English Italian
Configure WireGuard on FCOS
You can now configure your Ignition config to create the `wg0` configuration file:
Example FCOS WireGuard configuration
variant: fcos
version: 1.4.0
- path: /etc/wireguard/wg0.conf
mode: 0600
inline: |
Address =,fdc9:3c6b:21c7:e6bd::1/64
PrivateKey = <fcos_private_key>
ListenPort = 51820
PublicKey = <client_one_public_key>
PresharedKey = <fcos_client_one_psk>
AllowedIPs =,fdc9:3c6b:21c7:e6bd::/64
- name: wg-quick@wg0.service
enabled: true
Boot FCOS and log in. When you run `sudo wg show` you should see this:
Check WireGuard configuration on FCOS
[core@wireguard-demo ~]$ sudo wg show
interface: wg0
public key: <fcos_public_key>
private key: (hidden)
listening port: 51820
peer: <client_one_public_key>
preshared key: (hidden)
endpoint: <Client IP Address>:51821
allowed ips:, fdc9:3c6b:21c7:e6bd::/64
[root@wireguard-demo ~]# ip a s wg0
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet scope global wg0
valid_lft forever preferred_lft forever
inet6 fdc9:3c6b:21c7:e6bd::1/64 scope global
valid_lft forever preferred_lft forever
<Client IP address> above is the IP or FQDN of the Client computer.
Configure WireGuard on a client
You will now want to configure WireGuard on your client computer with the following configuration:
Client WireGuard configuration
Address =,fdc9:3c6b:21c7:e6bd::2/64
PrivateKey = <client_one_private_key>
ListenPort = 51821
PublicKey = <fcos_public_key>
PresharedKey = <fcos_client_one_psk>
Endpoint = <FCOS IP address>:51820
AllowedIPs =,fdc9:3c6b:21c7:e6bd::/64
<FCOS IP address> is the IP or FQDN of the FCOS server.
Write the above config to `/etc/wireguard/wg0.conf` and `chmod 0600 /etc/wireguard/wg0.conf` on your client. Run `sudo systemctl start wg-quick@wg0.service` and then check your configuration:
Check WireGuard configuration on a client
[root@wireguard-client ~]# wg show
interface: wg0
public key: <client_one_public_key>
private key: (hidden)
listening port: 51821