Simple Example
The following example contains just the basic settings.
You can find the file at:
- In a local installation:
/etc/cunicu/cunicu.yaml
- In the Git repo:
etc/cunicu.yaml
/etc/cunicu.yaml
# SPDX-FileCopyrightText: 2023 Steffen Vogel <post@steffenvogel.de>
# SPDX-License-Identifier: Apache-2.0
# This is an example of a simple cunicu configuration file.
# For a full example please look at cunicu.advanced.yaml
## WireGuard interface settings
#
# These settings configure WireGuard specific settings
# of the interface.
#
# The following settings can be overwritten for each interface
# using the 'interfaces' settings (see below).
# The following settings will be used as default.
# A base64 private key generated by wg genkey.
# Will be automatically generated if not provided.
private_key: KLoqDLKgoqaUkwctTd+Ov3pfImOfadkkvTdPlXsuLWM=
# The remote WireGuard peers provided as a dictionary
# The keys of this dictionary are used as names for the peers
peers:
test:
# A base64 public key calculated by wg pubkey from a private key,
# and usually transmitted out of band
# to the author of the configuration file.
public_key: FlKHqqQQx+bTAq7+YhwEECwWRg2Ih7NQ48F/SeOYRH8=
# A base64 pre-shared key generated by wg genpsk.
# Optional, and may be omitted.
# This option adds an additional layer of symmetric-key
# cryptography to be mixed into the already existing
# public-key cryptography, for post-quantum resistance.
preshared_key: zu86NBVsWOU3cx4UKOQ6MgNj3gv8GXsV9ATzSemdqlI=
# An endpoint IP or hostname, followed by a colon,
# and then a port number. This endpoint will be updated
# automatically to the most recent source IP address and
# port of correctly authenticated packets from the peer.
# If provided, no endpoint discovery will be performed.
endpoint: vpn.example.com:51820
# A time duration, between 1 and 65535s inclusive, of how
# often to send an authenticated empty packet to the peer
# for the purpose of keeping a stateful firewall or NAT mapping
# valid persistently. For example, if the interface very rarely
# sends traffic, but it might at anytime receive traffic from a
# peer, and it is behind NAT, the interface might benefit from
# having a persistent keepalive interval of 25 seconds.
# If set to zero, this option is disabled.
# By default or when unspecified, this option is off.
# Most users will not need this. Optional.
persistent_keepalive: 120s
# A comma-separated list of IP (v4 or v6) addresses with
# CIDR masks from which incoming traffic for this peer is
# allowed and to which outgoing traffic for this peer is directed.
# The catch-all 0.0.0.0/0 may be specified for matching
# all IPv4 addresses, and ::/0 may be specified for matching
# all IPv6 addresses. May be specified multiple times.
allowed_ips:
- 192.168.5.0/24
## Basic interface settings
#
# The Maximum Transfer Unit of the WireGuard interface.
# If not specified, the MTU is automatically determined from
# the endpoint addresses or the system default route,
# which is usually a sane choice.
# However, to manually specify an MTU to override this
# automatic discovery, this value may be specified explicitly.
mtu: 1420
# A list of IP (v4 or v6) addresses (optionally with CIDR masks)
# to be assigned to the interface.
# May be specified multiple times.
addresses:
- 10.10.0.1/24
# A list of prefixes which cunicu uses to derive local addresses
# from the interfaces public key
prefixes:
- fc2f:9a4d::/32
- 10.237.0.0/16
## Peer discovery
#
# Peer discovery finds new peers within the same community and adds them to the respective interface
discover_peers: true
# The hostname which gets advertised to remote peers
hostname: my-node
# A passphrase shared among all peers of the same community
community: "some-common-password"
# Networks which are reachable via this peer and get advertised to remote peers
# These will be part of this interfaces AllowedIPs at the remote peers.
networks:
- 192.168.1.0/24
- 10.2.0.0/24
## Endpoint discovery
#
# Endpoint discovery uses Interactive Connectivity Establishment (ICE) as used by WebRTC to
# gather a list of candidate endpoints and performs connectivity checks to find a suitable
# endpoint address which can be used by WireGuard
discover_endpoints: true