wgconfig —
configure wg interface parameters
  
  wgconfig wgN show peer name [--show-preshared-key]
  wgconfig wgN show private-key
  wgconfig wgN set private-key filename
  wgconfig wgN set listen-port port
  wgconfig wgN add peer name pubkey
      [--preshared-key=filename]
      [--endpoint=ip:port]
      [--allowed-ips=ip1/cidr1[,ip2/cidr2,...]]
  wgconfig wgN delete peer name
The wgconfig utility is used to configure or display a
  wg(4) interface's parameters and
  status. Every wg(4) interface can be
  configured with an IP address using
  ifconfig(8), a private key
  generated with wg-keygen(8),
  an optional listen port, and a collection of peers. Each peer has a public key
  and allowed IP addresses, and may optionally have a fixed endpoint IP address
  and a preshared secret key.
The following commands are supported:
  - show all
      Show all peers. No secret keys are included in the output.
  - show peer name [--show-preshared-key]
      Show the peer named name. By default, no secret keys are included
      in the output. With --show-preshared-key, also display the secret
      preshared key that the peer was configured to have with the
      --preshared-key option to wgconfig wgN add peer.
  - show private-key
      Show the private key that was set with wgconfig wgN set private-key.
  - set private-key filename
      Set the private key of wgN to the base64-encoded private key in the
      file at filename.
  - set listen-port port
      Set the UDP port number that wgN listens for incoming sessions on.
      This allows a peer to start a new session without having a specific
      endpoint IP address configured.
  - add peer name pubkey [options ...]
      Add a peer. The argument name may be passed to wgconfig wgN show peer
      and wgconfig wgN delete peer. The argument pubkey is the peer's
      base64-encoded public key, as printed by wg-keygen --pub.
      The following options may be specified:
      - --preshared-key=filename
          Set a secret preshared key generated by wg-keygen --psk.
          If the preshared key can be arranged in advance on a medium not
          subject to eavesdropping, then it defends against possible future
          quantum cryptanalysis of the X25519 key agreement. wgconfig still
          uses X25519 key agreements in order to erase past session keys so
          that past session transcripts remain secret should one of the
          endpoints be compromised in the future; the preshared key is an
          additional measure on top.
      - --endpoint=ip:port
          Set the peer's endpoint address outside the tunnel. This is
          optional for a VPN server if the wgconfig interface is configured
          to listen on a port number.
      - --allowed-ips=ip1/cidr1[,ip2/cidr2,...]
          Set the IP address ranges that the peer is allowed to select
          inside the tunnel.
  - delete peer name
      Delete the peer name previously added with wgconfig wgN add peer name.
See wg(4) for an example network
  topology and wgconfig usage.
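The sketch below is an added example, not part of wgconfig or NetBSD: a shell wrapper that checks the arguments of the add peer command described above before running it, and refuses a preshared key file that group or others can access. The names wg_add_peer and fail and the WGCONFIG override are hypothetical, and it assumes 32-byte keys, which encode to 44 base64 characters.

```sh
# Added example, not part of the wgconfig distribution.
# WGCONFIG is an assumed override (e.g. WGCONFIG=echo) to dry-run the checks.
fail() { echo "wg_add_peer: $*" >&2; exit 1; }

# usage: wg_add_peer ifname peername pubkey allowed-ips [pskfile] [endpoint]
wg_add_peer() (
    ifname=$1 name=$2 pubkey=$3 allowed=$4 psk=${5:-} endpoint=${6:-}

    # Assumption: a key is 32 bytes, i.e. 43 base64 characters plus one '='.
    printf '%s\n' "$pubkey" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
        fail "public key is not 44 characters of base64"

    # Every allowed-ips entry must be address/prefix; IPv4 must be a dotted quad.
    [ -n "$allowed" ] || fail "allowed-ips is required by this wrapper"
    old_ifs=$IFS; IFS=,
    for entry in $allowed; do
        case $entry in
        */*) addr=${entry%/*} len=${entry#*/} ;;
        *) fail "allowed-ips entry '$entry' has no /cidr" ;;
        esac
        case $len in ''|*[!0-9]*) fail "bad prefix length in '$entry'" ;; esac
        case $addr in
        *:*) max=128 ;;
        *) max=32
           printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
               fail "bad IPv4 address in '$entry'" ;;
        esac
        [ "$len" -le "$max" ] || fail "prefix length too long in '$entry'"
    done
    IFS=$old_ifs

    set -- "$ifname" add peer "$name" "$pubkey"
    if [ -n "$psk" ]; then
        # The preshared key is a secret: refuse a file group or others can access.
        [ -f "$psk" ] || fail "preshared key file '$psk' not found"
        [ "$(ls -ld -- "$psk" | cut -c5-10)" = "------" ] ||
            fail "preshared key file '$psk' is accessible to group or others"
        set -- "$@" "--preshared-key=$psk"
    fi
    [ -z "$endpoint" ] || set -- "$@" "--endpoint=$endpoint"
    "${WGCONFIG:-wgconfig}" "$@" "--allowed-ips=$allowed"
)
```

Setting WGCONFIG=echo prints the command line that would be run instead of executing it.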
The wgconfig command first appeared in
  NetBSD 10.0.
The wgconfig command was written by
  Ryota Ozaki ⟨ozaki.ryota@gmail.com⟩.