wg-ip, a tool to assign automatic ip addresses to wireguard interfaces

ST smntov at gmail.com
Thu Apr 12 11:01:26 CEST 2018

> from https://lists.zx2c4.com/pipermail/wireguard/2018-April/002595.html:
> > PS: you write that the "tool does not handle collisions", but does it
> > recognize and/or warn about them? I.e. if a peer with the newly
> > suggested IP exists already - will it warn?
> No, no detection is attempted. The script will not warn you.
> > For automation it would be nice to have some sort of "force" or
> > "keep-trying" options, so the tool regenerates the keys trying to find a
> > free IP and subsequently assigns it. With the enabled SaveConfig options
> > the new IP will be saved in the config file...
> This is why there is a 'gen' command to make an ip for a single
> pubkey. I do not see a good way to extract that info from a particular
> wireguard interface, because this interface might not know all other
> peers involved in the network, so it I find it pointless to scan for
> collisions since you can do this and it will still go undetected.

You are right. Such a scan only makes sense on a "central server" which
knows _all_ other peers, but such a use case is quite common.

Another easy way to let all peers be aware of all peers (complete N:N
mesh) is through introduction of "includes" in the config file, as I've
recently proposed:


Unfortunately there was no feedback on that suggestion...

> If you want absolutely want to be sure to generate a key pair which
> generates an ip that is garanteed to not collide with existing peers,
> it should be fairly straightforward. Assuming all the ips of existing
> peers are in the file 'ips':
> for i in ($seq 1 1000); do # try 1000 times
>   privkey=$(wg genkey)
>   ip=$(echo $privkey | wg pubkey | xargs wg-ip gen)
>   if ! grep -qs "^$ip$" ips; then
>     echo privkey: $privkey
>     echo pubkey: $(echo $privkey | wg pubkey)
>     break
>   fi
> done
> echo "Could not generate a non colliding key"

Thank you! I'm not that experienced with bash scripting so this will be

What I was thinking to implement is the following: there is a central
publicly visible server with a script `add_peer` . Once called without
any arguments, the script is supposed to automatically add a new peer to
the configuration of the central server (i.e. to itself) and output a
complete corresponding configuration for the peer. This way you can span
a VPN automatically...

> I could add this to the script, but I figured that for the number of
> peers I have and for the network ranges I am using, it is utterly
> pointless. How many peers do you intend to have?

It will depend how popular the project will be. Theoretically it could
be 100'000 or even more peers. And for certain reasons I prefer to use

> By the way, I just took care of removing all bashisms and I added
> automated testing of this script with the 'dash' shell. It should be
> safe to run on platform where bash is not present, such as openwrt.

Thank you!

More information about the WireGuard mailing list