WireGuard Setup

Manual WireGuard configuration without the DataCork CLI. Use this when you need to configure the tunnel at the OS level or integrate with an existing WireGuard manager.

When to use manual config vs native client

Use the DataCork CLI (quickstart) when:

You want the MCP agent interface (recommended for AI agents)
You need automatic key rotation and session management
You want x402 billing handled automatically

Use manual WireGuard config when:

You're on a router or embedded device where the CLI can't run
You need persistent tunnel config baked into an image
You're integrating with an existing WireGuard manager (NetworkManager, wg-quick, etc.)

Download your WireGuard config

From the dashboard at datacork.com/app/wireguard/config, or via the API:

# Get config for a German exit node
curl -sX POST https://api.datacork.com/v1/wireguard/config \
  -H "Authorization: Bearer $DATACORK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"country": "DE", "duration_hours": 24}' \
  -o datacork.conf

The downloaded file looks like a standard WireGuard config:

[Interface]
PrivateKey = <your-ephemeral-private-key>
Address = 10.100.0.42/32
DNS = 1.1.1.1

[Peer]
PublicKey = <datacork-node-public-key>
PresharedKey = <session-psk>
Endpoint = de-fra-01.datacork.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Post-quantum note: This config is PQ-enabled. DataCork exit nodes run Rosenpass alongside WireGuard. The Rosenpass ML-KEM-768 key exchange happens automatically during the WireGuard handshake — no additional configuration on your end. You benefit from post-quantum forward secrecy without changing anything. The PresharedKey above is the Rosenpass-derived shared secret, rotated every session.

Bring up the tunnel

# Linux / macOS (requires wireguard-tools)
sudo wg-quick up ./datacork.conf

# Verify tunnel is up
wg show datacork
# Output:
# interface: datacork
#   public key: <your-pub-key>
#   private key: (hidden)
#   listening port: 51820
#
# peer: <datacork-node-pub-key>
#   endpoint: de-fra-01.datacork.com:51820
#   allowed ips: 0.0.0.0/0
#   latest handshake: 3 seconds ago
#   transfer: 84 B received, 212 B sent

# Verify egress IP
curl -s https://api.ipify.org
# Should return de-fra-01 exit IP

Tear down

sudo wg-quick down ./datacork.conf

systemd unit (persistent tunnel)

# Copy config to WireGuard directory
sudo cp datacork.conf /etc/wireguard/datacork.conf

# Enable on boot
sudo systemctl enable wg-quick@datacork
sudo systemctl start wg-quick@datacork

# Status
sudo systemctl status wg-quick@datacork

Config expiry: Configs downloaded via the API are valid for the duration_hours you specify (max 168 hours / 7 days for Pro+). After expiry, the tunnel drops and you need a new config. For long-lived tunnels, use the DataCork CLI which handles rotation automatically.