wg-ip, a tool to assign automatic ip addresses to wireguard interfaces
smntov at gmail.com
Thu Apr 12 11:01:26 CEST 2018
> from https://lists.zx2c4.com/pipermail/wireguard/2018-April/002595.html:
> > PS: you write that the "tool does not handle collisions", but does it
> > recognize and/or warn about them? I.e. if a peer with the newly
> > suggested IP exists already - will it warn?
> No, no detection is attempted. The script will not warn you.
> > For automation it would be nice to have some sort of "force" or
> > "keep-trying" options, so the tool regenerates the keys trying to find a
> > free IP and subsequently assigns it. With the enabled SaveConfig options
> > the new IP will be saved in the config file...
> This is why there is a 'gen' command to make an ip for a single
> pubkey. I do not see a good way to extract that info from a particular
> wireguard interface, because this interface might not know all other
> peers involved in the network, so it I find it pointless to scan for
> collisions since you can do this and it will still go undetected.
You are right. Such a scan only makes sense on a "central server" which
knows _all_ other peers, but such a use case is quite common.
Another easy way to let all peers be aware of all peers (complete N:N
mesh) is through introduction of "includes" in the config file, as I've
Unfortunately there was no feedback on that suggestion...
> If you want absolutely want to be sure to generate a key pair which
> generates an ip that is garanteed to not collide with existing peers,
> it should be fairly straightforward. Assuming all the ips of existing
> peers are in the file 'ips':
> for i in ($seq 1 1000); do # try 1000 times
> privkey=$(wg genkey)
> ip=$(echo $privkey | wg pubkey | xargs wg-ip gen)
> if ! grep -qs "^$ip$" ips; then
> echo privkey: $privkey
> echo pubkey: $(echo $privkey | wg pubkey)
> echo "Could not generate a non colliding key"
Thank you! I'm not that experienced with bash scripting so this will be
What I was thinking to implement is the following: there is a central
publicly visible server with a script `add_peer` . Once called without
any arguments, the script is supposed to automatically add a new peer to
the configuration of the central server (i.e. to itself) and output a
complete corresponding configuration for the peer. This way you can span
a VPN automatically...
> I could add this to the script, but I figured that for the number of
> peers I have and for the network ranges I am using, it is utterly
> pointless. How many peers do you intend to have?
It will depend how popular the project will be. Theoretically it could
be 100'000 or even more peers. And for certain reasons I prefer to use
> By the way, I just took care of removing all bashisms and I added
> automated testing of this script with the 'dash' shell. It should be
> safe to run on platform where bash is not present, such as openwrt.
More information about the WireGuard