WireGuard configuration directives reference
Complete reference for WireGuard wg0.conf directives including Interface, Peer, and AllowedIPs settings.
WireGuard [Interface] Directives
| Directive | Description | Example |
|---|---|---|
| PrivateKey | The local peer's private key (generated with `wg genkey`). Required. | PrivateKey = yAnz5TF+lXXJte14... |
| Address | IP address and subnet for the WireGuard interface. | Address = 10.0.0.1/24 |
| ListenPort | UDP port for incoming WireGuard connections. Required on the server. | ListenPort = 51820 |
| DNS | DNS server(s) for the tunnel. `wg-quick` updates `/etc/resolv.conf`. | DNS = 1.1.1.1, 8.8.8.8 |
| MTU | Maximum transmission unit for the interface. WireGuard defaults to auto-detection. | MTU = 1420 |
| PostUp | Command(s) to run after the interface comes up. Used for NAT/firewall rules. | PostUp = iptables -A FORWARD -i wg0 -j ACCEPT |
| PostDown | Command(s) to run after the interface goes down. Used to clean up rules. | PostDown = iptables -D FORWARD -i wg0 -j ACCEPT |
| SaveConfig | If `true`, `wg-quick` saves the runtime configuration on shutdown. | SaveConfig = true |
WireGuard [Peer] Directives
| Directive | Description | Example |
|---|---|---|
| PublicKey | The remote peer's public key. Required. | PublicKey = xTIBA5rboUvnH4hto... |
| AllowedIPs | IP ranges this peer is allowed to send traffic from, and the destinations that are routed to it. Acts as both routing table and ACL. | AllowedIPs = 10.0.0.2/32 or 0.0.0.0/0 |
| Endpoint | The remote peer's public IP and port. Required on at least one side. | Endpoint = 203.0.113.1:51820 |
| PersistentKeepalive | Seconds between keepalive packets. Set to 25 for peers behind NAT. | PersistentKeepalive = 25 |
| PresharedKey | Optional pre-shared key for an additional symmetric encryption layer. | PresharedKey = 6JcAhSBHnZN... |
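
Added example (not part of the original reference and not WireGuard's own code): a Python model of how AllowedIPs acts as both routing table and ACL, plus a lint for a prefix listed on two peers. The peer names, addresses and helper functions are constructed for illustration.

```python
import ipaddress

# Constructed peer table: peer name -> AllowedIPs (illustrative values).
PEERS = {
    "laptop": ["10.0.0.2/32"],
    "branch": ["10.0.0.3/32", "192.168.50.0/24"],
    "exit":   ["0.0.0.0/0"],
}

def _table(peers):
    """Flatten to (network, peer) pairs, most specific prefix first."""
    rows = [(ipaddress.ip_network(cidr), name)
            for name, cidrs in peers.items() for cidr in cidrs]
    return sorted(rows, key=lambda r: r[0].prefixlen, reverse=True)

def route_outbound(peers, dst):
    """Routing-table role: the peer whose AllowedIPs best matches dst."""
    addr = ipaddress.ip_address(dst)
    for net, name in _table(peers):
        if addr in net:
            return name
    return None  # no peer owns this destination, so nothing is sent

def accept_inbound(peers, from_peer, src):
    """ACL role: after decryption, the inner source IP must map back to
    the peer that sent the packet; otherwise the packet is dropped."""
    return route_outbound(peers, src) == from_peer

def duplicate_prefixes(peers):
    """Lint: an identical prefix on two peers. WireGuard keeps it only on
    the peer it was set on last, silently removing it from the other."""
    owners = {}
    for name, cidrs in peers.items():
        for cidr in cidrs:
            owners.setdefault(str(ipaddress.ip_network(cidr)), []).append(name)
    return {net: names for net, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    for dst in ("10.0.0.2", "192.168.50.7", "8.8.8.8"):
        print(dst, "->", route_outbound(PEERS, dst))
    # A 0.0.0.0/0 peer still cannot spoof a more specific peer's address.
    print("exit as 10.0.0.2 accepted:", accept_inbound(PEERS, "exit", "10.0.0.2"))
    print("duplicates:", duplicate_prefixes(PEERS))
```
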