wireguard-configure is a command-line utility to help manage wireguard configurations. It assumes a basic setup with one node acting as a "Router" and several clients which connect to and route traffic through the central router node. It allows you to generate and dump wireguard configurations, as well as bash scripts which also configure interfaces and routes.
You must have the command-line tool wg accessible through your path. This is used to automatically generate private/public wireguard keys.
Configurations are stored in yaml, and can be modified from the command line or directly in the yaml file.
wireguard-configure 0.2.5
Alex Eubanks <endeavor@rainbowsandpwnies.com>, Giulio De Pasquale <depasquale+github@giugl.io>

USAGE:
    wireguard-configure [OPTIONS] <SUBCOMMAND>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -c <configuration-file>    Configuration file to use

SUBCOMMANDS:
    add-client          Add a client to the configuration
    client-config       Print the client configuration
    generate-example    Generate an example configuration file
    help                Prints this message or the help of the given subcommand(s)
    list                List clients in this configuration
    remove-client       Remove a client from the configuration
    router-config       Print the router configuration
- Generate an example configuration file by running wireguard-configure generate-example.
- Save the configuration file generated by wireguard-configure
- Edit the router configuration by editing the configuration file as needed
- Add new clients with the add-client command
- Print the {router/client[s]} wireguard configuration with router-config <config> and save it under /etc/wireguard/<config>.conf
- Run wg-quick up <config> on the hosts
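The file saved under /etc/wireguard contains the interface's private key, so it should only ever exist with owner-only permissions. The helper below is an added example, not part of wireguard-configure; the function name install_wg_conf, the file name vpn.yaml and the interface name wg0 are assumptions.

```shell
#!/bin/sh
# Added example (not part of wireguard-configure).
# install_wg_conf NAME [DIR]: read a generated config on stdin and install it
# as DIR/NAME.conf, readable by the owner only.
install_wg_conf() {
    name=$1
    dir=${2:-/etc/wireguard}

    # NAME becomes a file name and an interface name: allow only the
    # characters wg-quick accepts, at most 15 of them, so it cannot
    # contain "/" or escape DIR.
    case $name in
        '' | *[!A-Za-z0-9_=+.-]*)
            echo "invalid interface name: $name" >&2; return 2 ;;
    esac
    [ "${#name}" -le 15 ] || { echo "interface name too long" >&2; return 2; }

    # mktemp creates the file with mode 0600, so the private key is never
    # on disk with wider permissions, even briefly.
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    cat > "$tmp"

    # Refuse empty or truncated input (for example when the generator
    # failed upstream in the pipe) rather than replacing a working config.
    if ! grep -qxF '[Interface]' "$tmp" || ! grep -q '^PrivateKey = ' "$tmp"; then
        rm -f "$tmp"
        echo "input is not a WireGuard config; nothing installed" >&2
        return 1
    fi

    # Rename within the same directory so the swap is atomic.
    chmod 600 "$tmp" && mv -f "$tmp" "$dir/$name.conf"
}

# Usage (assumed file name vpn.yaml and interface name wg0):
#   wireguard-configure router-config -c vpn.yaml | install_wg_conf wg0
#   chmod 600 vpn.yaml   # the YAML file holds every private key as well
#   wg-quick up wg0
```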
Some configuration fields are not yet editable through the command line. It is recommended to generate an example configuration and edit it to modify all the supported fields.
The generated configuration file should look like this:
---
router:
  name: vpn-router
  internal_address: 10.0.1.1/24
  external_address:
    address: vpn.com
    port: 31337
  private_key: MB/DmnzL121iCuMqHJQo0dMfSwh0gpWcm3immT2jOE4=
  public_key: os7mzFUnwULeXHBS49k8/yVh06s+xidgS7n0Q4PbcEY=
  mtu: ~
  table: ~
  preup: ~
  postup: ~
  predown: ~
  postdown: ~
clients:
  - name: client-a
    internal_address: 10.0.1.2
    allowed_ips:
      - 0.0.0.0/0
    dns: 10.0.1.1
    persistent_keepalive: 25
    private_key: MMSJGtzxrqnaTWQMeltmxgHhSKEAQF/6ohzMSQSUmFo=
    public_key: U5n1qprDaMC7FJ3rsnMi906nY2OP9nWDIA278zdf0DQ=
    mtu: ~
    table: ~
    preup: ~
    postup: ~
    predown: ~
    postdown: ~
  - name: client-b
    internal_address: 10.0.1.3
    allowed_ips:
      - 10.0.1.0/24
    dns: ~
    persistent_keepalive: 25
    private_key: EMuzMFiJwq0NleRbw0qg5Bie+5TfyP2eNQLUGS5uFlY=
    public_key: ideBHvZpgUiTzDOnA7MVHmeyFINjFHDNIqBgvdgYEgo=
    mtu: ~
    table: ~
    preup: ~
    postup: ~
    predown: ~
    postdown: ~
To add a client named client-c with address 10.0.1.4 that should route only the remote subnet through the VPN:
wireguard-configure add-client -c <config> client-c -a 10.0.1.0/24 -i 10.0.1.4
To route all the traffic generated by a client, just specify allowed_ips to be 0.0.0.0/0.
wireguard-configure add-client -c <config> client-c -a 0.0.0.0/0 -i 10.0.1.4
Invoking wireguard-configure router-config -c <config> prints out the router configuration.
# vpn-router
[Interface]
Address = 10.0.1.1/24
PrivateKey = wPbMYTCgGzfkg3vlt3xoVLhbozRpvVmM8mkm6PFB1Us=
ListenPort = 31337
# client-a
[Peer]
PublicKey = a8LCjRe7oLdxLdHS1CmGqG9L813TAnMnnEzRTBXkHzM=
PersistentKeepalive = 25
AllowedIPs = 10.0.1.2/32
# client-b
[Peer]
PublicKey = rCMWJp3RMXgx/cgWAohhSYJBG3+SQD2hhFcBd0eVwmg=
PersistentKeepalive = 25
AllowedIPs = 10.0.1.3/32
To print a specific client's configuration, invoke
wireguard-configure client-config -c <config> <client>
# client-a
[Interface]
PrivateKey = aJQEvc6VUDhGjFr5kHqJaSDMHcVaRFniKHxShx3JiV4=
Address = 10.0.1.2
DNS = 10.0.1.1
# vpn-router
[Peer]
PublicKey = a8LCjRe7oLdxLdHS1CmGqG9L813TAnMnnEzRTBXkHzM=
Endpoint = vpn.com:31337
AllowedIPs = 0.0.0.0/0