Updated: 2021/Feb/13


WGCONFIG(8)                 System Manager's Manual                WGCONFIG(8)

NAME
     wgconfig - configure wg interface parameters

SYNOPSIS
     wgconfig wgN [show all]
     wgconfig wgN show peer name [--show-preshared-key]
     wgconfig wgN show private-key
     wgconfig wgN set private-key filename
     wgconfig wgN set listen-port port
     wgconfig wgN add peer name pubkey [--preshared-key=filename]
              [--endpoint=ip:port] [--allowed-ips=ip1/cidr1[,ip2/cidr2,...]]
     wgconfig wgN delete peer name

DESCRIPTION
     The wgconfig utility is used to configure or display a wg(4) interface's
     parameters and status.  Every wg(4) interface can be configured with an
     IP address using ifconfig(8), a private key generated with wg-keygen(8),
     an optional listen port, and a collection of peers.  Each peer has a
     public key and allowed IP addresses, and may optionally have a fixed
     endpoint IP address and a preshared secret key.

     The following commands are supported:

     show all
           Show all peers.  No secret keys are included in the output.

     show peer name [--show-preshared-key]
           Show the peer named name.  By default, no secret keys are included
           in the output.  With --show-preshared-key, also display the secret
           preshared key that the peer was configured to have with the
           --preshared-key option to wgconfig wgN add peer.

     show private-key
           Show the private key that was set with wgconfig wgN set
           private-key.

     set private-key filename
           Set the private key of wgN to the base64-encoded private key in the
           file at filename.

     set listen-port port
           Set the UDP port number that wgN listens for incoming sessions on.
           This allows a peer to start a new session without having a specific
           endpoint IP address configured.

     add peer name pubkey [options ...]
           Add a peer.  The argument name may be passed to wgconfig wgN show
           peer and wgconfig wgN delete peer.  The argument pubkey is the
           peer's base64-encoded public key, as printed by wg-keygen --pub.

           The following options may be specified:

           --preshared-key=filename
                 Set a secret preshared key, read from the file at filename,
                 generated by wg-keygen --psk.

                 If the preshared key can be arranged in advance on a medium
                 not subject to eavesdropping, then it defends against
                 possible future quantum cryptanalysis of the X25519 key
                 agreement.  wgconfig still uses X25519 key agreements in
                 order to erase past session keys so that past session
                 transcripts remain secret should one of the endpoints be
                 compromised in the future; the preshared key is an additional
                 measure on top.

           --endpoint=ip:port
                 Set the peer's endpoint address outside the tunnel.  This is
                 optional for a VPN server whose interface has been configured
                 to listen on a port number with set listen-port.

           --allowed-ips=ip1/cidr1[,ip2/cidr2,...]
                 Set the IP address ranges that the peer is allowed to select
                 inside the tunnel.

     delete peer name
           Delete the peer name previously added with wgconfig wgN add peer
           name.

EXAMPLES
     See wg(4) for an example network topology and wgconfig usage.
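     The script below is an added example, not part of NetBSD's wgconfig or
     wg(4).  It covers the add peer options above from an operator's side:
     it rejects malformed base64 keys before they reach the interface,
     refuses private-key and --preshared-key files that are readable by
     group or others (wgconfig reads the secret from disk, so the file mode
     is its only protection), flags an --allowed-ips of 0.0.0.0/0 because
     that lets the peer source any address inside the tunnel, and then
     prints the wgconfig(8) commands for a server (set WG_APPLY=1 to run
     them).  The function names, the interface wg0, the peer names, keys,
     addresses and the peer-line format are all constructed for this
     example; the public key used in the comments is the base64 encoding of
     a 32-byte ASCII string, not a real X25519 key.

```sh
#!/bin/sh
# Added example (not part of NetBSD wgconfig): validate key material and
# peer parameters, then emit the wgconfig(8) commands for a server interface.
# Interface names, peer names, keys and addresses are constructed.

# A WireGuard key (private, public or preshared) is 32 bytes, so its base64
# form is exactly 44 characters: 43 data characters and one '=' pad, and the
# character before the pad carries only 4 significant bits.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# A secret key file must be a regular file with no group or other read bit.
key_file_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Check a comma-separated --allowed-ips list of IPv4 prefixes a.b.c.d/n.
# Returns 0 when well-formed, 1 on malformed input, and 2 when the list
# contains 0.0.0.0/0 (well-formed, but the peer may then source any address).
check_allowed_ips() {
    printf '%s\n' "$1" | tr , '\n' | {
        rc=0
        while read -r p; do
            case $p in */*) ;; *) exit 1 ;; esac
            ip=${p%/*}; len=${p#*/}
            printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || exit 1
            for o in $(printf '%s\n' "$ip" | tr . ' '); do
                [ "$o" -le 255 ] || exit 1
            done
            case $len in ''|*[!0-9]*) exit 1 ;; esac
            [ "$len" -le 32 ] || exit 1
            [ "$p" = 0.0.0.0/0 ] && rc=2
        done
        exit $rc
    }
}

# Print one wgconfig(8) invocation, or run it when WG_APPLY=1 is set.
wgcmd() {
    if [ "${WG_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# configure_server iface privkey-file port peer...
# Each peer is one string: "name pubkey allowed-ips [endpoint] [psk-file]",
# with "-" meaning "none" for the optional endpoint and preshared-key file.
configure_server() {
    iface=$1; privfile=$2; port=$3; shift 3
    key_file_is_private "$privfile" || { echo "$privfile: must be mode 0600" >&2; return 1; }
    wgcmd wgconfig "$iface" set private-key "$privfile"
    wgcmd wgconfig "$iface" set listen-port "$port"
    for spec; do
        set -- $spec
        name=$1; pub=$2; allowed=$3; ep=${4:--}; psk=${5:--}
        is_wg_key "$pub" || { echo "$name: malformed public key" >&2; return 1; }
        rc=0; check_allowed_ips "$allowed" || rc=$?
        [ "$rc" -eq 1 ] && { echo "$name: malformed allowed-ips" >&2; return 1; }
        [ "$rc" -eq 2 ] && echo "$name: warning: 0.0.0.0/0 lets this peer source any address" >&2
        set -- wgconfig "$iface" add peer "$name" "$pub" "--allowed-ips=$allowed"
        [ "$ep" != - ] && set -- "$@" "--endpoint=$ep"
        if [ "$psk" != - ]; then
            key_file_is_private "$psk" || { echo "$name: $psk must be mode 0600" >&2; return 1; }
            set -- "$@" "--preshared-key=$psk"
        fi
        wgcmd "$@"
    done
}

# Example run (dry run; the key below is the base64 encoding of a constructed
# 32-byte string, not a real key):
#   configure_server wg0 /etc/wg/wg0.key 51820 \
#       "alice cHViMTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnM= 10.0.0.2/32" \
#       "bob   cHViMTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnM= 10.0.0.3/32 198.51.100.7:51820 /etc/wg/bob.psk"
```

     Run it once without WG_APPLY to review the generated commands, then
     with WG_APPLY=1 as root to apply them.  The key check is only a format
     check: it catches truncated or mistyped keys, not a key that belongs to
     the wrong peer, so the public key should still be compared with what
     wg-keygen --pub printed on the peer.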

SEE ALSO
     wg(4), wg-keygen(8)

HISTORY
     The wgconfig command first appeared in NetBSD 10.0.

AUTHORS
     The wgconfig command was written by Ryota Ozaki <ozaki.ryota@gmail.com>.

NetBSD 9.99                     August 20, 2020                    NetBSD 9.99