2015-06-05 15:58:00 +02:00
.TH WG 8 "2015 August 13" ZX2C4 "WireGuard"
.SH NAME
wg - set and retrieve configuration of WireGuard interfaces
.SH SYNOPSIS
.B wg
[
.I COMMAND
] [
.I OPTIONS
]... [
.I ARGS
]...
.SH DESCRIPTION
.B wg
is the configuration utility for getting and setting the configuration of
WireGuard tunnel interfaces. The interfaces themselves can be added and removed
using
.BR ip-link (8)
and their IP addresses and routing tables can be set using
.BR ip-address (8)
and
.BR ip-route (8).
The
.B wg
utility provides a series of sub-commands for changing WireGuard-specific
aspects of WireGuard interfaces.
If no COMMAND is specified, COMMAND defaults to
.BR show .
Sub-commands that take an INTERFACE must be passed a WireGuard interface.
.SH COMMANDS
.TP
\fB show\fP { \fI <interface>\fP | \fI all\fP | \fI interfaces\fP } [\fI public-key\fP | \fI private-key\fP | \fI preshared-key\fP | \fI listen-port\fP | \fI fwmark\fP | \fI peers\fP | \fI endpoints\fP | \fI allowed-ips\fP | \fI latest-handshakes\fP | \fI persistent-keepalive\fP | \fI transfer\fP | \fI dump\fP ]
Shows the current WireGuard configuration of the specified \fI <interface>\fP .
If no \fI <interface>\fP is specified, \fI <interface>\fP defaults to \fI all\fP .
If \fI interfaces\fP is specified, prints a list of all WireGuard interfaces,
one per line, and quits. If no options are given after the interface
specification, then prints a list of all attributes in a visually pleasing way
meant for the terminal. Otherwise, prints specified information grouped by
newlines and tabs, meant to be used in scripts. For this script-friendly display,
if \fI all\fP is specified, then the first field for all categories of information
is the interface name. If \fI dump\fP is specified, then several lines are printed;
the first contains in order separated by tab: private-key, public-key, preshared-key,
listen-port, fwmark. Subsequent lines are printed for each peer and contain in order
separated by tab: public-key, endpoint, allowed-ips, latest-handshake, transfer-rx,
transfer-tx, persistent-keepalive.
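The tab-separated \fI dump\fP layout described above is the form to consume from scripts. The following Python is an added example, not code from wg or from this man page: it parses \fI wg show all dump\fP output using the field order given above and flags peers with an endpoint but no recent handshake, which is the usual first sign of a dead tunnel or a NAT mapping that expired without persistent-keepalive. It assumes that absent values are printed as "(none)" for keys and endpoints and "off" for fwmark and persistent-keepalive, and that fwmark may appear in hexadecimal; the sample dump is constructed, reusing the keys from this page's configuration example.

```python
# Added example (not wireguard-tools code): parse the script-friendly
# `wg show all dump` output described above and flag peers that look stale.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Peer:
    interface: str
    public_key: str
    endpoint: Optional[str]               # None when wg prints "(none)" (assumed marker)
    allowed_ips: List[str]
    latest_handshake: int                 # Unix time in seconds; 0 means never
    transfer_rx: int
    transfer_tx: int
    persistent_keepalive: Optional[int]   # None when "off"


@dataclass
class Interface:
    name: str
    private_key: str
    public_key: str
    preshared_key: Optional[str]
    listen_port: int
    fwmark: Optional[int]
    peers: List[Peer] = field(default_factory=list)


def _none_if_absent(value: str) -> Optional[str]:
    return None if value in ("(none)", "off") else value


def parse_dump(text: str) -> Dict[str, Interface]:
    """Parse `wg show all dump` output into {interface name: Interface}.

    Field layout is the one this man page describes, with the interface name
    prepended to every line because of `all`: the first line of an interface
    carries private-key, public-key, preshared-key, listen-port, fwmark; each
    later line carries one peer's public-key, endpoint, allowed-ips,
    latest-handshake, transfer-rx, transfer-tx, persistent-keepalive.
    """
    interfaces: Dict[str, Interface] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = raw.split("\t")
        name = f[0]
        if name not in interfaces:
            if len(f) != 6:
                raise ValueError(f"malformed interface line: {raw!r}")
            interfaces[name] = Interface(
                name, f[1], f[2], _none_if_absent(f[3]), int(f[4]),
                None if f[5] == "off" else int(f[5], 0))   # fwmark may be hex (0x...)
            continue
        if len(f) != 8:
            raise ValueError(f"malformed peer line: {raw!r}")
        interfaces[name].peers.append(Peer(
            name, f[1], _none_if_absent(f[2]),
            [ip for ip in f[3].split(",") if ip and ip != "(none)"],
            int(f[4]), int(f[5]), int(f[6]),
            None if f[7] == "off" else int(f[7])))
    return interfaces


def stale_peers(interfaces: Dict[str, Interface], now: int, max_age: int = 180) -> List[Peer]:
    """Peers that have an endpoint but no handshake within max_age seconds.

    A peer we know how to reach but have not completed a handshake with
    recently (or ever) usually means a dead tunnel, a NAT mapping that expired
    without persistent-keepalive, or a key mismatch on one side.
    """
    return [p for iface in interfaces.values() for p in iface.peers
            if p.endpoint is not None
            and (p.latest_handshake == 0 or now - p.latest_handshake > max_age)]


# Constructed sample output (not captured from a real system); the keys are the
# ones from this page's configuration example, the interface public key is a
# placeholder string.
SAMPLE_DUMP = "\n".join([
    "\t".join(["wg0", "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=",
               "<interface-public-key>", "(none)", "51820", "off"]),
    "\t".join(["wg0", "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=",
               "192.95.5.67:1234", "10.192.122.3/32,10.192.124.1/24",
               "1487800000", "4096", "8192", "off"]),
    "\t".join(["wg0", "TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=",
               "[2607:5300:60:6b0::c05f:543]:2468", "10.192.122.4/32,192.168.0.0/16",
               "1487796000", "0", "0", "25"]),
    "\t".join(["wg0", "gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=",
               "(none)", "10.10.10.230/32", "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    ifaces = parse_dump(SAMPLE_DUMP)
    for peer in stale_peers(ifaces, now=1487800100):
        print(f"{peer.interface}: no recent handshake from {peer.public_key} ({peer.endpoint})")
```

In practice the text would come from `subprocess.run(["wg", "show", "all", "dump"], ...)` and `now` from `time.time()`; the 180-second default is a judgement call, chosen because a peer that is exchanging traffic re-handshakes roughly every two minutes.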
.TP
\fB showconf\fP \fI <interface>\fP
Shows the current configuration of \fI <interface>\fP in the format described
by \fI CONFIGURATION FILE FORMAT\fP below.
.TP
\fB set\fP \fI <interface>\fP [\fI listen-port\fP \fI <port>\fP ] [\fI fwmark\fP \fI <fwmark>\fP ] [\fI private-key\fP \fI <file-path>\fP ] [\fI preshared-key\fP \fI <file-path>\fP ] [\fI peer\fP \fI <base64-public-key>\fP [\fI remove\fP ] [\fI endpoint\fP \fI <ip>:<port>\fP ] [\fI persistent-keepalive\fP \fI <interval seconds>\fP ] [\fI allowed-ips\fP \fI <ip1>/<cidr1>\fP [,\fI <ip2>/<cidr2>\fP ]...] ]...
Sets configuration values for the specified \fI <interface>\fP . Multiple
\fI peer\fP s may be specified, and if the \fI remove\fP argument is given
for a peer, that peer is removed, not configured. If \fI listen-port\fP
is not specified, the port will be chosen randomly when the
interface comes up. Both \fI private-key\fP and \fI preshared-key\fP must
be files, because command line arguments are not considered private on
most systems, but if you are using
.BR bash (1),
you may safely pass in a string by specifying as \fI private-key\fP or
\fI preshared-key\fP the expression: <(echo PRIVATEKEYSTRING). If
\fI /dev/null\fP or another empty file is specified as the filename for
either \fI private-key\fP or \fI preshared-key\fP , the key is removed from
the device. The use of \fI preshared-key\fP is optional, and may be omitted;
it adds an additional layer of symmetric-key cryptography to be mixed into
the already existing public-key cryptography, for post-quantum resistance.
If \fI allowed-ips\fP is specified, but the value is the empty string, all
allowed ips are removed from the peer. The use of \fI persistent-keepalive\fP
is optional and is by default off; setting it to 0 or "off" disables it.
Otherwise it represents, in seconds, between 1 and 65535 inclusive, how often
to send an authenticated empty packet to the peer, for the purpose of keeping
a stateful firewall or NAT mapping valid persistently. For example, if the
interface very rarely sends traffic, but it might at any time receive traffic
from a peer, and it is behind NAT, the interface might benefit from having a
persistent keepalive interval of 25 seconds; however, most users will not need
this. The use of \fI fwmark\fP is optional and is by default off; setting it to
0 or "off" disables it. Otherwise it is a 32-bit fwmark for outgoing packets
and may be specified in hexadecimal by prepending "0x".
.TP
\fB setconf\fP \fI <interface>\fP \fI <configuration-filename>\fP
Sets the current configuration of \fI <interface>\fP to the contents of
\fI <configuration-filename>\fP , which must be in the format described
by \fI CONFIGURATION FILE FORMAT\fP below.
.TP
\fB addconf\fP \fI <interface>\fP \fI <configuration-filename>\fP
Appends the contents of \fI <configuration-filename>\fP , which must
be in the format described by \fI CONFIGURATION FILE FORMAT\fP below,
to the current configuration of \fI <interface>\fP .
.TP
\fB genkey\fP
Generates a random \fI private\fP key in base64 and prints it to
standard output.
.TP
\fB genpsk\fP
Generates a random \fI preshared\fP key in base64 and prints it to
standard output.
.TP
\fB pubkey\fP
Calculates a \fI public\fP key and prints it in base64 to standard
output from a corresponding \fI private\fP key (generated with
\fI genkey\fP ) given in base64 on standard input.
A private key and a corresponding public key may be generated at once by calling:
.br
$ umask 077
.br
$ wg genkey | tee private.key | wg pubkey > public.key
.TP
\fB help\fP
Show usage message.
.SH CONFIGURATION FILE FORMAT
The configuration file format is based on \fI INI\fP . There are two top level sections
-- \fI Interface\fP and \fI Peer\fP . Multiple \fI Peer\fP sections may be specified, but
only one \fI Interface\fP section may be specified.
.P
The \fI Interface\fP section may contain the following fields:
.IP \(bu
PrivateKey \(em a base64 private key generated by \fI wg genkey\fP . Required.
.IP \(bu
PresharedKey \(em a base64 preshared key generated by \fI wg genpsk\fP . Optional,
and may be omitted. This option adds an additional layer of symmetric-key
cryptography to be mixed into the already existing public-key cryptography,
for post-quantum resistance.
.IP \(bu
ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen
randomly.
.IP \(bu
FwMark \(em a 32-bit fwmark for outgoing packets. If set to 0 or "off", this
option is disabled. May be specified in hexadecimal by prepending "0x". Optional.
.P
The \fI Peer\fP sections may contain the following fields:
.IP \(bu
PublicKey \(em a base64 public key calculated by \fI wg pubkey\fP from a
private key, and usually transmitted out of band to the author of the
configuration file. Required.
.IP \(bu
AllowedIPs \(em a comma-separated list of ip (v4 or v6) addresses with
CIDR masks from which this peer is allowed to send incoming traffic and
to which outgoing traffic for this peer is directed. The catch-all
\fI 0.0.0.0/0\fP may be specified for matching all IPv4 addresses, and
\fI ::/0\fP may be specified for matching all IPv6 addresses. May be specified
multiple times. Required.
.IP \(bu
Endpoint \(em an endpoint IP or hostname, followed by a colon, and then a
port number. This endpoint will be updated automatically to the most recent
source IP address and port of correctly authenticated packets from the peer.
Optional.
.IP \(bu
PersistentKeepalive \(em an interval in seconds, between 1 and 65535 inclusive, of
how often to send an authenticated empty packet to the peer for the purpose of keeping a
stateful firewall or NAT mapping valid persistently. For example, if the interface
very rarely sends traffic, but it might at any time receive traffic from a peer,
and it is behind NAT, the interface might benefit from having a persistent keepalive
interval of 25 seconds. If set to 0 or "off", this option is disabled. By default or
when unspecified, this option is off. Most users will not need this. Optional.
.SH CONFIGURATION FILE FORMAT EXAMPLE
This example may be used as a model for writing configuration files.
[Interface]
.br
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
.br
ListenPort = 51820
.br
.br
[Peer]
.br
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
.br
Endpoint = 192.95.5.67:1234
.br
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
.br
.br
[Peer]
.br
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
.br
Endpoint = [2607:5300:60:6b0::c05f:543]:2468
.br
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
.br
.br
[Peer]
.br
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
.br
Endpoint = test.wireguard.io:18981
.br
AllowedIPs = 10.10.10.230/32
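A file in this format is easiest to check before it reaches \fI setconf\fP or \fI addconf\fP , when a typo would otherwise surface only as a failed command or a peer that silently never handshakes. The following Python is an added example, not wg's own parser: it reads the INI-style format with the field rules given in CONFIGURATION FILE FORMAT (exactly one \fI Interface\fP section, \fI PrivateKey\fP and \fI PublicKey\fP as base64 32-byte keys, \fI AllowedIPs\fP as CIDR entries that may repeat, \fI Endpoint\fP as host:port or [v6]:port, \fI PersistentKeepalive\fP and \fI FwMark\fP as "off" or an in-range number) and reports every problem it finds. It assumes lines beginning with "#" are comments, and it deliberately avoids configparser, which merges repeated \fI Peer\fP sections. The sample input is the example above, shortened to two peers.

```python
# Added example (not wireguard-tools code): parse and validate a wg configuration
# file of the INI-style format described on this page.
import base64
import ipaddress

SECTIONS = ("Interface", "Peer")


def parse_wg_config(text):
    """Return a list of {"_section": name, "_line": n, Key: [values...]} dicts.

    configparser is not used because it merges repeated [Peer] sections, and wg
    allows one per peer. Values of a repeated key are kept in order (AllowedIPs
    may be given several times). Lines starting with '#' are comments (assumed).
    """
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1].strip(), "_line": lineno}
            sections.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
        else:
            raise ValueError(f"line {lineno}: expected [Section] or Key = value")
    return sections


def is_key(value):
    """True for base64 that decodes to exactly 32 bytes (Curve25519 keys and PSKs)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:            # binascii.Error is a ValueError subclass
        return False


def in_range(value, low, high, allow_off=False):
    if allow_off and value == "off":
        return True
    try:
        return low <= int(value, 0) <= high     # base 0 also accepts the "0x" hex form
    except ValueError:
        return False


def valid_endpoint(value):
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        return False
    if host.startswith("["):
        return host.endswith("]") and len(host) > 2   # [v6]:port
    return ":" not in host                             # v4 or hostname


def validate_wg_config(text):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        sections = parse_wg_config(text)
    except ValueError as exc:
        return [str(exc)]
    errors = [f"line {s['_line']}: unknown section [{s['_section']}]"
              for s in sections if s["_section"] not in SECTIONS]
    ifaces = [s for s in sections if s["_section"] == "Interface"]
    peers = [s for s in sections if s["_section"] == "Peer"]
    if len(ifaces) != 1:
        errors.append(f"expected exactly one [Interface] section, found {len(ifaces)}")
    for s in ifaces:
        if not is_key(s.get("PrivateKey", [""])[-1]):
            errors.append("[Interface] PrivateKey is required and must be a base64 32-byte key")
        if "PresharedKey" in s and not is_key(s["PresharedKey"][-1]):
            errors.append("[Interface] PresharedKey must be a base64 32-byte key")
        if "ListenPort" in s and not in_range(s["ListenPort"][-1], 0, 65535):
            errors.append("[Interface] ListenPort must be a 16-bit port")
        if "FwMark" in s and not in_range(s["FwMark"][-1], 0, 2**32 - 1, allow_off=True):
            errors.append("[Interface] FwMark must be 'off' or a 32-bit value")
    for n, s in enumerate(peers, 1):
        tag = f"[Peer] #{n} (line {s['_line']})"
        if not is_key(s.get("PublicKey", [""])[-1]):
            errors.append(f"{tag}: PublicKey is required and must be a base64 32-byte key")
        if "AllowedIPs" not in s:
            errors.append(f"{tag}: AllowedIPs is required")
        for entry in (e.strip() for v in s.get("AllowedIPs", []) for e in v.split(",")):
            try:    # strict=False: host bits may be set, as in 10.192.124.1/24 above
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                errors.append(f"{tag}: bad AllowedIPs entry {entry!r}")
        if "Endpoint" in s and not valid_endpoint(s["Endpoint"][-1]):
            errors.append(f"{tag}: Endpoint must be host:port or [v6]:port")
        if "PersistentKeepalive" in s and not in_range(s["PersistentKeepalive"][-1], 0, 65535, True):
            errors.append(f"{tag}: PersistentKeepalive must be 'off' or 0..65535 seconds")
    return errors


# Sample input: the configuration example from this page, shortened to two peers.
EXAMPLE_CONFIG = """\
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
Endpoint = [2607:5300:60:6b0::c05f:543]:2468
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
"""

if __name__ == "__main__":
    print(validate_wg_config(EXAMPLE_CONFIG) or "example config: no problems found")
```

The validator checks format, not policy: it will accept a peer whose AllowedIPs is 0.0.0.0/0 (which routes all IPv4 traffic through that peer) as the page says it may be, so any narrower expectations about which prefixes a peer may claim belong in a separate check on top of it.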
.SH ENVIRONMENT VARIABLES
.TP
.I WG_COLOR_MODE
If set to \fI always\fP , always print ANSI colorized output. If set to \fI never\fP , never print ANSI colorized output. If set to \fI auto\fP , something invalid, or unset, then print ANSI colorized output only when writing to a TTY.
.TP
.I WG_HIDE_KEYS
If set to \fI never\fP , then the pretty-printing \fB show\fP sub-command will show private and pre-shared keys in the output. If set to \fI always\fP , something invalid, or unset, then private and pre-shared keys will be printed as "(hidden)".
.SH SEE ALSO
.BR ip (8),
.BR ip-link (8),
.BR ip-address (8),
.BR ip-route (8).
.SH AUTHOR
.B wg
was written by
.MT Jason@zx2c4.com
Jason A. Donenfeld
.ME .
For updates and more information, a project page is available on the
.UR https://\:www.wireguard.io/
World Wide Web
.UE .