configuration/wireguard: drop wg-quick warnings

jbtrystram · jbtrystram · commit dec2adc001af · 2025-07-02T14:08:01.000+02:00
wg-quick is working without issues now.
Also add example on how to use NetworkManager.
diff --git a/modules/ROOT/pages/sysconfig-configure-wireguard.adoc b/modules/ROOT/pages/sysconfig-configure-wireguard.adoc
@@ -1,6 +1,5 @@
 = Configuring FCOS to use WireGuard
 
-WARNING: Some examples in this page may not work properly. An issue with WireGuard SELinux isolation breaks Pre/Post actions in the WireGuard configuration for recent releases of Fedora Coreos. You can check the progress of this issue on the https://github.com/coreos/fedora-coreos-tracker/issues/1487[issue tracker]. 
 
 == Introduction
 
@@ -12,10 +11,15 @@ https://www.wireguard.com/[WireGuard] is a novel VPN that runs inside the Linux
 
 FCOS has full support for WireGuard out of the box. This guide is going to demonstrate how to set up a single connection between a FCOS server and one client computer. It goes over the basic client configuration, but it does not cover installing WireGuard on your clients.
 
+There are several ways to set up wireguard on FCOS, here we show two approaches:
+ * Using [wg-quick](https://www.man7.org/linux/man-pages/man8/wg-quick.8.html).
+ * importing the Wireguard configuration in NetworkManager.
+
 == Generate Keys
 
-You will need to generate some keys to configure WireGuard. For this guide, the keys should be pre-generated on your workstation. First, let's create the FCOS WireGuard keys:
+You will need to generate some keys to configure WireGuard. You can generate the keys on your workstation or a running FCOS system.
 
+First, let's create the FCOS WireGuard keys:
 .Generate FCOS WireGuard keys
 [source,bash]
 ----
@@ -36,7 +40,7 @@ $ wg genkey | tee privatekey | wg pubkey > publickey
 
 These keys will be referenced as `client_one_public_key` and `client_one_private_key` from here on out in this guide.
 
-Now create a PresharedKey:
+You can optionnaly generate a pre-shared key to increase security:
 
 .Generate a Preshared key per peer pair
 [source,bash]
@@ -71,19 +75,60 @@ storage:
           [Peer]
           PublicKey = <client_one_public_key>
           PresharedKey = <fcos_client_one_psk>
-          AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64
+          AllowedIPs = 192.168.71.2/32,fdc9:3c6b:21c7:e6bd::2/128
+----
+
+=== Import the wireguard configuration to NetworkManager
+
+You can import the configuration with a simple oneshot unit :
+[source,yaml,subs="attributes"]
+----
+systemd:
+  units:
+    - name: import-wireguard-config.service
+      enabled: true
+      contents: |
+        [Unit]
+        ConditionPathExists=!/etc/NetworkManager/system-connections/wg0.nmconnection
+        Description=Import wireguard configuration to NetworkManager
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=nmcli connection import type wireguard file /etc/wireguard/wg0.conf
+        [Install]
+        WantedBy=multi-user.target
+----
+
+NOTE: NetworkManager will ignore `PostUp` and `PostDown` directives in the wiregaurd config. If you have firewall configuration to apply, make sure to apply it with a separate unit, or manually.
+
+NOTE: If you need to make further changes to update Wireguard's configuration, delete the connection and re-import it from the updated configuration file.
+.Re-import updated Wireguard configuration on FCOS
+[source,bash]
+----
+[core@wireguard-demo ~]$ sudo nmcli con delete wg0 && sudo nmcli con import type wireguard file /etc/wireguard/wg0.conf
+Connection 'wg0' (1e4f869e-f95c-4221-b2b9-99726ffde92b) successfully deleted.
+Connection 'wg0' (18cd8e61-1cc2-43a2-9f2e-467b75cd99da) successfully added.
+----
+
+
+=== Using wg-quick
+
+[source,yaml,subs="attributes"]
+----
 systemd:
   units:
     - name: wg-quick@wg0.service
       enabled: true
 ----
 
+NOTE: If you need to make further changes to Wireguard's configuration, reload the service with `systemctl reload wg-quick@wg0.conf`.
+
 Boot FCOS and log in. When you run `sudo wg show` you should see this:
 
 .Check WireGuard configuration on FCOS
 [source,bash]
 ----
-[core@wireguard-demo ~]$ sudo wg show
+[core@wireguard-demo ~]# sudo wg show
 interface: wg0
   public key: <fcos_public_key>
   private key: (hidden)
@@ -94,7 +139,7 @@ peer: <client_one_public_key>
   endpoint: <Client IP Address>:51821
   allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64
 
-[root@wireguard-demo ~]# ip a s wg0
+[core@wireguard-demo ~]# sudo ip a s wg0
 12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
     link/none
     inet 192.168.71.1/24 scope global wg0
@@ -126,7 +171,8 @@ AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64
 
 NOTE: <FCOS IP address> is the IP or FQDN of the FCOS server.
 
-Write the above config to `/etc/wireguard/wg0.conf` and `chmod 0600 /etc/wireguard/wg0.conf` on your client. Run `sudo systemctl start wg-quick@wg0.service` and then check your configuration:
+Write the above config to `/etc/wireguard/wg0.conf` and `chmod 0600 /etc/wireguard/wg0.conf` on your client.
+Run `nmcli con import type wireguard file /etc/wireguard/wg0.conf` and then check your configuration:
 
 .Check WireGuard configuration on a client
 [source,bash]
@@ -141,6 +187,7 @@ peer: <fcos_public_key>
   preshared key: (hidden)
   endpoint: <FCOS IP address>:51820
   allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64
+
 [root@wireguard-client ~]# ip a s wg0
 21: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
     link/none
@@ -189,7 +236,6 @@ interface: wg0
   public key: <client_one_public_key>
   private key: (hidden)
   listening port: 51821
-
 peer: <fcos_public_key>
   preshared key: (hidden)
   endpoint: <Client IP address>:51820
@@ -239,8 +285,18 @@ storage:
           AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64
 systemd:
   units:
-    - name: wg-quick@wg0.service
+    - name: import-wireguard-config.service
       enabled: true
+      contents: |
+        [Unit]
+        ConditionPathExists=!/etc/NetworkManager/system-connections/wg0.nmconnection
+        Description=Import wireguard configuration to NetworkManager
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=nmcli connection import type wireguard file /etc/wireguard/wg0.conf
+        [Install]
+        WantedBy=multi-user.target
 ----
 
 NOTE: FCOS uses https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/[predictable interface names] by https://lists.fedoraproject.org/archives/list/coreos-status@lists.fedoraproject.org/thread/6IPTZL57Z5NLBMPYMXNVSYAGLRFZBLIP/[default]. Please take care to use the correct interface name for your hardware in the above PostUp and PostDown commands!
