How to set up Wireguard client in macos via scripting?

Question

We have a standard config (tunnel.conf) for Wireguard that we want to push to clients (via JAMF Pro).

We do not want the end user to have to open the Wireguard UI to import the config, we want to do this via scripting.

Given I can place the tunnel.conf file anywhere on the end user's system, where do I have to place it, and what command do I need to run to import it?

And conversely, how can I delete a tunnel config from Wireguard, via scripting?

Answer 1

So, as it turns out, Wireguard has a unique key-pair per tunnel - which means each user has their own keys.

Managing that via JAMF sounds like a nightmare, and it'll be easier to point users at their accounts in the VPN to pull down their config, than to manage it for them. Documentation and handholding time!

But it seems to be possible to manage applying a profile via automation. The kind support people at my VPN provider pointed me to this article on JAMF community board: https://community.jamf.com/t5/jamf-pro/wireguard-configuration-file-distribution/m-p/264747

There's a related page on the wireguard-apple repository: https://github.com/WireGuard/wireguard-apple/blob/master/MOBILECONFIG.md

If we do end up trying to manage the users configs, I'll update here.