2026-03-22 00:54:58 -07:00

wgtool (WireGuard helper CLI)

wgtool streamlines creating and validating WireGuard configs, and generating a ready-to-paste Zion peer block.

Features

  • Generate WireGuard configs with sensible defaults
  • Validate single configs or all .conf files in a directory
  • Print a Zion-ready [Peer] snippet for adding new nodes
  • Generate private keys (derive public key with wg pubkey)

Commands

  • generate: Create a config and write keys
  • validate: Lint a config file or all .conf files in a directory
  • zion-peer: Print a [Peer] block for Zion's wg0.conf
  • keys: Print a private key
  • version: Show tool version

Defaults and endpoints

  • Adds one default peer in generated configs:
    • Zion (central server)
      • PublicKey: 2ztJbrN1x1NWanzPGLiKL19ZkdOhm5Y7WeKEWBT5cyg=
      • Endpoint: ugh.im:51820
      • AllowedIPs:
        • wg_only: 10.8.0.0/24
        • full_tunnel: 0.0.0.0/0, ::/0
      • PersistentKeepalive: 25

generate

Create a config into wireguard_configs/ and output keys alongside it. Missing flags are prompted interactively unless --yes is used.

Flags:

  • --hostname Node name (e.g., aza)
  • --ip Node IP in 10.8.0.x
  • --interface Interface name (default wg0)
  • --routing wg_only | full_tunnel (default wg_only)
  • --out Output directory (default wireguard_configs)
  • --force Overwrite without prompt
  • --yes Non-interactive (assume yes)

Examples:

./wgtool generate
./wgtool generate --hostname aza --ip 10.8.0.30 --interface wg0 --routing wg_only --out wireguard_configs --yes
./wgtool generate --hostname aza --ip 10.8.0.30 --routing full_tunnel --yes

Outputs:

  • wireguard_configs/wg0.conf
  • wireguard_configs/<hostname>_private.key
  • Derive public key: echo "<PrivateKey>" | wg pubkey

validate

Validate a config file or every .conf in a directory.

Flags:

  • --target Path to a file or directory

Examples:

./wgtool validate --target wireguard_configs/wg0.conf
./wgtool validate --target wireguard_configs

Checks include:

  • Presence of [Interface]
  • PrivateKey and CIDR Address
  • Peer PublicKey format
  • AllowedIPs as valid CIDRs
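
The checks listed above, sketched in Go as an added example (not wgtool's own code). Lint is a hypothetical helper; the sample config in main is constructed, with an all-zero placeholder private key and the Zion peer values from this README.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/netip"
	"strings"
)

// Lint (hypothetical helper, not wgtool's code) returns one message per failed check.
func Lint(conf string) (errs []string) {
	section, seen := "", map[string]bool{}
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		k, v, ok := strings.Cut(line, "=")
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		switch {
		case strings.HasPrefix(line, "["):
			section = line
			seen[section] = true
		case !ok || strings.HasPrefix(line, "#"):
			continue // blank line, comment, or not a key/value pair
		case k == "PrivateKey" || k == "PublicKey":
			// A key is 44 base64 characters that decode to exactly 32 bytes.
			if b, err := base64.StdEncoding.DecodeString(v); err != nil || len(v) != 44 || len(b) != 32 {
				errs = append(errs, k+": not a 32-byte base64 key")
			}
		case k == "Address" || k == "AllowedIPs":
			for _, c := range strings.Split(v, ",") {
				if _, err := netip.ParsePrefix(strings.TrimSpace(c)); err != nil {
					errs = append(errs, k+": invalid CIDR "+strings.TrimSpace(c))
				}
			}
		}
		seen[section+" "+k] = true
	}
	for _, k := range []string{"", "PrivateKey", "Address"} {
		if !seen[strings.TrimSpace("[Interface] "+k)] {
			errs = append(errs, strings.TrimSpace("missing [Interface] "+k))
		}
	}
	return errs
}

func main() {
	// Constructed sample: placeholder all-zero private key, Zion peer key from the README.
	conf := "[Interface]\nPrivateKey = " + strings.Repeat("A", 43) + "=\nAddress = 10.8.0.30/24\n" +
		"[Peer]\nPublicKey = 2ztJbrN1x1NWanzPGLiKL19ZkdOhm5Y7WeKEWBT5cyg=\nAllowedIPs = 10.8.0.0/24\n"
	fmt.Println(len(Lint(conf)), Lint(conf+"[Peer]\nPublicKey = ABCDEFG...=\nAllowedIPs = 10.8.0.30\n"))
}
```

An Address or AllowedIPs entry without a prefix length (for example 10.8.0.30) is reported as an invalid CIDR, and a truncated key fails the 32-byte check even when it ends with =.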

zion-peer

Print a [Peer] block to add to Zion's /etc/wireguard/wg0.conf for a new node.

Flags:

  • --name Node name
  • --pub Node public key (44-char base64 ending with =)
  • --ip Node IP in 10.8.0.x (host address)

Example:

./wgtool zion-peer --name aza --pub ABCDEFG...= --ip 10.8.0.30

keys

Generate and print a private key.

Example:

./wgtool keys
# derive the public key
echo "<PrivateKey>" | wg pubkey

Quick start

  1. Create a config and keys
     ./wgtool generate --hostname mynode --ip 10.8.0.30 --yes
  2. Validate the config
     ./wgtool validate --target wireguard_configs/wg0.conf
  3. Give Zion your peer details
     ./wgtool zion-peer --name mynode --pub "$(echo "<PrivateKey>" | wg pubkey)" --ip 10.8.0.30
  4. Install and enable (on your node)
     sudo cp wireguard_configs/wg0.conf /etc/wireguard/
     sudo chmod 600 /etc/wireguard/wg0.conf
     sudo systemctl enable --now wg-quick@wg0

Notes:

  • IPs are enforced in the 10.8.0.x range.
  • In full_tunnel mode DNS is set to 1.1.1.1, 8.8.8.8.
  • Overwrites are blocked unless --force or confirmed interactively.