Connect to a Wireguard VPN server with NetworkManager


Categories: logiciel Tags: wireguard networkmanager linux

Wireguard is a communication protocol that can be used to create a VPN network. It has better performance than its competitor OpenVPN, but OpenVPN still keeps a significant lead since almost all commercial VPNs use it.

Wireguard still has a long way to go, but it has been integrated into the Linux kernel since version 5.6 which facilitates its adoption.

Installing a Wireguard VPN server under Linux is very easy, the only difficulty remaining stems in the clients availbale. Under Linux some connection managers do not yet manage Wireguard very well.

It’s the case of NetworkManager, one of the most used connection managers (used by Debian, Ubuntu and Fedora among others). Although it has a native compatibility with Wireguard, NetworkManager does not yet allow to configure a Wireguard client from its GUI.

It is possible to manage a Wireguard connection from NetworkManager from the command line, but the configuration is quite complex. This tutorial uses a simpler method: the Wireguard connection will be managed by the official utility wg-quick, and NetworkManager will be configured in order to not have any conflict with wg-quick.

The following tutorial has been tested under Archlinux, but it should work on any Linux distribution using NetworkManager.

Installing a Wireguard server

There are several ways to install Wireguard on a server, I personally use this script:

curl -O
chmod +x

Then copy the certificate to the client (with scp for example).

Necessary packages

Let’s now move on to the client configuration. Under Archlinux, the necessary packages are :

Package names may be different on other distributions. It may also be necessary to install the wireguard-dkms module if the Linux kernel version is lower than 5.6.

Configuring NetworkManager

First we will configure NetworkManager. Just create two configuration files in the /etc/NetworkManager/conf.d folder with the following content :

# /etc/NetworkManager/conf.d/no-systemd-resolved.conf
# /etc/NetworkManager/conf.d/unmanaged.conf

The first configuration file disables the use of systemd-resolved as a DNS resolver. Wireguard will be able to use and modify the configuration of systemd-resolved without affecting NetworkManager.

The second configuration file disables the management of interfaces created by Wireguard, more precisely those whose name starts with the letters wg.

Run systemd-resolved and restart NetworkManager.

sudo systemctl enable --now systemd-resolved
sudo systemctl restart NetworkManager

Connect to the Wireguard server

Once the systemd-resolved and NetworkManager services are active, we can start Wireguard. The previously created certificate will have to be placed in the folder /etc/wireguard. The connection to Wireguard is then started using the wg-quick utility.

sudo cp wg1.conf /etc/wireguard/wg1.conf
sudo wg-quick up wg1

You should now be connected as a client to your Wireguard server!

To disconnect from Wireguard and return to the initial configuration:

sudo wg-quick down wg1

You might also need to disable the systemd-resolved service.

sudo systemctl disable --now systemd-resolved

Have a comment? React on Mastodon!

>> Home