WireGuard Configuration

show wireguard status

[Command] show wireguard statusid

[Purpose] Display wireguard status

[View] System view

[Use Cases]

sonic# show wireguard status 1
interface: Wg1
  Public Key: YvzvpPNpUu9hKC1yxh2OOpSQM1hF6NOt0GAYXSaJdmo=
  private key: (hidden)
  listening port: 51820

peer: Ey1F+q49I6hPXGBoqryuATqgCyg2cNJWPFzi3jYfnjY=
  endpoint: 20.0.0.153:51820->30.0.0.100:51820
  allowed ips: 10.0.0.0/24,90.0.0.0/24

show wireguard config

[Command] show wireguard configid

[Purpose] Display wireguard configuration

[View] System view

[Use Cases]

sonic# show wireguard config 1
 ip4 listen_port 51820 private_key UFnTg/3VsDmc6QGimqiSL66FZcBnV/4UiSOcot+gkGw= intf_addr 10.0.0.1/24
 peer ip4 public_key YZKmpdlJN+lFlsVFxy9zKdHsdzN8j5BpWjjEgoKucj8=
 peer public_key YZKmpdlJN+lFlsVFxy9zKdHsdzN8j5BpWjjEgoKucj8= allowed_ip 0.0.0.0/0

genkey

[Command] genkey

[Purpose] Generate WireGuard keys

[View] Wireguard configuration view

[Use Cases]

sonic(config-wireguard-1)# genkey
    Private Key: UFnTg/3VsDmc6QGimqiSL66FZcBnV/4UiSOcot+gkGw=
    Public Key: YZKmpdlJN+lFlsVFxy9zKdHsdzN8j5BpWjjEgoKucj8=

ip4 listen_port

[Command] ip4 listen_portportprivate_keystringintf_addrA.B.C.D/M no ip4

[Purpose] Configure WireGuard’s listening port, private key, and IPv4 address.

[View] Wireguard configuration view

[Parameter]

Parameter	Description
listen_port	wireguard listening port
private_key	Local private key
inft_addr	IPv4 address of the WireGuard tunnel

[Use Cases]

sonic(config-wireguard-1)# ip4 listen_port 51820 private_key UFnTg/3VsDmc6QGimqiSL66FZcBnV/4UiSOcot+gkGw= intf_addr 10.0.0.1/24

ip6 listen_port

[Command] ip6 listen_portportprivate_keystringintf_addrA::B/M no ip6

[Purpose] ip6 listen_port port private_key string intf_addr A::B/M

[View] Wireguard configuration view

[Parameter]

Parameter	Description
listen_port	wireguard listening port
private_key	Local private key
inft_addr	IPv6 address of the WireGuard tunnel

[Use Cases]

sonic(config-wireguard-1)# ip6 listen_port 51820 private_key UFnTg/3VsDmc6QGimqiSL66FZcBnV/4UiSOcot+gkGw= intf_addr 2000::1/64

mtu

[Command] mtuvalue

[Purpose] Configuring the MTU for the WireGuard tunnel

[View] Wireguard configuration view

[Use Cases]

sonic(config-wireguard-1)# mtu 1000

nat-zone

[Command] nat-zoneid no nat-zone

[Purpose] Configuring NAT traversal for WireGuard tunnels

[View] Wireguard configuration view

[Parameter]

Parameter	Description
nat-zone	The default value is 0, meaning NAT functionality is disabled. When configured as 1 to 3, NAT conversion functionality is enabled.

[Use Cases]

sonic(config-wireguard-1)# nat-zone 1

peer {ip4|ip6} public_key

[Command] peer {ip4|ip6} public_keykey**[endpoint_ipA.B.C.Dendpoint_portport] [persistent_keepaliveint]** no peer {ip4|ip6} public_keykey

[Purpose] Configure the WireGuard peer’s public key and IP settings. When the endpoint_ip is not configured, it will passively receive peer requests and learn the peer’s IP and port.

[View] Wireguard configuration view

[Parameter]

Parameter	Description
public_key	The public key of the remote end
endpoint_ip	The ip address of the remote end
endpint_port	The port of the remote end
persistent_keepalive	Tunnel survival time

[Use Cases]

sonic(config-wireguard-1)# peer ip4 public_key YZKmpdlJN+lFlsVFxy9zKdHsdzN8j5BpWjjEgoKucj8= endpoint_ip 1.1.1.1 endpoint_port 51820 persistent_keepalive 300

peer public_key

[Command] peer public_keykeyallowed_ipA.B.C.D/M

[Purpose] Configure the WireGuard peer’s public key and allowed IP list

[View] Wireguard configuration view

[Parameter]

Parameter	Description
public_key	The public key of the remote end
allowed_ip	Allowed IP list for encryption and decryption

[Use Cases]

sonic(config-wireguard-1)# peer public_key YZKmpdlJN+lFlsVFxy9zKdHsdzN8j5BpWjjEgoKucj8= allowed_ip 10.0.0.0/24,20.0.0.0/24