VPN Configuration
The vpn: block in ~/.bnerd.yaml configures the WireGuard VPN connection used by bnerd up.
Complete VPN Configuration

```yaml
vpn:
  # Server connection (required)
  server-endpoint: vpn.bnerd.net:51820
  server-public-key: BASE64_SERVER_PUBLIC_KEY

  # Client identity (auto-generated on first run)
  private-key: BASE64_PRIVATE_KEY
  public-key: BASE64_PUBLIC_KEY

  # Network settings (usually auto-configured)
  client-address: 10.8.0.2/24
  allowed-ips: 10.8.0.0/24,193.163.206.241/32,10.244.0.0/16
  dns: 1.1.1.1

  # Interface settings
  interface: bnerd0
  config-dir: /etc/wireguard
  cleanup-config: false
```
Field Reference

Required Fields

| Field | Type | Description |
|---|---|---|
| server-endpoint | string | WireGuard server address in host:port format (e.g., vpn.bnerd.net:51820) |
| server-public-key | string | Base64-encoded WireGuard public key of the server |
Auto-Generated Fields

These are created automatically when you run bnerd up --generate-keys:

| Field | Type | Description |
|---|---|---|
| private-key | string | Base64-encoded Curve25519 private key |
| public-key | string | Base64-encoded public key (derived from private key) |
Network Fields

| Field | Type | Default | Description |
|---|---|---|---|
| client-address | string | Assigned by server | Client's VPN IP address with subnet mask (e.g., 10.8.0.2/24) |
| allowed-ips | string | 10.8.0.0/24 | Comma-separated IP ranges to route through the VPN tunnel |
| dns | string | 1.1.1.1 | DNS server to use when connected to VPN |
Interface Fields

| Field | Type | Default | Description |
|---|---|---|---|
| interface | string | bnerd0 | WireGuard network interface name (max 15 chars, alphanumeric + -_) |
| config-dir | string | /etc/wireguard | Directory for WireGuard configuration files |
| cleanup-config | bool | false | Remove WireGuard config files when disconnecting |
Multiple VPN Connections

To connect to multiple VPN endpoints simultaneously, use different interface names:

```yaml
# Primary connection uses default interface (bnerd0)
vpn:
  server-endpoint: vpn1.bnerd.net:51820
  server-public-key: KEY1
  interface: bnerd0
```
Override the interface for a second connection:
Allowed IPs must not overlap
When running multiple VPN connections, ensure the allowed-ips ranges don't overlap between connections. Overlapping routes cause unpredictable routing behavior.
See the Multiple VPN Connections guide for detailed instructions.
Key Storage
WireGuard keys are stored in the config file (~/.bnerd.yaml). The file should have restrictive permissions:
Generated WireGuard config files are written to the config-dir directory (default: /etc/wireguard/).
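
A pre-flight check for the two requirements above (non-overlapping allowed-ips across connections, and a restrictively permissioned key file), as an added example that is not part of bnerd. The function names, the dict layout of the sample connections, the second connection's values and the owner-only (0600) expectation are assumptions.

```python
import ipaddress
import os
import re
import stat

# Interface rule from the Interface Fields table: max 15 chars, alphanumeric plus - and _
IFACE_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")

def parse_allowed_ips(value):
    """Turn a comma-separated allowed-ips string into ip_network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]

def check_connections(connections):
    """Return a list of problems found across several vpn: blocks (given as dicts)."""
    problems = []
    names = [c["interface"] for c in connections]
    for name in names:
        if not IFACE_RE.fullmatch(name):
            problems.append(f"invalid interface name: {name!r}")
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"interface name used twice: {name}")
    # Compare every route of one connection against every route of the others.
    routes = [(c["interface"], net) for c in connections
              for net in parse_allowed_ips(c["allowed-ips"])]
    for i, (if_a, net_a) in enumerate(routes):
        for if_b, net_b in routes[i + 1:]:
            if if_a != if_b and net_a.version == net_b.version and net_a.overlaps(net_b):
                problems.append(f"overlap: {if_a} {net_a} <-> {if_b} {net_b}")
    return problems

def key_file_problems(path):
    """Flag a key-bearing config file that group or others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path} has mode {mode:04o}; expected owner-only (assumed 0600)"]
    return []

# Constructed sample: the first block uses this page's allowed-ips, the second is made up.
SAMPLE = [
    {"interface": "bnerd0", "allowed-ips": "10.8.0.0/24,193.163.206.241/32,10.244.0.0/16"},
    {"interface": "bnerd1", "allowed-ips": "10.9.0.0/24,10.244.16.0/20"},
]

if __name__ == "__main__":
    cfg = os.path.expanduser("~/.bnerd.yaml")
    found = check_connections(SAMPLE) + (key_file_problems(cfg) if os.path.exists(cfg) else [])
    print("\n".join(found) or "no problems found")
```

In the sample, the second connection's 10.244.16.0/20 sits inside the first connection's 10.244.0.0/16, which is the overlap the warning describes.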