Add a Peer

In order to add a new interface or endpoint with Pro Custodibus, you must first add a record for the peer identity that the interface or endpoint will use.

What is a WireGuard Peer?

The identity of a member of a WireGuard network. The same host may be a member of many distinct networks, appearing as a different peer to different remote endpoints.

See the Terminology page for a fuller explanation.

Add Peer Page

Follow these steps to navigate to the Add Peer page:

  1. Click the Admin link in the app header.

  2. Click the Peers link in the Administration panel.

  3. Click the “plus” icon on the right side of the Peers panel.

You can also add peers directly from the Add Interface, Edit Interface, and Add Endpoint forms.

Name

Enter a descriptive name for the peer, like “Grace’s UNIVAC”, in the Name field. This name will be used as the display name for the peer in the UI. There are no character restrictions, and you can change it later.

Public Key

Enter the public key for the peer, like “/TOE4TKtAqVsePRVR+5AA43HkAK5DSntkOCO7nYq5xU=”, in the Public Key field. This value should be the base64-encoded 256-bit public key of an X25519 (aka Curve25519) public-key pair. As a base64-encoded string, it will be 44 characters long, and end with an equals sign.

The public key of a peer uniquely identifies the peer, and cannot be changed later. (You can, however, later change the peer used by an interface for its local identity; or later add or remove endpoints for different peers to an interface, representing the different remote identities to which the interface can connect.)

If you haven’t already created a public-key pair for the peer, you can create one by clicking the Generate button next to the Private Key field.

If you have already created a private key, you can calculate the public key from a private key with the following WireGuard command:

$ echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEE= | wg pubkey
/TOE4TKtAqVsePRVR+5AA43HkAK5DSntkOCO7nYq5xU=

Private Key

Optionally enter the private key for the peer, like “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEE=”, in the Private Key field. This value should be the base64-encoded 256-bit private key of an X25519 (aka Curve25519) public-key pair. As a base64-encoded string, it will be 44 characters long, and end with an equals sign.

If you haven’t already created a public-key pair for the peer, you can create one by clicking the Generate button next to the Private Key field. You can also generate a new private key with the following WireGuard command:

$ wg genkey
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEE=

(But do not use the above example key, as it is essentially all zeros.)

You don’t have to reveal your WireGuard private keys to Pro Custodibus in order for Pro Custodibus to monitor or update the WireGuard interfaces on a host. However, Pro Custodibus will not be able to create a new interface for you without access to the interface’s private key — you’ll have to manually create the interface on the host with the private key first (and then Pro Custodibus can update it).

If you don’t want to reveal your WireGuard private keys to Pro Custodibus, make sure you set RedactSecrets = true in your agent configuration file (restart the agent after making that change).

Form Submit

Click the Add button to submit the form and create an entry for the peer.

Next Steps