We use WireGuard (WG) as a VPN in many places.


Manage user clients

The list of allowed clients for the user VPN service is managed in the private Puppet repository, in the hiera file for the active VPN server.

To find the active VPN server, check where the service name points:

$ host -tCNAME is an alias for
This means the file to edit is hieradata/nodes/

In the hiera file, clients are listed first by server interface and then by client public key. The structure is this:

  wg0: # user
    # username, some client description
    - public_key: aaaasomekey=
      addresses: []
    # username, some other client description
    - public_key: aaaasomeotherkey=
      addresses: []

To add a key, append a new YAML entry to the array for the interface you want to edit. Pick the next unused IP address and assign it to the client. Keep the list sorted by IP address so the next available address is easy to spot.

After saving the file, commit the changes as usual and run Puppet on the active server to apply the changes.
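As an added example (not part of this page or of the Puppet repository), a small Python helper that reads a client list in the layout shown above, picks the next unused address and flags the mistakes a reviewer would catch before the commit: duplicate keys, duplicate addresses, or a list no longer sorted by IP. The sample hiera text, the subnet and the keys are constructed placeholders; the assumption that the first host of the subnet belongs to the server is mine, not the page's.

```python
import ipaddress
import re

# Constructed sample in the shape of the hiera snippet on this page; the keys,
# subnet and addresses are placeholders, not values from the real repository.
SAMPLE = """\
  wg0: # user
    # alice, laptop
    - public_key: aaaaalicekey=
      addresses: ['10.0.0.2/32']
    # bob, phone
    - public_key: aaaabobkey=
      addresses: ['10.0.0.5/32']
"""

def parse_clients(text):
    """Return {interface: [{'public_key': ..., 'addresses': [...]}]}.
    Minimal parser for exactly the layout above, not a general YAML loader."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                                   # blank or comment line
        if m := re.match(r'^(\w+):\s*(#.*)?$', line):   # "wg0: # user"
            current = interfaces.setdefault(m.group(1), [])
        elif m := re.match(r'^- public_key:\s*(\S+)$', line):
            current.append({'public_key': m.group(1), 'addresses': []})
        elif m := re.match(r'^addresses:\s*\[(.*)\]$', line):
            current[-1]['addresses'] = [a.strip(" '\"") for a in m.group(1).split(',') if a.strip()]
    return interfaces

def assigned_ips(clients):
    """Host addresses already handed out on one interface, in file order."""
    return [ipaddress.ip_interface(a).ip for c in clients for a in c['addresses']]

def next_free_address(clients, subnet):
    """Lowest unused host in `subnet`; the first host is assumed to be the server."""
    used = set(assigned_ips(clients))
    for host in list(ipaddress.ip_network(subnet).hosts())[1:]:
        if host not in used:
            return str(host)
    raise RuntimeError(f'no free address left in {subnet}')

def check_clients(clients):
    """Problems a reviewer would flag: duplicate keys or IPs, list not sorted by IP."""
    keys, ips = [c['public_key'] for c in clients], assigned_ips(clients)
    checks = [(len(set(keys)) != len(keys), 'duplicate public_key'),
              (len(set(ips)) != len(ips), 'duplicate address'),
              (ips != sorted(ips), 'not sorted by IP address')]
    return [msg for bad, msg in checks if bad]
```

Run `check_clients` on the edited interface before committing; an empty list means the entry is consistent with the conventions above.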