LinuxCommandLibrary

wg-quick

Configure WireGuard interfaces quickly

TLDR

Set up a VPN tunnel

$ wg-quick up [interface_name]

Delete a VPN tunnel

$ wg-quick down [interface_name]

SYNOPSIS

wg-quick up <interface> | down <interface> | strip <interface>

PARAMETERS

up <interface>
    Brings up the specified WireGuard interface. It reads the configuration file for the interface (e.g., /etc/wireguard/interface.conf) and applies the configuration to create and configure the WireGuard tunnel.

down <interface>
    Brings down the specified WireGuard interface. It removes the interface, deletes any associated routes, and restores the system to its previous state.

strip <interface>
    Strips all WireGuard configuration from the specified interface. It does not bring the interface down or modify the routing table.

DESCRIPTION

wg-quick is a tool that simplifies the process of configuring WireGuard interfaces on Linux systems. It reads a configuration file, typically located in /etc/wireguard, and automatically sets up the necessary network interfaces, IP addresses, routing rules, and firewall rules to establish a WireGuard VPN tunnel.

The tool aims to abstract away the complexity of directly using wg, ip, and other networking utilities. It handles tasks such as creating the WireGuard interface, setting its private key, assigning IP addresses to the interface, adding routes to the routing table, and configuring firewall rules to allow traffic through the tunnel.

wg-quick supports both client and server configurations. It automatically detects the tunnel's endpoints and negotiates connections when initiated from either side.

This tool is invaluable for simplifying the WireGuard configuration process and reducing the chance of errors.

CAVEATS

Requires root privileges to run.

CONFIGURATION FILE FORMAT

The configuration file uses a simple INI-like format.
The [Interface] section defines parameters related to the local WireGuard interface, such as the private key, listen port, and IP addresses. The [Peer] sections define the parameters of each peer, such as public key, allowed IPs, endpoint, and persistent keepalive.
Example:
[Interface]
PrivateKey = ...
Address = 10.0.0.1/24

[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:51820

SECURITY CONSIDERATIONS

Keep the private key secure and do not share it with unauthorized parties. Use strong random numbers to generate private keys, and ensure the configuration files are readable only by the root user.

The `AllowedIPs` parameter in the [Peer] section defines which IP addresses are allowed to be routed through the tunnel. Allow only the necessary IPs so that unintended traffic is not routed through the VPN.
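The two checks above (file access limited to root, and no broader `AllowedIPs` than needed) can be automated. The following is an added example, not part of wg-quick or the original page; the function names `parse_wg_conf` and `audit_wg_conf` are hypothetical, and `SAMPLE_CONF` is a constructed sample with placeholder keys.

```python
import ipaddress
import os
import stat
import sys

# Constructed sample modelled on the example above; the keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <private-key-placeholder>
Address = 10.0.0.1/24

[Peer]
PublicKey = <peer-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:51820
"""

def parse_wg_conf(text):
    """Return [(section, {key: [values]})] in file order."""
    # Hand-rolled: [Peer] may repeat, which configparser rejects or merges.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:                 # base64 '=' padding stays in value
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key.lower(), []).append(value)
    return sections

def audit_wg_conf(path):
    """Return findings for file permissions, ownership and default-route peers."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:                                   # any group/other permission bit
        findings.append(f"PERM: mode {mode:04o} exposes the private key beyond the owner")
    if st.st_uid != 0:
        findings.append(f"OWNER: uid {st.st_uid} owns the file, expected root")
    with open(path, encoding="utf-8") as fh:
        peers = [kv for name, kv in parse_wg_conf(fh.read()) if name == "peer"]
    for n, peer in enumerate(peers, 1):
        cidrs = [c.strip() for v in peer.get("allowedips", []) for c in v.split(",")]
        for net in (ipaddress.ip_network(c, strict=False) for c in cidrs if c):
            if net.prefixlen == 0:                     # 0.0.0.0/0 or ::/0
                findings.append(f"ROUTE: peer {n} AllowedIPs {net} carries all IPv{net.version} traffic")
    return findings

if __name__ == "__main__":
    for conf in sys.argv[1:]:
        print("\n".join(audit_wg_conf(conf)) or f"{conf}: no findings")
```

A `ROUTE` finding is not necessarily an error: a full-tunnel client intentionally uses `0.0.0.0/0`, so the finding marks peers whose scope should be confirmed.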

HISTORY

wg-quick was developed alongside WireGuard to provide a user-friendly way to manage WireGuard tunnels. Before wg-quick, users had to manually configure the interface using `wg` and `ip` commands, which was a more complex and error-prone process. The tool has evolved alongside the WireGuard protocol, adding new features and capabilities to support the latest WireGuard features.

SEE ALSO

wg(1), ip(8), route(8), iptables(8)
