Provided by: wireguard-tools_0.0.20190913-1ubuntu1_amd64 bug

NAME

       wg - set and retrieve configuration of WireGuard interfaces

SYNOPSIS

       wg [ COMMAND ] [ OPTIONS ]... [ ARGS ]...

DESCRIPTION

       wg  is  the  configuration  utility for getting and setting the configuration of WireGuard
       tunnel interfaces. The interfaces themselves can be added and removed using ip-link(8) and
       their IP addresses and routing tables can be set using ip-address(8) and ip-route(8).  The
       wg utility provides a series of sub-commands for changing  WireGuard-specific  aspects  of
       WireGuard interfaces.

       If no COMMAND is specified, COMMAND defaults to show.  Sub-commands that take an INTERFACE
       must be passed a WireGuard interface.

COMMANDS

       show { <interface> | all | interfaces } [public-key | private-key | listen-port | fwmark |
       peers  |  preshared-keys  |  endpoints  |  allowed-ips  |  latest-handshakes | persistent-
       keepalive | transfer | dump]
              Shows  current  WireGuard  configuration  and  runtime  information  of   specified
              <interface>.   If  no  <interface>  is  specified, <interface> defaults to all.  If
              interfaces is specified, prints a list of all WireGuard interfaces, one  per  line,
              and  quit. If no options are given after the interface specification, then prints a
              list of all  attributes  in  a  visually  pleasing  way  meant  for  the  terminal.
              Otherwise,  prints  specified information grouped by newlines and tabs, meant to be
              used in scripts. For this script-friendly display, if all is  specified,  then  the
              first  field  for  all  categories of information is the interface name. If dump is
              specified, then several lines are printed; the first contains in order separated by
              tab: private-key, public-key, listen-port, fwmark. Subsequent lines are printed for
              each peer and  contain  in  order  separated  by  tab:  public-key,  preshared-key,
              endpoint,  allowed-ips,  latest-handshake,  transfer-rx,  transfer-tx,  persistent-
              keepalive.

       showconf <interface>
              Shows  the  current  configuration  of  <interface>  in  the  format  described  by
              CONFIGURATION FILE FORMAT below.

       set  <interface>  [listen-port  <port>]  [fwmark <fwmark>] [private-key <file-path>] [peer
       <base64-public-key>   [remove]   [preshared-key   <file-path>]   [endpoint    <ip>:<port>]
       [persistent-keepalive  <interval  seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...]
       ]...
              Sets configuration values for the specified  <interface>.  Multiple  peers  may  be
              specified,  and  if  the remove argument is given for a peer, that peer is removed,
              not configured. If listen-port is not specified, the port will be  chosen  randomly
              when  the  interface  comes up. Both private-key and preshared-key must be a files,
              because command line arguments are not considered private on most  systems  but  if
              you are using bash(1), you may safely pass in a string by specifying as private-key
              or preshared-key the expression: <(echo PRIVATEKEYSTRING). If /dev/null or  another
              empty  file  is  specified as the filename for either private-key or preshared-key,
              the key is removed from the device. The use of preshared-key is optional,  and  may
              be  omitted;  it adds an additional layer of symmetric-key cryptography to be mixed
              into the already existing public-key cryptography, for post-quantum resistance.  If
              allowed-ips  is  specified,  but the value is the empty string, all allowed ips are
              removed from the peer. The use  of  persistent-keepalive  is  optional  and  is  by
              default  off;  setting  it  to 0 or "off" disables it.  Otherwise it represents, in
              seconds, between 1 and 65535 inclusive, how often to send  an  authenticated  empty
              packet  to  the peer, for the purpose of keeping a stateful firewall or NAT mapping
              valid persistently. For example, if the interface very rarely sends traffic, but it
              might  at  anytime receive traffic from a peer, and it is behind NAT, the interface
              might benefit from having a persistent keepalive interval of 25  seconds;  however,
              most users will not need this. The use of fwmark is optional and is by default off;
              setting it to 0 or "off" disables it. Otherwise it is a 32-bit fwmark for  outgoing
              packets and may be specified in hexadecimal by prepending "0x".

       setconf <interface> <configuration-filename>
              Sets  the  current  configuration of <interface> to the contents of <configuration-
              filename>, which must be in the  format  described  by  CONFIGURATION  FILE  FORMAT
              below.

       addconf <interface> <configuration-filename>
              Appends  the  contents  of  <configuration-filename>,  which  must be in the format
              described by CONFIGURATION FILE FORMAT  below,  to  the  current  configuration  of
              <interface>.

       genkey Generates a random private key in base64 and prints it to standard output.

       genpsk Generates a random preshared key in base64 and prints it to standard output.

       pubkey Calculates  a  public  key  and  prints  it  in  base64  to  standard output from a
              corresponding private key (generated with  genkey)  given  in  base64  on  standard
              input.

