Best way to set up WireGuard interface using CLI/script

I'm able to get WireGuard working well by setting it up via the Web UI. I'd love some advice on the best way to configure/set up a new connection via the command line, in order to automate this across a number of devices. Although my question is in the context of a WireGuard connection, I suppose it could apply to any new virtual network connection.

In Ubuntu for example I would generate a wg0.conf file and just run that through wg-quick, which takes care of the rest. I'm wondering what the closest equivalent is in OpenWrt (and yes, I'm a bit of an OpenWrt noob). The three options I've come across seem to be:

  1. Have my script directly modify /etc/config/network and /etc/config/firewall. This doesn't feel right to me and I assume isn't the preferred approach.
  2. Use a set of uci commands, like those listed in https://openwrt.org/docs/guide-user/services/vpn/wireguard/client. This seems ok, though relatively verbose; ideally, I'd like to issue the minimal necessary set of instructions. Also I can see that the configuration via the Web UI actually does something different to what's shown in that guide, for example with respect to firewall rules.
  3. Invoke /lib/netifd/proto/wireguard.sh with my desired configuration. I can see that this script is run when I set up WireGuard via the Web UI – but I'm not really sure whether invoking it directly is the correct way to set up/configure a new connection, or whether it's simply something that gets run in the process of bringing up the connection.

Any pointers welcome!

UPDATE: Based on my reading of https://openwrt.org/docs/guide-user/base-system/uci, I gather that Option #2 is probably better than Option #1. But I still don't know what to make of #2 vs #3.

I am not sure if you have seen this already.

Thanks @trendy - yes I did; I suppose I see it as a more specific case of https://openwrt.org/docs/guide-user/services/vpn/wireguard/client (in my case the server is already set up; I just need to provision clients).

Either way, I guess that's a vote for approach #2? And running /lib/netifd/proto/wireguard.sh (approach #3) isn't something I should look to do directly?

There you are:

Yes, the guide was written by an esteemed member of the forum and it is tested to work reliably.

1 Like

Cool, thanks @trendy. Again, while this doesn't explicitly answer my actual question, the fact that these guides involve running scripts based on uci commands implies that approach #2 is the correct one to take.

And the /lib/netifd/proto/wireguard.sh file is a helper script used by netifd, rather than something I should be running (even though the command wireguard.sh wireguard setup wg0 {"proto":"wireguard","private_key":"xxx",...} does do something relevant - which is what was confusing me).

1 Like
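One way to script approach #2 for client provisioning, as an added example that is not part of this thread or of OpenWrt's own tooling: a POSIX sh function emits a `uci batch` script for a WireGuard client interface, and a wrapper applies it on a device where `uci` is present. It assumes the interface is called wg0, the peer lives in a named section wgpeer_wg0 of type wireguard_wg0, and firewall zone index 0 is the lan zone (the OpenWrt default layout); the keys, addresses and endpoint are constructed placeholders. The private key is read from a file rather than passed as an argument, so it does not appear in `ps` output or shell history, and every value is checked before it is quoted into the batch so a stray quote cannot break out of the uci argument.

```shell
#!/bin/sh
# Added example: generate and apply uci configuration for a WireGuard client
# interface on OpenWrt. Not OpenWrt's own tooling; see assumptions in comments.

# Reject empty values and characters that would break out of a single-quoted
# uci batch argument (quotes, whitespace). Keys, CIDRs, hosts never need them.
_safe() {
    case "$1" in
        ''|*\'*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# wg_uci_batch IFACE PRIVKEY_FILE ADDRESS PEER_PUBKEY ENDPOINT_HOST ENDPOINT_PORT ALLOWED_IPS [ZONE_IDX]
# Prints a `uci batch` script on stdout; returns 1 on bad input.
# ZONE_IDX defaults to 0 (assumed to be the lan zone in a default config).
wg_uci_batch() {
    iface=$1; privkey_file=$2; address=$3; peer_pub=$4
    ep_host=$5; ep_port=$6; allowed=$7; zone=${8:-0}

    # Private key comes from a file (mode 0600 recommended), never from argv.
    privkey=$(cat "$privkey_file" 2>/dev/null) || return 1
    # A WireGuard key is 32 bytes, i.e. 44 base64 characters ending in '='.
    [ "${#privkey}" -eq 44 ] || { echo "bad private key length" >&2; return 1; }
    case "$privkey" in *=) ;; *) echo "bad private key encoding" >&2; return 1 ;; esac

    for v in "$iface" "$privkey" "$address" "$peer_pub" "$ep_host" "$ep_port" "$allowed" "$zone"; do
        _safe "$v" || { echo "unsafe or empty value: $v" >&2; return 1; }
    done

    cat <<EOF
set network.${iface}=interface
set network.${iface}.proto='wireguard'
set network.${iface}.private_key='${privkey}'
add_list network.${iface}.addresses='${address}'
set network.wgpeer_${iface}=wireguard_${iface}
set network.wgpeer_${iface}.description='${ep_host}'
set network.wgpeer_${iface}.public_key='${peer_pub}'
set network.wgpeer_${iface}.endpoint_host='${ep_host}'
set network.wgpeer_${iface}.endpoint_port='${ep_port}'
set network.wgpeer_${iface}.persistent_keepalive='25'
set network.wgpeer_${iface}.route_allowed_ips='1'
add_list network.wgpeer_${iface}.allowed_ips='${allowed}'
add_list firewall.@zone[${zone}].network='${iface}'
commit network
commit firewall
EOF
}

# wg_uci_apply: same arguments as wg_uci_batch. Removes any previous copy of the
# sections first so a re-run replaces rather than duplicates list entries, then
# feeds the batch to uci and brings the interface up. Only meaningful on OpenWrt.
wg_uci_apply() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; not on OpenWrt?" >&2; return 1; }
    batch=$(wg_uci_batch "$@") || return 1
    uci -q delete "network.$1" || true
    uci -q delete "network.wgpeer_$1" || true
    uci -q del_list "firewall.@zone[${8:-0}].network=$1" || true
    # The batch text contains the private key: keep it in memory, do not log it.
    printf '%s\n' "$batch" | uci batch || return 1
    ifup "$1"
}

# Usage on a device:  sh wg-provision.sh apply wg0 /root/wg0.key 10.0.0.2/24 \
#     '<peer-public-key>' vpn.example.com 51820 0.0.0.0/0
if [ "${1:-}" = "apply" ]; then
    shift
    wg_uci_apply "$@"
fi
```

Running the script with `apply` on the router performs the equivalent of the uci sequence in the wiki guide in one step; without `apply` you can source it and call `wg_uci_batch` to review the generated batch first. Because `route_allowed_ips` is set and the interface is placed in the lan zone, traffic policy for the tunnel follows whatever forwarding the lan zone already allows; if the client should be isolated, give it its own zone index instead of 0.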
