wg Command
Intermediate | Networking | man(8) | WireGuard VPN management tool
Updated: Mar 16, 2026
SYNTAX
wg [SUBCOMMAND] [OPTIONS]
What Does wg Do?
The wg command is the configuration utility for WireGuard, the modern high-performance VPN protocol built into the Linux kernel since version 5.6. It allows you to create and manage WireGuard interfaces, generate cryptographic keys, add and remove peers, and monitor tunnel status.
WireGuard is fundamentally different from traditional VPN solutions like OpenVPN and IPsec. With approximately 4,000 lines of kernel code (compared to OpenVPN's 600,000+), WireGuard delivers superior performance, simpler configuration, and a smaller attack surface. It uses state-of-the-art cryptography: Curve25519 for key exchange, ChaCha20 for encryption, Poly1305 for authentication, and BLAKE2s for hashing.
The wg command works alongside wg-quick, which provides a higher-level interface for bringing up and down WireGuard interfaces using configuration files. While wg handles low-level interface configuration, wg-quick manages routing, DNS, and firewall rules automatically.
System administrators use wg for key generation, real-time tunnel monitoring, dynamic peer management (adding/removing peers without restart), and troubleshooting VPN connectivity issues.
Options & Flags
| Option | Description | Example |
|---|---|---|
| show | Show current WireGuard interface configuration and status | sudo wg show |
| show wg0 | Show status of specific interface | sudo wg show wg0 |
| showconf wg0 | Show running configuration in config file format | sudo wg showconf wg0 |
| genkey | Generate a new private key | wg genkey > private.key |
| pubkey | Derive public key from private key | cat private.key \| wg pubkey > public.key |
| genpsk | Generate a preshared key for quantum resistance | wg genpsk > preshared.key |
| set wg0 peer KEY allowed-ips IPs | Add or update a peer on a running interface | sudo wg set wg0 peer PUBKEY allowed-ips 10.0.0.2/32 |
| set wg0 peer KEY remove | Remove a peer from a running interface | sudo wg set wg0 peer PUBKEY remove |
| show wg0 transfer | Show data transfer statistics per peer | sudo wg show wg0 transfer |
| show wg0 latest-handshakes | Show timestamp of last handshake per peer | sudo wg show wg0 latest-handshakes |
Practical Examples
#1 Generate a key pair
Generate private and public keys in one command. The umask keeps the private key from being created world-readable, and chmod tightens the permissions if the file already existed.
$ (umask 077; wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key) && chmod 600 /etc/wireguard/private.key
#2 Show interface status
Display full status including peers, endpoints, allowed IPs, latest handshake, and transfer stats.
$ sudo wg show wg0
Output:
interface: wg0
  public key: abc123...
  private key: (hidden)
  listening port: 51820

peer: def456...
  endpoint: 203.0.113.1:51820
  allowed ips: 10.0.0.2/32
  latest handshake: 42 seconds ago
  transfer: 1.23 GiB received, 456.78 MiB sent
#3 Add a peer dynamically
Add a new peer to a running WireGuard interface without restarting the tunnel.
$ sudo wg set wg0 peer "PEER_PUBLIC_KEY" allowed-ips 10.0.0.10/32 endpoint "vpn.example.com:51820"
#4 Remove a peer
Remove a peer from the running interface. Does not modify the config file.
$ sudo wg set wg0 peer "PEER_PUBLIC_KEY" remove
#5 Start WireGuard with wg-quick
Bring up wg0 interface using /etc/wireguard/wg0.conf. Configures routing, DNS, and firewall rules automatically.
$ sudo wg-quick up wg0
#6 Save running config to file
Saves the current running configuration (including dynamically added peers) back to the config file.
$ sudo wg-quick save wg0
#7 Monitor handshakes
Continuously monitor handshake timestamps. A stale timestamp (>2 minutes) indicates connectivity issues.
$ watch -n 2 'sudo wg show wg0 latest-handshakes'
#8 Enable at boot with systemd
Enable and start WireGuard as a systemd service that persists across reboots.
$ sudo systemctl enable --now wg-quick@wg0
Tips & Best Practices
Protect private keys: Private keys should be chmod 600, owned by root. Never share private keys. Only exchange public keys between peers.
Use wg-quick for daily operation: Use wg-quick up/down for starting/stopping tunnels. Use raw wg commands for dynamic peer management and monitoring.
Handshake timeout: WireGuard performs a new handshake every 2 minutes. If latest handshake is older than 5 minutes, the peer is likely unreachable.
PersistentKeepalive for NAT: If a peer is behind NAT, set PersistentKeepalive = 25 to keep the NAT mapping alive with 25-second keepalive packets.
UDP only: WireGuard uses UDP exclusively. Ensure your firewall allows UDP on the WireGuard port (default 51820). TCP is not supported.
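A scripted version of the handshake check from example #7 and the "Handshake timeout" tip, as an added example that is not from the original page or the WireGuard project. `wg show wg0 latest-handshakes` prints one peer public key and a Unix timestamp per line, with 0 for a peer that has never completed a handshake; the function names, the placeholder keys and the 300-second threshold (the tip's 5 minutes) are assumptions. Handshakes only happen when traffic flows, so an idle peer without PersistentKeepalive can be reported stale while still reachable.

```shell
#!/bin/sh
# Added example: classify peers from `wg show <if> latest-handshakes` output.
# Each input line is "<public-key>\t<unix-epoch-seconds>"; 0 = no handshake yet.

# handshake_report NOW MAX_AGE   (reads latest-handshakes lines on stdin)
# Prints "<state> <public-key> <age-in-seconds-or-dash>" for each peer.
handshake_report() {
    awk -v now="$1" -v max="$2" '
        NF == 2 {
            if ($2 == 0)             { print "never", $1, "-" }
            else if (now - $2 > max) { print "stale", $1, now - $2 }
            else                     { print "ok", $1, now - $2 }
        }'
}

# count_unhealthy NOW MAX_AGE: number of peers reported as never or stale.
count_unhealthy() {
    handshake_report "$1" "$2" | awk '$1 != "ok" { n++ } END { print n + 0 }'
}

# Constructed sample input (placeholder keys, not real ones).
sample_handshakes() {
    printf 'PEER_A_PUBKEY=\t1700000000\n'
    printf 'PEER_B_PUBKEY=\t1699999000\n'
    printf 'PEER_C_PUBKEY=\t0\n'
}

# Live use (needs root and a running interface):
#   sudo wg show wg0 latest-handshakes | handshake_report "$(date +%s)" 300
sample_handshakes | handshake_report 1700000042 300
```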
Frequently Asked Questions
How do I set up a WireGuard VPN server?
Generate keys with wg genkey/pubkey, create /etc/wireguard/wg0.conf with [Interface] (Address, ListenPort, PrivateKey) and [Peer] sections, enable IP forwarding, and start with wg-quick up wg0.
How do I check if WireGuard is connected?
Run sudo wg show. Look for "latest handshake" — if it shows a recent timestamp (within 2 minutes), the tunnel is active. If there is no handshake, the peer cannot be reached.
Can I add peers without restarting WireGuard?
Yes. Use sudo wg set wg0 peer PUBKEY allowed-ips 10.0.0.X/32 to add peers dynamically. Use wg-quick save wg0 to persist the change to the config file.
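A pre-flight check for the dynamic peer add described above, as an added example that is not from the original page or the WireGuard project. WireGuard routes each allowed IP to exactly one peer, so giving a new peer a range another peer already holds moves that range to the new peer, and a wider or narrower overlapping range splits traffic by longest prefix. The function names and placeholder keys are assumptions, and only IPv4 ranges are compared.

```shell
#!/bin/sh
# Added example: before `wg set <if> peer KEY allowed-ips CIDR`, list existing
# peers that already hold an identical or overlapping IPv4 range.
# Input: `wg show <if> allowed-ips` lines, "<public-key>\t<cidr> <cidr> ...".

# allowedips_conflicts CANDIDATE_CIDR   (reads allowed-ips lines on stdin)
# Prints "<kind> <public-key> <existing-cidr>", kind is "same" or "overlap".
allowedips_conflicts() {
    awk -v cand="$1" '
        # Parse "a.b.c.d/len" into globals IP and LEN; return 0 if not IPv4.
        function parse(cidr,   p, o) {
            if (split(cidr, p, "/") != 2 || split(p[1], o, ".") != 4) return 0
            IP  = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
            LEN = p[2] + 0
            return 1
        }
        # Network number of ip truncated to its first len bits.
        function net(ip, len) { return int(ip / 2 ^ (32 - len)) }
        BEGIN { if (!parse(cand)) exit 2; cip = IP; clen = LEN }
        {
            for (i = 2; i <= NF; i++) {
                if (!parse($i)) continue        # skips IPv6 and "(none)"
                m = (clen < LEN) ? clen : LEN
                if (net(cip, m) != net(IP, m)) continue
                kind = (clen == LEN) ? "same" : "overlap"
                print kind, $1, $i
            }
        }'
}

# Constructed sample input (placeholder keys, not real ones).
sample_allowedips() {
    printf 'PEER_A_PUBKEY=\t10.0.0.2/32\n'
    printf 'PEER_B_PUBKEY=\t10.0.0.10/32 fd00::10/128\n'
    printf 'PEER_C_PUBKEY=\t10.0.1.0/24\n'
    printf 'PEER_D_PUBKEY=\t(none)\n'
}

# Live use: sudo wg show wg0 allowed-ips | allowedips_conflicts 10.0.0.10/32
sample_allowedips | allowedips_conflicts 10.0.0.10/32
```

Empty output means no existing peer holds the candidate range; awk exits with status 2 if the candidate is not a valid IPv4 CIDR.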
What is the difference between wg and wg-quick?
wg is the low-level tool for key generation and interface configuration. wg-quick is a higher-level wrapper that reads config files and handles routing, DNS, and firewall rules automatically.
How do I generate a QR code for mobile WireGuard?
Install qrencode, then run: qrencode -t ansiutf8 < /etc/wireguard/client.conf — scan the QR code with the WireGuard mobile app.