.TH WG-CONNECT 1 "2026-06-23" "wg-connect 1.1" "User Commands"
.SH NAME
wg-connect \- bring a WireGuard tunnel up or down
.SH SYNOPSIS
.B wg-connect up
.I config
.br
.B wg-connect down
.RI [ name ]
.SH DESCRIPTION
.B wg-connect
manages a WireGuard tunnel on systems that lack
.BR wg-quick (8),
systemd, or bash (typically BusyBox-based distributions).
.PP
The
.B up
command parses a WireGuard configuration file, creates the tunnel
interface, applies keys and peers, assigns the address, installs
routes, and optionally updates
.IR /etc/resolv.conf .
State is saved to
.I /tmp/wg-connect.<iface>.state
so that
.B down
can cleanly tear everything down.
.PP
The
.B down
command reverses every action: restores the original DNS configuration,
removes endpoint-specific routes, deletes the interface, and restores
the previous default route.
.SH OPTIONS
.TP
.B up
.I config
Bring the tunnel up.
.I config
is required and is resolved as follows:
.RS
.IP \[bu]
If it contains a
.BR / ,
it is used as a file path directly.
.IP \[bu]
If it ends in
.BR .conf ,
it is tried in the current directory, then in
.IR /etc/wireguard/ .
.IP \[bu]
Otherwise it is treated as a name and looked up as
.IR /etc/wireguard/ <name> .conf .
.RE
.TP
.B down
.RI [ name ]
Tear a tunnel down. If
.I name
is given, the state file
.I /tmp/wg-connect.<name>.state
is used and the interface
.I <name>
is torn down. If omitted, the interface defaults to
.BR wg0 .
.RS
.IP
If the expected state file is missing but the interface still exists,
it is cleaned up as a leftover from a failed
.B up
attempt.
.RE
.SH CONFIGURATION FORMAT
The configuration file follows standard WireGuard syntax with an
.B [Interface]
section and one or more
.B [Peer]
sections. The
.BR wg-quick (8)
extensions
.BR Address ,
.BR DNS ,
.BR MTU ,
.BR Table ,
.BR PreUp ,
.BR PostUp ,
.BR PreDown ,
.BR PostDown ,
and
.B SaveConfig
are tolerated in the file but are handled by
.B wg-connect
itself rather than passed to
.BR "wg setconf" .
.PP
.BR Address ,
.BR DNS ,
.BR Endpoint ,
and
.B AllowedIPs
are the fields that drive the script's own setup logic. All other
fields are forwarded to the kernel through
.BR "wg setconf" .
.PP
The interface name is derived from the configuration file's basename
(minus the
.I .conf
extension), matching
.BR wg-quick (8)
behaviour.
.PP
Multiple
.B [Peer]
sections are supported.
.B AllowedIPs
values are accumulated across all peers, and an explicit route to each
.BR Endpoint 's
IP address is added through the original default gateway before the
default route is replaced.
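.PP
The following is an added example, not part of
.B wg-connect
or its original manual: one way to drop the extension keys listed above before calling
.BR "wg setconf" ,
writing the result to a file only its owner can read because it still holds the private key.
The function names, the temporary file name, and the sample configuration are assumptions made for illustration.
.PP
.nf

```sh
#!/bin/sh
# Added example, not wg-connect's own code; all names here are illustrative.

# Print the config at $1 without the wg-quick(8) extension keys listed in
# this man page. Case-insensitive key matching is this example's choice.
strip_wgquick_keys() {
    awk '
    BEGIN {
        n = split("address dns mtu table preup postup predown postdown saveconfig", k, " ")
        for (i = 1; i <= n; i++) drop[k[i]] = 1
    }
    {
        line = $0
        sub(/#.*/, "", line)          # ignore comments when looking for a key
        eq = index(line, "=")
        # split() with the default separator trims blanks around the key
        if (eq > 0 && split(substr(line, 1, eq - 1), part) == 1 &&
            (tolower(part[1]) in drop))
            next                      # extension key: keep it away from wg
        print
    }' "$1"
}

# Write the filtered config to a fresh mode-0600 file and print its path.
# Usage: f=$(write_filtered /etc/wireguard/wg0.conf) && wg setconf wg0 "$f"
write_filtered() {
    (
        umask 077
        out=$(mktemp "${TMPDIR:-/tmp}/wg-filtered.XXXXXX") || exit 1
        strip_wgquick_keys "$1" > "$out" || { rm -f "$out"; exit 1; }
        echo "$out"
    )
}

# Constructed sample input: placeholder keys, documentation addresses.
sample_config() {
    cat <<'EOF'
[Interface]
PrivateKey = <constructed-private-key>
Address = 10.0.0.2/32
dns = 10.0.0.1
PostUp = echo tunnel up
ListenPort = 51820

[Peer]
PublicKey = <constructed-public-key>
Endpoint = 192.0.2.10:51820
AllowedIPs = 0.0.0.0/0
EOF
}
```

.fi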
.SH FILES
.TP
.I /etc/wireguard/*.conf
Configuration files, looked up by name.
.TP
.I /tmp/wg-connect.<iface>.state
Runtime state written by
.B up
and consumed by
.BR down .
.TP
.I /tmp/resolv.conf.wg.bak
Backup of
.I /etc/resolv.conf
taken before the VPN DNS is installed.
.TP
.I /tmp/wg-connect.<pid>.conf
Temporary filtered configuration passed to
.BR "wg setconf" .
.SH EXIT STATUS
.TP
0
Success.
.TP
1
An error occurred (missing arguments, configuration file not found,
interface already up, state file missing on
.BR down ,
or usage error).
.SH NOTES
.B wg-connect
must be run as root. It manipulates network interfaces, the routing
table, and
.IR /etc/resolv.conf .
.PP
IPv6 addresses in
.B AllowedIPs
and
.B Endpoint
are silently skipped. BusyBox
.B ip
often lacks reliable IPv6 support.
.SH SEE ALSO
.BR wg (8),
.BR wg-quick (8),
.BR ip (8)