What is the difference between the wg and wg-quick keys?

The low-level wg command understands only the cryptographic and routing keys: PrivateKey, ListenPort, FwMark, PublicKey, AllowedIPs, Endpoint, PersistentKeepalive and PresharedKey. Keys like Address, DNS, MTU, Table and the Pre/Post Up/Down hooks are extensions interpreted by the wg-quick wrapper script.

What does AllowedIPs actually control?

AllowedIPs is a cryptokey routing table. Inbound, it filters which source addresses are accepted from a peer; outbound, it decides which destination addresses are routed into the tunnel to that peer. Setting it to 0.0.0.0/0 and ::/0 routes all traffic through the peer, turning it into a full VPN.

When do I need PersistentKeepalive?

Set it, typically to 25 seconds, when a peer sits behind NAT and needs to keep its mapping open so the other side can reach it. Without keepalives a NAT entry expires after idle time and the inbound connection silently breaks. It is unnecessary for peers with a stable public endpoint.

Is the Endpoint key required?

No. A peer that only ever initiates connections (a roaming client) needs an Endpoint to know where to send packets, but a server peer that only receives can omit it because WireGuard learns the remote endpoint from the first valid packet.

What is PresharedKey for?

PresharedKey adds an optional symmetric key mixed into the handshake, providing an extra layer of post-quantum resistance on top of the public-key cryptography. Generate it with wg genpsk and configure the same value on both peers.

WireGuard Config Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

The WireGuard configuration file

A WireGuard tunnel is described by a small INI-style .conf file with one [Interface] section for the local node and one or more [Peer] sections for the remote ends. This reference lists every common key, its type, whether it is required, and which keys are wg-quick extensions rather than core wg options.

How it works

The [Interface] section holds this node’s identity and (via wg-quick) its IP and routing setup; each [Peer] defines a remote node, its public key, the IPs it owns, and how to reach it:

[Interface]
PrivateKey = <client private key>
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

AllowedIPs is the heart of WireGuard’s cryptokey routing: it doubles as an inbound source filter and an outbound route. Keys such as Address, DNS and the PostUp/PostDown hooks are applied by the wg-quick wrapper.

Tips and notes

A minimal client needs PrivateKey + Address plus a peer with PublicKey, AllowedIPs and Endpoint.
Use AllowedIPs = 0.0.0.0/0, ::/0 for a full-tunnel VPN; list specific subnets for split tunnelling.
Add PersistentKeepalive = 25 on peers behind NAT to keep the path open.
Keys flagged wg-quick only will be ignored if you configure the interface directly with wg setconf.