wg-ip, a tool to assign automatic ip addresses to wireguard interfaces

ST smntov at gmail.com
Tue Apr 10 14:57:47 CEST 2018

PS: you write that the "tool does not handle collisions", but does it
recognize and/or warn about them? I.e. if a peer with the newly
suggested IP exists already - will it warn?

For automation it would be nice to have some sort of "force" or
"keep-trying" options, so the tool regenerates the keys trying to find a
free IP and subsequently assigns it. With the enabled SaveConfig options
the new IP will be saved in the config file...

On Tue, 2018-04-10 at 14:32 +0200, Christophe-Marie Duquesne wrote:
> Hi,
> In an old thread [1], danrl suggested deriving node addresses from the
> peer public keys. I liked this idea, so I wrote a tool to do it. It
> works like this:
> generate an ipv6 address from the default ipv6 subnet of the script
> (fd1a:6126:2887::/48):
> wg-ip -6 gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=
> fd1a:6126:2887:17a1:2793:518a:7886:e8a4
> generate an ipv4 address from the default ipv4 subnet of the script
> (
> wg-ip -4 gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=
> generate an ip address from a custom subnet (ip version inferred from prefix):
> wg-ip --subnet gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=
> assign an ip address to the selected interface and allowed ips to the
> peers, all in the same subnet (existing allowed ips are preserved):
> wg-ip [-4|-6|--subnet <subnet>] [dev wg0] apply
> or just see which commands 'apply' would run
> wg-ip [-4|-6|--subnet <subnet>] [dryrun]
> Derivation algorithm: the bytes of the ip address are taken from the
> beginning bytes of the sha256 hash of the corresponding pubkey, and
> are masked with the network mask.
> The tool does not handle collisions nor special addresses: The idea is
> to pick a subnet large enough so that these cases are unlikely enough.
> For ipv6, with a /48 prefix, that would be a 80 bits address space, so
> birthday attacks say one needs about 2^40 peers until they reach a
> significant risk of collision, which will fill the routing table well
> before this even becomes a problem. For ipv4 with the, the
> address space is 24 bits, so odds are still pretty good until 2^12
> peers, but this time it is reachable. For my personal needs (about 10
> peers) and for anyone with a network of less than 1000 peers (if my
> maths are correct), it should be largely sufficient (collision
> probability under 5%). Worst case, if you don't like the ip address
> generated, just use another key pair.
> It is written in bash, in the spirit of wg-quick. I am definitely open
> to have it integrated in wireguard if people show interest.
> https://github.com/chmduquesne/wg-ip
> [1]: https://lists.zx2c4.com/pipermail/wireguard/2016-December/000812.html
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

More information about the WireGuard mailing list