WireGuard Configuration
Chute supports WireGuard as an outbound proxy protocol. You can either configure WireGuard inline in the [Proxy] section, or define a named [WireGuard] section and reference it.
WireGuard Section
A [WireGuard] section defines a complete WireGuard tunnel configuration that can be referenced by name from a WireGuard proxy policy.
[WireGuard wg0]
private-key = base64_private_key
peer-public-key = base64_peer_public_key
self-ip = 10.0.0.2
self-ipv6 = fd00::2
preshared-key = base64_preshared_key
server = example.com
port = 51820
mtu = 1420
keepalive = 25
dns = 1.1.1.1
Parameters
| Key | Required | Description |
|---|---|---|
| private-key | Yes | WireGuard private key, base64-encoded |
| peer-public-key | Yes | Peer public key, base64-encoded |
| self-ip | No | Local IPv4 address for the WireGuard interface |
| self-ipv6 | No | Local IPv6 address for the WireGuard interface |
| preshared-key | No | Pre-shared key for post-quantum resistance |
| server | No | Remote server address (overrides proxy policy) |
| port | No | Remote server port |
| mtu | No | MTU for the WireGuard interface (default: 1420) |
| keepalive | No | Persistent keepalive interval in seconds |
| dns | No | DNS server for the WireGuard tunnel |
| reserved-bits | No | Reserved bits for WireGuard handshake |
Usage
Reference the section from a proxy policy:
[Proxy]
WG = wireguard, section-name=wg0
[Proxy Group]
WGGroup = select, WG
[Rule]
IP-CIDR,10.0.0.0/8,WGGroup
FINAL,DIRECT
Multiple [WireGuard] sections can be defined for different tunnels:
[WireGuard us]
private-key = ...
peer-public-key = ...
self-ip = 10.0.1.2
[WireGuard eu]
private-key = ...
peer-public-key = ...
self-ip = 10.0.2.2
Note: WireGuard uses the QUIC-based adapter. The names (e.g. wg0) are case-sensitive.
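A pre-deployment lint for the configuration format above, as an added example that is not part of Chute or its documentation. It checks that the required keys are present, that key fields decode to WireGuard's 32-byte key length, that self-ip and self-ipv6 are in the right address family, and that every section-name reference matches a defined [WireGuard] section exactly. The function names and the sample config are constructed for illustration, and Chute's own parser may accept or reject input differently.

```python
import base64, binascii, ipaddress, re

# The first two entries are the keys the parameter table marks as required.
KEY_FIELDS = ("private-key", "peer-public-key", "preshared-key")

def parse(text):
    """Return ({tunnel: {key: value}}, [(policy, referenced section name)])."""
    tunnels, refs, section, current = {}, [], "", None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            tunnel = re.fullmatch(r"WireGuard\s+(.+)", section)
            current = tunnels.setdefault(tunnel.group(1), {}) if tunnel else None
        elif "=" in line:
            # Split on the first "=" only, so base64 padding stays in the value.
            key, value = (part.strip() for part in line.split("=", 1))
            if current is not None:
                current[key] = value
            elif section == "Proxy" and value.split(",")[0].strip() == "wireguard":
                ref = re.search(r"section-name\s*=\s*([^,\s]+)", value)
                if ref:  # inline policies carry no section-name and are skipped
                    refs.append((key, ref.group(1)))
    return tunnels, refs

def is_wg_key(value):
    """WireGuard keys are 32 raw bytes (44 base64 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def check(text):
    tunnels, refs = parse(text)
    problems = []
    for name, cfg in tunnels.items():
        problems += [f"{name}: missing {k}" for k in KEY_FIELDS[:2] if k not in cfg]
        problems += [f"{name}: {k} is not a 32-byte base64 key"
                     for k in KEY_FIELDS if k in cfg and not is_wg_key(cfg[k])]
        for key, version in (("self-ip", 4), ("self-ipv6", 6)):
            try:
                if key in cfg and ipaddress.ip_address(cfg[key]).version != version:
                    problems.append(f"{name}: {key} is the wrong address family")
            except ValueError:
                problems.append(f"{name}: {key} is not an IP address")
    # Exact string comparison: "WG0" does not match a section named "wg0".
    problems += [f"{policy}: no [WireGuard {ref}] section (names are case-sensitive)"
                 for policy, ref in refs if ref not in tunnels]
    return problems

KEY = base64.b64encode(bytes(range(32))).decode()  # constructed dummy key, not a secret
SAMPLE = (f"[WireGuard wg0]\nprivate-key = {KEY}\npeer-public-key = {KEY[:40]}\n"
          "self-ip = fd00::2\n[Proxy]\nWG = wireguard, section-name=WG0\n")
print("\n".join(check(SAMPLE)))
```

The constructed sample contains three deliberate mistakes: a truncated peer key, an IPv6 address in self-ip, and a reference to WG0 where the section is named wg0.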