Here are some common tasks and other useful tips that can help you in your WireGuard deployment.
Controlling the WireGuard interface with systemd
The wg-quick tool is a simple way to bring the WireGuard interface up and down. That control is also exposed via a systemd service, which means the standard systemctl tool can be used.
Probably the greatest benefit of this is that it gives you the ability to configure the interface to be brought up automatically on system boot. For example, to configure the wg0 interface to be brought up at boot, run the following command:
$ sudo systemctl enable wg-quick@wg0The name of the systemd service follows the WireGuard interface name, and multiple such services can be enabled/started at the same time. You can also use the systemctl status, start, stop, reload and restart commands to control the WireGuard interface and query its status:
$ sudo systemctl reload wg-quick@wg0The reload action does exactly what we expect: it reloads the configuration of the interface without disrupting existing WireGuard tunnels. To add or remove peers, reload is sufficient, but if wg-quick options, such as PostUp, Address, or similar are changed, then a restart is needed.
DNS resolving
Let’s say when you are inside the home network (literally – at home), you can connect to your other systems via DNS names, because your router at 10.10.10.1 can act as an internal DNS server. It would be nice to have this capability also when connected via the WireGuard VPN.
To do that, we can add a PostUp command to the WireGuard configuration to run a command for us right after the VPN is established. This command can be anything you would run in a shell (as root). We can use that to adjust the DNS resolver configuration of the laptop that is remotely connected to the home network.
For example, if we have a WireGuard setup as follows:
home0WireGuard interface..homeDNS domain for the remote network.10.10.10.1/24is the DNS server for the.homedomain, reachable after the VPN is established.
We can add this PostUp command to the home0.conf configuration file to have our systemd-based resolver use 10.10.10.1 as the DNS server for any queries for the .home domain:
[Interface]...PostUp = resolvectl dns %i 10.10.10.1; resolvectl domain %i \~homeFor PostUp (and PostDown – see the wg-quick(8) manpage for details), the %i text is replaced with the WireGuard interface name. In this case, that would be home0.
These two resolvectl commands tell the local systemd-resolved resolver to:
- associate the DNS server at
10.10.10.1to thehome0interface, and - associate the
homedomain to thehome0interface.
When you bring the home0 WireGuard interface up again, it will run the resolvectl commands:
$ sudo wg-quick up home0[#] ip link add home0 type wireguard[#] wg setconf home0 /dev/fd/63[#] ip -4 address add 10.10.11.2/24 dev home0[#] ip link set mtu 1420 up dev home0[#] ip -4 route add 10.10.10.0/24 dev home0[#] resolvectl dns home0 10.10.10.1; resolvectl domain home0 \~homeYou can verify that it worked by pinging some hostname in your home network, or checking the DNS resolution status for the home0 interface:
$ resolvectl status home0Link 26 (home0) Current Scopes: DNS Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupportedCurrent DNS Server: 10.10.10.1 DNS Servers: 10.10.10.1 DNS Domain: ~homeIf you are using systemctl to control the WireGuard interface, this is the type of change (adding or changing PostUp) where the reload action won’t be enough, and you actually need to issue a restart.
Note:
The wg-quick(8) manpage documents the DNS setting of the WireGuard interface which has the same purpose, but only works if you haveresolveconfinstalled. Ubuntu systems by default don’t, and rely onsystemd-resolvedinstead.
Adding another peer
To add another peer to an existing WireGuard setup, we have to:
- Generate a new keypair for the new peer
- Create a new
[Peer]section on the “other side” of the WireGuard setup - Pick a new IP for the new peer
Let’s call the new system ontheroad, and generate the keys for it:
$ umask 077$ wg genkey > ontheroad-private.key$ wg pubkey < ontheroad-private.key > ontheroad-public.key$ ls -la ontheroad.*-rw------- 1 ubuntu ubuntu 45 Aug 22 20:12 ontheroad-private.key-rw------- 1 ubuntu ubuntu 45 Aug 22 20:13 ontheroad-public.keyAs for its IP address, let’s pick 10.10.11.3/24 for it, which is the next one in the sequence from one of the previous examples in our WireGuard guide:
[Interface]PrivateKey = <contents-of-ontheroad-private.key>ListenPort = 51000Address = 10.10.11.3/24[Peer]PublicKey = <contents-of-router-public.key>Endpoint = <home-ppp0-IP-or-hostname>:51000AllowedIPs = 10.10.11.0/24,10.10.10.0/24The only difference between this config and one for an existing system in this same WireGuard setup will be PrivateKey and Address.
On the “other side”, we add the new [Peer] section to the existing config:
[Interface]PrivateKey = <contents-of-router-private.key>ListenPort = 51000Address = 10.10.11.1/24[Peer]# laptopPublicKey = <contents-of-laptop-public.key>AllowedIPs = 10.10.11.2[Peer]# ontheroadPublicKey = <contents-of-ontheroad-public.key>AllowedIPs = 10.10.11.3To update the interface with the new peer without disrupting existing connections, we use the reload action of the systemd unit:
$ systemctl reload wg-quick@wg0Note:
For this case of a “server” or “VPN gateway”, where we are just adding another peer to an existing config, thesystemctl reloadaction will work well enough to insert the new peer into the WireGuard configuration. However, it won’t create new routes, or do any of the other steps thatwg-quickdoes. Depending on your setup, you might need a full restart so thatwg-quickcan fully do its job.
Adding a smartphone peer
WireGuard can be installed on many different platforms, and smartphones are included. The upstream installation page has links for Android and for iOS apps.
Such a mobile client can be configured more easily with the use of QR codes.
We start by creating the new peer’s config normally, as if it were any other system (generate keys, pick an IP address, etc). Then, to convert that configuration file to a QR code, install the qrencode package:
$ sudo apt install qrencodeNext, run the following command (assuming the config was written to phone.conf):
$ cat phone.conf | qrencode -t ansiutf8 That will generate a QR code in the terminal, ready for scanning with the smartphone app. Note that there is no need for a graphical environment, and this command can be run remotely over SSH for example.
Note that you need to put the private key contents directly into that configuration file, and not use PostUp to load it from a separate file.
Important
Treat this QR code as a secret, as it contains the private key for the WireGuard interface!
Previous Default gateway Next Security tips
This page was last modified 7 days ago. Help improve this document in the forum.
