GitLab

NetworkManager has native support for WireGuard ([1]). But still, nmcli does not support configuring WireGuard peers of a connection profile.

---

The workarounds are:

• edit the keyfile under /etc/NetworkManager/system-connections and reload the profile with nmcli connection reload or nmcli connection load $FILENAME.

• re-import a new profile from a wg-quick configuration file with nmcli connection import type wireguard file $FILENAME. The downside of this is that it always creates a new profile.

• use the example script or the D-Bus API directly in any way you see fit.

• use recent plasma-nm or nm-connection-editor which supports peers. nm-applet support is still missing (https://gitlab.gnome.org/GNOME/network-manager-applet/issues/77) and gnome-control-center/gnome-shell (both don't support WireGuard at the moment).

---

The difficulty is that currently nmcli has a static list of properties that it supports. But for peers, the properties should be multilayered and dynamic. E.g.

  nmcli connection modify "$PROFILE" 'wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.endpoint' 'my.host.tld:8000'

should work as you'd expect. Likewise, nmcli connection show "$PROFILE" should list:

wireguard.private-key-flags:                                         0 (none)
wireguard.listen-port:                                               8001
wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.endpoint      my.host.tld:8000
wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.allowed-ips   192.168.75.3/32
...

It should not treat WireGuard peers like ipv4.addresses, vpn.data or bond.options. Instead, those properties should unfold in nmcli.

This is currently not how nmcli works, so it's a larger effort...

---