.TH WG-CONNECT 1 "2026-06-23" "wg-connect 1.1" "User Commands" .SH NAME wg-connect \- bring a WireGuard tunnel up or down .SH SYNOPSIS .B wg-connect up .I config .br .B wg-connect down .RI [ name ] .SH DESCRIPTION .B wg-connect manages a WireGuard tunnel on systems that lack .BR wg-quick (8), systemd, or bash - typically BusyBox-based distributions. .PP The .B up command parses a WireGuard configuration file, creates the tunnel interface, applies keys and peers, assigns the address, installs routes, and optionally updates .IR /etc/resolv.conf . State is saved to .I /tmp/wg-connect..state so that .B down can cleanly tear everything down. .PP The .B down command reverses every action: restores the original DNS configuration, removes endpoint-specific routes, deletes the interface, and restores the previous default route. .SH OPTIONS .TP .B up .I config Bring the tunnel up. .I config is required and is resolved as follows: .RS .IP \[bu] If it contains a .BR / , it is used as a file path directly. .IP \[bu] If it ends in .BR .conf , it is tried in the current directory, then in .IR /etc/wireguard/ . .IP \[bu] Otherwise it is treated as a name and looked up as .IR /etc/wireguard/ .conf . .RE .TP .B down .RI [ name ] Tear a tunnel down. If .I name is given, the state file .I /tmp/wg-connect..state is used and the interface .I is torn down. If omitted, the interface defaults to .BR wg0 . .RS .IP If the expected state file is missing but the interface still exists, it is cleaned up as a leftover from a failed .B up attempt. .RE .SH CONFIGURATION FORMAT The configuration file follows standard WireGuard syntax with an .B [Interface] section and one or more .B [Peer] sections. The .BR wg-quick (8) extensions .BR Address , .BR DNS , .BR MTU , .BR Table , .BR PreUp , .BR PostUp , .BR PreDown , .BR PostDown , and .B SaveConfig are tolerated in the file but are handled by .B wg-connect itself rather than passed to .BR "wg setconf" . .PP .BR Address , .BR DNS , .BR Endpoint , and .B AllowedIPs are the fields that drive the script's own setup logic. All other fields are forwarded to the kernel through .BR "wg setconf" . .PP The interface name is derived from the configuration file's basename (minus the .I .conf extension), matching .BR wg-quick (8) behaviour. .PP Multiple .B [Peer] sections are supported. .B AllowedIPs values are accumulated across all peers, and an explicit route to each .BR Endpoint 's IP address is added through the original default gateway before the default route is replaced. .SH FILES .TP .I /etc/wireguard/*.conf Configuration files, looked up by name. .TP .I /tmp/wg-connect..state Runtime state written by .B up and consumed by .BR down . .TP .I /tmp/resolv.conf.wg.bak Backup of .I /etc/resolv.conf taken before the VPN DNS is installed. .TP .I /tmp/wg-connect..conf Temporary filtered configuration passed to .BR "wg setconf" . .SH EXIT STATUS .TP 0 Success. .TP 1 An error occurred (missing arguments, configuration file not found, interface already up, state file missing on .BR down , or usage error). .SH NOTES .B wg-connect must be run as root. It manipulates network interfaces, the routing table, and .IR /etc/resolv.conf . .PP IPv6 addresses in .B AllowedIPs and .B Endpoint are silently skipped. BusyBox .B ip often lacks reliable IPv6 support. .SH SEE ALSO .BR wg (8), .BR wg-quick (8), .BR ip (8)