WireGuard

Example YAML of WireGuard interface configuration:

version: 1
interfaces:
- name: wg0
  type: wireguard
  state: up
  wireguard:
    private-key: xH4dTz3dN3LzP2gE2kR8pA7sV9cF0bN1mQ5wY6uJ8k=
    listen-port: 51820
    fwmark: 0
    peers:
    - endpoint: 192.0.2.1:51820
      public-key: r3V5cF0bN1mQ5wY6uJ8k=xH4dTz3dN3LzP2gE2kR8pA7sV9=
      preshared-key: p7sV9cF0bN1mQ5wY6uJ8k=xH4dTz3dN3LzP2gE2kR8pA=
      persistent-keepalive: 25
      allowed-ips:
      - ip: 10.0.0.0
        prefix-length: 24
      - ip: 192.168.0.0
        prefix-length: 16

private-key – Private key

Base64-encoded private key. Required when creating a new WireGuard interface. Displayed as <_hidden_> in debug/display output.

Set to <_hidden_> when applying to an existing interface to keep the current private key unchanged.

public-key – Public key

Base64-encoded public key. Query-only property, ignored when applying.

listen-port – Listen port

The UDP port to listen on for incoming connections. If not defined, the kernel will choose a random port.

fwmark – Firewall mark

The firewall mark (fwmark) value for outgoing packets.

peers – Peer configurations

List of peer configurations. If defined, overrides the existing peer list. If undefined, preserves current peers.

endpoint – Peer endpoint

The endpoint address and port of the peer in ip:port format, e.g. 192.0.2.1:51820. Mandatory for each peer configuration.

public-key – Peer public key

Base64-encoded public key of the peer. Used to identify the peer.

preshared-key – Preshared key

Base64-encoded preshared key, an optional additional layer of symmetric-key cryptography on top of the peer's public key. Displayed as <_hidden_> in debug/display output.

Set to <_hidden_> when applying to an existing interface to keep the current preshared key unchanged.

persistent-keepalive – Persistent keepalive

The interval in seconds between keepalive packets. Used to maintain NAT/bridge mappings.

allowed-ips – Allowed IPs

List of IP prefixes allowed for this peer. Each entry contains:

  • ip: The IP address.
  • prefix-length: The prefix length (CIDR mask).
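As an added example (not nmstate's own code, nor part of this page), a small Python linter that checks a state against the rules above before it is applied: key material must decode to exactly 32 bytes unless it is left as <_hidden_>, every peer needs an ip:port endpoint, and each allowed-ips entry must be a valid prefix; a 0/0 prefix is reported because it routes all traffic through that peer. The state dict is constructed to mirror the YAML above, with placeholder key values.

```python
import base64
import ipaddress
# Constructed nmstate-style state mirroring the YAML above (hypothetical values).
STATE = {"version": 1, "interfaces": [{
    "name": "wg0", "type": "wireguard", "state": "up",
    "wireguard": {
        "private-key": "<_hidden_>",         # keep the existing key on apply
        "listen-port": 51820,
        "peers": [{
            "endpoint": "192.0.2.1:51820",
            "public-key": base64.b64encode(b"\x01" * 32).decode(),  # placeholder
            "preshared-key": "not-base64!",  # deliberately malformed
            "allowed-ips": [{"ip": "10.0.0.1", "prefix-length": 24},
                            {"ip": "0.0.0.0", "prefix-length": 0}],
        }]}}]}

def valid_key(value):
    """WireGuard keys are 32 raw bytes: 44 base64 characters ending in '='."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def lint_wireguard(state):
    """Return a list of findings for every wireguard interface in state."""
    out = []
    for iface in state.get("interfaces", []):
        if iface.get("type") != "wireguard":
            continue
        name, wg = iface.get("name", "?"), iface.get("wireguard", {})
        pk = wg.get("private-key")  # None (missing) fails valid_key as well
        if pk != "<_hidden_>" and not valid_key(pk):
            out.append(f"{name}: private-key missing or not a 32-byte base64 key")
        for peer in wg.get("peers", []):
            host, sep, port = str(peer.get("endpoint", "")).rpartition(":")
            if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
                out.append(f"{name}: peer endpoint must be ip:port")
            if not valid_key(peer.get("public-key")):
                out.append(f"{name}: peer public-key is not a 32-byte base64 key")
            psk = peer.get("preshared-key")
            if psk not in (None, "<_hidden_>") and not valid_key(psk):
                out.append(f"{name}: peer preshared-key is not a 32-byte base64 key")
            for entry in peer.get("allowed-ips", []):
                cidr = f"{entry.get('ip')}/{entry.get('prefix-length')}"
                try:  # strict parsing rejects host bits set below the mask
                    if ipaddress.ip_network(cidr).prefixlen == 0:
                        out.append(f"{name}: allowed-ips {cidr} sends all traffic to this peer")
                except ValueError:
                    out.append(f"{name}: allowed-ips {cidr} is not a valid prefix")
    return out
```

Run against the constructed state it reports the malformed preshared key, the 10.0.0.1/24 entry with host bits set, and the 0.0.0.0/0 entry; the <_hidden_> private key and the valid peer public key pass.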

protocol-version – Protocol version

The WireGuard protocol version.

last-handshake – Last handshake time

Query-only property. Time elapsed since the last handshake with this peer (e.g. 32 seconds ago).

rx-bytes – Received bytes

Query-only property. Total bytes received from this peer.

tx-bytes – Transmitted bytes

Query-only property. Total bytes transmitted to this peer.