This is my WireGuard config file; it routes all internet traffic through the VPN server:
[Interface]
PrivateKey = MY_PRIVATE_KEY
Address = 10.66.209.180/32,fc00:bbbb:bbbb:bb01::3:d1b3/128
DNS = 100.64.0.3
[Peer]
PublicKey = 5Ms10UxGjCSzwImTrvEjcygsWY8AfMIdYyRvgFuTqH8=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = IP.ADDR:51820
I can activate the config by invoking `wg-quick` directly or by using `systemctl start wg-quick@cfgname`, and everything works as it should; my public IP address does change. If I enable the config via systemd and reboot my computer, my public IP address no longer changes. There are no other VPN connections on the device.
How do I make my WireGuard config persistent?
Last edited by pyraluxite (2025-10-17 06:49:46)
While you can enable a wg-quick WireGuard configuration in this way, your network management may interfere and reset (overwrite) your default route.
You have to integrate your WireGuard connection into your network management.
This is what my entire network configuration looks like (no NetworkManager):
#/etc/systemd/network/20-wired.network
[Match]
Name=enp4s0
[Link]
RequiredForOnline=routable
[Network]
DHCP=yes
systemd-networkd has native support for WireGuard.
Stop & disable the wg-quick unit.
Follow the example in the Wiki: https://wiki.archlinux.org/title/WireGu … d-networkd (Your netdev file only needs one peer):
[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
ListenPort=51820
[WireGuardPeer]
PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
Endpoint=wireguard.example.com:51820
[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=PRIVATE_KEY
[WireGuardPeer]
PublicKey=5Ms10UxGjCSzwImTrvEjcygsWY8AfMIdYyRvgFuTqH8=
AllowedIPs=0.0.0.0/0 ::0/0
Endpoint=IP.ADDR:51820
[Match]
Name=wg0
[Network]
Address=10.66.209.180/32
Address=fc00:bbbb:bbbb:bb01::3:d1b3/128
DNS=100.64.0.3
These two configs create a wireguard interface, but my system traffic still does not go through that interface (my public IP does not change). What is wrong?
AllowedIPs must be either separated by a comma or on two separate AllowedIPs lines.
I just read that systemd-networkd has its own mode for routing all traffic through WireGuard: https://wiki.archlinux.org/title/WireGu … _WireGuard (PeerB setup)
Last edited by -thc (2025-10-16 17:03:42)
#/etc/systemd/network/40-wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=PRIVATE_KEY
FirewallMark=0x8888
[WireGuardPeer]
PublicKey=5Ms10UxGjCSzwImTrvEjcygsWY8AfMIdYyRvgFuTqH8=
AllowedIPs=0.0.0.0/0
AllowedIPs=::0/0
Endpoint=EP.IP.ADDR:51820
RouteTable=1000
#/etc/systemd/network/40-wg0.network
[Match]
Name=wg0
[Network]
Address=10.66.209.180/32
Address=fc00:bbbb:bbbb:bb01::3:d1b3/128
DNS=100.64.0.3
[RoutingPolicyRule]
Family=both
FirewallMark=0x8888
InvertRule=true
Table=1000
Priority=10
# Exempt the endpoint IP address so that wireguard can still connect to it.
[RoutingPolicyRule]
To=EP.IP.ADDR/32
Priority=5
# Exempt LAN.
[RoutingPolicyRule]
To=192.168.2.0/24
Priority=9
That solves it.
Last edited by pyraluxite (2025-10-17 09:31:05)
O.K.
Whoever reads this and asks "Why is the wg-quick configuration so simple in comparison to the systemd-networkd configuration?": wg-quick silently implements comparable rule-based routing on activation.
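Added example, not part of the thread and not code posted by anyone in it: a small Python checker for the .netdev/.network pair from the working post above, covering both that post and the closing remark about wg-quick. It parses the two unit files and reports the mismatches the thread ran into (AllowedIPs= separated by a space instead of a comma, no RouteTable=, a missing or mismatched FirewallMark=, an endpoint exemption that is not consulted before the catch-all rule). The config text embedded in it is constructed from the posts, with the endpoint placeholder replaced by the documentation address 203.0.113.10 so the exemption check has a literal to test; the function names are the example's own.

```python
"""Lint a systemd-networkd "route everything through WireGuard" config pair.
Added example, not from the thread. It checks the settings that must agree
for the policy routing to work: AllowedIPs= split on commas or repeated keys,
[WireGuard] FirewallMark= equal to the inverted catch-all rule's mark, the
peer's RouteTable= equal to that rule's Table=, and a main-table exemption
for the endpoint ordered before it. Sample configs below are constructed."""
import ipaddress
from collections import defaultdict

def parse_unit(text):
    """Unit-file syntax: sections and keys may repeat (lists); only whole-line comments."""
    sections, kv = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            kv = defaultdict(list)
            sections.append((line[1:-1], kv))
        elif "=" in line and kv is not None:
            key, _, value = line.partition("=")
            kv[key.strip()].append(value.strip())
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def last(kv, key, default=None):
    """systemd keeps the last assignment of a scalar key."""
    return kv[key][-1] if kv.get(key) else default

def lint(netdev_text, network_text):
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings, netdev = [], parse_unit(netdev_text)
    wg = next((kv for s, kv in netdev if s == "WireGuard"), {})
    rules = [kv for s, kv in parse_unit(network_text) if s == "RoutingPolicyRule"]
    for peer in (kv for s, kv in netdev if s == "WireGuardPeer"):
        allowed = []
        for item in (x.strip() for v in peer.get("AllowedIPs", []) for x in v.split(",")):
            try:
                allowed.append(ipaddress.ip_network(item, strict=False))
            except ValueError:  # e.g. "0.0.0.0/0 ::0/0": a space, not a comma
                findings.append(f"AllowedIPs entry {item!r} is not a prefix; "
                                "separate entries with commas or repeat the key")
        if any(n.prefixlen == 0 for n in allowed):
            findings += check_default_peer(peer, wg, rules)
    return findings

def check_default_peer(peer, wg, rules):
    """Checks for a peer whose AllowedIPs= contain a default route."""
    table = last(peer, "RouteTable")
    if table is None:
        return ["default-route peer lacks RouteTable=; its /0 routes would land in main"]
    catchall = next((r for r in rules if last(r, "Table") == table), None)
    if catchall is None:
        return [f"no [RoutingPolicyRule] with Table={table}"]
    f = []
    # FirewallMark= is "mark" or "mark/mask", decimal or 0x-hex; compare the mark part.
    marks = [last(wg, "FirewallMark"), last(catchall, "FirewallMark")]
    if (None in marks or len({int(m.split("/")[0], 0) for m in marks}) != 1
            or last(catchall, "InvertRule", "no") not in ("1", "yes", "true", "on")):
        f.append("catch-all rule needs InvertRule=true and the [WireGuard] FirewallMark=, "
                 "so the tunnel's own UDP packets stay in the main table")
    host = last(peer, "Endpoint", "").rsplit(":", 1)[0].strip("[]")
    try:
        ep = ipaddress.ip_address(host)
    except ValueError:
        return f + [f"endpoint {host!r} is not an IP literal; cannot verify its exemption"]
    prio = last(catchall, "Priority")  # lower number = consulted earlier
    if prio is None or not any(
            last(r, "To") and ep in ipaddress.ip_network(last(r, "To"), strict=False)
            and last(r, "Table", "main") in ("main", "254")
            and int(last(r, "Priority", prio)) < int(prio) for r in rules):
        f.append(f"no main-table exemption for endpoint {ep} before the catch-all rule")
    return f

# Constructed: the thread's second attempt (no mark, no table, AllowedIPs
# separated by a space). 203.0.113.10 is a documentation address.
BROKEN_NETDEV = """[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=PRIVATE_KEY
[WireGuardPeer]
PublicKey=5Ms10UxGjCSzwImTrvEjcygsWY8AfMIdYyRvgFuTqH8=
AllowedIPs=0.0.0.0/0 ::0/0
Endpoint=203.0.113.10:51820
"""
BROKEN_NETWORK = "[Match]\nName=wg0\n[Network]\nAddress=10.66.209.180/32\nDNS=100.64.0.3\n"
# Constructed: the working PeerB-style layout, derived from the broken pair.
FIXED_NETDEV = BROKEN_NETDEV.replace(
    "PrivateKey=PRIVATE_KEY", "PrivateKey=PRIVATE_KEY\nFirewallMark=0x8888").replace(
    "AllowedIPs=0.0.0.0/0 ::0/0", "AllowedIPs=0.0.0.0/0\nAllowedIPs=::0/0\nRouteTable=1000")
FIXED_NETWORK = BROKEN_NETWORK + """[RoutingPolicyRule]
Family=both
FirewallMark=0x8888
InvertRule=true
Table=1000
Priority=10
[RoutingPolicyRule]
To=203.0.113.10/32
Priority=5
"""
```

Import it and call lint() on the contents of the real files; an empty list means the pieces agree. The checker only reads the files, so after a reboot still compare against the kernel with `ip rule show` and `ip route show table 1000`. The shape it verifies is the one wg-quick builds on activation for a 0.0.0.0/0 peer: it sets the interface fwmark (51820 unless that table is taken), puts the default route in a table of the same number, and installs `ip rule add not fwmark 51820 table 51820` together with `ip rule add table main suppress_prefixlength 0`, which is why the posted networkd files are so much longer than the wg-quick config that does the same thing.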