Updated: 2022/Sep/29
Please read Privacy Policy. It's for your privacy.
WGCONFIG(8) System Manager's Manual WGCONFIG(8) NAME wgconfig - configure wg interface parameters SYNOPSIS wgconfig wgN [show all] wgconfig wgN show peer name [--show-preshared-key] wgconfig wgN show private-key wgconfig wgN set private-key filename wgconfig wgN set listen-port port wgconfig wgN add peer name pubkey [--preshared-key=filename] [--endpoint=ip:port] [--allowed-ips=ip1/cidr1[,ip2/cidr2,...]] wgconfig wgN delete peer name DESCRIPTION The wgconfig utility is used to configure or display a wg(4) interface's parameters and status. Every wg(4) interface can be configured with an IP address using ifconfig(8), a private key generated with wg-keygen(8), an optional listen port, and a collection of peers. Each peer has a public key and allowed IP addresses, and may optionally have a fixed endpoint IP address and a preshared secret key. The following commands are supported: show all Show all peers. No secret keys are included in the output. show peer name [--show-preshared-key] Show the peer named name. By default, no secret keys are included in the output. With --show-preshared-key, also display the secret preshared key that the peer was configured to have with the --preshared-key option to wgconfig wgN add peer. show private-key Show the private key that was set with wgconfig wgN set private-key. set private-key filename Set the private key of wgN to the base64-encoded private key in the file at filename. set listen-port port Set the UDP port number that wgN listens for incoming sessions on. This allows a peer to start a new session without having a specific endpoint IP address configured. add peer name pubkey [options ...] Add a peer. The argument name may be passed to wgconfig wgN show peer and wgconfig wgN delete peer. The argument pubkey is the peer's base64-encoded public key, as printed by wg-keygen --pub. The following options may be specified: --preshared-key-file=filename Set a secret preshared key generated by wg-keygen --psk. If the preshared key can be arranged in advance on a medium not subject to eavesdropping, then it defends against possible future quantum cryptanalysis of the X25519 key agreement. wgconfig still uses X25519 key agreements in order to erase past session keys so that past session transcripts remain secret should one of the endpoints be compromised in the future; the preshared key is an additional measure on top. --endpoint=ip:port Set the peer's endpoint address outside the tunnel. This is optional for a VPN server if the wgconfig interface is configured to listen on a port number. --allowed-ips=ip1/cidr1[,ip2/cidr2,...] Set the IP address ranges that the peer is allowed to select inside the tunnel. delete peer name Delete the peer name previously added with wgconfig wgN add peer name. EXAMPLES See wg(4) for an example network topology and wgconfig usage. SEE ALSO wg(4), wg-keygen(8) HISTORY The wgconfig command first appeared in NetBSD 10.0. AUTHORS The wgconfig command was written by Ryota Ozaki <ozaki.ryota@gmail.com>. NetBSD 10.99 August 20, 2020 NetBSD 10.99