wg-quick compatiable config generator with additional features supported.
-
Clone this repo with
git clone https://github.com/Kiritow/wg-ops
-
Run
install.sh
. (May prompt sudo) -
Write a valid WireGuard
wg-quick
config file, with supported extension tags. (see below) -
Run
python3 generate.py
to convert extension tags into config lines. -
Bring it up with
wg-quick up
Start as service: systemctl start wg-quick@wg0
Start service on system start-up: systemctl enable wg-quick@wg0
See wg-quick(8) for more information.
python3 generate.py [-h] [-k] [-o filename] source_filename
-h Display this help and quit.
-k Output generated config to standard output
-o filename Output generated config to filename
. Default write to source_filename.gen
enable-bbr
Enable TCP BBR. Most of the time it's useful on VPS.
enable-forward
Set net.ipv4.ip_forward
to 1. Enable ip packet forward.
enable-dns-reload
Enable DNS reloader for peers with endpoint. For each peer, a transient timer and service will be created and try resolving endpoint domain name every 30 seconds. If the dns record of a domain changes, wg-ops will try to update wireguard interface endpoint settings live.
enable-collect-metrics
Enable metrics collector for this interface.
iptables-forward
Add iptables rules to accept forward from this wireguard interface. Example: iptables -A FORWARD -i wg0 -j ACCEPT
iptables-gateway
Add iptables rules to masquerade source ip as a gateway. Example: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
podman-user username
Run podman container as username
. Default to root
.
systemd-user username
Run systemd timers and services as username
. Default to root
. This does not affect services that require root permission.
udp2raw-server name port password
Setup a udp2raw server. Raw mode set to fake-tcp
. Expose & listen on port port
.
udp2raw-client name port remote password
Setup a udp2raw client. Listen on port port
.
udp2raw-client-mux name mux_size port remote password
Setup multiple (up to mux_size
) udp2raw clients. Listen on ports from port
to port + mux_size
gost-server name port
Setup a gost server. Forward mode set to relay+tls
. Expose & listen on port port
.
gost-client name port remote
Setup a gost client. Listen on port port
.
gost-client-mux name mux_size port remote
Setup multiple (up to mux_size
) gost clients. Listen on ports from port
to port + mux_size
trojan-server name port password cert_path key_path
Setup a trojan-go server. Expose & listen on port port
.
Requires a ssl certificate signed by trusted CA.
acme.sh is recommended for acquiring ssl certs. Make sure use fullchain.cer
as cert_path
trojan-client name port password remote_host target_port
Setup a trojan-go client. Listen on port port
.
trojan-client-mux name mux_size port password remote_host target_port
Setup multiple (up to mux_size
) trojan-go clients. Listen on ports from port
to port + mux_size
use-tunnel name
Use tunnel name
for this peer. wg-ops may add Endpoint=
or use wg set peer
to fullfill this requirement.
route-to ip_route_table
Used in chained WireGuard settings. Accept any traffic from ip_route_table
.
Interface marked with route-to
should have only one peer.
route-from ip_route_table
Used in chained WireGuard settings. Route traffic from all peers or a marked peer with ip_route_table
.
Example: The following config means all traffic from 10.44.0.2
will be forward to 10.33.0.1
wg0.conf (Should have only one peer)
[Interface]
Address=10.33.0.2
#route-to TABLE
[Peer]
AllowedIPs=10.33.0.1
wg1.conf
[Interface]
Address=10.44.0.1
[Peer]
AllowedIPs=10.44.0.2
#route-from TABLE
Make sure to setup firewall for better security. ufw is recommended for Ubuntu.