website/content/v1.13/reference/configuration/network/wireguardconfig.md
{{< highlight yaml >}}
apiVersion: v1alpha1
kind: WireguardConfig
name: wg1 # Name of the Wireguard link (interface).
privateKey: OJ34O6J1z4ZZB+t16c+vYrzIrKddxyU3Z2eLhwYzqE8= # Specifies a private key configuration (base64 encoded).
listenPort: 51820 # Specifies a device's listening port (UDP).
peers:
    - publicKey: fP+xJZvUA5n1Pi/f5wcPiV6tZ6fHwqcGaXe98NfEgkE= # Specifies the public key of this peer.
      endpoint: 10.0.0.1:5180 # Specifies the endpoint of this peer entry.
      # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
      allowedIPs:
        - 192.168.2.0/24
    - publicKey: TDd25Cwq6tMZANIKUaqred+Zt+09HtCqwFeOLtKQ9Cs= # Specifies the public key of this peer.
      presharedKey: UpH8htYK7yJBPg5+q4M/Tx0o5ipHbeSZtI/h/mHxOeU= # Specifies the preshared key for this peer (base64 encoded).
      # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
      allowedIPs:
        - 192.168.3.0/24
mtu: 1420 # Configure LinkMTU (Maximum Transmission Unit) for the link.
addresses:
    - address: 192.168.1.100/24 # IP address to be assigned to the link.
{{< /highlight >}}

| Field | Type | Description | Value(s) |
|---|---|---|---|
|name |string |Name of the Wireguard link (interface). <details><summary>Show example(s)</summary>{{< highlight yaml >}}
name: wg.int
{{< /highlight >}}</details> | |
|privateKey |string |Specifies a private key configuration (base64 encoded).<br>Can be generated by `wg genkey`. | |
|listenPort |int |Specifies a device's listening port (UDP).<br>If not specified, a random port will be chosen. | |
|firewallMark |int |Specifies a device's firewall mark.<br>Useful for advanced routing setups, marking packets originating from this device. | |
|peers |<a href="#WireguardConfig.peers.">[]WireguardPeer</a> |Specifies a list of peer configurations to apply to a device. | |
|up |bool |Bring the link up or down.<br>If not specified, the link will be brought up. | |
|mtu |uint32 |Configure LinkMTU (Maximum Transmission Unit) for the link.<br>If not specified, the system default LinkMTU will be used (usually 1500). | |
|addresses |<a href="#WireguardConfig.addresses.">[]AddressConfig</a> |Configure addresses to be statically assigned to the link. | |
|routes |<a href="#WireguardConfig.routes.">[]RouteConfig</a> |Configure routes to be statically created via the link. | |
|multicast |bool |Set the multicast capability of the link. | |

WireguardPeer describes a Wireguard peer configuration.

| Field | Type | Description | Value(s) |
|---|---|---|---|
|publicKey |string |Specifies the public key of this peer.<br>Can be extracted from private key by running `wg pubkey < private.key`. | |
|presharedKey |string |Specifies the preshared key for this peer (base64 encoded).<br>Can be generated by `wg genpsk`.<br>Optional, this key provides an additional layer of symmetric-key cryptography to the peer connection. | |
|endpoint |AddrPort |Specifies the endpoint of this peer entry.<br>Format: `<IP address>:<port>`.<br>If not set, the peer should connect to us without us connecting to it first. | |
|persistentKeepaliveInterval |Duration |Specifies the persistent keepalive interval for this peer.<br>Field format accepts any Go time.Duration format ('1h' for one hour, '10m' for ten minutes). | |
|allowedIPs |[]Prefix |AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.<br>These IPs will be routed to this peer, and they define which IPs this peer is allowed to use. | |
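
The formats in the peer table above can be checked before a config is applied. The Go code below is an added example, not Talos code: `Peer`, `validKey` and `ValidatePeers` are hypothetical names, the 32-byte key size is WireGuard's, and overlapping `allowedIPs` across peers are reported because those prefixes decide both routing and which addresses a peer may use.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/netip"
)

// Peer is a hypothetical stand-in for one WireguardPeer entry (not a Talos type).
type Peer struct{ PublicKey, PresharedKey, Endpoint string; AllowedIPs []string }

// validKey reports whether s is base64 for exactly 32 bytes, the WireGuard key size.
func validKey(s string) bool {
	b, err := base64.StdEncoding.DecodeString(s)
	return err == nil && len(b) == 32
}

// ValidatePeers returns one finding per malformed field or cross-peer allowedIPs overlap.
func ValidatePeers(peers []Peer) (out []string) {
	type claim struct{ pfx netip.Prefix; peer int }
	var seen []claim // prefixes listed so far, in config order
	for i, p := range peers {
		note := func(bad bool, msg string) {
			if bad {
				out = append(out, fmt.Sprintf("peer %d: %s", i, msg))
			}
		}
		note(!validKey(p.PublicKey), "publicKey is not 32 bytes of base64")
		note(p.PresharedKey != "" && !validKey(p.PresharedKey), "presharedKey is not 32 bytes of base64")
		_, err := netip.ParseAddrPort(p.Endpoint) // endpoint is optional; hostnames are rejected
		note(p.Endpoint != "" && err != nil, "endpoint is not <IP address>:<port>")
		for _, s := range p.AllowedIPs {
			pfx, err := netip.ParsePrefix(s) // zero Prefix on error; Overlaps is then always false
			note(err != nil, "allowedIPs entry "+s+" is not CIDR")
			for _, c := range seen {
				note(c.peer != i && pfx.Overlaps(c.pfx), fmt.Sprintf("allowedIPs %s overlaps %s of peer %d", s, c.pfx, c.peer))
			}
			seen = append(seen, claim{pfx, i})
		}
	}
	return out
}

func main() {
	// Constructed input: the second peer has a short key and overlaps the first peer's /24.
	a := Peer{PublicKey: "fP+xJZvUA5n1Pi/f5wcPiV6tZ6fHwqcGaXe98NfEgkE=", AllowedIPs: []string{"192.168.2.0/24"}}
	b := Peer{PublicKey: "dG9vLXNob3J0", AllowedIPs: []string{"192.168.2.128/25"}}
	fmt.Println(ValidatePeers([]Peer{a, b}))
}
```
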

AddressConfig represents a network address configuration.

| Field | Type | Description | Value(s) |
|---|---|---|---|
|address |Prefix |IP address to be assigned to the link.<br>This field must include the network prefix length (e.g. /24 for IPv4, /64 for IPv6). <details><summary>Show example(s)</summary>{{< highlight yaml >}}
address: 192.168.1.100/24
{{< /highlight >}}{{< highlight yaml >}}
address: fd00::1/64
{{< /highlight >}}</details> | |
|routePriority |uint32 |Configure the route priority (metric) for routes created for this address.<br>If not specified, the system default route priority will be used. | |

RouteConfig represents a network route configuration.

| Field | Type | Description | Value(s) |
|---|---|---|---|
|destination |Prefix |The route's destination as an address prefix.<br>If not specified, a default route will be created for the address family of the gateway. <details><summary>Show example(s)</summary>{{< highlight yaml >}}
destination: 10.0.0.0/8
{{< /highlight >}}</details> | |
|gateway |Addr |The route's gateway (if empty, creates link scope route). <details><summary>Show example(s)</summary>{{< highlight yaml >}}
gateway: 10.0.0.1
{{< /highlight >}}</details> | |
|source |Addr |The route's source address (optional). | |
|metric |uint32 |The optional metric for the route. | |
|mtu |uint32 |The optional MTU for the route. | |
|table |RoutingTable |The routing table to use for the route.<br>If not specified, the main routing table will be used. | |