## wgtool (WireGuard helper CLI)

wgtool streamlines creating and validating WireGuard configs, and generating a ready-to-paste Zion peer block.

### Features

- Generate WireGuard configs with sensible defaults
- Validate single configs or all `.conf` files in a directory
- Print a Zion-ready `[Peer]` snippet for adding new nodes
- Generate private keys (derive the public key with `wg pubkey`)

### Commands

- `generate`: Create a config and write keys
- `validate`: Lint a config file or all `.conf` files in a directory
- `zion-peer`: Print a `[Peer]` block for Zion’s `wg0.conf`
- `keys`: Print a private key
- `version`: Show tool version

### Defaults and endpoints

Generated configs include one default peer:

- Zion (central server)
  - PublicKey: `2ztJbrN1x1NWanzPGLiKL19ZkdOhm5Y7WeKEWBT5cyg=`
  - Endpoint: `ugh.im:51820`
  - AllowedIPs:
    - `wg_only`: `10.8.0.0/24`
    - `full_tunnel`: `0.0.0.0/0, ::/0`
  - PersistentKeepalive: `25`

### generate

Create a config in `wireguard_configs/` and write the keys alongside it. Missing flags are prompted for interactively unless `--yes` is used.

Flags:

- `--hostname` Node name (e.g., `aza`)
- `--ip` Node IP in `10.8.0.x`
- `--interface` Interface name (default `wg0`)
- `--routing` `wg_only` | `full_tunnel` (default `wg_only`)
- `--out` Output directory (default `wireguard_configs`)
- `--force` Overwrite without prompt
- `--yes` Non-interactive (assume yes)

Examples:

```bash
./wgtool generate
./wgtool generate --hostname aza --ip 10.8.0.30 --interface wg0 --routing wg_only --out wireguard_configs --yes
./wgtool generate --hostname aza --ip 10.8.0.30 --routing full_tunnel --yes
```

Outputs:

- `wireguard_configs/wg0.conf`
- `wireguard_configs/_private.key`
- Derive the public key: `echo "<private-key>" | wg pubkey`

### validate

Validate a config file or every `.conf` in a directory.

Flags:

- `--target` Path to a file or directory

Examples:

```bash
./wgtool validate --target wireguard_configs/wg0.conf
./wgtool validate --target wireguard_configs
```

Checks include:

- Presence of `[Interface]`
- `PrivateKey` and a CIDR `Address`
- Peer `PublicKey` format
- `AllowedIPs` as valid CIDRs

### zion-peer

Print a `[Peer]` block to add to Zion’s `/etc/wireguard/wg0.conf` for a new node.

Flags:

- `--name` Node name
- `--pub` Node public key (44-char base64 ending with `=`)
- `--ip` Node IP in `10.8.0.x` (host address)

Example:

```bash
./wgtool zion-peer --name aza --pub ABCDEFG...= --ip 10.8.0.30
```

### keys

Generate and print a private key.

Example:

```bash
./wgtool keys
# derive the public key from the printed private key
echo "<private-key>" | wg pubkey
```

### Quick start

1) Create a config and keys

```bash
./wgtool generate --hostname mynode --ip 10.8.0.30 --yes
```

2) Validate the config

```bash
./wgtool validate --target wireguard_configs/wg0.conf
```

3) Give Zion your peer details

```bash
./wgtool zion-peer --name mynode --pub $(echo "<private-key>" | wg pubkey) --ip 10.8.0.30
```

4) Install and enable (on your node)

```bash
sudo cp wireguard_configs/wg0.conf /etc/wireguard/
sudo chmod 600 /etc/wireguard/wg0.conf
sudo systemctl enable --now wg-quick@wg0
```

Notes:

- IPs are enforced in the `10.8.0.x` range.
- In `full_tunnel` mode DNS is set to `1.1.1.1, 8.8.8.8`.
- Overwrites are blocked unless `--force` is given or confirmed interactively.
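The checks that `validate` performs (an `[Interface]` section, a well-formed `PrivateKey` and CIDR `Address`, a well-formed peer `PublicKey`, and `AllowedIPs` that parse as CIDRs) are shown below as an added, self-contained Python example; it is not wgtool's own code. The sample config is constructed here: its PrivateKey is a placeholder of 32 zero bytes and its peer is the Zion entry from this README.

```python
import base64
import ipaddress
# Constructed sample in the layout `wgtool generate` describes; PrivateKey is a placeholder
# (32 zero bytes, base64) and the peer is Zion, using the public key listed in this README.
PRIVATE_KEY = base64.b64encode(bytes(32)).decode()
SAMPLE_CONF = f"""[Interface]
PrivateKey = {PRIVATE_KEY}
Address = 10.8.0.30/24
[Peer]
PublicKey = 2ztJbrN1x1NWanzPGLiKL19ZkdOhm5Y7WeKEWBT5cyg=
AllowedIPs = 10.8.0.0/24
"""
def parse_wg(text):
    """Return [(section, {key: value})]; a list, since several [Peer] blocks may occur."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def is_wg_key(value):
    """WireGuard keys are 32 bytes in base64: 44 characters ending in '='."""
    try:
        return (len(value) == 44 and value.endswith("=")
                and len(base64.b64decode(value, validate=True)) == 32)
    except ValueError:
        return False

def is_cidr_list(value):
    try:
        for entry in value.split(","):  # e.g. "0.0.0.0/0, ::/0" in full_tunnel mode
            ipaddress.ip_network(entry.strip(), strict=False)
        return True
    except ValueError:
        return False

CHECKS = [("Interface", "PrivateKey", is_wg_key), ("Interface", "Address", is_cidr_list),
          ("Peer", "PublicKey", is_wg_key), ("Peer", "AllowedIPs", is_cidr_list)]

def validate_wg(text):
    """Return a list of problems; an empty list means the config passed every check."""
    sections = parse_wg(text)
    problems = [] if any(n == "Interface" for n, _ in sections) else ["missing [Interface]"]
    for name, kv in sections:
        for section, key, ok in CHECKS:
            if name == section and not ok(kv.get(key, "")):
                problems.append(f"[{name}] {key} missing or invalid: {kv.get(key, '')!r}")
    return problems
```

Run `validate_wg(open("wireguard_configs/wg0.conf").read())` on a generated file; a missing key, a truncated `PublicKey` or an `AllowedIPs` entry such as `10.8.0.0/33` each produce one entry in the returned list.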