[RFE] add support for nmcli for configuring WireGuard peers
NetworkManager has native support for WireGuard ([1]). But still, nmcli does not support configuring WireGuard peers of a connection profile.
The workarounds are:
-
edit the keyfile under
/etc/NetworkManager/system-connectionsand reload the profile withnmcli connection reloadornmcli connection load $FILENAME. -
re-import a new profile from a wg-quick configuration file with
nmcli connection import type wireguard file $FILENAME. The downside of this is that it always creates a new profile. -
use the example script or the D-Bus API directly in any way you see fit.
-
use recent plasma-nm or nm-connection-editor which supports peers. nm-applet support is still missing (https://gitlab.gnome.org/GNOME/network-manager-applet/issues/77) and gnome-control-center/gnome-shell (both don't support WireGuard at the moment).
The difficulty is that currently nmcli has a static list of properties that it supports. But for peers, the properties should be multilayered and dynamic. E.g.
nmcli connection modify "$PROFILE" 'wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.endpoint' 'my.host.tld:8000'should work as you'd expect. Likewise, nmcli connection show "$PROFILE" should list:
wireguard.private-key-flags: 0 (none)
wireguard.listen-port: 8001
wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.endpoint my.host.tld:8000
wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.allowed-ips 192.168.75.3/32
...It should not treat WireGuard peers like ipv4.addresses, vpn.data or bond.options. Instead, those properties should unfold in nmcli.
This is currently not how nmcli works, so it's a larger effort...