              A private key and a corresponding public key may be generated at once by calling:
                  $ umask 077
                  $ wg genkey | tee private.key | wg pubkey > public.key

       help   Show usage message.

CONFIGURATION FILE FORMAT

       The  configuration  file  format  is  based  on  INI.  There are two top level sections --
       Interface and Peer. Multiple Peer sections  may  be  specified,  but  only  one  Interface
       section may be specified.

       The Interface section may contain the following fields:

       ·      PrivateKey — a base64 private key generated by wg genkey. Required.

       ·      ListenPort  —  a  16-bit  port  for  listening.  Optional; if not specified, chosen
              randomly.

       ·      FwMark — a 32-bit fwmark for outgoing packets. If set to 0 or "off", this option is
              disabled. May be specified in hexadecimal by prepending "0x". Optional.

       The Peer sections may contain the following fields:

       ·      PublicKey  —  a  base64  public key calculated by wg pubkey from a private key, and
              usually transmitted out of band to the author of the configuration file. Required.

       ·      PresharedKey — a base64 preshared key generated by wg genpsk. Optional, and may  be
              omitted.  This  option adds an additional layer of symmetric-key cryptography to be
              mixed  into  the  already  existing  public-key  cryptography,   for   post-quantum
              resistance.

       ·      AllowedIPs — a comma-separated list of IP (v4 or v6) addresses with CIDR masks from
              which incoming traffic for this peer is allowed and to which outgoing  traffic  for
              this  peer  is  directed. The catch-all 0.0.0.0/0 may be specified for matching all
              IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.  May  be
              specified multiple times.

       ·      Endpoint — an endpoint IP or hostname, followed by a colon, and then a port number.
              This endpoint will be updated automatically to the most recent  source  IP  address
              and port of correctly authenticated packets from the peer.  Optional.

       ·      PersistentKeepalive  —  a  seconds  interval, between 1 and 65535 inclusive, of how
              often to send an authenticated empty packet to the peer for the purpose of  keeping
              a  stateful  firewall  or  NAT  mapping  valid  persistently.  For  example, if the
              interface very rarely sends traffic, but it might at anytime receive traffic from a
              peer,  and  it  is behind NAT, the interface might benefit from having a persistent
              keepalive interval of 25 seconds. If set to 0 or "off", this option is disabled. By
              default  or  when  unspecified,  this option is off. Most users will not need this.
              Optional.

CONFIGURATION FILE FORMAT EXAMPLE

       This example may be used as a model for writing configuration files, following an INI-like
       syntax. Characters after and including a '#' are considered comments and are thus ignored.

           [Interface]
           PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
           ListenPort = 51820

           [Peer]
           PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
           Endpoint = 192.95.5.67:1234
           AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

           [Peer]
           PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
           Endpoint = [2607:5300:60:6b0::c05f:543]:2468
           AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

           [Peer]
           PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
           Endpoint = test.wireguard.com:18981
           AllowedIPs = 10.10.10.230/32

ENVIRONMENT VARIABLES

       WG_COLOR_MODE
              If  set to always, always print ANSI colorized output. If set to never, never print
              ANSI colorized output. If set to auto, something invalid, or unset, then print ANSI
              colorized output only when writing to a TTY.

       WG_HIDE_KEYS
              If  set  to  never, then the pretty-printing show sub-command will show private and
              preshared keys in the output. If set to always, something invalid, or  unset,  then
              private and preshared keys will be printed as "(hidden)".

       WG_ENDPOINT_RESOLUTION_RETRIES
              If  set  to an integer or to infinity, DNS resolution for each peer's endpoint will
              be retried that many times for  non-permanent  errors,  with  an  increasing  delay
              between retries. If unset, the default is 15 retries.

SEE ALSO

       ip(8), ip-link(8), ip-address(8), ip-route(8).

AUTHOR

       wg was written by Jason A. Donenfeld ⟨Jason@zx2c4.com⟩.  For updates and more information,
       a project page is available on the World Wide Web ⟨https://www.wireguard.com/⟩.