How to use the command 'wg' (with examples)
- Linux
- December 17, 2024
wg is a command-line tool used for managing WireGuard, a modern and simple VPN solution. WireGuard is known for its ease of configuration and high performance, and wg allows users to configure and manage WireGuard interfaces, keys, and other settings. The wg command can be used for a variety of tasks, from generating cryptographic keys to displaying the status and configuration of the VPN interfaces. Below are several use cases of the wg command, highlighting its versatile functionality.
Use case 1: Check status of currently active interfaces
Code:
sudo wg
Motivation:
Checking the status of currently active interfaces is an essential task for administrators who need to monitor the VPN setup. This command provides a snapshot of all active WireGuard interfaces, allowing administrators to verify their statuses quickly. This is particularly useful for ensuring that all the expected interfaces are running and that they are configured correctly.
Explanation:
- sudo: This command is run with superuser privileges because managing network interfaces typically requires elevated permissions. By using sudo, the user is executing the wg command with the necessary high-level access.
- wg: This is the command to manage WireGuard interfaces. When run without additional arguments, it will display the status of all active interfaces, showing details like interface name, addresses, peers, and connectivity status.
Example output:
interface: wg0
  public key: ABcDEfgHIJKLmNOPqrStuVWXyz1234567890=
  private key: (hidden)
  listening port: 51820

peer: xyZabcdefgHIJklmnopqRSTuvwxyz/ABc=
  endpoint: 192.168.1.1:51820
  allowed ips: 10.0.0.0/24
  latest handshake: 1 minute, 20 seconds ago
  transfer: 123.45 KiB received, 234.56 KiB sent
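Added example (not from the original page): for scripted monitoring, wg show <interface> latest-handshakes prints one peer public key and Unix timestamp per line, which is easier to check than the human-readable output above. The helper name stale_peers, the 180-second threshold and the sample lines are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: list peers whose last handshake is missing or too old.
# Input format (wg show <interface> latest-handshakes):
#   <peer public key> TAB <Unix time of last handshake, 0 = none recorded>
# stale_peers is a hypothetical helper name.

# usage: sudo wg show wg0 latest-handshakes | stale_peers MAX_AGE_SECONDS [NOW]
stale_peers() {
    local max_age=$1
    local now=${2:-$(date +%s)}
    awk -F '\t' -v max="$max_age" -v now="$now" '
        NF < 2             { next }                      # ignore malformed lines
        $2 == 0            { print $1 "\tnever"; next }  # no handshake recorded
        (now - $2) > max   { print $1 "\t" (now - $2) "s" }
    '
}

# Constructed sample input (keys are placeholders, not real WireGuard keys)
SAMPLE_HANDSHAKES=$(printf '%s\t%s\n' \
    'peerA-constructed-key=' 1734430180 \
    'peerB-constructed-key=' 1734429000 \
    'peerC-constructed-key=' 0)

# Evaluate the sample as if the current time were 1734430200
printf '%s\n' "$SAMPLE_HANDSHAKES" | stale_peers 180 1734430200
```

A non-empty result can feed an alert; an empty result means every peer completed a handshake within the threshold.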
Use case 2: Generate a new private key
Code:
wg genkey
Motivation:
Generating a new private key is a critical step when setting up a WireGuard VPN. Private keys are an integral part of the cryptographic systems that secure communication over the VPN, ensuring that data is encrypted and integrity is maintained. A new private key is essential whenever a new WireGuard peer is added or security credentials need to be rotated for privacy reasons.
Explanation:
- wg genkey: The genkey subcommand generates a random private key. This command does not require any additional arguments and outputs the generated key directly to the terminal.
Example output:
nlkjs3odsdfjisdkjfew27fe328fj3232=
(Note: The actual output will differ each time the command is run due to the randomness of the key generation.)
Use case 3: Generate a public key from a private key
Code:
wg pubkey < path/to/private_key > path/to/public_key
Motivation:
Public keys are derived from private keys and are used by other peers on the network to encrypt data sent to the owner of the private key. Generating a public key from an existing private key is a necessary step in setting up a secure communication channel within a WireGuard VPN. This allows the WireGuard peer to communicate securely with others in the network.
Explanation:
- wg pubkey: The pubkey subcommand generates a public key from a private key.
- < path/to/private_key: This is a shell redirection operator that takes the contents of the specified private key file as input for the wg pubkey command.
- > path/to/public_key: This redirection operator directs the output (the generated public key) from the wg pubkey command into a specified file, allowing you to save the public key for later use.
Example output (stored in the file specified):
zaXBylmNOPqrstuvWXYz890abcdefghijklmnop789012=
Use case 4: Generate a public and private key
Code:
wg genkey | tee path/to/private_key | wg pubkey > path/to/public_key
Motivation:
Setting up a new WireGuard peer often requires generating both a private and a corresponding public key. By doing this in one seamless command, administrators can create the key pair efficiently. This process is useful for reducing errors and ensuring that the key pair generated is securely stored in specified files for later configuration.
Explanation:
- wg genkey: Generates a new private key.
- |: A pipe operator that allows the output of the first command to be used as input for the subsequent command.
- tee path/to/private_key: The tee command reads the standard input and writes it to both standard output and one or more files. In this case, the generated private key is both passed on through standard output and written to a file, ensuring that the private key is saved to disk.
- wg pubkey: Generates a public key from the output of the tee command (which is the private key).
- > path/to/public_key: Directs the generated public key into a specified file.
Example output (stored in specified files):
- path/to/private_key: Contains the generated private key.
- path/to/public_key: Contains the generated public key.
(Note: Actual key values will differ each time the command is executed.)
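Added example (not from the original page): tee creates path/to/private_key with whatever permissions the current umask allows, so with a typical umask of 022 the key file is readable by other local users. The check below verifies both the file mode and the key format; the helper name audit_wg_key is hypothetical, and it assumes GNU stat and base64 as found on Linux.

```bash
#!/usr/bin/env bash
# Added example: check a private key file written by
#   wg genkey | tee path/to/private_key | wg pubkey > path/to/public_key
# Running the pipeline under a restrictive umask creates the file as 0600:
#   (umask 077; wg genkey | tee path/to/private_key | wg pubkey > path/to/public_key)
# audit_wg_key is a hypothetical helper name; assumes GNU stat and base64 (Linux).

# Return codes: 0 ok, 1 missing/unreadable, 2 accessible to group or others,
#               3 content is not a base64-encoded 32-byte key
audit_wg_key() {
    local file=$1 mode key nbytes
    [ -f "$file" ] && [ -r "$file" ] || return 1

    mode=$(stat -c '%a' "$file") || return 1      # octal bits, e.g. 600 or 644
    [ $(( 0$mode & 077 )) -eq 0 ] || return 2     # any group/other bit is too open

    # WireGuard keys are 32 bytes, i.e. 44 base64 characters ending in "="
    key=$(tr -d '\r\n' < "$file")
    [ "${#key}" -eq 44 ] || return 3
    case $key in
        *[!A-Za-z0-9+/=]*) return 3 ;;
    esac
    nbytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
    [ "$nbytes" -eq 32 ] || return 3
    return 0
}

# Demo on a constructed key (32 zero bytes), not a real secret
demo=$(mktemp)
head -c 32 /dev/zero | base64 > "$demo"
chmod 644 "$demo"; audit_wg_key "$demo" || echo "mode 644: rejected (code $?)"
chmod 600 "$demo"; audit_wg_key "$demo" && echo "mode 600: accepted"
rm -f "$demo"
```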
Use case 5: Show the current configuration of a WireGuard interface
Code:
sudo wg showconf wg0
Motivation:
Reviewing the current configuration of a WireGuard interface is essential for troubleshooting and verification purposes. This command allows administrators to check their setups, confirming that all settings are applied as intended and facilitating any necessary adjustments. This is particularly important when diagnosing connectivity issues or confirming security configurations.
Explanation:
- sudo: The command requires superuser privileges to access and display the configuration details of the network interfaces, since these configurations are typically protected by the system.
- wg showconf: This command shows the current configuration of a WireGuard interface, displaying all related settings such as keys, allowed IPs, and endpoints.
- wg0: This is the name of the WireGuard interface for which the configuration will be shown. It is specified by the user and should match the actual name of the interface configured on the system.
Example output:
[Interface]
PrivateKey = nlkjs3odsdfjisdkjfew27fe328fj3232=
ListenPort = 51820
[Peer]
PublicKey = zaXBylmNOPqrstuvWXYz890abcdefghijklmnop789012=
AllowedIPs = 10.0.0.0/24
Endpoint = 192.168.1.1:51820
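Added example (not from the original page): unlike plain wg, which prints private key: (hidden), wg showconf prints the PrivateKey value in clear text, as the example output above shows, along with any PresharedKey. The filter below redacts both before the output is shared; the helper name redact_wgconf and the PresharedKey sample line are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: strip secret values from `wg showconf` output before it is
# pasted into a ticket or chat. redact_wgconf is a hypothetical helper name.

# usage: sudo wg showconf wg0 | redact_wgconf
redact_wgconf() {
    awk '
        {
            # Split on the first "=" only: base64 values themselves end in "="
            eq = index($0, "=")
            if (eq > 0) {
                name = substr($0, 1, eq - 1)
                gsub(/[ \t]/, "", name)
                lname = tolower(name)
                # PrivateKey ([Interface]) and PresharedKey ([Peer]) are the secrets
                if (lname == "privatekey" || lname == "presharedkey") {
                    print name " = (hidden)"
                    next
                }
            }
            print
        }'
}

# The example output shown above, with a constructed PresharedKey line added
SAMPLE_CONF='[Interface]
PrivateKey = nlkjs3odsdfjisdkjfew27fe328fj3232=
ListenPort = 51820
[Peer]
PublicKey = zaXBylmNOPqrstuvWXYz890abcdefghijklmnop789012=
PresharedKey = constructed-preshared-key-placeholder=
AllowedIPs = 10.0.0.0/24
Endpoint = 192.168.1.1:51820'

printf '%s\n' "$SAMPLE_CONF" | redact_wgconf
```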
Conclusion:
The wg command is a powerful tool for managing WireGuard VPN configurations. Whether inspecting active interfaces, generating secure keys, or displaying configuration settings, wg proves indispensable for network administrators and users setting up secure, high-performance virtual private networks. By understanding and utilizing these various commands, users can ensure their WireGuard interfaces are both operational and secure.