
The "Wireguard" Command

WireGuard, a modern and secure VPN protocol, is natively supported in ChromeOS through the Chrome OS Shell (crosh). This chapter will guide you through configuring and managing WireGuard connections directly from your Chromebook's terminal.

Understanding the WireGuard Command

The wireguard command in crosh provides a comprehensive set of tools for managing WireGuard VPN connections. You can access these tools by opening crosh (Ctrl + Alt + T) and using the wireguard command followed by various subcommands.

Basic WireGuard Operations

Viewing Configured Services

To see all your configured WireGuard services:

```bash
wireguard list
```

To view details of a specific service:

```bash
wireguard show <service_name>
```

Creating and Removing Services

To create a new WireGuard service:

```bash
wireguard new <service_name>
```

To delete an existing service:

```bash
wireguard del <service_name>
```

Configuring WireGuard Services

The most complex part of WireGuard management is service configuration. The set command allows you to configure various aspects of your WireGuard service:

```bash
wireguard set <name> [options]
```

Key Configuration Options:

Local IP Configuration

  • Set your local IP address(es)
  • Supports one IPv4 and one IPv6 address
  • Syntax: local-ip <ip1>[,<ip2>]

Private Key Management

  • Set up your private key securely
  • Uses stdin to avoid leaving sensitive data in shell history
  • Command: private-key (will prompt for input)

DNS Settings

  • Configure DNS servers
  • Defaults to Google DNS (8.8.8.8, 8.8.4.4) if not specified
  • Syntax: dns <ip1>[,<ip2>...]

MTU Configuration

  • Set custom MTU values
  • Automatic detection if not specified
  • Set to 0 to reset to default
  • Syntax: mtu <value>

Peer Configuration

Peer configuration is crucial for establishing connections. The syntax follows:

```bash
wireguard set <name> peer <base64-public-key> [options]
```

Key peer options include:

  • endpoint <hostname>/<ip>:<port>: Server endpoint (required for connections)
  • preshared-key: Optional additional security layer
  • allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>...]: Allowed IP ranges
  • persistent-keepalive <interval>: Keep connection alive

Managing Connections

Once configured, you can manage your WireGuard connections using:

```bash
wireguard connect <name>     # Connect to a service
wireguard disconnect <name>  # Disconnect from a service
```

IPv6 Considerations

ChromeOS's WireGuard implementation includes special handling for IPv6:

  • IPv6 is blocked if the shortest allowed-ips prefix is less than 8
  • This occurs when no IPv6 configuration is present in:
      • Local IP settings
      • DNS configuration
      • Allowed IPs
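A pre-flight check for the option values described above, run on another machine before typing them into crosh. It is an added example, not part of crosh or ChromeOS: `check_service`, `_addrs` and `SAMPLE_KEY` are hypothetical names, the 32-byte public key length is standard WireGuard, and the IPv6 check is one reading of the rule as this page states it. It takes no private key, since that is entered only at the crosh prompt.

```python
import base64
import binascii
import ipaddress

# Constructed sample: base64 of 32 zero bytes, not a real key.
SAMPLE_KEY = base64.b64encode(bytes(32)).decode()

def _addrs(label, text, problems):
    """Parse a comma-separated IP list, recording entries that do not parse."""
    out = []
    for item in text.split(","):
        try:
            out.append(ipaddress.ip_address(item.strip()))
        except ValueError:
            problems.append(f"{label}: {item!r} is not an IP address")
    return out

def check_service(local_ip, peer_key, endpoint, allowed_ips, dns="8.8.8.8,8.8.4.4"):
    """Return findings for values about to be passed to `wireguard set`."""
    problems = []
    # local-ip <ip1>[,<ip2>]: at most one IPv4 and one IPv6 address.
    local = _addrs("local-ip", local_ip, problems)
    for version in (4, 6):
        if sum(a.version == version for a in local) > 1:
            problems.append(f"local-ip: more than one IPv{version} address")
    # peer <base64-public-key>: WireGuard public keys are 32 bytes.
    try:
        raw = base64.b64decode(peer_key, validate=True)
    except binascii.Error:
        raw = b""
    if len(raw) != 32:
        problems.append("peer: public key is not base64 of 32 bytes")
    # endpoint <hostname>/<ip>:<port>
    host, _, port = endpoint.rpartition(":")
    if not host or not port.isdecimal() or not 0 < int(port) < 65536:
        problems.append("endpoint: expected <host>:<port>, port 1-65535")
    # allowed-ips: strict parsing rejects entries with host bits set.
    nets = []
    for item in allowed_ips.split(","):
        try:
            nets.append(ipaddress.ip_network(item.strip(), strict=True))
        except ValueError as err:
            problems.append(f"allowed-ips: {err}")
    # IPv6 rule as the page states it (this reading is an assumption): IPv6 is
    # blocked when local-ip, dns and allowed-ips hold no IPv6 entry and the
    # shortest allowed-ips prefix is below 8.
    has_v6 = any(x.version == 6 for x in local + _addrs("dns", dns, problems) + nets)
    shortest = min((n.prefixlen for n in nets), default=128)
    if not has_v6 and shortest < 8:
        problems.append("ipv6: will be blocked while this service is connected")
    return problems
```

An empty list means the values match the syntax described on this page; the `ipv6:` finding is informational and flags a full-tunnel IPv4 configuration with no IPv6 settings.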

Best Practices

Security

  • Always input private keys and preshared keys via prompt
  • Keep your configuration information secure
  • Regularly update your keys

Configuration

  • Test your configuration with show before connecting
  • Verify endpoint accessibility
  • Double-check allowed IPs ranges

Troubleshooting

  • Use show to verify current configuration
  • Check MTU settings if experiencing connection issues
  • Verify DNS settings if experiencing resolution problems

Example Configuration

Here's a complete example of setting up a WireGuard service:

```bash
# Create new service
wireguard new my_vpn

# Configure basic settings
wireguard set my_vpn local-ip 10.0.0.2 private-key mtu 1420

# Add peer configuration
wireguard set my_vpn peer ABC123... endpoint example.com:51820 allowed-ips 10.0.0.0/24

# Connect to the service
wireguard connect my_vpn
```