12VPX
Wireguard with Network Manager

Requirements

  • Basic command-line knowledge.
  • A Linux distribution with Network Manager 1.16 or newer.

Note

Network Manager treats Wireguard connections as native network connections. They will not show up in the list of VPN connections. If you prefer something that shows up in the VPN connection list, use OpenVPN or strongSwan instead.

Version Check

Let's double-check that we have Network Manager 1.16 or newer:

❯ nmcli -v
nmcli tool, version 1.22.10

Wireguard Configs

Download our wireguard_servers.zip.

Unzip the ZIP file:

❯ unzip wireguard-servers.zip 
Archive:  wireguard-servers.zip
  inflating: AT Vienna 2020-05-12.conf  
  inflating: AU Sydney 2020-05-12.conf  
  inflating: AU Sydney 3 2020-05-12.conf  
... etc.

Import Wireguard Config

Network Manager requires the filename to be a valid wireguard interface name. For example: wg0.conf, wg1.conf, ..., wg1000.conf.

Let's import the AT Vienna wireguard config:

❯ mv AT\ Vienna\ 2020-05-12.conf vienna-wg0.conf

❯ nmcli connection import type wireguard file vienna-wg0.conf
Connection 'vienna-wg0' (5b56bced-f8cc-49d3-8537-207f279fd6dc) successfully added.

Important: do not import more than 1 config at this point. You'll understand why in the next step.
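
The filename rule above can be checked before running the import. This is an added example, not part of the original guide; it assumes "valid interface name" means the Linux kernel's rules (1 to 15 characters, no whitespace, no `/` or `:`, not `.` or `..`), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: predict whether a WireGuard config filename will be accepted
# as an interface name by `nmcli connection import type wireguard file ...`.
# Assumption: the rules mirror the Linux kernel's interface-name checks.

# Print why a name is unusable, or "ok" if it passes every check.
# Note: ${#name} counts characters; the kernel limit is 15 bytes, which is
# the same thing for plain ASCII names.
ifname_problem() {
    name=$1
    if [ -z "$name" ]; then echo "empty"; return; fi
    if [ "${#name}" -gt 15 ]; then echo "longer than 15 characters"; return; fi
    case $name in
        .|..)           echo "reserved name" ;;
        */*|*:*)        echo "contains / or :" ;;
        *[[:space:]]*)  echo "contains whitespace" ;;
        *)              echo "ok" ;;
    esac
}

# Strip the directory and the .conf suffix, then validate what is left,
# because that remainder becomes the interface name.
check_conf() {
    base=${1##*/}
    ifname_problem "${base%.conf}"
}

# Filenames taken from the steps above (no files need to exist).
for f in "AT Vienna 2020-05-12.conf" "vienna-wg0.conf" "wg0.conf"; do
    printf '%-28s %s\n' "$f" "$(check_conf "$f")"
done
```
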

Connecting / Disconnecting

After you import the connection, Network Manager immediately connects to the VPN.

To disconnect from the VPN:

❯ nmcli connection down vienna-wg0
Connection 'vienna-wg0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/25)

To connect to the VPN again:

❯ nmcli connection up vienna-wg0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/27)

Deleting Connections

We recommend you delete unused, old or redundant wireguard interfaces:

❯ nmcli connection show
NAME                         UUID                                  TYPE       DEVICE     
Wired connection 1           dd530962-d349-353f-abaa-a81595677d23  ethernet   enp4s0     
vienna-wg0                   8d752c4d-a7f4-4def-bbb3-bad23e3c8bb8  wireguard  vienna-wg0 

❯ nmcli connection delete vienna-wg0
Connection 'vienna-wg0' (8d752c4d-a7f4-4def-bbb3-bad23e3c8bb8) successfully deleted.

❯ nmcli connection show
NAME                         UUID                                  TYPE       DEVICE     
Wired connection 1           dd530962-d349-353f-abaa-a81595677d23  ethernet   enp4s0

Recommended: Automatically Setup Routing

In most situations you'll want to route all your traffic to the VPN. You can let NetworkManager handle this automatically by enabling the auto-default-route option:

❯ nmcli connection modify vienna-wg0 wireguard.ip4-auto-default-route true

Then (re-)connect to the VPN.
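
To confirm the option took effect after reconnecting, check which device the kernel selects for an outside address. This is an added example, not part of the original guide; the function names, the 1.1.1.1 test destination and the sample `ip route get` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that traffic leaves through the WireGuard interface
# once wireguard.ip4-auto-default-route is enabled.

# Print the egress device named in `ip route get` output (empty if none).
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Return 0 if the route uses the expected interface.
# usage: uses_tunnel <expected-dev> <ip-route-get-output>
uses_tunnel() {
    [ "$(route_dev "$2")" = "$1" ]
}

# Live check against the running system (needs iproute2).
# usage: check_live <expected-dev> [destination]
check_live() {
    out=$(ip -4 route get "${2:-1.1.1.1}" 2>/dev/null) || { echo "no route"; return 2; }
    if uses_tunnel "$1" "$out"; then
        echo "via $1"
    else
        echo "LEAK: via $(route_dev "$out")"
        return 1
    fi
}

# Constructed samples of `ip -4 route get 1.1.1.1` output; the addresses,
# table number and uid are made up.
UP_SAMPLE='1.1.1.1 dev vienna-wg0 table 51820 src 10.0.0.2 uid 1000'
DOWN_SAMPLE='1.1.1.1 via 192.168.1.1 dev enp4s0 src 192.168.1.50 uid 1000'

for s in "$UP_SAMPLE" "$DOWN_SAMPLE"; do
    if uses_tunnel vienna-wg0 "$s"; then
        echo "tunnel:   $s"
    else
        echo "bypasses: $s"
    fi
done
# On a real machine, run: check_live vienna-wg0
```

The check uses the device name, so it keeps working after the connection itself is renamed.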

Connection Details

Optional.

There are a number of properties that you can change for each connection.

Let's see what we have:

❯ nmcli connection show vienna-wg0
connection.id:                          AT Vienna
connection.uuid:                        b6b3f8b2-5e4f-4adf-b95c-311b29c87fc1
connection.stable-id:                   --
connection.type:                        vpn
connection.interface-name:              --
connection.autoconnect:                 no
connection.autoconnect-priority:        0
connection.autoconnect-retries:         -1 (default)
...etc.

Optional: Automatically Connect

You may have noticed the connection.autoconnect option there. It does exactly what you think it does: automatically connect to the VPN when the computer starts.

To enable this option:

❯ nmcli connection modify vienna-wg0 connection.autoconnect yes

And to disable it again:

❯ nmcli connection modify vienna-wg0 connection.autoconnect no

Note: we recommend you do not use this on laptops. It doesn't play well with login screens (captive portals) used in hotels, Starbucks, etc.

Optional: Rename the Connection

We prefer to give the connection a more meaningful name:

❯ nmcli connection modify vienna-wg0 connection.id "AT Vienna"

❯ nmcli connection show
NAME                         UUID                                  TYPE       DEVICE     
Wired connection 1           dd530962-d349-353f-abaa-a81595677d23  ethernet   enp4s0     
AT Vienna                    8d752c4d-a7f4-4def-bbb3-bad23e3c8bb8  wireguard  vienna-wg0 

This does mean you'll have to use "AT Vienna" instead of vienna-wg0 in your commands from now on.

Optional: Abbreviated Commands

We've been showing you the full nmcli commands for clarity. Most of them can be abbreviated for efficiency.

Some examples:

❯ nmcli c i type wireguard file vienna-wg0.conf
Connection 'vienna-wg0' (71639a6e-fe83-4003-986c-6aef946fd39b) successfully added.

❯ nmcli c d vienna-wg0
Connection 'vienna-wg0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/29)

❯ nmcli c de vienna-wg0 
Connection 'vienna-wg0' (71639a6e-fe83-4003-986c-6aef946fd39b) successfully deleted.

Etc.