← Back to helprecipe · network

Set up a WireGuard VPN tunnel

3 min · 5 steps

Paste a .conf or fill in the fields, save, then toggle the tunnel on.

Avery NXR will ask for your macOS password the first time you bring the tunnel up — that's the standard system dialog, used because `wg-quick` needs to configure a routing table.

Steps

  1. Open Settings → Network.

    The Network tab lives next to Appearance.

    Open Network settings

  2. Paste your .conf, or fill in the fields by hand.

    If your IT team sent you a WireGuard .conf, paste it into the 'Paste a .conf' box and click Auto-fill. Otherwise enter Private Key, Interface Address, Server Public Key, Server Endpoint, and Allowed IPs by hand.

  3. Save Configuration.

    Keys are encrypted with AES-256-GCM under ~/.nxr/wireguard-keystore/. The metadata (endpoint, allowed IPs, etc.) lives next to it in plaintext; no secret leaks even if you back up your home dir.

  4. Click Test Connection.

    macOS will ask for your password. The test brings the tunnel up briefly, confirms wg-quick succeeded, then brings it down. If it fails, the error message tells you whether the endpoint was unreachable or the handshake didn't complete (= probably wrong keys).

  5. Toggle the tunnel on.

    macOS caches your password for ~5 minutes, so a toggle-off in the same session typically won't reprompt. The Verified badge turns green when the tunnel is up.

Live recipes need the desktop

This article is a static preview. The in-app Help sidecar inside Avery NXR can fire each step against your live project — install the desktop to use it interactively.

Download desktop →