DragonFly On-Line Manual Pages

Search: Section:  

WG.CONF(5)               DragonFly File Formats Manual              WG.CONF(5)


wg.conf - WireGuard configuration file




The wg.conf file is used by the WireGuard rc(8) script to manage a wg(4) interface. The file format is very similar to that of the wg-quick(8) tool on Linux or FreeBSD, but has necessary differences and minor additions. The format is based on INI. Blank lines and comment lines (i.e., the first non-blank character is `#' or `;') are ignored; however, in-line comments are now allowed. Backslash continuation is supported, so a long line may be split into multiple lines by ending the lines with a backslash (`\'). The section and field names are case-insensitive. There must be one and only one Interface section, while there can be zero or more Peer sections. The Interface section may contain the following fields: Description A description string. PrivateKey (required) The base64-encoded private key of the interface. ListenPort The UDP port to listen on. If not specified, it will be chosen automatically. Address (required) A comma-separated list of IPv4 or IPv6 addresses (optionally with CIDR masks) to be assigned to the interface. May be specified multiple times. MTU The explicit MTU to specify for the interface to override the default value. PreUp The command to be executed by sh(1) before bringing up the interface. The special string "%i" will be expanded to the name of the interface. If the command execution fails (i.e., a non-zero return value), a warning message will be printed and the configuration procedure will continue. May be specified multiple times, in which case the commands are executed in the same order as specified. PostUp Similar to the PreUp above, but the commands will be executed after bringing up the interface. This is most commonly used to configure custom routes, DNS resolvers, or firewall rules. PreDown Similar to the PreUp above, but the commands will be executed before bringing down the interface. PostDown Similar to the PreUp above, but the commands will be executed after bringing down the interface. The Peer section may contain the following fields: Enabled If set to "false" or "no", the peer is disabled and will be ignored. Description A description string. PublicKey (required) The base64-encoded public key of the peer. PresharedKey The base64-encoded pre-shared key, which can strengthen the Diffie-Hellman exchange. Endpoint The endpoint address, which may be of formats "domain:port", "ipv4:port", or "[ipv6]:port". Note: At least one peer in each pair must specify the endpoint address. AllowedIPs (required) A comma-separated list of IPv4 or IPv6 addresses with CIDR masks, from which the incoming traffic to this peer is allowed, and to which the outgoing traffic from this peer is directed. May be specified multiple times. PersistentKeepalive The interval in seconds of keepalive packets to be sent to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. If unspecified or set to "0" or "off", this function is disabled. Note: The WireGuard rc(8) script would not add/delete routes according to the peer's allowed IPs, because DragonFly currently doesn't support multiple routing tables (or FIBs), without which it is hard to reliably generate the correct routes, especially to override the default routes. Therefore, users should manually determine the routes and manage them with the PostUp and PreDown hooks.


/etc/wireguard/${ifname}.conf The configuration file for wg(4) interface named ${ifname}. /etc/rc.d/wg The WireGuard rc(8) script.


Server Configuration This example sets up a WireGuard peer as the server, to which the other peers (i.e., clients) can connect. The allowed peers are specified with their public keys. Note that we use "/24" and "/64" for the interface's addresses, but use "/32" and "/128" for the peers' allowed IPs. In this way, with IP forwarding enabled, the server peer acts like an LAN switch and then all peers can communicate with each other. [Interface] PrivateKey = <private-key> Address = Address = fc00:6:66::1/64 ListenPort = 6666 PostUp = sysctl net.inet.ip.forwarding=1 PostUp = sysctl net.inet6.ip6.forwarding=1 [Peer] Description = my peer #1 PublicKey = <public-key> AllowedIPs =, fc00:6:66::2/128 [Peer] Enabled = false Description = my peer #2 PublicKey = <public-key> AllowedIPs = Client Configuration The following example configures a WireGuard peer that connects to the above server, which is assumed to have an address of "wg.example.com". Note that the peer's allowed IPs must be the LAN networks (e.g., "") instead of the specific IP addresses of the server peer (e.g., ""); in this way, the system will auto-configure the routes for such directly connected networks. In addition, the persistent keepalive function is enabled to make this peer always try to keep the connection, so that other peers can connect to this peer anytime. [Interface] PrivateKey = <private-key> Address =, fc00:6:66::2/64 [Peer] PublicKey = <public-key> Endpoint = wg.example.com:6666 AllowedIPs = AllowedIPs = fc00:6:66::/64 PersistentKeepalive = 25 The following example configures a WireGuard peer that forwards all its IPv4 traffic to the other peer, which must have NAT configured, e.g., by using pf(4). The whole IPv4 network (i.e., "") is split into "" and "", so that the existing default route is kept intact. [Interface] PrivateKey = <private-key> Address = PostUp = route add -host <peer-addr> \ $(route get -inet default | awk '/gateway:/ { print $2 }') PostUp = route add -net -interface %i PostUp = route add -net -interface %i PreDown = route delete -host <peer-addr> PreDown = route delete -net PreDown = route delete -net [Peer] PublicKey = <public-key> Endpoint = <peer-addr>:<peer-port> AllowedIPs = PersistentKeepalive = 25 Command-line Usage Suppose the wg(4) interface is called mywg, and its wg.conf configuration file has been already prepared. To create and start the interface: $ /etc/rc.d/wg onestart mywg which is equivalent to `wg-quick up mywg'. To stop and destroy the interface: $ /etc/rc.d/wg onestop mywg which is equivalent to `wg-quick down mywg'.


wg(4), rc.conf(5), ifconfig(8)


The WireGuard rc(8) script was written by Aaron LI <aly@aaronly.me> and appeared in DragonFly 6.5.


This manual page was written by Aaron LI <aly@aaronly.me>. DragonFly 6.5-DEVELOPMENT February 14, 2024 DragonFly 6.5-DEVELOPMENT

Search: Section: