To connect to a Wireguard VPN server you need the kernel module to be
loaded in memory and a package providing networking tools that support
Here is a configuration example for Linux-Libre < 5.6, where the module is out of tree and need to be loaded manually—following revisions of the kernel have it built-in and so don’t need such configuration:
(use-modules (gnu)) (use-service-modules desktop) (use-package-modules vpn) (operating-system ;; … (services (cons (simple-service 'wireguard-module kernel-module-loader-service-type '("wireguard")) %desktop-services)) (packages (cons wireguard-tools %base-packages)) (kernel-loadable-modules (list wireguard-linux-compat)))
After reconfiguring and restarting your system you can either use Wireguard tools or NetworkManager to connect to a VPN server.
To test your Wireguard setup it is convenient to use
Just give it a configuration file
wg-quick up ./wg0.conf; or
put that file in /etc/wireguard and run
wg-quick up wg0
Note: Be warned that the author described this command as a: “[…] very quick and dirty bash script […]”.
Thanks to NetworkManager support for Wireguard we can connect to our VPN
nmcli command. Up to this point this guide assumes that
you’re using Network Manager service provided by
%desktop-services. Ortherwise you need to adjust your services
list to load
network-manager-service-type and reconfigure your
To import your VPN configuration execute nmcli import command:
# nmcli connection import type wireguard file wg0.conf Connection 'wg0' (edbee261-aa5a-42db-b032-6c7757c60fde) successfully added
This will create a configuration file in /etc/NetworkManager/wg0.nmconnection. Next connect to the Wireguard server:
$ nmcli connection up wg0 Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
By default NetworkManager will connect automatically on system boot. To change that behaviour you need to edit your config:
# nmcli connection modify wg0 connection.autoconnect no
For more specific information about NetworkManager and wireguard see this post by thaller.