From 45b9cfc49e69d0ecba94b2dff486c62b359aea93 Mon Sep 17 00:00:00 2001 From: Manevolent Date: Tue, 21 Sep 2021 18:06:00 -0600 Subject: [PATCH] Update README --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 05e83e7..f894e3b 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,16 @@ For GitHub, at this time the contents would be: Don't take my word for it, see: https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints +**Optional: Generate a WireGuard key** + +You only need to do this if you are setting `wg_enabled`=1, for example when you want to service VPN clients from a "master" node. See **Wireguard Options** for more information on how to do that. + +See: https://www.wireguard.com/quickstart/ +``` +apk add -U wireguard-tools +wg genkey | tee privatekey | wg pubkey > publickey +``` + #### Install/Update: 1. Read and follow the prerequisites above and make sure you are ready to install. 
@@ -186,7 +196,7 @@ These settings are optional, and are already defaulted to general network common #### Wireguard options -Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG. Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.1.z) where `z` is an unused address (or your ASN number, like 8, 16, so on) and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN. If a node is hosting WireGuard clients, they can send traffic into other nodes but likely won't receive any traffic back unless `wg_routes` is set correctly so BIRD can export peer addresses into the BGP routing framework. +Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG. Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.1.z) where `z` is an unused address (or your ASN number, like 8, 16, so on) and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN. If a node is hosting WireGuard clients, they can send traffic into other nodes but likely won't receive any traffic back unless `wg_routes` is set so BIRD can export peer addresses into the BGP routing framework. * `wg_enabled`: Set to 1 to enable WireGuard. Defaults to 0/disabled. * `wg_key`: Required if `wg_enabled`=1. The private key to use for the Wireguard peering point.
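Review bot: In the first hunk (README.md @@ -39,6 +39,16 @@), the added command `wg genkey | tee privatekey | wg pubkey > publickey` creates `privatekey` under the caller's current umask, so on a typical system the file is readable by other local users. The WireGuard quickstart that this section links to sets `umask 077` before generating the key; add that line ahead of the `wg genkey` line. The section also never says what to do with the result: the option list describes `wg_key` as the private key, so state that the contents of `privatekey` go into `wg_key` and that `publickey` is what gets handed to peers. Two smaller points: put a blank line between the `See:` link and the opening code fence so the block renders reliably, and match the heading's spelling in the cross-reference (`**Wireguard Options**` here, `#### Wireguard options` in the file).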
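Review bot: In the second hunk (README.md @@ -186,7 +196,7 @@), the only change is dropping "correctly" from "unless `wg_routes` is set correctly", which leaves the reader with less idea of what value is needed for BIRD to export peer addresses. Say what `wg_routes` should contain, or give a short example value, instead of only softening the wording. Since the paragraph is being rewritten anyway, fix "auxilliary" to "auxiliary" and use one spelling of the product name: the line mixes "Wireguard" and "WireGuard".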