The [WireGuard] section accepts the following keys:
PrivateKey=
The Base64 encoded private key for the interface. It can be
generated using the wg genkey command (see wg(8)). This
option or PrivateKeyFile= is mandatory to use WireGuard. Note
that because this information is secret, you may want to set
the permissions of the .netdev file to be owned by
"root:systemd-network" with a "0640" file mode.
PrivateKeyFile=
Takes an absolute path to a file which contains the Base64
encoded private key for the interface. When this option is
specified, then PrivateKey= is ignored. Note that the file
must be readable by the user "systemd-network", so it should
be, e.g., owned by "root:systemd-network" with a "0640" file
mode. If the path refers to an AF_UNIX stream socket in the
file system, a connection is made to it and the key is read
from it.
ListenPort=
Sets the UDP port to listen on. Takes either a value between
1 and 65535 or "auto". If "auto" is specified, the port is
automatically generated based on the interface name. Defaults
to "auto".
FirewallMark=
Sets a firewall mark on outgoing WireGuard packets from this
interface. Takes a number between 1 and 4294967295.
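
The constraints described above can be checked before a .netdev file is deployed. The following is an added example, not part of the original documentation or of systemd: the function names, the constructed sample file and the placeholder key are assumptions, it accepts decimal numbers only, and it checks the file mode but not the "root:systemd-network" ownership.

```python
import os
import stat
import sys

# Constructed sample: inline secret, out-of-range port and mark.
SAMPLE = """[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=<base64-key-placeholder>
ListenPort=70000
FirewallMark=0
"""

def parse_wireguard_section(text):
    """Collect Key=Value pairs from the [WireGuard] section only."""
    keys, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "WireGuard" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys

def in_range(value, low, high):
    return value.isascii() and value.isdigit() and low <= int(value) <= high

def audit_netdev(text, mode):
    """Return findings for a .netdev file's text and its st_mode bits."""
    wg, findings = parse_wireguard_section(text), []
    inline, keyfile = wg.get("PrivateKey"), wg.get("PrivateKeyFile")
    if not inline and not keyfile:
        findings.append("neither PrivateKey= nor PrivateKeyFile= is set")
    if keyfile and not keyfile.startswith("/"):
        findings.append("PrivateKeyFile= is not an absolute path")
    if inline and keyfile:
        findings.append("PrivateKey= is ignored; remove the inline secret")
    if inline and stat.S_IMODE(mode) & 0o137:  # any bit beyond 0640
        findings.append("inline PrivateKey= in a file more permissive than 0640")
    if wg.get("ListenPort", "auto") != "auto" and not in_range(wg["ListenPort"], 1, 65535):
        findings.append("ListenPort= must be 1-65535 or auto")
    if "FirewallMark" in wg and not in_range(wg["FirewallMark"], 1, 4294967295):
        findings.append("FirewallMark= must be 1-4294967295")
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1]) as fh:
        print("\n".join(audit_netdev(fh.read(), os.stat(sys.argv[1]).st_mode)) or "ok")
```

Run it with the path of a .netdev file as the only argument; it prints one finding per line, or "ok".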