generateKeys – WireGuard Utils
Skip to content

generateKeys

Generates secure WireGuard key pairs for VPN authentication.

Overview

The generateKeys function creates a new public/private key pair using WireGuard's built-in key generation utilities. This is essential for setting up secure VPN connections.

Signature

generateKeys(options?: {
  privateKeyPath?: string
  publicKeyPath?: string
}): Promise<{
  publicKey: string
  privateKey: string
}>

Parameters

  • options (object, optional): Configuration options
    • privateKeyPath (string, optional): Custom path to save the private key
    • publicKeyPath (string, optional): Custom path to save the public key

Returns

Returns a Promise that resolves to an object containing:

  • publicKey (string): The generated public key (safe to share)
  • privateKey (string): The generated private key (keep secret)

Basic Usage

import { generateKeys } from "@kriper0nind/wg-utils"
 
// Generate keys with default settings
const keys = await generateKeys()
 
console.log("Public Key:", keys.publicKey)
console.log("Private Key:", keys.privateKey)

Advanced Usage

Custom Key Paths

const keys = await generateKeys({
  privateKeyPath: "/custom/path/server.key",
  publicKeyPath: "/custom/path/server.pub"
})

Server Setup

import { generateKeys, initConf } from "@kriper0nind/wg-utils"
 
// Generate server keys
const serverKeys = await generateKeys()
 
// Create server configuration
await initConf("/etc/wireguard/wg0.conf", {
  privateKey: serverKeys.privateKey,
  port: 51820,
  ip: "10.0.0.1"
})
 
console.log("Server public key:", serverKeys.publicKey)

Client Setup

import { generateKeys, addPeer } from "@kriper0nind/wg-utils"
 
// Generate client keys
const clientKeys = await generateKeys()
 
// Add client to server configuration
const result = await addPeer("/etc/wireguard/wg0.conf", {
  publicKey: clientKeys.publicKey
})
 
console.log("Client private key:", clientKeys.privateKey)
console.log("Client IP:", result.ip)

Key Security

Best Practices

  1. Keep private keys secure: Never share private keys
  2. Use proper file permissions: Set 600 permissions for private key files
  3. Store keys safely: Consider using secure key management systems
  4. Rotate keys regularly: Generate new keys periodically

File Permissions

import { chmod } from "fs/promises"
 
const keys = await generateKeys()
 
// Set secure permissions for private key
await chmod("/etc/wireguard/privatekey", 0o600)

Key Format

WireGuard keys are base64-encoded strings:

  • Public Key: 44 characters (e.g., "ABC123...XYZ789=")
  • Private Key: 44 characters (e.g., "DEF456...UVW012=")

Error Handling

The function may throw errors in the following scenarios:

  • WireGuard not installed: Missing wg command
  • Permission denied: Insufficient privileges to write key files
  • Invalid paths: Non-existent directories for custom paths
  • System errors: General system-level failures
try {
  const keys = await generateKeys()
} catch (error) {
  if (error.message.includes('wg genkey')) {
    console.error("WireGuard is not installed")
  } else if (error.code === 'EACCES') {
    console.error("Permission denied - run with sudo")
  } else {
    console.error("Key generation failed:", error.message)
  }
}

Implementation Details

The function uses WireGuard's native key generation:

  1. Private Key: Generated using wg genkey
  2. Public Key: Derived from private key using wg pubkey
  3. File Operations: Keys are written to /etc/wireguard/ by default
  4. Security: Uses umask 077 for secure file creation

Examples

Complete VPN Setup

import { generateKeys, initConf, addPeer, up } from "@kriper0nind/wg-utils"
 
async function setupVPN() {
  try {
    // 1. Generate server keys
    const serverKeys = await generateKeys()
    console.log("Server keys generated")
 
    // 2. Create server configuration
    await initConf("/etc/wireguard/wg0.conf", {
      privateKey: serverKeys.privateKey,
      port: 51820,
      ip: "10.0.0.1"
    })
    console.log("Server configuration created")
 
    // 3. Generate client keys
    const clientKeys = await generateKeys()
    console.log("Client keys generated")
 
    // 4. Add client to server
    const result = await addPeer("/etc/wireguard/wg0.conf", {
      publicKey: clientKeys.publicKey
    })
    console.log(`Client added with IP: ${result.ip}`)
 
    // 5. Start the VPN
    await up("wg0")
    console.log("VPN started successfully")
 
    // 6. Return keys for client configuration
    return {
      serverPublicKey: serverKeys.publicKey,
      clientPrivateKey: clientKeys.privateKey,
      clientIP: result.ip
    }
 
  } catch (error) {
    console.error("VPN setup failed:", error.message)
    throw error
  }
}

Batch Key Generation

async function generateMultipleKeys(count: number) {
  const keyPairs = []
  
  for (let i = 0; i < count; i++) {
    const keys = await generateKeys()
    keyPairs.push({
      id: i + 1,
      publicKey: keys.publicKey,
      privateKey: keys.privateKey
    })
  }
  
  return keyPairs
}
 
// Generate 5 key pairs
const keyPairs = await generateMultipleKeys(5)
console.log(`Generated ${keyPairs.length} key pairs`)

Dependencies

  • WireGuard tools: wg genkey and wg pubkey commands
  • Node.js fs/promises: For file operations
  • System permissions: Write access to /etc/wireguard/

Notes

  • Keys are generated using WireGuard's cryptographically secure random number generator
  • The function automatically handles file creation and permissions
  • Generated keys are immediately ready for use in WireGuard configurations
  • Private keys should never be logged or transmitted in plain text