# Wireguard VPP API Changes The Wireguard implementation in VPP is imitating the implementation in the Linux Kernel. In terms of implementations on the wire, this is good. In terms of consumable APIs, it turns out to be deficient for the various ways folks would like to consume it. ## Motivation Currently we have three known uses cases for wireguard in vpp: 1. Network Service Mesh NSM which would like to be able to cross connect another interface using L3XC to a wireguard peer. This could be done either with per peer interfaces. 3. Calico-VPP 4. VPN GW ## Current Wireguard VPP CLI state The [Wireguard VPP CLI](https://docs.fd.io/vpp/21.01/d1/df4/clicmd_src_plugins_wireguard.html) is centered conceptually around two commands: ``` wireguard create listen-port <port> private-key <key> src <IP> [generate-key] ``` and ``` wireguard peer add <wg_int> public-key <pub_key_other> endpoint <ip4_dst> allowed-ip <prefix> dst-port [port_dst] persistent-keepalive [keepalive_interval]. ``` Conceptually we have two objects: 1. Wireguard Interface - created by the 'wireguard create' 2. Wireguard peer ## Proposed Wireguard VPP CLI ``` wireguard listener add ips <IPPrefix,...> port <port> private-key <key> ``` ``` wireguard peer add <listener_id> dst_ip [ip_dst] dst-port [port_dst] persistent-keepalive [keepalive_interval] ``` and ``` create interface wireguard peer <peer_id> ``` Conceptually we would have three objects: 1. Wireguard listener 2. Wireguard peer - attached to a listener 3. Wireguard interface - optional, attached to a peer We could achieve exactly the same effect as we currently do for wireguard with 'allowed-ips' by providing routes to the new wireguard interface.