Client Management
After the initial setup, you can run the wireguard-install.sh script again at any time to manage your VPN clients. The script will detect that WireGuard is already installed and present you with a management menu.
./wireguard-install.sh
The Management Menu
When you run the script on a system with an existing WireGuard installation, you will see the following options:
What do you want to do?
1) Add a new user
2) List all users
3) Revoke existing user
4) Uninstall WireGuard
5) Exit
Select an option [1-5]:
1. Add a New User
This option allows you to generate a new client configuration. The process is identical to creating the first client during installation:
- Enter a unique client name. The name must be alphanumeric and can include underscores or dashes.
- Confirm the client's internal VPN IP addresses. The script will suggest the next available IPs.
Upon completion, a new .conf file is generated, and a QR code is displayed for easy setup on mobile devices.
2. List All Users
This option displays a numbered list of all client names that have been configured on the server. This is useful for seeing who has access and for identifying clients to revoke.
3. Revoke Existing User
This option securely removes a client's access to the VPN.
- The script will display a numbered list of all existing clients.
- Select the number corresponding to the client you wish to revoke.
- The script will then:
  - Remove the client's [Peer] section from the server's configuration file (/etc/wireguard/wg0.conf).
  - Delete the corresponding client .conf file from the user's home directory.
  - Reload the WireGuard configuration to apply the changes immediately.
4. Uninstall WireGuard
This option completely removes WireGuard and all its configuration files from your server. For more details, see the Uninstallation page.
Understanding the Client Configuration File
A generated client configuration file (e.g., wg0-client-myphone.conf) contains everything a client device needs to connect to the server. Here is a breakdown of its contents:
[Interface]
# Client's private key
PrivateKey = <CLIENT_PRIVATE_KEY>
# Client's internal IP addresses within the VPN
Address = 10.66.66.2/32,fd42:42:42::2/128
# DNS servers to use when connected
DNS = 1.1.1.1,1.0.0.1
# Uncomment the next line to set a custom MTU
# This might impact performance, so use it only if you know what you are doing
# See https://github.com/nitred/nr-wg-mtu-finder to find your optimal MTU
# MTU = 1420
[Peer]
# Server's public key
PublicKey = <SERVER_PUBLIC_KEY>
# A pre-shared key for an extra layer of symmetric-key cryptography
PresharedKey = <PRE_SHARED_KEY>
# The server's public IP address and port
Endpoint = my.server.com:51820
# Defines which traffic should be routed through the VPN
# 0.0.0.0/0, ::/0 means all traffic will be sent to the VPN server
AllowedIPs = 0.0.0.0/0,::/0
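
As an added example (not part of wireguard-install.sh or its documentation), the POSIX shell functions below read a client file with the layout shown above and report on three things worth checking before the file is handed out: its permissions, whether PresharedKey is set, and whether AllowedIPs covers both default routes. The function names, the message texts and the placeholder keys in the sample are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of wireguard-install.sh: audit a client .conf file.

# Print the value of KEY in [SECTION] of FILE. Comment lines are skipped and
# whitespace is stripped, so "0.0.0.0/0, ::/0" comes back as "0.0.0.0/0,::/0".
conf_get() {  # usage: conf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*#/  { next }
        /^[[:space:]]*\[/ { gsub(/[[:space:]]/, ""); cur = $0; next }
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

audit_client_conf() {  # usage: audit_client_conf FILE
    f=$1
    # The file holds the client private key: expect no group/other mode bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        echo "WARN perms: accessible beyond the owner"
    [ -n "$(conf_get "$f" Interface PrivateKey)" ] ||
        echo "FAIL key: no PrivateKey in [Interface]"
    [ -n "$(conf_get "$f" Peer PresharedKey)" ] ||
        echo "WARN psk: no PresharedKey in [Peer]"
    # Classify routing: which default routes does AllowedIPs contain?
    ips=$(conf_get "$f" Peer AllowedIPs)
    v4=0; v6=0
    case ",$ips," in *,0.0.0.0/0,*) v4=1 ;; esac
    case ",$ips," in *,::/0,*) v6=1 ;; esac
    case $v4$v6 in
        11) echo "INFO route: full tunnel, IPv4 and IPv6" ;;
        10) echo "WARN route: IPv4 default only, IPv6 default stays outside the VPN" ;;
        01) echo "WARN route: IPv6 default only, IPv4 default stays outside the VPN" ;;
        *)  echo "INFO route: split tunnel ($ips)" ;;
    esac
}

# Constructed sample with placeholder keys; mktemp creates the file mode 600.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_CLIENT_PRIVATE_KEY=
[Peer]
PublicKey = CONSTRUCTED_SERVER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0
EOF
audit_client_conf "$sample"
rm -f "$sample"
```

Run against the constructed sample, it reports the missing PresharedKey and the IPv4-only default route; a file generated with the values in the breakdown above and mode 600 yields only the full-tunnel line.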