A simple WireGuard user management script for use on the VPN server. It can generate client configuration files and QR codes (with
Pull requests are welcome. So many of these forks are stale, and there's not much indication of whether PRs are encouraged. Some forks have deviated from the original quite a lot, making PRs an absolute hassle.
The script assumes the WireGuard directory is
Configuration is done in
wg.def.sample file is provided in this repository.
You can generate the public key and private key with command
wg genkey | tee > prikey | wg pubkey > pubkey.
|_INTERFACE||Name of the WireGuard interface|
|_OUTBOUND_INTERFACE||Network interface to send outbound traffic to (probably
|_VPN_NET||Network to be used by WireGuard in CIDR notation|
|_DNS_SERVERS||DNS servers clients will use|
|_KEEPALIVE||Keepalive duration (seconds)|
|_SERVER_PORT||Post WireGuard will listen on|
|_SERVER_LISTEN||Where clients will connect to|
|_SERVER_PUBLIC_KEY||Public key of the WireGuard interface|
|_SERVER_PRIVATE_KEY||Private key of the WireGuard interface|
|_USE_COMMON_PEERS_CONF||If not set to
All commands must be run as root (use
sudo is logged in as a non-root user).
This script does not automatically start WireGuard on first run, you must do that yourself.
wg-quick up wg0
Add a user
Generates a new client configuration using the next available IP address, and adds it to the server.
./user.sh -a alice
Delete a user
Deletes a client from the server.
./user.sh -d alice
View a previously generated user
Shows the client's configuration and prints the QR code to the terminal.
./user.sh -v alice
Clear everything to start again
Install server configuration
Generates the server's configuration and copies it to
/etc/wireguard. Does not change anything on the running WireGuard interface itself, it only copies the configuration.
Generate available IPs
.available_ip file. You do not need to run this yourself.
I'm mostly writing this as I (s-thom) figure it out for myself. When I started I already had manually set up an interface, and wanted to preserve all of that. Hopefully these notes will help someone else if they need to do the same.
The users directory contains directories for each of the configured clients. Each directory contains:
client.all.config: Client WireGuard config with
AllowedIPs = 0.0.0.0/0
client.config: Client WireGuard config with
AllowedIPs = <your-vpn-only>
privatekey: Private key of the client, ends with newline
publickey: Public key of the client, ends with newline
<client-name>.all.png: QR code for
<client-name>.png: QR code for
Each line is an address in your VPN in CIDR notation. When a client is added, the first line of this file will be used for the address. This can be used to manually set the IP for the next user (just make sure to remove it from the generated list).
.saved is an important file, as it is used when generating the server configuration to be applied. Each line is of the format:
<client-name> <client-ip>/<subnet-size> <client-public-key>
This is a temporary file that is generated during modifications, then immediately copied into
/etc/wireguard. Modifications made directly to the file do not persist.