WireGuard’s PostUp and PostDown directives are powerful features that allow you to execute shell commands automatically when your VPN tunnel is established or torn down. These scripts enable advanced routing configurations, automated firewall rule management, and dynamic network setup that responds to your VPN connection state.
In your WireGuard configuration file (wg0.conf), the PostUp and PostDown options let you define commands that run after the interface is brought up or down, respectively. This automation is essential for complex network topologies where you need to configure routes, DNS servers, or firewall rules dynamically.
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
[Peer]
PublicKey = <peer-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
One of the most common uses for PostUp/PostDown is managing iptables rules. This ensures your firewall adapts to your VPN connection automatically.
[Interface]
Address = 10.0.0.2/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
This configuration lets the firewall accept packets forwarded in and out of the VPN interface and masquerades traffic leaving through eth0. The FORWARD rules only permit forwarding; the kernel must also have it enabled (net.ipv4.ip_forward = 1), which wg-quick does not do for you.
You can automatically change your DNS servers when the VPN connects, ensuring all DNS queries go through your VPN’s DNS resolver.
[Interface]
Address = 10.0.0.2/24
PostUp = resolvectl dns wg0 10.0.0.1 && resolvectl domain wg0 ~.
PostDown = resolvectl revert wg0
[Peer]
# ...
PostUp scripts enable sophisticated split tunneling by adding specific routes only when the VPN is active.
[Interface]
Address = 10.0.0.2/24
PostUp = ip route add 192.168.50.0/24 via 10.0.0.1 dev wg0
PostUp = ip route add 10.8.0.0/16 via 10.0.0.1 dev wg0
PostDown = ip route del 192.168.50.0/24 via 10.0.0.1 dev wg0
PostDown = ip route del 10.8.0.0/16 via 10.0.0.1 dev wg0
This routes specific private network ranges through the VPN while keeping other traffic on your default connection. The peer’s AllowedIPs must cover the same ranges, otherwise WireGuard discards the packets before they enter the tunnel. Note that with the default Table setting wg-quick already installs a route for every AllowedIPs prefix, so explicit routes like these matter mainly when you set Table = off and manage routing yourself.
A VPN kill switch prevents data leaks by blocking all traffic when the VPN disconnects unexpectedly.
[Interface]
Address = 10.0.0.2/24
PostUp = iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j DROP
PreDown = iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j DROP
This iptables rule drops all outgoing traffic that doesn’t go through the wg0 interface while the VPN is active. Two exceptions keep the tunnel itself alive: packets carrying the fwmark that wg-quick assigns to WireGuard’s own encrypted UDP traffic (set whenever a peer has AllowedIPs = 0.0.0.0/0, the full-tunnel case a kill switch is meant for) may still leave through the physical interface, and packets to local addresses are left alone. Without the fwmark exception the rule would also drop the handshake and data packets to the endpoint and the tunnel would stall. The rule is removed in PreDown rather than PostDown because wg show needs the interface to still exist.
For systems using nftables instead of iptables, the same rules are written with the nft command. Two differences matter: the filter and nat chains do not exist until you create them, and nft cannot delete a rule by repeating its specification (deletion needs the rule handle). The cleanest pattern is therefore a dedicated table that PostDown removes as a whole:
[Interface]
Address = 10.0.0.2/24
PostUp = nft add table ip wg
PostUp = nft 'add chain ip wg forward { type filter hook forward priority 0; }'
PostUp = nft add rule ip wg forward iifname wg0 counter accept
PostUp = nft add rule ip wg forward oifname wg0 counter accept
PostUp = nft 'add chain ip wg postrouting { type nat hook postrouting priority 100; }'
PostUp = nft add rule ip wg postrouting oifname eth0 masquerade
PostDown = nft delete table ip wg
Managing both IPv4 and IPv6 requires additional rules.
[Interface]
Address = 10.0.0.2/24, fd00::2/64
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
When the interface serves multiple WireGuard peers, you can add a route for each peer’s network and label it by the peer it serves. The hooks themselves are interface-level: wg-quick runs PostUp and PostDown once for the interface, not once per peer, and only recognises them in the [Interface] section (everything under [Peer] is passed straight to wg setconf, which rejects unknown keys).
[Interface]
# ...
# Home Network Peer
PostUp = ip route add 192.168.1.0/24 via 10.0.0.1 dev wg0
PostDown = ip route del 192.168.1.0/24 via 10.0.0.1 dev wg0
# Office Network Peer
PostUp = ip route add 10.20.0.0/16 via 10.0.0.2 dev wg0
PostDown = ip route del 10.20.0.0/16 via 10.0.0.2 dev wg0
[Peer]
PublicKey = <home-peer-key>
AllowedIPs = 192.168.1.0/24
[Peer]
PublicKey = <office-peer-key>
AllowedIPs = 10.20.0.0/16
When your PostUp or PostDown commands fail, wg-quick tears the interface down again but may not provide detailed error messages. Here are debugging strategies:
Test commands manually: Run your PostUp commands in a terminal as root to verify they work; any hook that exits non-zero aborts the interface setup.
Use absolute paths: Always use full paths like /usr/sbin/iptables instead of just iptables, because the hook does not necessarily run with the same PATH as your interactive shell.
Redirect output to logs: Add logging to your scripts.
PostUp = /bin/sh -c 'iptables -A FORWARD -i wg0 -j ACCEPT >> /var/log/wg-setup.log 2>&1'
Check the interface state and the unit’s journal: wg-quick echoes every hook it runs (prefixed with [#]) to stderr, which ends up in the systemd journal when the interface is managed by the wg-quick@ service.
sudo wg show
sudo journalctl -u wg-quick@wg0 -f
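As an added example (not part of the original article), here is the iptables rule set from the firewall section above wrapped in a single hook script that is safe to rerun and logs what it did, which is what the debugging advice boils down to. The script path /etc/wireguard/wg-hooks.sh, the eth0 uplink and the IPT, LOG and WAN override variables are assumptions; it would be wired into wg0.conf as PostUp = /etc/wireguard/wg-hooks.sh up %i and PostDown = /etc/wireguard/wg-hooks.sh down %i (wg-quick substitutes %i with the interface name).

```shell
#!/bin/sh
# wg-hooks.sh: idempotent PostUp/PostDown helper for wg-quick (added example,
# not from the article). Assumed wiring in wg0.conf:
#   PostUp   = /etc/wireguard/wg-hooks.sh up %i
#   PostDown = /etc/wireguard/wg-hooks.sh down %i
# IPT, LOG and WAN are overridable (assumption) so the functions can be
# exercised with a stand-in iptables and without root.
set -u
IPT="${IPT:-/usr/sbin/iptables}"
LOG="${LOG:-/var/log/wg-hooks.log}"
WAN="${WAN:-eth0}"
log() { printf '%s wg-hooks: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOG"; }

# rule_add TABLE RULE...: append only if an identical rule is not already
# present, so a repeated PostUp (or a manual rerun) never duplicates rules.
rule_add() {
    table=$1; shift
    if "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        log "present: -t $table $*"; return 0
    fi
    "$IPT" -t "$table" -A "$@" || { log "FAILED add: -t $table $*"; return 1; }
    log "added: -t $table $*"
}

# rule_del TABLE RULE...: delete every copy, so leftovers from an earlier
# session whose PostDown never ran are cleaned up too.
rule_del() {
    table=$1; shift; n=0
    while "$IPT" -t "$table" -C "$@" 2>/dev/null; do
        "$IPT" -t "$table" -D "$@" || break
        n=$((n + 1))
    done
    log "removed $n copy(ies): -t $table $*"
}

# rules IFACE ACTION: the iptables rule set from the article, applied with
# rule_add (up) or rule_del (down). Any failing line fails the whole hook.
rules() {
    "$2" filter FORWARD -i "$1" -j ACCEPT || return 1
    "$2" filter FORWARD -o "$1" -j ACCEPT || return 1
    "$2" nat POSTROUTING -o "$WAN" -j MASQUERADE || return 1
}

hook_up()   { log "up $1";   rules "$1" rule_add; }
hook_down() { log "down $1"; rules "$1" rule_del; }
case "${1:-}" in
    up|down) "hook_$1" "${2:-wg0}" ;;
    *) echo "usage: $0 up|down [interface]" >&2 ;;
esac
```

Because rule_del removes every matching copy, the down hook also repairs a ruleset left behind by a session that ended without PostDown running (a crash or a power loss).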
WireGuard’s PostUp and PostDown directives transform a simple VPN tunnel into a fully programmable network solution. By automating routing, firewall rules, and DNS configuration, you can create sophisticated VPN setups that adapt dynamically to connection states while maintaining security and privacy.
Whether you need a simple kill switch or complex multi-peer routing, these scripts provide the flexibility to customize your WireGuard deployment to your exact requirements.