
The "Wireguard" Command

WireGuard, a modern and secure VPN protocol, is natively supported in ChromeOS through the Chrome OS Shell (crosh). This chapter will guide you through configuring and managing WireGuard connections directly from your Chromebook's terminal.

Understanding the WireGuard Command

The wireguard command in crosh provides a comprehensive set of tools for managing WireGuard VPN connections. You can access these tools by opening crosh (Ctrl + Alt + T) and using the wireguard command followed by various subcommands.

Basic WireGuard Operations

Viewing Configured Services

To see all your configured WireGuard services:

wireguard list

To view details of a specific service:

wireguard show <service_name>

Creating and Removing Services

To create a new WireGuard service:

wireguard new <service_name>

To delete an existing service:

wireguard del <service_name>

Configuring WireGuard Services

The most complex part of WireGuard management is service configuration. The set command allows you to configure various aspects of your WireGuard service:

wireguard set <name> [options]

Key Configuration Options:

  1. Local IP Configuration
     - Set your local IP address(es)
     - Supports one IPv4 and one IPv6 address
     - Syntax: local-ip <ip1>[,<ip2>]

  2. Private Key Management
     - Set up your private key securely
     - Uses stdin to avoid leaving sensitive data in shell history
     - Command: private-key (will prompt for input)

  3. DNS Settings
     - Configure DNS servers
     - Defaults to Google DNS (8.8.8.8, 8.8.4.4) if not specified
     - Syntax: dns <ip1>[,<ip2>...]

  4. MTU Configuration
     - Set custom MTU values
     - Automatic detection if not specified
     - Set to 0 to reset to default
     - Syntax: mtu <value>

Peer Configuration

Peer configuration is crucial for establishing connections. The syntax follows:

wireguard set <name> peer <base64-public-key> [options]

Key peer options include:

  - endpoint <hostname>/<ip>:<port>: Server endpoint (required for connections)
  - preshared-key: Optional additional security layer
  - allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>...]: Allowed IP ranges
  - persistent-keepalive <interval>: Keep connection alive

Managing Connections

Once configured, you can manage your WireGuard connections using:

wireguard connect <name>     # Connect to a service
wireguard disconnect <name>  # Disconnect from a service

IPv6 Considerations

ChromeOS's WireGuard implementation includes special handling for IPv6:

  - IPv6 is blocked if the shortest allowed-ips prefix is less than 8
  - This occurs when no IPv6 configuration is present in:
    - Local IP settings
    - DNS configuration
    - Allowed IPs
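
The local-ip limit (one IPv4 and one IPv6 address) and the IPv6 blocking condition above can be checked on a planned configuration before the values are typed into crosh. This is an added example, not code from crosh or ChromeOS; the function names are hypothetical, fd00::2 is a constructed sample address, and it assumes the two IPv6 bullets combine into one condition (shortest allowed-ips prefix below 8 and no IPv6 value in local-ip, dns or allowed-ips).

```python
import ipaddress

DEFAULT_DNS = "8.8.8.8,8.8.4.4"  # default the page gives when dns is not set


def check_local_ip(value):
    """local-ip <ip1>[,<ip2>]: at most one IPv4 and one IPv6 address."""
    addrs = [ipaddress.ip_address(a.strip()) for a in value.split(",")]
    versions = [a.version for a in addrs]
    if len(set(versions)) != len(versions):
        raise ValueError("local-ip supports one IPv4 and one IPv6 address")
    return addrs


def parse_allowed_ips(value):
    """allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>...]: parse into networks."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in value.split(",")]


def ipv6_blocked(local_ip, allowed_ips, dns=DEFAULT_DNS):
    """Assumed reading of the rule: IPv6 is blocked when the shortest
    allowed-ips prefix is below 8 and no IPv6 value appears in local-ip,
    dns or allowed-ips."""
    items = check_local_ip(local_ip)
    items += [ipaddress.ip_address(d.strip()) for d in dns.split(",")]
    nets = parse_allowed_ips(allowed_ips)
    has_v6 = any(x.version == 6 for x in items + nets)
    shortest = min(n.prefixlen for n in nets)
    return shortest < 8 and not has_v6


if __name__ == "__main__":
    # Constructed sample plans: (local-ip, allowed-ips)
    plans = [
        ("10.0.0.2", "10.0.0.0/24"),               # split tunnel, IPv4 only
        ("10.0.0.2", "0.0.0.0/0"),                 # full tunnel, IPv4 only
        ("10.0.0.2,fd00::2", "0.0.0.0/0,::/0"),    # full tunnel, dual stack
    ]
    for local_ip, allowed in plans:
        state = "blocked" if ipv6_blocked(local_ip, allowed) else "not blocked"
        print(f"local-ip {local_ip} allowed-ips {allowed}: IPv6 {state}")
```
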

Best Practices

  1. Security
     - Always input private keys and preshared keys via prompt
     - Keep your configuration information secure
     - Regularly update your keys

  2. Configuration
     - Test your configuration with show before connecting
     - Verify endpoint accessibility
     - Double-check allowed IPs ranges

  3. Troubleshooting
     - Use show to verify current configuration
     - Check MTU settings if experiencing connection issues
     - Verify DNS settings if experiencing resolution problems

Example Configuration

Here's a complete example of setting up a WireGuard service:

# Create new service
wireguard new my_vpn

# Configure basic settings (private-key takes no value here; it prompts for input)
wireguard set my_vpn local-ip 10.0.0.2 private-key mtu 1420

# Add peer configuration
wireguard set my_vpn peer ABC123... endpoint example.com:51820 allowed-ips 10.0.0.0/24

# Connect to the service
wireguard connect my_vpn