UNPKG

wireguard-tools

Version:

The best way to interact with WireGuard from Node

guardline-vpn/wireguard-tools

123 lines (122 loc) 5.96 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
/** Defines the VPN settings for the local node. */ export interface WgConfigInterface { /** * This is just a standard comment in INI syntax used to help keep track of which config section belongs to which node, * it's completely ignored by WireGuard and has no effect on VPN behavior. */ name?: string; /** * Defines what address range the local node should route traffic for. * Depending on whether the node is a simple client joining the VPN subnet, or a bounce server that's relaying traffic * between multiple clients, this can be set to a single IP of the node itself (specified with CIDR notation), * e.g. 192.0.2.3/32), or a range of IPv4/IPv6 subnets that the node can route traffic for. */ address?: string[]; /** * When the node is acting as a public bounce server, it should hardcode a port to listen for incoming VPN connections * from the public internet. Clients not acting as relays should not set this value. */ listenPort?: number; /** * This is the private key for the local node, never shared with other servers. * All nodes must have a private key set, regardless of whether they are public bounce servers relaying traffic, * or simple clients joining the VPN. */ privateKey?: string; /** * The DNS server(s) to announce to VPN clients via DHCP, most clients will use this server for DNS requests over the VPN, * but clients can also override this value locally on their nodes */ dns?: string[]; /** * Optionally defines which routing table to use for the WireGuard routes, not necessary to configure for most setups. * There are two special values: * -**‘off’**: disables the creation of routes altogether, and * -**‘auto’**: (the default if omitted) adds routes to the default table and enables special handling of default routes. */ table?: string; /** * Optionally defines the maximum transmission unit (MTU, aka packet/frame size) to use when connecting to the peer, * not necessary to configure for most setups. The MTU is automatically determined from the endpoint addresses or * the system default route, which is usually a sane choice. */ mtu?: number; /** * Optionally run bash commands before the interface is brought up. * These will be added to the config file in order and executed in order. Position 0 in array will be run first. */ preUp?: string[]; /** * Optionally run bash commands after the interface is brought up. * These will be added to the config file in order and executed in order. Position 0 in array will be run first. */ postUp?: string[]; /** * Optionally run bash commands before the interface is brought down. * These will be added to the config file in order and executed in order. Position 0 in array will be run first. */ preDown?: string[]; /** * Optionally run bash commands after the interface is brought down. * These will be added to the config file in order and executed in order. Position 0 in array will be run first. */ postDown?: string[]; } /** * Defines the VPN settings for a remote peer capable of routing traffic for one or more addresses (itself and/or other peers). * Peers can be either a public bounce server that relays traffic to other peers, or a directly accessible client via * LAN/internet that is not behind a NAT and only routes traffic for itself. */ export interface WgConfigPeer { /** * This is just a standard comment in INI syntax used to help keep track of which config section belongs to which node, * it's completely ignored by WireGuard and has no effect on VPN behavior. */ name?: string; /** * Defines the publicly accessible address for a remote peer. * This should be left out for peers behind a NAT or peers that don't have a stable publicly accessible IP:PORT pair. * Typically, this only needs to be defined on the main bounce server, but it can also be defined on other public nodes with stable IPs. */ endpoint?: string; /** * This defines the IP ranges for which a peer will route traffic. * On simple clients, this is usually a single address (the VPN address of the simple client itself). * For bounce servers this will be a range of the IPs or subnets that the relay server is capable of routing traffic for. */ allowedIps?: string[]; /** * This is the public key for the remote node, shareable with all peers. All nodes must have a * public key set, regardless of whether they are public bounce servers relaying traffic, or simple clients joining the VPN. */ publicKey?: string; /** * The number of seconds between each keep-alive ping. * If the connection is going from a NAT-ed peer to a public peer, the node behind the NAT must regularly send an outgoing * ping in order to keep the bidirectional connection alive in the NAT router's connection table. */ persistentKeepalive?: number; /** * A pre-shared key generated on the remote node to improve security. */ preSharedKey?: string; } /** Defines the WireGuard config for this node */ export interface WgConfigObject { /** Defines the VPN settings for the local node. */ wgInterface: WgConfigInterface; /** An array of VPN settings for remote peers */ peers?: WgConfigPeer[]; /** * A place to keep the public key for this node * Usefull when saving this config somewhere where you can't generate the public key * * Note: the private key for this node should be kept in `interface.privateKey` */ publicKey?: string; /** * A place to keep the preSharedKey key for this node * Usefull when saving this config somewhere where you need to generate peers in future */ preSharedKey?: string; }