wgtool/README.md
2026-03-22 00:54:58 -07:00
## wgtool (WireGuard helper CLI)
wgtool streamlines creating and validating WireGuard configs, and generating a ready-to-paste Zion peer block.
### Features
- Generate WireGuard configs with sensible defaults
- Validate single configs or all .conf files in a directory
- Print a Zion-ready [Peer] snippet for adding new nodes
- Generate private keys (derive public key with `wg pubkey`)
### Commands
- `generate`: Create a config and write keys
- `validate`: Lint a config file or all `.conf` files in a directory
- `zion-peer`: Print a `[Peer]` block for Zion's `wg0.conf`
- `keys`: Print a private key
- `version`: Show tool version
### Defaults and endpoints
- Adds one default peer in generated configs:
  - Zion (central server)
  - PublicKey: `2ztJbrN1x1NWanzPGLiKL19ZkdOhm5Y7WeKEWBT5cyg=`
  - Endpoint: `ugh.im:51820`
  - AllowedIPs:
    - `wg_only`: `10.8.0.0/24`
    - `full_tunnel`: `0.0.0.0/0, ::/0`
  - PersistentKeepalive: `25`
### generate
Write a config into `wireguard_configs/` and the node's private key alongside it. Missing flags are prompted for interactively unless `--yes` is used.
Flags:
- `--hostname` Node name (e.g., `aza`)
- `--ip` Node IP in `10.8.0.x`
- `--interface` Interface name (default `wg0`)
- `--routing` `wg_only` | `full_tunnel` (default `wg_only`)
- `--out` Output directory (default `wireguard_configs`)
- `--force` Overwrite without prompt
- `--yes` Non-interactive (assume yes)
Examples:
```bash
./wgtool generate
./wgtool generate --hostname aza --ip 10.8.0.30 --interface wg0 --routing wg_only --out wireguard_configs --yes
./wgtool generate --hostname aza --ip 10.8.0.30 --routing full_tunnel --yes
```
Outputs:
- `wireguard_configs/wg0.conf` (its `[Interface]` section embeds the private key, so treat the file as a secret)
- `wireguard_configs/<hostname>_private.key`
- Derive the public key: `wg pubkey < wireguard_configs/<hostname>_private.key` (read it from the file; `echo "<PrivateKey>" | wg pubkey` leaves the private key in your shell history)
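What `generate` produces, reconstructed from the defaults above as an added Python example (not wgtool's own code; the README does not show the tool's language or the exact file layout). Assumptions: the config is written as `<interface>.conf`, `Address` carries the `/24` of the `10.8.0.0/24` range, and the comment lines are mine. The private key is 32 random bytes clamped the way `wg genkey` does; the public key is still derived with `wg pubkey`. The part worth copying is the file handling: both files are created mode 0600 from the first instant (no create-then-chmod window), and an existing file is refused unless `force` is set, matching the `--force` note.

```python
import base64
import ipaddress
import os
import pathlib
import tempfile

# Defaults stated in the README (Zion is the central server).
ZION_PUBKEY = '2ztJbrN1x1NWanzPGLiKL19ZkdOhm5Y7WeKEWBT5cyg='
ZION_ENDPOINT = 'ugh.im:51820'
ALLOWED_IPS = {'wg_only': '10.8.0.0/24', 'full_tunnel': '0.0.0.0/0, ::/0'}
FULL_TUNNEL_DNS = '1.1.1.1, 8.8.8.8'
KEEPALIVE = 25
NODE_NET = ipaddress.ip_network('10.8.0.0/24')   # README: node IPs are enforced in 10.8.0.x


def gen_private_key() -> str:
    """32 random bytes, clamped like `wg genkey`, base64 (44 chars ending in '=')."""
    k = bytearray(os.urandom(32))
    k[0] &= 248      # clear the low 3 bits
    k[31] &= 127     # clear bit 255
    k[31] |= 64      # set bit 254
    return base64.b64encode(bytes(k)).decode()


def is_clamped_key(key: str) -> bool:
    """True if `key` decodes to 32 bytes with the X25519 clamping bits set as above."""
    raw = base64.b64decode(key, validate=True)
    return len(raw) == 32 and raw[0] & 7 == 0 and raw[31] & 128 == 0 and raw[31] & 64 == 64


def render_config(hostname: str, ip: str, private_key: str,
                  routing: str = 'wg_only', interface: str = 'wg0') -> str:
    """Render the node-side config (assumed layout: /24 on Address, comment lines are mine)."""
    if routing not in ALLOWED_IPS:
        raise ValueError(f'routing must be one of {sorted(ALLOWED_IPS)}')
    addr = ipaddress.ip_address(ip)
    if addr not in NODE_NET or addr in (NODE_NET.network_address, NODE_NET.broadcast_address):
        raise ValueError(f'{ip} is not a host address in {NODE_NET}')
    lines = [f'# {hostname} ({interface})', '[Interface]',
             f'PrivateKey = {private_key}', f'Address = {addr}/{NODE_NET.prefixlen}']
    if routing == 'full_tunnel':                     # README: DNS only in full_tunnel mode
        lines.append(f'DNS = {FULL_TUNNEL_DNS}')
    lines += ['', '[Peer]', '# Zion (central server)', f'PublicKey = {ZION_PUBKEY}',
              f'Endpoint = {ZION_ENDPOINT}', f'AllowedIPs = {ALLOWED_IPS[routing]}',
              f'PersistentKeepalive = {KEEPALIVE}']
    return '\n'.join(lines) + '\n'


def write_secret(path: pathlib.Path, data: str, force: bool = False) -> None:
    """Create the file 0600 atomically (no create-then-chmod window); refuse to
    overwrite unless force, mirroring the README's --force behaviour."""
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if force else os.O_EXCL)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, 'w') as fh:
        fh.write(data)
    os.chmod(path, 0o600)   # in case --force reused an existing file with looser mode


def generate(hostname, ip, out_dir, routing='wg_only', interface='wg0', force=False):
    """Write <interface>.conf and <hostname>_private.key into out_dir; return both paths."""
    out = pathlib.Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    key = gen_private_key()
    conf_path, key_path = out / f'{interface}.conf', out / f'{hostname}_private.key'
    write_secret(key_path, key + '\n', force)
    write_secret(conf_path, render_config(hostname, ip, key, routing, interface), force)
    return conf_path, key_path


def demo_roundtrip() -> dict:
    """Generate into a temp dir, exercise the overwrite guard, return what to check."""
    with tempfile.TemporaryDirectory() as d:
        conf, keyf = generate('aza', '10.8.0.30', d, routing='full_tunnel')
        full, key = conf.read_text(), keyf.read_text().strip()
        try:
            generate('aza', '10.8.0.30', d)          # no --force: must be refused
            blocked = False
        except FileExistsError:
            blocked = True
        conf2, _ = generate('aza', '10.8.0.30', d, force=True)   # --force path
        return {'full_tunnel_conf': full, 'wg_only_conf': conf2.read_text(), 'key': key,
                'overwrite_blocked': blocked, 'key_mode': keyf.stat().st_mode & 0o777}
```

Run `demo_roundtrip()` to see both routing modes; afterwards `wg pubkey < aza_private.key` gives the value to hand to `zion-peer`.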
### validate
Validate a config file or every `.conf` in a directory.
Flags:
- `--target` Path to a file or directory
Examples:
```bash
./wgtool validate --target wireguard_configs/wg0.conf
./wgtool validate --target wireguard_configs
```
Checks include:
- Presence of `[Interface]`
- `PrivateKey` and CIDR `Address`
- Peer `PublicKey` format
- `AllowedIPs` as valid CIDRs
### zion-peer
Print a `[Peer]` block to add into Zion's `/etc/wireguard/wg0.conf` for a new node.
Flags:
- `--name` Node name
- `--pub` Node public key (44-char base64 ending with `=`)
- `--ip` Node IP in `10.8.0.x` (host address)
Example:
```bash
./wgtool zion-peer --name aza --pub ABCDEFG...= --ip 10.8.0.30
```
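The checks listed under validate and the `[Peer]` stanza zion-peer prints, as one added Python example (not wgtool's code). The parser is hand-rolled because Python's configparser cannot keep repeated `[Peer]` sections or repeated keys such as several `AllowedIPs` lines. Key checks are format-only (44-char base64 decoding to 32 bytes); the `Address` range check follows the README note that IPs are enforced in `10.8.0.x`. The stanza layout (comment line, `/32` AllowedIPs) is an assumption about what the tool emits; the `/32` itself is deliberate: on Zion, AllowedIPs is the cryptokey-routing table, so giving each node only its own address stops one node from sourcing traffic as another. The sample configs are constructed, and the private key in them is a placeholder.

```python
import base64
import ipaddress
import re

NODE_NET = ipaddress.ip_network('10.8.0.0/24')   # README: node IPs are enforced in 10.8.0.x
KEY_RE = re.compile(r'^[A-Za-z0-9+/]{43}=$')      # 32 bytes -> 44 base64 chars, one '='


def parse_wg_conf(text: str) -> list:
    """Return [(section, {key: [values]})]; repeated [Peer] sections and keys are kept."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = (line[1:-1].strip(), {})
            sections.append(current)
        elif current is None or '=' not in line:
            raise ValueError(f'malformed line: {raw!r}')
        else:
            key, value = (p.strip() for p in line.split('=', 1))
            current[1].setdefault(key, []).append(value)
    return sections


def is_wg_key(value: str) -> bool:
    """Format check only: a WireGuard key is 32 bytes, i.e. 44 base64 chars ending in '='."""
    return bool(KEY_RE.match(value)) and len(base64.b64decode(value, validate=True)) == 32


def _cidrs(values) -> list:
    """Flatten 'a, b' style values and repeated keys into one list of strings."""
    return [v.strip() for chunk in values for v in chunk.split(',') if v.strip()]


def validate_conf(text: str) -> list:
    """Return findings; an empty list means the config passes the README's checks."""
    try:
        sections = parse_wg_conf(text)
    except ValueError as e:
        return [str(e)]
    out = []
    ifaces = [b for n, b in sections if n == 'Interface']
    peers = [b for n, b in sections if n == 'Peer']
    if len(ifaces) != 1:
        out.append(f'expected exactly one [Interface] section, found {len(ifaces)}')
    for iface in ifaces:
        if not all(is_wg_key(k) for k in iface.get('PrivateKey') or ['']):
            out.append('[Interface] PrivateKey missing or not a 44-char base64 key')
        addrs = _cidrs(iface.get('Address', []))
        if not addrs:
            out.append('[Interface] Address missing')
        for a in addrs:
            try:
                if '/' not in a:
                    raise ValueError('no prefix length')
                host = ipaddress.ip_interface(a)
                if host.version == 4 and host.ip not in NODE_NET:
                    out.append(f'Address {a} is outside {NODE_NET}')
            except ValueError as e:
                out.append(f'Address {a!r} is not a valid CIDR: {e}')
    if not peers:
        out.append('no [Peer] section')
    for i, peer in enumerate(peers, 1):
        pub = peer.get('PublicKey', [])
        if len(pub) != 1 or not is_wg_key(pub[0]):
            out.append(f'[Peer] {i}: PublicKey missing or malformed')
        allowed = _cidrs(peer.get('AllowedIPs', []))
        if not allowed:
            out.append(f'[Peer] {i}: AllowedIPs missing')
        for a in allowed:
            try:
                ipaddress.ip_network(a)   # strict: '10.8.0.30/24' (host bits set) is rejected
            except ValueError as e:
                out.append(f'[Peer] {i}: AllowedIPs {a!r} is not a valid CIDR: {e}')
    return out


def zion_peer_block(name: str, pub: str, ip: str) -> str:
    """[Peer] stanza for Zion's wg0.conf (layout assumed). AllowedIPs is the node's /32
    only: WireGuard drops packets from this key whose source is outside AllowedIPs."""
    if not is_wg_key(pub):
        raise ValueError('public key must be 44-char base64 ending in =')
    addr = ipaddress.ip_address(ip)
    if addr not in NODE_NET or addr in (NODE_NET.network_address, NODE_NET.broadcast_address):
        raise ValueError(f'{ip} is not a host address in {NODE_NET}')
    return f'[Peer]\n# {name}\nPublicKey = {pub}\nAllowedIPs = {addr}/32\n'


# Constructed samples, not files from the project. The PrivateKey is a throwaway
# placeholder (bytes 0..31); never use it on a real node.
GOOD_CONF = """[Interface]
PrivateKey = AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
Address = 10.8.0.30/24

[Peer]
# Zion (central server)
PublicKey = 2ztJbrN1x1NWanzPGLiKL19ZkdOhm5Y7WeKEWBT5cyg=
Endpoint = ugh.im:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
"""
BAD_CONF = """[Interface]
PrivateKey = not-a-key
Address = 10.9.0.30/24

[Peer]
PublicKey = 2ztJbrN1x1NWanzPGLiKL19ZkdOhm5Y7WeKEWBT5cyg=
AllowedIPs = 10.8.0.30/24, ::/0
"""
```

`validate_conf(GOOD_CONF)` returns no findings; `validate_conf(BAD_CONF)` reports the malformed private key, the out-of-range address and the AllowedIPs entry with host bits set. A stanza from `zion_peer_block` appended to a config passes the same peer checks.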
### keys
Generate and print a private key.
Example:
```bash
# write the key to a 0600 file instead of pasting it on a command line (shell history)
(umask 077 && ./wgtool keys > mynode_private.key)
# derive the public key from the file
wg pubkey < mynode_private.key
```
### Quick start
1) Create a config and keys
```bash
./wgtool generate --hostname mynode --ip 10.8.0.30 --yes
```
2) Validate the config
```bash
./wgtool validate --target wireguard_configs/wg0.conf
```
3) Give Zion your peer details
```bash
./wgtool zion-peer --name mynode --pub "$(wg pubkey < wireguard_configs/mynode_private.key)" --ip 10.8.0.30
```
4) Install and enable (on your node)
```bash
# install with mode 0600 in one step (the file embeds the private key)
sudo install -m 600 -o root -g root wireguard_configs/wg0.conf /etc/wireguard/wg0.conf
sudo systemctl enable --now wg-quick@wg0
sudo wg show wg0   # interface is up; Zion's peer appears, with a latest-handshake line once traffic flows
```
Notes:
- IPs are enforced in the `10.8.0.x` range.
- In `full_tunnel` mode DNS is set to `1.1.1.1, 8.8.8.8`.
- Overwrites are blocked unless `--force` or confirmed interactively.