
andrianbdn / wg-cmd


TUI for managing WireGuard configuration files

License: MIT License

Go 99.17% Shell 0.15% Makefile 0.69%
linux-server tui vpn-server wireguard

wg-cmd's Introduction

WG Commander

aka "wg-cmd" — TUI for managing WireGuard configuration files

Features

  • no need for a browser or HTTP port - works in the terminal, over SSH too
  • has a nice Setup Wizard
  • text-based user interface for managing peers
  • view QR code in the terminal
  • automatically configures sysctl, systemd, NAT

Current Limitations

  • supports only simple client-server WireGuard setup
  • mostly for Linux (assumes iptables, systemd, sysctl are available) — see Other OS section
  • can't manage existing WireGuard configuration (but you can create new WireGuard interfaces on the same host)

Installation

Make sure you have WireGuard and iptables installed (apt install wireguard-tools in Ubuntu / Debian, dnf install wireguard-tools iptables in Rocky/Alma 9).

To download using curl run:

# for x86_64 
curl -SL https://github.com/andrianbdn/wg-cmd/releases/download/v0.1.5/wg-cmd-0.1.5-linux-amd64 -o /usr/local/bin/wg-cmd

# for arm64 
curl -SL https://github.com/andrianbdn/wg-cmd/releases/download/v0.1.5/wg-cmd-0.1.5-linux-arm64 -o /usr/local/bin/wg-cmd

Set proper permissions and run the tool:

chmod 755 /usr/local/bin/wg-cmd
wg-cmd

If /usr/local/bin is not in your $PATH, run the tool by its full path: /usr/local/bin/wg-cmd.

WG Commander requires root permissions to automatically tune sysctl, to create systemd units and to write to /etc/wireguard.

Usage

On the first run, WG Commander shows the setup wizard, which lets you configure a new WireGuard interface interactively.

On subsequent runs (if the wizard completed successfully) it displays the management TUI.

Note regarding the QR code: some devices (Android?) may require a higher quality QR code. WG Commander will automatically increase quality when you make Terminal window resolution larger (smaller font, larger window).

Advanced usage

You can run WG Commander as a non-root user if you change permissions on /etc/wireguard and configure sysctl/systemd manually.

WG Commander keeps its own UI config in ~/.config/wg-cmd/wg-cmd.toml

The most important options are:

WireguardDir = "/etc/wireguard"
# directory for WireGuard configuration files 

DatabaseDir = "/etc/wireguard"
# directory for WG Commander database files (wgc-<interface-name>)

You can change these options to point to directories that you have write access to.

Special options

Run wg-cmd new to start the wizard for a new interface configuration.

Run wg-cmd <wg-interface> to switch to a specific interface (it must have been created with wg-cmd beforehand).

Run wg-cmd <wg-interface> make to generate the WireGuard configuration without showing the UI.

Configuration

WG Commander uses directories as its "database". It stores the interface configuration in the /etc/wireguard/wgc-<interface-name> directory.

The configuration is stored using TOML file format.

Most configuration keys are similar to WireGuard ones.

server configuration (0001-server.toml)

Some keys in this configuration file will actually be used for generating client configuration files.

ClientRoute - AllowedIPs for client config

ClientDNS - DNS configuration value for all clients

ClientServerEndpoint - Endpoint for client config

ClientPersistentKeepalive - PersistentKeepalive for client config

MTU - MTU for the server and client (0 — make WireGuard choose)

client configuration (nnnn-%client%.toml)

ClientRoute - completely overrides the ClientRoute from the server config

AddServerRoute - adds an additional network to AllowedIPs for the client on the server side (useful when you want to route traffic from one client to another client's network through the server)

MTU - Override server MTU with a different value for this client. Set to -1 to omit MTU from this WireGuard client config.

DNS - Override server ClientDNS setting for all clients. Specify a comma separated IP list. Set to no or none to omit DNS from this WireGuard client config.

Client configuration files contain a PrivateKey field. If you find this unacceptable, you can remove it from the file after you have exported the configuration (or QR code) to the client.
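Added example (not part of wg-cmd): a shell audit of one wgc-<interface-name> database directory that reports client files still holding a PrivateKey and any file readable by group or others, which matters most when the directory permissions were relaxed for non-root use. The function names, the assumed PrivateKey = "..." line format and the sample directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of wg-cmd. Assumptions: client files are named
# nnnn-<client>.toml and keep the key on a line of the form PrivateKey = "...".

# Constructed sample database directory (placeholder key, not a real one).
build_sample_dir() {
    d=$(mktemp -d)
    printf 'ClientDNS = "10.0.0.1"\nMTU = 0\n' > "$d/0001-server.toml"
    printf 'PrivateKey = "CONSTRUCTED-PLACEHOLDER"\nMTU = 1384\n' > "$d/0002-laptop.toml"
    printf 'MTU = 1384\n' > "$d/0003-phone.toml"
    chmod 600 "$d/0001-server.toml" "$d/0002-laptop.toml"
    chmod 644 "$d/0003-phone.toml"
    echo "$d"
}

# audit_wgc_dir DIR: print one finding per line; return non-zero if any were found.
audit_wgc_dir() {
    dir=$1
    findings=0
    for f in "$dir"/[0-9][0-9][0-9][0-9]-*.toml; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Any group/other permission bit on a database file is a finding.
        mode=$(stat -c %a "$f")   # GNU/BusyBox stat, as shipped on Linux
        case $mode in
            0|*00) ;;
            *) echo "LOOSE_MODE $mode $name"; findings=$((findings + 1)) ;;
        esac
        # Only client files are checked for a leftover key.
        [ "$name" = "0001-server.toml" ] && continue
        if grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*"?[^"[:space:]]' "$f"; then
            echo "CLIENT_KEY_PRESENT $name"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /etc/wireguard/wgc-wg7
if [ $# -gt 0 ]; then audit_wgc_dir "$1"; fi
```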

Other OS besides Linux

WG Commander is designed to work on Linux, because it uses procfs, systemd, iptables, sysctl. However, it is written in plain Go, so it should work on any OS that Go supports.

  • You will need to compile the binary yourself.
  • Set the environment variable WG_CMD_NO_DEPS to 1 to disable any Linux-specific checks on start.
  • Edit 0001-server.toml and set your OS commands in PostUp4/PostUp6/PostDown4/PostDown6 fields.
  • You will need to reload the WireGuard configuration yourself: either manually whenever you change something, or by monitoring the /etc/wireguard/wg*.conf files for changes and reloading WireGuard automatically.

PRs are welcome to add support for other OSes.

Running in Docker

Although it is possible, it is not recommended to run WG Commander in Docker.

The Setup Wizard will not work properly, because it needs to create systemd units and modify sysctl.

Uninstall

To uninstall WG Commander, just remove the binary /usr/local/bin/wg-cmd. You can also remove the directories /etc/wireguard/wgc-* and ~/.config/wg-cmd.

If you have created systemd units, you will need to remove them manually.

Below is an example of how to remove WG Commander managed interface wg7 (change it to whatever interface you need to delete):

systemctl stop wgc-wg7.{path,service}
systemctl disable wgc-wg7.{path,service}
rm /etc/systemd/system/wgc-wg7.{path,service}
systemctl stop wg-quick@wg7.service
systemctl disable wg-quick@wg7.service
rm /etc/wireguard/wg7.conf
rm -Rf /etc/wireguard/wgc-wg7

Tested

WG Commander should work well on any systemd-based Linux distribution with WireGuard, iptables, sysctl, procfs available.

It was tested on:

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Rocky Linux 9
  • Debian 11
  • Debian 12

Notes

There is no commercial purpose behind WG Commander. The project is licensed under the MIT License.

This project is NOT related to the creator of WireGuard®. WG Commander project is NOT approved, sponsored, or affiliated with WireGuard® or with the WireGuard® community.


wg-cmd's Issues

Allow configuration of AllowedIPs in server config

Is your feature request related to a problem? Please describe.
I have a server (a) and 2 clients (b,c). Client b sits on a LAN with many other devices (192.168.1.0/24). I'd like to access those devices (in which WG can't be installed) from client c (via the server). To do this in a typical WireGuard configuration (skipping iptables and sysctl config for now) you would append the subnet (192.168.1.0/24) to AllowedIPs in the server config file for the peer that sits on the LAN (b).

Describe the solution you'd like
A way to define AllowedIPs for peers, but in the server config file.

Describe alternatives you've considered
N/A

Additional context
Thank you for this excellent project!

NAT options don't work without additional firewall rule

Describe the bug
NAT options don't work

To Reproduce
Steps to reproduce the behavior:

  1. Create a new tunnel & client
  2. Enable NAT
  3. Try and use tunnel
  4. Client can't route

Expected behavior
Client should be able to route

Environment (please complete the following information):

  • OS: Linux
  • Distribution: Debian 12
  • Current

Additional context

I fixed this by adding "iptables -A FORWARD -o wg0 -j ACCEPT" to PostUp, so the 2 lines for me now look like:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; iptables -D FORWARD -o wg0 -j ACCEPT
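Added example, not part of the issue or of wg-cmd: when PostUp is edited by hand as in the report above, each rule it appends needs a matching -D in PostDown, or the rule stays in the chain after the interface goes down. The shell functions below (rules_for, unmatched_postup and sample_conf are names chosen for this example) list PostUp rules with no counterpart; the sample config reuses the PostUp line from the report with a constructed, incomplete PostDown, and key names are assumed to be spelled exactly PostUp and PostDown.

```shell
#!/bin/sh
# Added example. Constructed sample: PostUp as in the report, PostDown missing
# the -D for the newly added "-o wg0" rule.
sample_conf() {
    cat <<'EOF'
[Interface]
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
EOF
}

# rules_for KEY FILE: print the ';'-separated commands of every "KEY = ..." line,
# one command per line, with surrounding whitespace removed.
rules_for() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tr ';' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# unmatched_postup FILE: print each PostUp rule that appends (-A) an iptables or
# ip6tables rule for which PostDown has no identical command using -D.
unmatched_postup() {
    conf=$1
    down=$(rules_for PostDown "$conf")
    rules_for PostUp "$conf" | while IFS= read -r rule; do
        case $rule in
            *iptables*" -A "*) ;;
            *) continue ;;      # not an append: nothing to pair up
        esac
        want=$(printf '%s\n' "$rule" | sed 's/ -A / -D /')
        printf '%s\n' "$down" | grep -Fxq -- "$want" || printf '%s\n' "$rule"
    done
}

# Usage: sh check.sh /etc/wireguard/wg0.conf
if [ $# -gt 0 ]; then unmatched_postup "$1"; fi
```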

MTU

Add MTU setting Client and Server

WG-server

[Interface]
...
MTU = 1420

WG-peer

[Interface]
...
MTU = 1384

Support for IPv6 DNS

Is your feature request related to a problem? Please describe.
On a machine with IPv6, the DNS settings only reflect an IPv4 address, not the IPv6.

Describe the solution you'd like
Include the v4 and v6 addresses for DNS

Describe alternatives you've considered
Manually retrieved the IPv6 DNS addresses and added them to the configuration.

Additional context
Would enable the internet transition to v6. Love the commander!
