunnels using simple INI-style configuration files, typically located in /etc/wireguard/.

Rather than requiring users to manually configure network interfaces, IP addresses, routing rules, and DNS settings, wg-quick automates these steps based on the contents of a specified configuration file. This makes deploying WireGuard incredibly straightforward, whether setting up a client connection, a VPN server, or a peer-to-peer link. It handles the details of adding and removing wg interfaces, assigning IP addresses, setting up routes for AllowedIPs, and even configuring DNS resolvers if specified in the configuration. It is an essential tool for practical WireGuard deployment.

CAVEATS

wg-quick requires root privileges to operate, as it modifies network interfaces and routing tables.
It primarily relies on configuration files located in /etc/wireguard/. If no explicit file is provided, it assumes <interface>.conf in this directory.
The up command can overwrite existing network configurations (like DNS servers via resolvconf) and might interfere with network managers if not used carefully.
By default, wg-quick up only configures an interface until the next reboot; persistence requires enabling the associated systemd service (e.g., wg-quick@.service).

CONFIGURATION FILE FORMAT

WireGuard configuration files for wg-quick use an INI-style format, typically named <interface>.conf and placed in /etc/wireguard/. They consist of two main sections:
1. [Interface]: Defines parameters for the local WireGuard interface. Common parameters include: PrivateKey, ListenPort, Address, DNS, MTU, Table, PreUp, PostUp, PreDown, PostDown. These are used to set up the local side of the VPN tunnel.
2. [Peer]: Defines parameters for a remote WireGuard peer. Multiple [Peer] sections can exist. Common parameters include: PublicKey, Endpoint, AllowedIPs, PersistentKeepalive. These specify how to connect to and route traffic for remote peers.
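
The [Interface] keys listed above include PrivateKey and the hook commands PreUp, PostUp, PreDown and PostDown, which wg-quick executes through bash with root privileges, so a configuration file is worth reviewing before wg-quick up and masking before it is shared. The shell functions below are an added example, not part of the original page or of the WireGuard project: they flag hooks, default-route AllowedIPs and group/other file permissions, and mask PrivateKey and PresharedKey values. The function names and the sample configuration are constructed; PresharedKey is a standard [Peer] key that the list above does not mention.

```shell
# Added example: pre-flight audit and redaction of a wg-quick config file.
# Function names and the sample config are constructed for illustration.

# Print one finding per line; no output means nothing was flagged.
wg_conf_audit() {
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERMS: group/other access ($perms)"
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
        /^\[/ { section = tolower($0); next }
        (eq = index($0, "=")) == 0 { next }
        {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); sub(/^[ \t]+/, "", val)
            # Hook values are executed by wg-quick through bash, as root.
            if (section == "[interface]" && key ~ /^(pre|post)(up|down)$/)
                printf "HOOK: line %d runs as root: %s\n", NR, val
            # A default route in AllowedIPs sends all traffic to that peer.
            if (section == "[peer]" && key == "allowedips" &&
                val ~ /(^|[, ])(0\.0\.0\.0|::)\/0/)
                printf "ROUTE: line %d sends all traffic to peer: %s\n", NR, val
        }
    ' "$1"
}

# Print the config with secret key material masked, for sharing.
wg_conf_redact() {
    awk '
        tolower($0) ~ /^[ \t]*(privatekey|presharedkey)[ \t]*=/ {
            print substr($0, 1, index($0, "=")) " <REDACTED>"; next
        }
        { print }
    ' "$1"
}

# Constructed sample config; key values are placeholders, not real keys.
wg_conf_sample() {
    cat <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.2/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT

[Peer]
PublicKey = CONSTRUCTED_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = CONSTRUCTED_PRESHARED_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
EOF
}
```

After sourcing the file, run wg_conf_audit /etc/wireguard/wg0.conf as root (wg0 being this page's example interface name); a finding is a prompt for review, since hooks and a default route are often intentional.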

SYSTEMD INTEGRATION

To make wg-quick configurations persistent across reboots on systemd-based systems, a service unit wg-quick@.service is provided. You can enable and start a WireGuard interface at boot by running:
sudo systemctl enable wg-quick@<interface>.service
sudo systemctl start wg-quick@<interface>.service
Replace <interface> with the name of your WireGuard interface (e.g., wg0). This automatically brings up the interface using its configuration file, ensuring your VPN is active after system startup.

HISTORY

wg-quick was developed by Jason A. Donenfeld, the creator of WireGuard, specifically to address the need for a user-friendly and robust interface to the WireGuard kernel module. It was designed from the outset to simplify the complex network configurations required for VPNs, making WireGuard more accessible for general users and system administrators. Its development closely paralleled that of the WireGuard protocol itself, aiming to provide a 'quick' setup experience as implied by its name. It became an integral part of the WireGuard suite upon its initial release and subsequent inclusion in the Linux kernel.

SEE ALSO

wg(8), ip(8), systemctl(1), resolvconf(8), openresolv(8)
