Using Wireguard when your Linux Distro hasn't caught up yet

Using Wireguard when your Linux Distro hasn't caught up yet

Update: 31 August 2020 - Added command to stop WG VPN launching on OS Startup
Update: 30 Aug 2020 - Added nm-connection-editor information following reddit conversation
Published 29 Aug 2020

September is (or was depending when you read this) Fedora 32 Month, and a departure to Gnome 3 having spent over a year using KDE Plasma.

After setting up Fedora I got to the VPN setup and then it hit me, in the Network Manager GUI on Fedora 32 Gnome, unlike just about every other mainstream distro there is no Wireguard option.

This option doesn't exist yet. It is possible in Fedora32 to setup Wireguard as a Network Device, it just doesn't show up as a VPN in any of the Gnome Gui Interfaces

Note: this is not the same as Fedora 32 KDE which does have the above option.

This caused me an issue because I have a Wireguard VPN at home and would like to use it from the GUI rather than the command line.


I'm writing this based on my existing Wireguard Roadwarrior server setup which i've documented here (and rebuilt twice using these instructions)

Wireguard Roadwarrior setup using Ubuntu Server 18.04, Pi-hole and Google Wifi (with some double NAT)
Wireguard has had a lot of press because of its addition to the Linux Kernel. With this in mind I look to setup a Roadwarrior setup

I'm aware i could use the inbuilt wireguard tools, nmcli seemed to be a tidier answer for my needs.

Client setup

The answer, or at least part of it is the Network Manager CLI (nmcli) which provides us addtional functionality than the standard wg-quick command.

Ensure under /etc/wireguard/ the following are available

public and private keys

These are generated using the command

wg genkey | tee privatekey | wg pubkey > publickey

This command will generate two files

privatekey and publickey

use the commands to view the random key information

cat privatekey
cat publickey


A client configuation is needed to connect back to the main Wireguard server. I've kept mine purposefully light. I am also running a pi-hole DNS on the Wireguard server.

Address =
PrivateKey = theprivatekeyyoumadeearlier
ListenPort = 21841

PublicKey = thepublickeyofyourwireguardserver
Endpoint =
AllowedIPs =

You can test this using the commands

wg-quick up wg0
wg-quick down wg0

If this works and you can sucessfully connect to the VPN, then move forward

Import using NMCLI

If the config is working we can now import it into Network Manager

nmcli connection import type wireguard file "$CONF_FILE"

If you want to delete the config use

nmcli connection delete wg0

To check the config which has been imported run

nmcli --overview connection show wg0

this should return something like this                          wg0
connection.uuid:                        35cf8681-bc42-482f-b686-d2f6ad567fe5
connection.type:                        wireguard
connection.interface-name:              wg0
connection.timestamp:                   1598731025
ipv4.method:                            manual
ipv6.method:                            disabled
wireguard.private-key-flags:            0 (none)
wireguard.listen-port:                  21841

To launch the VPN run the command

nmcli connection up wg0

Re run the command

nmcli --overview connection show wg0

This time there should be a lot more displayed                          wg0
connection.uuid:                        35cf8681-bc42-482f-b686-d2f6ad567fe5
connection.type:                        wireguard
connection.interface-name:              wg0
connection.timestamp:                   1598733549
ipv4.method:                            manual
ipv6.method:                            disabled
wireguard.private-key-flags:            0 (none)
wireguard.listen-port:                  21841
GENERAL.NAME:                           wg0
GENERAL.UUID:                           35cf8681-bc42-482f-b686-d2f6ad567fe5
GENERAL.DEVICES:                        wg0
GENERAL.IP-IFACE:                       wg0
GENERAL.STATE:                          activated
GENERAL.DEFAULT:                        no
GENERAL.DEFAULT6:                       no
GENERAL.SPEC-OBJECT:                    --
GENERAL.VPN:                            no
GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveC>
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Setting>
GENERAL.ZONE:                           --
GENERAL.MASTER-PATH:                    --
IP4.ROUTE[1]:                           dst =, nh =, mt = 200>

The important line is

GENERAL.STATE:                          activated

To shutdown the vpn run

nmcli connection up wg0

The last thing we need to do here is to stop Wireguard launching when the OS starts

nmcli con mod wg0 connection.autoconnect no

The other useful command for troubleshooting is just


Which will also show the network card status

Next we will wrap a gui around these commands using bash and Zenity

Using the GUI

Open the Network Manager Connection Editor from the command line


Click on the + Button and select Wireguard from the drop down

Complete the General, Wireguard and IPV4 Tabs (if you're not sure how, scroll up to the Setup Wireguard Roadwarrior link, and scroll to near the end of that post)


You will notice that even using the nm-connection-editor when you look at the available VPN's the new Wireguard connection isn't shown

Also at time of writing I wasn't able to get any Wireguard Gnome extention to work either.


Zenity is a rewrite of gdialog, the GNOME port of dialog which allows you to display dialog boxes from the commandline and shell scripts.

Using Zenity a bash script in Gnome can generate dialog boxes like this

There are links at the end of this post which will help provide a starting point with Zenity.


With the nmcli commands and zenity I was able to create this script

DISCLAIMER: I know running functions from within functions within bash is frowned upon, it was the quickest and dirtiest way of getting this sorted. I'd happily go over better ways to do this.

# Bash runction for the main menu, split out into a function as it rill be looped back to
ans=$(zenity  --list  --text "Wireguard HomeVPN" --radiolist  --column "Pick" --column "Item" TRUE "Wireguard UP" FALSE "Wireguard DOWN" FALSE "Wireguard STATUS")

    nmcli connection up wg0
    zenity --question --text "Do you want to check NMCLI status?"
    if [ $? = 0 ]; then

    nmcli connection down wg0
    zenity --question --text "Do you want to check NMCLI status?"
    if [ $? = 0 ]; then

     nmcli --overview connection show wg0 | zenity --text-info --width 600 --height 800
   nmcli | zenity --text-info --width 600 --height 800

 ##Call the main menu function
 ## take the output of the zenity command and use it over an
 ## array in a for do look
   echo $ans
   array=( UP DOWN STATUS )
     for i in "${array[@]}"
       echo $ans | grep $i
       result=$(echo $?)
       echo $result
       if [ $result = 0 ]; then 

This Runs the following

Click on Wireguard UP and the Wireguard connection will be brought up, once done you'll be asked if you want to see the status of the connection

Clicking No goes back to the main menu, clicking yes

Shows all the enabled connections in Network Manager, and we can see the wg0 interface is up.

Click on OK/Cancel and the main menu is displayed

Selecting Wireguard DOWN reverses the process and drops the connection.

Selecting Wireguard STATUS provides the status of the connection.

Last bits

I linked the script to /usr/local/bin/wglauncher and pulled an icon off a google search.

I created a wglauncher.desktop file in /usr/share/applications

[Desktop Entry]

This created a simple bash driven Wireguard launcher.

Git Repo

Projects · mightywomble_public / wireguard_launcher
A complete zenity dialog examples 2
A complete zenity dialog examples 1
WireGuard in NetworkManager

Share Tweet Send
You've successfully subscribed to Tech Blog Posts - David Field
Great! Next, complete checkout for full access to Tech Blog Posts - David Field
Welcome back! You've successfully signed in
Success! Your account is fully activated, you now have access to all content.