It will be super cool if ip/netmask functionality will be addressed by wgconf Currently we testing this systemd units for wireguard ppa: : wireguard.service # This service is actually a systemd target, # but we are using a service since targets cannot be reloaded. [Unit] Description=WireGuard service After=network.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/bin/true ExecReload=/bin/true [Install] WantedBy=multi-user.target :wireguard@.service [Unit] Description=WireGuard connection to %i PartOf=wireguard.service ReloadPropagatedFrom=wireguard.service Before=systemd-user-sessions.service [Service] Type=oneshot EnvironmentFile=-/etc/default/wireguard # %i is your connection name created from .conf files in /etc/wireguard # For ex.: Use systemctl enable wireguard@server.service to enable server example setup # You can store unlimited amount of various connections in /etc/wireguard ExecStart=/bin/ip link add dev wg%i type wireguard ExecStartPre=/bin/sh -c "/bin/systemctl set-environment ip=$(/usr/bin/head -1 /etc/wireguard/%i.conf | awk '{print $2}')" ExecStart=/bin/ip address add ${ip} dev wg%i ExecStart=/usr/bin/wg setconf wg%i /etc/wireguard/%i.conf ExecStart=/bin/ip link set up dev wg%i # We can't predict routing in your environment, but we can make it easier to setup in /etc/default/wireguard #ExecStart=/bin/ip route add $0_1 dev wg%i #ExecStart=/bin/ip route add $128_1 dev wg%i #ExecStart=/bin/ip add $demo via $common_router dev eth0 #ExecStart=/bin/ip route add #ExecStart=/bin/ip route add #ExecStart=/bin/ip route add #ExecStart=/bin/ip route add ExecReload=/bin/ip link del dev wg%i [Install] WantedBy=multi-user.target :/etc/default/wireguard # Common values could help you setup routing faster # You can set routing rules in /lib/systemd/wireguard@.service file 0_1="0.0.0.0/1" 128_1="128.0.0.0/1" # demo.wireguard.io demo="163.172.161.0/32" common_router="192.168.1.1" And test files: : server.conf # 192.168.177.1/24 # Since you need to set ip address manually with ip or ifconfig we use workaround and read ip/netmask from first line of every config file [Interface] # You can generate own public and private keys with: wg genkey | tee privatekey | wg pubkey > publickey # Its strongly recomended for you to generate own keys! PrivateKey = qFstR3l2HG5WQJ0qoQG0G87c039kXR5zN7vV+bUKb0Q= ListenPort = 41414 [Peer] PublicKey = 40UuwEq4H1gaY1rpmwuW0hUyOnGvXuoQIMctOyOrEAs= # Outside world access blocked in example setup AllowedIPs = 127.0.0.1/32 #AllowedIPs = 0.0.0.0/0 :client.conf # 192.168.4.5/24 # Since you need to set ip address manually with ip or ifconfig we use workaround and read ip/netmask from first line of every config file [Interface] # You can generate own public and private keys with: wg genkey | tee privatekey | wg pubkey > publickey PrivateKey = WEAuaVuhdyscyTCXVfBDJR6nf9zxD75jmJzrfhkyE3Y= [Peer] PublicKey = Uha1fHzOY6hPhq54fcrElVdNF/XQDzQ90rDT7+IqIgA= Endpoint = demo.wireguard.io:12912 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 25 After some talking with ">Egbert, I think to move routing to separate unit, but still read routing configuration from conf files. I just like ovpn way, when for user is just enough to copy single configuration file. If ip/netmask and routing will be done with wgconf, and will be located inside single config file, this will be huge success for all users.