WireGuard import is still broken in Ubuntu 26.04

I just hit a familiar bug on a fresh Ubuntu 26.04 install: import a WireGuard .conf through the GUI VPN settings, the connection shows up — and silently does nothing. The peer section gets dropped on the floor, every time.

The symptom

You import myvpn.conf through Settings → Network → VPN → +. The dialog accepts the file, the connection appears in the list, and you can toggle it on. It looks fine.

Then you check nmcli connection show myvpn and notice — nothing under [Peer]. No wireguard.peers, no public key, no endpoint, no allowed-ips. The [Interface] section made it across (private key, address, DNS) but the peer is gone.

Bringing it up "succeeds" because NetworkManager happily activates a peerless WireGuard interface. It just has nowhere to send packets. Your tunnel is a brick.

Confirming it

Easiest test once it's up:

sudo wg show <conn-name>

If you see only interface: and no peer: block, this bug bit you. Compare against the source .conf — it'll have a [Peer] section the GUI silently ate.

The workaround

nmcli's import path doesn't have this bug. So skip the GUI and go through the CLI:

# Stage the conf where NM expects it (root-owned, mode 0600)
sudo install -d -m 0700 /etc/wireguard
sudo install -m 0600 ~/path/to/myvpn.conf /etc/wireguard/myvpn.conf

# If the GUI already created a broken connection, delete it first
sudo nmcli connection delete myvpn

# Import properly
sudo nmcli connection import type wireguard file /etc/wireguard/myvpn.conf

That's it. The connection now shows up in the GUI exactly the same way (you can toggle it from the network indicator), but with the peer actually attached. Verify:

sudo nmcli connection up myvpn
sudo wg show myvpn

You should see your peer's public key, endpoint, allowed-ips, and a recent handshake.

Why I care

wg-quick up myvpn works fine from the terminal. So why fight the GUI at all?

Because the GUI gives you two things the CLI doesn't:

  1. A visual indicator of VPN state. The network applet in the system tray tells me at a glance whether I'm tunneled or not. No wg show in a terminal, no doubt about whether I remembered to bring it up before opening that internal dashboard.
  2. One-click switching between profiles. I keep several WireGuard configs around — a full-tunnel for travel, a split-tunnel into a homelab, a jump network for work. Picking one from the network menu is faster than sudo wg-quick down old && sudo wg-quick up new.

The activation path through NetworkManager is fine. It's only the import that's broken. So I import once via nmcli, then live in the GUI exactly the way I wanted to in the first place.

State of the bug

This isn't new. The same defect has been kicking around through multiple Ubuntu releases — the GUI's WireGuard handling treats [Peer] as optional and skips it when it doesn't fit the expected shape. Yet here we are at 26.04 and the fix still hasn't shipped.

If you maintain bootstrap scripts or onboarding docs for a team, just bake the nmcli workaround in and stop telling people to use the GUI importer. It's been "still broken" for long enough that I doubt the next release will be different.
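For a bootstrap script, the manual `wg show` check above can be automated by comparing the peer public keys in the source .conf with what the live interface reports. The following is an added example, not code from the original post; the script name, function names and sample keys are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every [Peer] in a
# WireGuard .conf is present on the live interface after an import.

# Print the PublicKey of every [Peer] section in a .conf, one per line.
conf_peer_keys() {
    awk '
        /^[ \t]*\[/ { in_peer = (tolower($0) ~ /^[ \t]*\[peer\]/); next }
        in_peer && tolower($0) ~ /^[ \t]*publickey[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # drop "PublicKey =" (first "=" only)
            sub(/[ \t\r]*(#.*)?$/, "")      # drop trailing space or comment
            print
        }' "$1"
}

# Keys that are in the .conf but not in the live peer list.
# $1 = .conf path, $2 = file holding the output of `wg show <if> peers`.
missing_peers() {
    conf_peer_keys "$1" | grep -Fxv -f "$2" || true
}

# Constructed sample: a two-peer .conf with placeholder keys.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER-PRIVATE-KEY=
Address = 10.0.0.2/32

[Peer]
PublicKey = PLACEHOLDER-PEER-A-KEY=   # constructed
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820

[peer]
publickey=PLACEHOLDER-PEER-B-KEY=
AllowedIPs = 10.10.0.0/24
EOF
}

# Usage (as root): sh check-wg-import.sh /etc/wireguard/myvpn.conf myvpn
if [ "$#" -eq 2 ]; then
    live=$(mktemp)
    wg show "$2" peers > "$live" 2>/dev/null || true
    lost=$(missing_peers "$1" "$live"); rm -f "$live"
    [ -z "$lost" ] || { printf 'peers dropped on import:\n%s\n' "$lost"; exit 1; }
    echo "every [Peer] from $1 is present on $2"
fi
```

Run it after `nmcli connection up`; a non-zero exit means at least one peer from the .conf never reached the interface.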