Diffstat (limited to 'wg-connect.1')
| -rw-r--r-- | wg-connect.1 | 164 |
1 files changed, 164 insertions, 0 deletions
diff --git a/wg-connect.1 b/wg-connect.1 new file mode 100644 index 0000000..dc8b356 --- /dev/null +++ b/wg-connect.1 
@@ -0,0 +1,164 @@ +.TH WG-CONNECT 1 "2026-06-23" "wg-connect 1.1" "User Commands" +.SH NAME +wg-connect \- bring a WireGuard tunnel up or down +.SH SYNOPSIS +.B wg-connect up +.I config +.br +.B wg-connect down +.RI [ name ] +.SH DESCRIPTION +.B wg-connect +manages a WireGuard tunnel on systems that lack +.BR wg-quick (8), +systemd, or bash - typically BusyBox-based distributions. +.PP +The +.B up +command parses a WireGuard configuration file, creates the tunnel +interface, applies keys and peers, assigns the address, installs +routes, and optionally updates +.IR /etc/resolv.conf . +State is saved to +.I /tmp/wg-connect.<iface>.state +so that +.B down +can cleanly tear everything down. +.PP +The +.B down +command reverses every action: restores the original DNS configuration, +removes endpoint-specific routes, deletes the interface, and restores +the previous default route. +.SH OPTIONS +.TP +.B up +.I config +Bring the tunnel up. +.I config +is required and is resolved as follows: +.RS +.IP \[bu] +If it contains a +.BR / , +it is used as a file path directly. +.IP \[bu] +If it ends in +.BR .conf , +it is tried in the current directory, then in +.IR /etc/wireguard/ . +.IP \[bu] +Otherwise it is treated as a name and looked up as +.IR /etc/wireguard/ <name> .conf . +.RE +.TP +.B down +.RI [ name ] +Tear a tunnel down. If +.I name +is given, the state file +.I /tmp/wg-connect.<name>.state +is used and the interface +.I <name> +is torn down. If omitted, the interface defaults to +.BR wg0 . +.RS +.IP +If the expected state file is missing but the interface still exists, +it is cleaned up as a leftover from a failed +.B up +attempt. +.RE +.SH CONFIGURATION FORMAT +The configuration file follows standard WireGuard syntax with an +.B [Interface] +section and one or more +.B [Peer] +sections. 
The +.BR wg-quick (8) +extensions +.BR Address , +.BR DNS , +.BR MTU , +.BR Table , +.BR PreUp , +.BR PostUp , +.BR PreDown , +.BR PostDown , +and +.B SaveConfig +are tolerated in the file but are handled by +.B wg-connect +itself rather than passed to +.BR "wg setconf" . +.PP +.BR Address , +.BR DNS , +.BR Endpoint , +and +.B AllowedIPs +are the fields that drive the script's own setup logic. All other +fields are forwarded to the kernel through +.BR "wg setconf" . +.PP +The interface name is derived from the configuration file's basename +(minus the +.I .conf +extension), matching +.BR wg-quick (8) +behaviour. +.PP +Multiple +.B [Peer] +sections are supported. +.B AllowedIPs +values are accumulated across all peers, and an explicit route to each +.BR Endpoint 's +IP address is added through the original default gateway before the +default route is replaced. +.SH FILES +.TP +.I /etc/wireguard/*.conf +Configuration files, looked up by name. +.TP +.I /tmp/wg-connect.<iface>.state +Runtime state written by +.B up +and consumed by +.BR down . +.TP +.I /tmp/resolv.conf.wg.bak +Backup of +.I /etc/resolv.conf +taken before the VPN DNS is installed. +.TP +.I /tmp/wg-connect.<pid>.conf +Temporary filtered configuration passed to +.BR "wg setconf" . +.SH EXIT STATUS +.TP +0 +Success. +.TP +1 +An error occurred (missing arguments, configuration file not found, +interface already up, state file missing on +.BR down , +or usage error). +.SH NOTES +.B wg-connect +must be run as root. It manipulates network interfaces, the routing +table, and +.IR /etc/resolv.conf . +.PP +IPv6 addresses in +.B AllowedIPs +and +.B Endpoint +are silently skipped. BusyBox +.B ip +often lacks reliable IPv6 support. +.SH SEE ALSO +.BR wg (8), +.BR wg-quick (8), +.BR ip (8) |
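Review bot: The FILES section lists three predictable paths under /tmp (/tmp/wg-connect.<iface>.state, /tmp/resolv.conf.wg.bak, /tmp/wg-connect.<pid>.conf) for a tool that NOTES says must run as root, and nowhere states how they are created or what owner and mode they get. Because down consumes the state file, /etc/resolv.conf is restored from the backup, and the temporary file is the filtered configuration handed to wg setconf (so it likely carries the keys), the page should document the expected permissions and what happens if a path already exists, or the files should move to a root-only directory such as /run. The backup name is also not per-interface, unlike the state file, so say whether a second tunnel overwrites it. Separately, EXIT STATUS lists "state file missing on down" as an error, while the down entry under OPTIONS says a missing state file with a live interface is cleaned up as a leftover; state which exit code that cleanup path returns. In CONFIGURATION FORMAT, "handled by wg-connect itself" reads as if PreUp, PostUp, PreDown, PostDown, MTU, Table and SaveConfig are acted on, but the next paragraph names only Address, DNS, Endpoint and AllowedIPs as driving setup and says all other fields are forwarded to wg setconf; say explicitly which extensions are executed, which are ignored, and that ignored ones are stripped rather than forwarded.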
