aboutsummaryrefslogblamecommitdiff
path: root/man/wgconfd.5.scd
blob: 15c19e9922284fe137c815ea1350d57f3b2ad88d (plain) (tree)































































































































                                                                                    
wgconfd(5)

# NAME

wgconfd - configuration file

# GLOBAL OPTIONS

The following global options are available:

*min_keepalive*
	The minimum value for the persistent keepalive timeout, in seconds. Any peer
	with a smaller timeout uses this one instead. Set to 0 to disable the
	timeout altogether.

	Default: _10_

*max_keepalive*
	The maximum value for the persistent keepalive timeout, in seconds. Any peer
	with a larger (or missing) timeout uses this one instead. If set to 0, there
	is no maximum.

	Default: _0_

*refresh_sec*
	The time between configuration updates, in seconds.

	Default: _1200_

*cache_directory*
	Path to the cache directory.

	Default: _$CACHE_DIRECTORY_

*runtime_directory*
	Path to the runtime state directory.

	Default: _$RUNTIME_DIRECTORY_

# SOURCE SECTIONS

Sources are defined in *[[source]]* sections. The following options are available:

*name*
	The name used to identify the source in logs and in the cache. All sources
	should have distinct names. Should only contain characters that can be put
	in a filename. Required.

*url*
	The URL of the source. It must point to a JSON file following the format
	described in the README.

*ipv4*
	A list of allowed IPv4 networks, each of the form _"ADDR/LEN"_. All of the
	address bits after the prefix must be set to 0.

	If a source tries to assign a range of addresses to a peer and that range
	has addresses that are not listed in the *ipv4* configuration option, the
	entire range is discarded.

	Default: _[]_

*ipv6*
	A list of allowed IPv6 networks, each of the form _"ADDR/LEN"_. All of the
	address bits after the prefix must be set to 0.

	If a source tries to assign a range of addresses to a peer and that range
	has addresses that are not listed in the *ipv6* configuration option, the
	entire range is discarded.

	Default: _[]_

*psk*
	Path to a file containing the default preshared key used for all peers
	defined by this source.

	Default: no preshared key

*required*
	Boolean. If set to true, *wgconfd*(8) will fail to start if fetching the
	source fails.

	Default: _false_

*allow_road_warriors*
	Boolean. If set to false, road warriors from this source will not be allowed
	to use this interface machine as their base peer.

	Default: _true_

# PEER SECTIONS

In some cases one may want to override some settings for individual peers.
This can be achieved through *[[peer]]* sections:

*public_key*
	The public key of the peer for which the overrides apply, as a base64
	encoded string.

	Required.

*source*
	If specified, ignore attempts by other sources to define this peer. Note
	that even if this is set, other sources can add allowed IP addresses for
	the peer by creating road warriors.

	Default: do not restrict source

*endpoint*
	Override the endpoint address of the peer.

	Default: use the endpoint address from the source

*psk*
	Path to a preshared key to use for this peer.

	Default: the PSK of the source, if any

*keepalive*
	Override the persistent keepalive timeout for this peer. The value here is
	not affected by the *min_keepalive* and *max_keepalive* configuration
	options.

	Default: the keepalive value from the source, or infinite if not set,
	restricted by *min_keepalive* and *max_keepalive*

Note that having a *[[peer]]* section is not enough to create a peer - it must
also exist in one of the sources.