WireGuard (Deep-Dive)

Tunnels, routing, firewall, and debugging

wg show / wg showconf
Show tunnel status (peers, endpoints, latest handshake, transfer counters) and the live config. showconf prints the interface's private key, so do not paste or log its output.
sudo wg show
sudo wg showconf wg0
wireguard
wg-quick up/down
Bring tunnel up/down
sudo wg-quick down wg0 && sudo wg-quick up wg0
wireguard
PersistentKeepalive
Keep NAT/stateful-firewall mappings alive (seconds). Set it on the peer that sits behind NAT; the publicly reachable side does not need it.
# in the [Peer] section of the NAT'd side
PersistentKeepalive = 25
nat
AllowedIPs & routing
Split vs full-tunnel routes. AllowedIPs is both the route list wg-quick installs and the cryptokey routing ACL: a packet arriving from a peer is dropped unless its source is inside that peer's AllowedIPs, and an outgoing packet is only sent to the peer whose AllowedIPs cover its destination.
# split tunnel (client side): only the VPN subnet goes through the peer
AllowedIPs = 10.0.0.0/24
# full tunnel (client side): everything goes through the peer
AllowedIPs = 0.0.0.0/0, ::/0
# on the server, each client's [Peer] keeps just its tunnel address (e.g. a /32), never 0.0.0.0/0
routing
nftables pass-through
Permit the WG listener and forward traffic arriving from the tunnel. With a drop policy on the forward chain, return traffic needs its own rule (oifname wg0, or ct state established,related), and a full-tunnel gateway also needs a masquerade/snat rule in postrouting for the 10.0.0.0/24 clients.
nft add rule inet filter input udp dport 51820 accept
nft add rule inet filter forward iifname 'wg0' accept
nftables
tcpdump to debug WG
Check handshake/data. Everything on the wire is encrypted UDP; a handshake initiation is a 148-byte packet and the response 92 bytes, so a one-way stream of 148-byte packets with no 92-byte reply means the far side is unreachable or rejecting the key. Confirm completion with the "latest handshake" line in wg show.
sudo tcpdump -ni any udp port 51820
debug
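The counterpart to watching the wire is checking handshake age per peer. As an added example (not from the original cheat sheet or the WireGuard project), the script below parses the tab-separated output of `wg show <iface> dump` (interface line first, then one line per peer: public key, preshared key, endpoint, allowed-ips, latest-handshake epoch, rx bytes, tx bytes, keepalive) and reports peers that have never handshaked or whose last handshake is older than a threshold. The dump text and the PEERA=/PEERB=/PEERC= keys are constructed sample data so it runs offline; on a real host, pass `$(sudo wg show wg0 dump)` as the third argument.

```shell
#!/bin/sh
# Added example: find WireGuard peers with stale or missing handshakes.
# Input format is that of `wg show <iface> dump` (tab-separated).

# Constructed sample standing in for `sudo wg show wg0 dump`; keys are placeholders.
SAMPLE_DUMP=$(printf '%s\n' \
    '(none)	SERVERPUB=	51820	off' \
    'PEERA=	(none)	203.0.113.10:41641	10.0.0.2/32	1700000000	123456	654321	25' \
    'PEERB=	(none)	(none)	10.0.0.3/32	0	0	0	off' \
    'PEERC=	(none)	198.51.100.7:51820	10.0.0.4/32	1699999000	9999	8888	off')

# stale_peers NOW_EPOCH MAX_AGE_SECONDS [DUMP_TEXT]
# Prints "<pubkey> <age-in-seconds>" for peers whose latest handshake is older
# than MAX_AGE_SECONDS, and "<pubkey> never" for peers that have not handshaked.
# Peers that are fresh are not printed.
stale_peers() {
    now="$1"; max="$2"; dump="${3:-$SAMPLE_DUMP}"
    printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v max="$max" '
        NR == 1 { next }                    # first line describes the interface, not a peer
        NF < 8  { next }                    # guard against anything that is not a peer line
        $5 == 0 { print $1, "never"; next } # latest-handshake of 0 means no handshake yet
        now - $5 > max { print $1, now - $5 }
    '
}

# peer_count [DUMP_TEXT]: number of peer lines in the dump (sanity check for monitoring).
peer_count() {
    dump="${1:-$SAMPLE_DUMP}"
    printf '%s\n' "$dump" | awk -F'\t' 'NR > 1 && NF >= 8 { n++ } END { print n + 0 }'
}

# Usage against the sample: report anything older than 3 minutes as of epoch 1700000100.
stale_peers 1700000100 180
```

A handshake normally recurs every two minutes or so while traffic flows (and at least every few minutes with PersistentKeepalive set), so a threshold of about three minutes separates "idle" from "broken"; a peer that shows up as never is usually a key or endpoint mismatch rather than a network problem.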
resolvectl, DNS split
Per-link DNS for the WG interface with systemd-resolved: queries for corp.example go to the tunnel resolver, everything else keeps the default link. Prefix the domain with ~ (routing domain) if you do not also want it used as a search suffix.
resolvectl dns wg0 10.0.0.53
resolvectl domain wg0 corp.example
resolvectl status wg0
dns
PreUp/PostUp hooks
Apply routes/policy rules/firewall rules when the tunnel comes up, and undo them on PostDown so a restart leaves no stale state. wg-quick expands %i to the interface name inside hook commands. Hooks run as root, so keep them to fixed commands.
[Interface]
PostUp = ip rule add from 10.0.0.2 table 200
PostDown = ip rule del from 10.0.0.2 table 200
advanced