Nanami DocsGuide
Search docsFilter pages by title

WireGuard device config wizard

Use Nodes -> Node details -> WireGuard for all manual WireGuard exports.

Server config vs device config

  • Server config (read-only) is for diagnostics only.
  • It is explicitly marked NOT IMPORTABLE / SERVER SIDE ONLY.
  • It can be copied for troubleshooting.
  • Download is intentionally disabled so unusable files are not exported by accident.

Importable device config flow

Use Get device config and follow the 3-step wizard.

Step 1: Choose path

  • I already have a private key for this device
    • Paste/import the private key locally.
    • The key stays in browser storage only.
    • The private key is never sent to the Nanami server.
  • Generate a new key (rotate)
    • Requires explicit confirmation.
    • Rotation invalidates previously downloaded configs for this device.

Step 2: Preview importable config

  • Review the full config preview.
  • Available actions:
    • Copy
    • Download .conf
    • QR (for mobile WireGuard import)
  • QR is available only for the importable config preview.

Step 3: Import and verify

  1. Import the generated config into the WireGuard client.
  2. Activate the tunnel.
  3. Verify the node connectivity state in Nodes.

Local key handling

  • Manual private keys are stored in browser-only local storage.
  • Use Clear local key in the WireGuard tab to remove local key material.
  • If browser storage is cleared, old private keys cannot be recovered from server.

When to regenerate

  • If gateway endpoint or WireGuard UDP port changes, generate and re-import a new device config.
  • If you rotate keys, old configs stop working immediately.
Edit this page