A Python script to manage WireGuard configurations using a single YAML file. It handles key generation, IP validation, and produces both server and client configurations.
- Automatic Key Generation: generates `private_key`, `public_key`, and `preshared_key` automatically if they are missing or empty in the YAML file.
- Format Preservation: uses `ruamel.yaml` to save generated keys back to your YAML while keeping comments and formatting intact.
- IP Validation:
  - Ensures no duplicate IPs across server and clients.
  - Verifies all IPs belong to the defined `allowed_ips` network.
- Simplified Configuration: centralizes server settings and client lists in one place.
Requirements:

- Python 3.x
- WireGuard Tools: the `wg` command must be available in your PATH for key generation (`wg genkey`, `wg pubkey`, `wg genpsk`).
- Dependencies:

  ```shell
  pip install -r requirements.txt
  ```
Create a YAML file (e.g., `wg0.yml`) based on the following structure:

```yaml
server:
  address: 10.0.0.1/24
  listen_port: 51820
  endpoint: 1.2.3.4   # Public IP or domain
  post_up: "iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
  post_down: "iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE"

common:
  persistent_keepalive: 25
  allowed_ips: 10.0.0.0/24

clients:
  - name: alice
    address: 10.0.0.2/24
  - name: bob
    address: 10.0.0.3/24
```

Note: Keys will be automatically added to this file upon first run, so from that point on the YAML contains every private key and preshared key in the deployment and must be treated as a secret. In `post_up` and `post_down`, `%i` is expanded by `wg-quick` to the interface name; replace `eth0` with the server's actual upstream interface.
Generate the server configuration, then one configuration per client:

```shell
python3 wireguard.py wg0.yml server > /etc/wireguard/wg0.conf
python3 wireguard.py wg0.yml alice > alice.conf
```

Bring the interface up, take it down, enable it at boot, and inspect peer state:

```shell
wg-quick up wg0
wg-quick down wg0
systemctl enable wg-quick@wg0
wg show
```

- File Permissions: keep your YAML and generated `.conf` files secure. The YAML holds all keys once they have been generated, and each client `.conf` holds that client's private key and preshared key, so deliver client files to their owners over a secure channel and delete your local copy afterwards. Run `umask 077` before the redirections above so the files are never created world-readable, then lock them down:

  ```shell
  chmod 600 wg0.yml /etc/wireguard/wg0.conf
  ```
- Preshared Keys: the script generates a `PresharedKey` for every client by default. WireGuard mixes the preshared key into the handshake as an additional symmetric-key layer on top of the Curve25519 exchange, so a future break of the public-key exchange (for example by a quantum computer) does not recover session keys as long as the preshared key stays secret. That protection only holds if the preshared key itself is kept confidential: it is stored in the YAML and in both peers' `.conf` files, so it needs the same handling as the private keys.
- Firewall: ensure the `ListenPort` (UDP, 51820 in the example) is open on your server's firewall. If clients are meant to reach networks behind the server through the `post_up` MASQUERADE rule, IP forwarding must also be enabled on the server (`net.ipv4.ip_forward=1`).
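The following is an added, self-contained model of what the feature list and the YAML structure above describe: filling missing keys with `wg`, validating addresses against `allowed_ips` and across peers, and rendering the server and client configurations. It is example code written for this page, not the project's `wireguard.py`, and it replaces the YAML file with an equivalent constructed dict (with constructed dummy keys) so that validation and rendering run offline; only `ensure_keys` shells out to `wg`, and only when a key is actually missing. The function names are the example's own. It also handles two cases the text implies but does not show: a malformed address is reported rather than crashing, and each peer on the server side is pinned to its own host address (`/32` or `/128`) so that a client cannot source traffic with another client's IP.

```python
"""Model of the YAML-driven WireGuard generator from this README (added example, not the
project's wireguard.py). The YAML is replaced by an equivalent constructed dict."""
import base64
import ipaddress
import subprocess
import sys
from typing import List, Optional


def _dummy_key(seed: int) -> str:
    """Constructed placeholder (base64 of 32 repeated bytes), NOT a real Curve25519 key."""
    return base64.b64encode(bytes([seed]) * 32).decode()


# Constructed stand-in for the parsed wg0.yml shown in this README, keys already filled in.
CONFIG = {
    "server": {
        "address": "10.0.0.1/24", "listen_port": 51820, "endpoint": "1.2.3.4",
        "post_up": "iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
        "post_down": "iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE",
        "private_key": _dummy_key(1), "public_key": _dummy_key(2),
    },
    "common": {"persistent_keepalive": 25, "allowed_ips": "10.0.0.0/24"},
    "clients": [
        {"name": "alice", "address": "10.0.0.2/24", "private_key": _dummy_key(3),
         "public_key": _dummy_key(4), "preshared_key": _dummy_key(5)},
        {"name": "bob", "address": "10.0.0.3/24", "private_key": _dummy_key(6),
         "public_key": _dummy_key(7), "preshared_key": _dummy_key(8)},
    ],
}


def _wg(*args: str, stdin: Optional[str] = None) -> str:
    """Run the wg tool (required on PATH, as the README says) and return stripped stdout."""
    proc = subprocess.run(["wg", *args], input=stdin, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def ensure_keys(node: dict, with_psk: bool) -> None:
    """Fill keys that are missing or empty, mirroring the README's first-run behaviour."""
    if not node.get("private_key"):
        node["private_key"] = _wg("genkey")
        node["public_key"] = ""  # a fresh private key invalidates any stale public key
    if not node.get("public_key"):
        node["public_key"] = _wg("pubkey", stdin=node["private_key"] + "\n")
    if with_psk and not node.get("preshared_key"):
        node["preshared_key"] = _wg("genpsk")


def validate_addresses(cfg: dict) -> List[str]:
    """Return problems found: malformed addresses, IPs outside allowed_ips, duplicate IPs."""
    errors, seen = [], {}
    network = ipaddress.ip_network(cfg["common"]["allowed_ips"], strict=False)
    entries = [("server", cfg["server"]["address"])]
    entries += [(c["name"], c["address"]) for c in cfg["clients"]]
    for name, addr in entries:
        try:
            ip = ipaddress.ip_interface(addr).ip
        except ValueError:
            errors.append(f"{name}: {addr!r} is not a valid address")
            continue
        if ip not in network:
            errors.append(f"{name}: {ip} is outside {network}")
        if ip in seen:
            errors.append(f"{name}: {ip} already used by {seen[ip]}")
        seen.setdefault(ip, name)
    return errors


def render_server(cfg: dict) -> str:
    """Server wg0.conf: one [Peer] per client, each pinned to its own host address."""
    s = cfg["server"]
    lines = ["[Interface]", f"Address = {s['address']}", f"ListenPort = {s['listen_port']}",
             f"PrivateKey = {s['private_key']}"]
    if s.get("post_up"):
        lines.append(f"PostUp = {s['post_up']}")
    if s.get("post_down"):
        lines.append(f"PostDown = {s['post_down']}")
    for c in cfg["clients"]:
        # Cryptokey routing: a /32 (or /128) here means this peer may only source its own IP.
        host = ipaddress.ip_interface(c["address"]).ip
        lines += ["", f"# {c['name']}", "[Peer]", f"PublicKey = {c['public_key']}",
                  f"PresharedKey = {c['preshared_key']}",
                  f"AllowedIPs = {host}/{host.max_prefixlen}"]
    return "\n".join(lines) + "\n"


def render_client(cfg: dict, name: str) -> str:
    """Client .conf: the server is the only peer; AllowedIPs comes from common.allowed_ips."""
    s, common = cfg["server"], cfg["common"]
    c = {c["name"]: c for c in cfg["clients"]}[name]  # KeyError for an unknown client
    lines = ["[Interface]", f"Address = {c['address']}", f"PrivateKey = {c['private_key']}", "",
             "[Peer]", f"PublicKey = {s['public_key']}", f"PresharedKey = {c['preshared_key']}",
             f"Endpoint = {s['endpoint']}:{s['listen_port']}",
             f"AllowedIPs = {common['allowed_ips']}",
             f"PersistentKeepalive = {common['persistent_keepalive']}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same CLI shape as the README (`server` or a client name); refuses to render on bad IPs.
    problems = validate_addresses(CONFIG)
    if problems:
        sys.exit("\n".join(problems))
    target = sys.argv[1] if len(sys.argv) > 1 else "server"
    print(render_server(CONFIG) if target == "server" else render_client(CONFIG, target), end="")
```

Running it as `python3 example.py server` or `python3 example.py alice` prints the corresponding configuration to stdout, exactly like the README's usage line; a duplicate or out-of-range address aborts before any config is written. On the server side the peer's `AllowedIPs` is deliberately the single host address rather than `common.allowed_ips`: the wider prefix belongs only in the client config, where it tells the client which destinations to route through the tunnel.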