How to import WireGuard profile using nmcli on Linux

I have multiple WireGuard profiles on Linux. Is there any way to import a WireGuard profile (/etc/wireguard/wg{0,1,2}.conf files) using nmcli on Linux? I don’t want to become root and run systemctl start wg-quick@wg0. How can I import an existing WireGuard profile using the NetworkManager command-line interface?

WireGuard is an easy-to-set-up, open source virtual private network (VPN) technology for creating secure point-to-point connections in various configurations. It works on Linux, *BSD, macOS, and mobile devices. This page explains how to import an existing WireGuard profile file using nmcli on a Linux desktop.
How to import WireGuard profile using nmcli on Linux

We can import /etc/wireguard/wg0.conf with the following steps:

  1. Set up a shell environment variable: file='/etc/wireguard/wg0.conf'
  2. Now import it using the nmcli command: sudo nmcli connection import type wireguard file "$file"
  3. Rename the profile wg0 as mum-office-vpn: nmcli connection modify wg0 connection.id "mum-office-vpn"
  4. Repeat this procedure for all WireGuard profiles on Linux when using the NetworkManager command-line interface, nmcli.

Let us see WireGuard in NetworkManager in detail. Please note that you must have a WireGuard server installed and configured. See how to install WireGuard on Alpine Linux, CentOS 8, Debian 10, and Ubuntu 20.04 LTS.

Importing WireGuard profile

WireGuard comes with wg-quick to set up WireGuard tunnels quickly. Here is how a sample wg0.conf looks:

# MUM OFFICE VPN
[Interface]
PrivateKey = {private-key-here}
Address = 10.8.1.2/24
DNS = 10.8.1.1
[Peer]
PublicKey = {Pub-key-here}
PresharedKey = {Pre-shared-key-here}
AllowedIPs = 0.0.0.0/0
Endpoint = $Linux_SERVER_IP_HERE:$Port
PersistentKeepalive = 15

I am not aware of a GUI option on Linux that can import config files such as wg0.conf. Hence, I ended up using nmcli. It is a command-line tool for controlling NetworkManager and reporting network status.

nmcli import command syntax

The import option allows users to import an external/foreign configuration as a NetworkManager connection profile. The type option specifies the type of the input file. Keep in mind only VPN configurations are supported at the moment. The syntax is:
nmcli connection import type wireguard file "/path/to/wg0.conf"
We can import wg0.conf, wg1.conf and wg2.conf as follows using a bash for loop:

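#!/usr/bin/env bash
# Each entry is "config-file|connection-name"
configs="wg0.conf|mum-office-vpn wg1.conf|del-office-vpn wg2.conf|aws-ec2-vpn"
wgpath="/etc/wireguard"
for c in $configs
do
	# Split the entry on '|' without changing IFS for the rest of the script
	IFS='|' read -r conf name <<< "$c"
	echo "Importing ${wgpath}/${conf} ... "
	sudo nmcli connection import type wireguard file "${wgpath}/${conf}"
	# The imported profile is named after the file (wg0.conf -> wg0)
	echo "Renaming ${conf%.conf} as ${name} ..."
	nmcli connection modify "${conf%.conf}" connection.id "${name}"
done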

Run your shell script as follows:
bash /path/to/script
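
A profile file holds a private key and its file name becomes the profile and interface name, so it is worth checking both before importing. The script below is an added example, not part of the original tutorial; wg_conf_precheck and demo are hypothetical helper names, and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/usr/bin/env bash
# Added example: sanity checks to run on a wg-quick profile before importing it.
# wg_conf_precheck and demo are hypothetical helper names.

wg_conf_precheck() {
	local file="$1" name mode rc=0
	[ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }

	# The imported profile is named after the file (wg0.conf -> wg0),
	# and an interface name must not be longer than 15 characters.
	name="$(basename "$file" .conf)"
	if [ "${#name}" -gt 15 ]; then
		echo "FAIL: '$name' is longer than 15 characters"; rc=1
	fi

	# The file holds a private key: group and others must have no access.
	mode="$(stat -c '%a' "$file")"
	if [ $(( 0$mode & 077 )) -ne 0 ]; then
		echo "FAIL: mode $mode gives group/others access to the key file"; rc=1
	fi

	grep -q '^\[Interface]' "$file" || { echo "FAIL: no [Interface] section"; rc=1; }
	grep -Eq '^PrivateKey[[:space:]]*=' "$file" || { echo "FAIL: no PrivateKey"; rc=1; }
	grep -q '^\[Peer]' "$file" || { echo "FAIL: no [Peer] section"; rc=1; }
	grep -Eq '^PublicKey[[:space:]]*=' "$file" || { echo "FAIL: no PublicKey"; rc=1; }

	# Not a failure, but good to know before activation: full-tunnel routing.
	if grep -Eq '^AllowedIPs[[:space:]]*=(.*,)?[[:space:]]*0\.0\.0\.0/0' "$file"; then
		echo "NOTE: AllowedIPs has 0.0.0.0/0, all IPv4 traffic will use this peer"
	fi
	return "$rc"
}

# Constructed sample with placeholder keys and a deliberately loose mode.
demo() {
	local d rc=0
	d="$(mktemp -d)"
	printf '%s\n' '[Interface]' 'PrivateKey = {private-key-here}' \
		'Address = 10.8.1.2/24' '[Peer]' 'PublicKey = {Pub-key-here}' \
		'AllowedIPs = 0.0.0.0/0' > "$d/wg0.conf"
	chmod 644 "$d/wg0.conf"
	wg_conf_precheck "$d/wg0.conf" || rc=$?
	rm -rf "$d"
	return "$rc"
}

# Check the file given on the command line, or run the demo.
if [ $# -gt 0 ]; then wg_conf_precheck "$1"; else demo || true; fi
```

Files under /etc/wireguard are normally readable by root only, so run the check with sudo and pass the profile path as the first argument.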

Viewing information about imported WireGuard configs

Run:
nmcli connection show
See detailed information about the wg0 profile, now called mum-office-vpn:
nmcli connection show mum-office-vpn
nmcli connection show mum-office-vpn | more

Activating WireGuard VPN from the CLI

We can activate a connection. The connection is identified by its name such as mum-office-vpn. Hence, we can type the following command to bring up the VPN interface:
nmcli connection up mum-office-vpn
Take down or deactivate the WireGuard VPN using the following syntax:
nmcli connection down mum-office-vpn
We can connect to multiple VPN interfaces provided that correct routing and IP settings are in place. For example, I can work with office stuff and the AWS EC2 cloud at the same time:
nmcli connection up mum-office-vpn
nmcli connection up aws-ec2-vpn
ping -c4 ec2-server-wg-ip
ping -c4 mum-office-ssh-gateway-wg-ip

Use the ip command and wg command to view IP routing and other information:
ip -c r
sudo wg

How to see WireGuard profile options

Run the following command along with the grep command/egrep command:
nmcli connection show mum-office-vpn
nmcli connection show mum-office-vpn | more
nmcli connection show mum-office-vpn | grep 'dns'
nmcli connection show mum-office-vpn | grep -E -i 'dns|autoconnec'

Here we see options:

connection.autoconnect:                 no
connection.autoconnect-priority:        0
connection.autoconnect-retries:         -1 (default)
connection.autoconnect-slaves:          -1 (default)
connection.mdns:                        -1 (default)
ipv4.dns:                               --
ipv4.dns-search:                        --
ipv4.dns-options:                       --
ipv4.dns-priority:                      0
ipv4.ignore-auto-dns:                   no
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       --
ipv6.dns-priority:                      0
ipv6.ignore-auto-dns:                   no

For instance, I can enable auto connection option for the mum-office-vpn but disable it for aws-ec2-vpn as follows:
$ nmcli connection modify mum-office-vpn connection.autoconnect yes
$ nmcli connection modify aws-ec2-vpn connection.autoconnect no

Change the WireGuard interface name too:
# interface name must not be longer than 15 characters #
$ nmcli connection modify sg-wg2 connection.interface-name sg-nixcraft-vpn
$ nmcli connection up sg-wg2
$ ip a s sg-nixcraft-vpn

And here is what we see:

26: sg-nixcraft-vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 172.16.0.2/24 brd 172.16.0.255 scope global noprefixroute sg-nixcraft-vpn
       valid_lft forever preferred_lft forever

Make sure you read the nmcli man page by typing the following man command:
man nmcli

What about a GUI option?

I believe they are working on adding WireGuard support to other NetworkManager clients, like nm-connection-editor. Once added, we can use the tray applet as an advanced network connection editor GUI.

Summing up

I hope you will find this little tutorial useful to deal with WireGuard using nmcli, especially importing WireGuard profile for your Linux desktop or laptop.

This entry is 7 of 7 in the WireGuard modern Linux/Unix/*BSD VPN Tutorial series. Keep reading the rest of the series:
  1. Ubuntu 20.04 set up WireGuard VPN server
  2. CentOS 8 set up WireGuard VPN server
  3. Debian 10 set up WireGuard VPN server
  4. WireGuard Firewall Rules in Linux
  5. Wireguard VPN client in a FreeBSD jail
  6. Alpine Linux set up WireGuard VPN server
  7. Import WireGuard profile using nmcli on Linux

2 comments
  • Bayilik Veren Siteler Feb 8, 2021 @ 23:06

    Thank you for writing this import content about WireGuard. Very understandable and simple.

  • Élise Duguay Mar 10, 2021 @ 7:35

    Just imported profile on my Fedora workstation. All tutorials on this site are golden.
