141 lines
4.7 KiB
Plaintext
141 lines
4.7 KiB
Plaintext
== Installation ==
|
|
|
|
# make install
|
|
|
|
== Usage ==
|
|
|
|
wg-config is a very simple utility for adding and configuring WireGuard
|
|
interfaces using ip(8) and wg(8).
|
|
|
|
Usage: wg-config [ add | del ] INTERFACE [arguments...]
|
|
|
|
wg-config add INTERFACE --config=CONFIG_FILE [--address=ADDRESS/CIDR...]
|
|
[--route=ROUTE/CIDR...] [--no-auto-route-from-allowed-ips]
|
|
[--env-file=ENV_FILE]
|
|
|
|
The add subcommand adds a new WireGuard interface, INTERFACE, replacing
|
|
any existing interfaces of the same name. The --config argument is
|
|
required, and its argument is passed to wg(8)'s setconf subcommand. The
|
|
--address argument(s) is recommended for this utility to be useful. The
|
|
--route argument is purely optional, as by default this utility will
|
|
automatically add routes implied by --address and as implied by the
|
|
allowed-ip entries inside the --config file. To disable this automatic
|
|
route adding, you may use the option entitled --no-auto-route-from-allowed-ips.
|
|
|
|
wg-config del INTERFACE [--config=CONFIG_FILE_TO_SAVE] [--env-file=ENV_FILE]
|
|
|
|
The del subcommand removes an existing WireGuard interface. If the
|
|
optional --config is specified, then the existing configuration is
|
|
written out to the file specified, via wg(8)'s showconf subcommand.
|
|
|
|
Both `add' and del' take the --env-file=ENV_FILE option. If specified,
|
|
the contents of ENV_FILE are imported into wg-config. This can be used to
|
|
set variables in a file, instead of needing to pass them on the command
|
|
line. The following table shows the relation between the command line
|
|
options described above, and variables that may be declared in ENV_FILE:
|
|
|
|
--address=A, --address=B, --address=C ADDRESSES=( "A" "B" "C" )
|
|
--route=A, --route=B, --route=C ADDITIONAL_ROUTES=( "A" "B" "C" )
|
|
--config-file=F CONFIG_FILE="F"
|
|
echo C > /tmp/F, --config-file=/tmp/F CONFIG_FILE_CONTENTS="C"
|
|
--no-auto-route-from-allowed-ips AUTO_ROUTE=0
|
|
|
|
Additionally, ENV_FILE may define the bash functions pre_add, post_add,
|
|
pre_del, and post_del, which will be called at their respective times.
|
|
|
|
== Basic Example ==
|
|
|
|
This basic example might be used by a server.
|
|
|
|
/etc/wireguard/wg-server.conf:
|
|
|
|
[Interface]
|
|
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
|
|
ListenPort = 41414
|
|
|
|
[Peer]
|
|
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
|
|
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
|
|
|
|
[Peer]
|
|
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
|
|
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
|
|
|
|
[Peer]
|
|
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
|
|
AllowedIPs = 10.10.10.230/32
|
|
|
|
/etc/wireguard/wg-server.env:
|
|
|
|
CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/wg-server.conf"
|
|
ADDRESSES=( 10.192.122.1/34 10.10.0.1/16 )
|
|
|
|
Run at startup:
|
|
# wg-config add wgserver0 --env-file=/etc/wireguard/wg-server.env
|
|
Run at shutdown:
|
|
# wg-config del wgserver0 --env-file=/etc/wireguard/wg-server.env
|
|
|
|
== Single File Advanced Example ==
|
|
|
|
This type of configuration might be desirable for a personal access gateway
|
|
VPN, connecting to a server like in the example above.
|
|
|
|
/etc/wireguard/wg-vpn-gateway.env:
|
|
|
|
CONFIG_FILE_CONTENTS="
|
|
[Interface]
|
|
PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
|
|
|
|
[Peer]
|
|
PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
|
|
AllowedIPs = 0.0.0.0/0
|
|
Endpoint = demo.wireguard.io:29912
|
|
"
|
|
|
|
ADDRESSES=( 10.200.100.2/32 )
|
|
|
|
post_add() {
|
|
printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
|
|
}
|
|
post_del() {
|
|
cmd resolvconf -d "$INTERFACE"
|
|
}
|
|
|
|
Run to flip on the VPN:
|
|
# wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
|
|
Run to flip off the VPN:
|
|
# wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
|
|
|
|
== Advanced Example ==
|
|
|
|
This achieves the same as the above, but with an external file. It only sets the
|
|
configuration file when the subcommand is add, to prevent it from being overwritten.
|
|
The above is much simpler and probably preferred, but this example shows how powerful
|
|
the tool can be.
|
|
|
|
/etc/wireguard/wg-vpn-gateway.conf:
|
|
|
|
[Interface]
|
|
PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
|
|
|
|
[Peer]
|
|
PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
|
|
AllowedIPs = 0.0.0.0/0
|
|
Endpoint = demo.wireguard.io:29912
|
|
|
|
/etc/wireguard/wg-vpn-gateway.env:
|
|
|
|
[[ $SUBCOMMAND == add ]] && CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/demo-vpn.conf" || true
|
|
ADDRESSES=( 10.200.100.2/32 )
|
|
post_add() {
|
|
printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
|
|
}
|
|
post_del() {
|
|
cmd resolvconf -d "$INTERFACE"
|
|
}
|
|
|
|
Run to flip on the VPN:
|
|
# wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
|
|
The config file is not overwritten on shutdown, due to the conditional in the env file:
|
|
# wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
|