Edit an Interface

To modify the properties of an existing interface, follow these steps:

  1. Click the Hosts link in the app header.

  2. Find the host containing the interface in the list, and click its name to view the host’s main status page.

  3. Find the interface in the Interfaces panel, and click its name to view the interface’s main status page.

  4. Click the “pencil” icon on the right side of the Interface panel to modify the interface’s properties.

State

Toggle the State button “Down” to shut down the interface; toggle it “Up” to start up the interface.

If the interface is already up, you can check the Restart checkbox to force it to restart.

If the interface is already down, you can check the Remove checkbox to prevent it from being started up as a system service on boot.

Description

Optionally enter a description for the interface, like “staging network for APAC”, in the Description field. This description will be displayed alongside the interface name in various places in the UI. There are no length or character restrictions.

Peer

Select the peer identity by which remote hosts will know this interface, either by entering the name of a peer already added to Pro Custodibus in the Peer field, or by adding a new peer by clicking the New button next to the Peer field. This peer represents the interface’s own public-key pair that it will use to authenticate itself to remote hosts (and corresponds to the “PrivateKey” setting in a wg-quick-style configuration file).

You can type part of a name in the Peer field to filter the displayed list of peers from which to choose. Use the up and down arrow keys to highlight a peer from the list, and use the tab or enter key to select the highlighted peer. If a peer is currently being used as the identity of another interface, the displayed list will indicate this (usually you don’t want to use the same peer identity for more than one interface).

If you click the New button next to the Peer field, an Add Peer dialog will appear, allowing you to register a new peer identity with Pro Custodibus. You can then select this peer to use as the identity for the interface.

Addresses

Enter one or more source IP addresses to attach to the interface, like “10.0.0.1/24, fd00:0:0:1::/64”, in the Addresses field. Separate multiple addresses with commas, newlines, or other whitespace. This address or addresses should be unique among the local interfaces and remote hosts to which this interface can connect.

Most of the time you can omit the network prefix length (the “/24” part of “10.0.0.1/24”) when specifying IP addresses for the Addresses field. Declaring a network prefix is generally not useful unless you are also planning on customizing the routing for the interface.
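A way to check the Addresses rules above before saving the form; this is an added example, not Pro Custodibus code. The function names, the "host/interface" labels, and the sample inventory are assumptions constructed for illustration.

```python
import ipaddress
import re

def parse_addresses(field):
    """Parse an Addresses field value into ipaddress interface objects.

    Entries may be separated by commas, newlines, or other whitespace.
    Python's ipaddress reads an entry with no prefix length as a single
    host (/32 for IPv4, /128 for IPv6). Malformed entries raise ValueError.
    """
    entries = [e for e in re.split(r"[,\s]+", field.strip()) if e]
    return [ipaddress.ip_interface(e) for e in entries]

def find_conflicts(inventory):
    """Return (ip, first_owner, second_owner) for every IP claimed twice.

    `inventory` maps a hypothetical "host/interface" label to the raw
    Addresses field value entered for that interface.
    """
    owners = {}
    conflicts = []
    for label, field in inventory.items():
        for iface in parse_addresses(field):
            first = owners.setdefault(iface.ip, label)
            if first != label:
                conflicts.append((str(iface.ip), first, label))
    return conflicts

# Constructed sample inventory (not taken from any real deployment).
SAMPLE_INVENTORY = {
    "host-a/wg0": "10.0.0.1/24, fd00:0:0:1::/64",
    "host-b/wg0": "10.0.0.2\nfd00:0:0:1::2",
    "host-c/wg0": "10.0.0.1 fd00:0:0:1::3",   # reuses host-a's IPv4 address
}

if __name__ == "__main__":
    for ip, first, second in find_conflicts(SAMPLE_INVENTORY):
        print(f"{ip} is assigned to both {first} and {second}")
```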

Port

Optionally enter a static UDP port on which the interface should listen, like “51820”, in the Port field. This is the port on which the interface’s encrypted tunnel will be established with its remote endpoints (and corresponds to the “ListenPort” setting in a wg-quick-style configuration file).

If you leave this field blank, every time the interface starts up, WireGuard will automatically choose a different free UDP port on which to listen.

Advanced Properties

The above properties are all you need to configure a WireGuard interface, most of the time. To configure the advanced properties of the interface, click the Advanced Properties toggle button to reveal a number of advanced options.

DNS Servers

Optionally enter the IP addresses of one or more DNS servers to use while the WireGuard interface is up, like “10.0.0.53, fd00::53”, in the DNS Servers field. Separate multiple addresses with commas, newlines, or other whitespace.

Usually you’d use this setting only if you have a private DNS server that is accessible only through this WireGuard interface (it corresponds to the DNS servers portion of the “DNS” setting in a wg-quick-style configuration file).

On Linux hosts using systemd-resolved, you may have more success using “Post Up” and “Pre Down” scripts to adjust the host’s DNS settings through direct calls to resolvectl, rather than using the DNS Servers and Search Domains settings.

Search Domains

Optionally enter the search domains for which to query the above DNS Servers, like “wg.lan, corp”, in the Search Domains field. Separate multiple domains with commas, newlines, or other whitespace.

Usually you’d use this setting only in conjunction with the DNS Servers setting above for a private DNS server with a private domain name that is accessible only through this WireGuard interface (this setting corresponds to the search domain portion of the “DNS” setting in a wg-quick-style configuration file).
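For the systemd-resolved case mentioned above, the following added example (not Pro Custodibus code) turns DNS Servers and Search Domains values into resolvectl lines for the “Post Up” and “Pre Down” script fields. It validates every value first, because script lines run as root. The function names, the interface name “wg0”, and the validation patterns are assumptions.

```python
import ipaddress
import re

# Assumed conservative patterns: anything outside them is rejected rather
# than quoted, since the generated lines are executed by a root shell.
_IFNAME = re.compile(r"^[A-Za-z0-9_=+.-]{1,15}$")
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")

def split_field(value):
    """Split a field on commas, newlines, or other whitespace."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]

def resolvectl_scripts(ifname, dns_servers, search_domains=""):
    """Return (post_up_lines, pre_down_lines) for the two script fields."""
    if not _IFNAME.match(ifname):
        raise ValueError(f"unexpected interface name: {ifname!r}")
    # ip_address() raises ValueError for anything that is not a bare IP.
    servers = [str(ipaddress.ip_address(s)) for s in split_field(dns_servers)]
    if not servers:
        raise ValueError("at least one DNS server is required")
    domains = split_field(search_domains)
    for domain in domains:
        if not _DOMAIN.match(domain):
            raise ValueError(f"unexpected search domain: {domain!r}")

    post_up = [f"resolvectl dns {ifname} {' '.join(servers)}"]
    if domains:
        post_up.append(f"resolvectl domain {ifname} {' '.join(domains)}")
    # Drop the per-link DNS settings again before the interface goes down.
    pre_down = [f"resolvectl revert {ifname}"]
    return post_up, pre_down

if __name__ == "__main__":
    up, down = resolvectl_scripts("wg0", "10.0.0.53, fd00::53", "wg.lan, corp")
    print("Post Up Script:", *up, sep="\n  ")
    print("Pre Down Script:", *down, sep="\n  ")
```

With these lines in the script fields, leave the DNS Servers and Search Domains fields blank so that the two mechanisms do not both try to configure the resolver.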

MTU

Optionally enter a custom MTU value, like “1380”, in the MTU field. This is the maximum number of bytes of data that the OS should put in each packet it sends from local sockets to the interface (before WireGuard encrypts and wraps them in another set of packets). Usually you should omit this setting, and let WireGuard determine the best MTU to advertise automatically.

Routing Table

Optionally enter a custom routing table number or name to which to add this interface’s routes, like “123”, in the Routing Table field. Leave it blank or enter “auto” to use the host’s default routing table; enter “off” to prevent WireGuard from adding routes to any table.

WireGuard does not support the Routing Table field on Android, iOS, or macOS hosts; leave it blank for them.

Firewall Mark

Optionally enter a number with which to mark outgoing packets of this interface, like “0x7b”, in the Firewall Mark field (it corresponds to the “FwMark” setting in a wg-quick-style configuration file). Leave it blank unless you intend to set up custom firewall or routing rules on the host using this mark.

WireGuard does not support Firewall Mark on Android, iOS, macOS, or Windows hosts; leave it blank for them.

Firewall Zone

Optionally select the firewall zone to apply to the interface when up, from the options in the Firewall Zone field. Leave blank unless using a zone-based firewall on the host.

This setting is used only on Linux and Windows, and only if the host is running the Pro Custodibus agent 1.6.0 or newer.

Forwarding

Optionally select a packet forwarding policy to apply to the interface, from the options in the Forwarding field. Leave blank unless using the host as a WireGuard hub or gateway.

This setting is used only on Linux, and only if the host is running the Pro Custodibus agent 1.6.0 or newer. Also, note that this may conflict with custom firewall rules you have set up on the host.

Masquerading

Optionally select a packet masquerading policy to apply to the interface, from the options in the Masquerading field. Leave blank unless using the host as a WireGuard gateway.

This setting is used only on Linux, and only if the host is running the Pro Custodibus agent 1.6.0 or newer. Also, note that this may conflict with custom firewall rules you have set up on the host.

MSS Clamping

Optionally check the Clamp outbound to WireGuard network checkbox to clamp the MSS (Maximum Segment Size) of outbound TCP connections forwarded to the WireGuard network from all other networks. Leave blank unless using the host as a WireGuard gateway.

This setting is used only on Linux, and only if the host is running the Pro Custodibus agent 1.6.0 or newer. Also, note that this may conflict with custom firewall rules you have set up on the host.

Save Config

Optionally check the Overwrite config file with temporary settings checkbox to overwrite the interface’s configuration file with the interface’s current state when it is shut down. This setting is usually not desirable when using Pro Custodibus to manage the interface.

Pre Up Script

Optionally enter a list of commands to run before the interface starts up, like “sysctl -w net.ipv4.ip_forward=1”, in the Pre Up Script field. Enter each command on a separate line. Each command will be run as root in its own subshell. If a command fails (that is, exits with a non-zero exit code), the interface will not start up.

WireGuard does not support any of the script fields on Android, iOS, or macOS hosts; leave them blank.

Post Up Script

Optionally enter a list of commands to run after the interface starts up in the Post Up Script field. Enter each command on a separate line. Each command will be run as root in its own subshell. If a command fails (that is, exits with a non-zero exit code), the interface will shut down immediately, without running any pre- or post-down scripts.

Pre Down Script

Optionally enter a list of commands to run before the interface shuts down in the Pre Down Script field. Enter each command on a separate line. Each command will be run as root in its own subshell. If a command fails (that is, exits with a non-zero exit code), the interface will not shut down.

Post Down Script

Optionally enter a list of commands to run after the interface shuts down in the Post Down Script field. Enter each command on a separate line. Each command will be run as root in its own subshell. If a command fails (that is, exits with a non-zero exit code), it will have no effect on the interface shutting down.

Form Submit

Click the Update button to submit the form and queue the changes for the interface.

The next time the Pro Custodibus agent on the host pings the Pro Custodibus servers, the agent will receive the information about the interface update, and execute it.