wgconfd(5)
# NAME
wgconfd - configuration file
# GLOBAL OPTIONS
The following global options are available:
*min_keepalive*
The minimum value for the persistent keepalive timeout, in seconds. Any peer
with a smaller timeout uses this one instead. Set to 0 to disable the
timeout altogether.
Default: _10_
*max_keepalive*
The maximum value for the persistent keepalive timeout, in seconds. Any peer
with a larger (or missing) timeout uses this one instead. If set to 0, there
is no maximum.
Default: _0_
*refresh_sec*
The time between configuration updates, in seconds.
Default: _1200_
*cache_directory*
Path to the cache directory.
Default: _$CACHE_DIRECTORY_
*runtime_directory*
Path to the runtime state directory.
Default: _$RUNTIME_DIRECTORY_
# SOURCE SECTIONS
Sources are defined in *[[source]]* sections. The following options are available:
*name*
The name used to identify the source in logs and in the cache. All sources
should have distinct names. Should only contain characters that can be put
in a filename. Required.
*url*
The URL of the source. It must point to a JSON file following the format
described in the README.
*ipv4*
A list of allowed IPv4 networks, each of the form _"ADDR/LEN"_. All of the
address bits after the prefix must be set to 0.
If a source tries to assign a range of addresses to a peer and that range
has addresses that are not listed in the *ipv4* configuration option, the
entire range is discarded.
Default: _[]_
*ipv6*
A list of allowed IPv6 networks, each of the form _"ADDR/LEN"_. All of the
address bits after the prefix must be set to 0.
If a source tries to assign a range of addresses to a peer and that range
has addresses that are not listed in the *ipv6* configuration option, the
entire range is discarded.
Default: _[]_
*psk*
Path to a file containing the default preshared key used for all peers
defined by this source.
Default: no preshared key
*required*
Boolean. If set to true, *wgconfd*(8) will fail to start if fetching the
source fails.
Default: _false_
*allow_road_warriors*
Boolean. If set to false, road warriors from this source will not be allowed
to use this interface machine as their base peer.
Default: _true_
# PEER SECTIONS
In some cases one may want to override some settings for individual peers.
This can be achieved through *[[peer]]* sections:
*public_key*
The public key of the peer for which the overrides apply, as a base64
encoded string.
Required.
*source*
If specified, ignore attempts by other sources to define this peer. Note
that even if this is set, other sources can add allowed IP addresses for
the peer by creating road warriors.
Default: do not restrict source
*endpoint*
Override the endpoint address of the peer.
Default: use the endpoint address from the source
*psk*
Path to a preshared key to use for this peer.
Default: the PSK of the source, if any
*keepalive*
Override the persistent keepalive timeout for this peer. The value here is
not affected by the *min_keepalive* and *max_keepalive* configuration
options.
Default: the keepalive value from the source, or infinite if not set,
restricted by *min_keepalive* and *max_keepalive*
Note that having a *[[peer]]* section is not enough to create a peer - it must
also exist in one of the sources.
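The sections above describe the options one at a time; the following is an added example of a complete configuration file that uses them together, not a file shipped with wgconfd. The source URL, key and file paths, the endpoint (assumed to be written as host:port, a format this page does not specify) and the public key are placeholders chosen for the illustration, and the *[[peer]]* entry only takes effect if a peer with that public key actually appears in the named source.

```toml
# Global options. min_keepalive, max_keepalive, cache_directory and
# runtime_directory are left at their documented meaning; refresh_sec is
# lowered from the 1200 s default so changes at the source are picked up sooner.
min_keepalive = 10
max_keepalive = 0
refresh_sec = 600
cache_directory = "/var/cache/wgconfd"     # placeholder path
runtime_directory = "/run/wgconfd"         # placeholder path

[[source]]
name = "example-org"                        # used in logs and as a cache file name
url = "https://example.com/wg/peers.json"   # placeholder; JSON format per the README
ipv4 = ["10.0.0.0/8"]                       # host bits after the prefix must be zero
ipv6 = ["fd00:1234::/48"]
psk = "/etc/wgconfd/example-org.psk"        # placeholder path to a preshared key file
required = true                             # refuse to start if this source cannot be fetched
allow_road_warriors = false                 # this machine is not a base peer for this source

[[peer]]
public_key = "BASE64_PUBLIC_KEY_PLACEHOLDER="   # placeholder, not a real key
source = "example-org"                          # only this source may define the peer
endpoint = "203.0.113.10:51820"                 # assumed host:port form, placeholder address
psk = "/etc/wgconfd/peer-override.psk"          # placeholder; replaces the source's PSK
keepalive = 25                                  # not clamped by min_keepalive/max_keepalive
```

Setting *required* on a source whose data the tunnel depends on, and *source* on any *[[peer]]* whose identity matters, keeps a second, less trusted source from silently redefining that peer; road warriors created by other sources can still add allowed IPs for it, as the *source* option notes.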