Network Configuration Reference
Named network attachments for elide serve.
Each network entry represents an independent tunnel with its own data plane, routing rules, and identity. Multiple networks can coexist — for example, a production tailnet alongside a staging one, or a raw WireGuard tunnel alongside a Tailscale-managed network.
Network names (the map keys) are used in log output and metrics labels, so choose short, stable identifiers.
Example
networks {
["production"] {
tailscale { direct = true; authKey = env("TS_PROD_KEY") }
tunnel { bridgeInbound = true }
}
["office-vpn"] {
wireguard { configFile = "./wg-office.conf" }
tunnel { bridgeOutbound = true }
}
}> This page is auto-generated from the PKL schema. See the guide for usage examples.
NetworkConfig
Open class — can be extended.
A named network attachment with its own data plane, routing, and identity.
Each entry in thenetworks mapping represents an independent tunnel.
Set exactly one of tailscale or wireguard per network — they are
mutually exclusive. Omit both to define a placeholder network that
can be filled in by an override layer.
| Field | Type | Default | Description |
|---|---|---|---|
tailscale | _tailscale.TailscaleConfig? | null | Tailscale-managed network configuration. |
wireguard | WireGuardConfig? | null | Raw WireGuard tunnel configuration. |
tunnel | _tunnel.TunnelConfig | (empty) | Tunnel bridging settings that control how traffic on this network |
tailscale
Tailscale-managed network configuration.
Connects this network to a Tailscale tailnet, either via a local
tailscaled daemon or in direct (embedded) mode. Mutually
exclusive with wireguard. See TailscaleConfig for all options.
wireguard
Raw WireGuard tunnel configuration.
Connects this network to standard WireGuard peers that are not
managed by Tailscale. Reads a WireGuard INI config file and
optionally overrides individual fields. Mutually exclusive with
tailscale. See WireGuardConfig for all options.
tunnel
Tunnel bridging settings that control how traffic on this network is forwarded to and from the HTTP server.
Defaults to bridging both inbound and outbound traffic.
See TunnelConfig for per-direction controls and port settings.
---
WireGuardConfig
Open class — can be extended.
Raw WireGuard tunnel configuration.
Connects to standard WireGuard peers that are not managed by Tailscale.
Provide a configFile to load a standard WireGuard INI config, then
optionally override individual fields below. Fields set explicitly here
take precedence over values parsed from the config file.
Example
wireguard {
configFile = "./wg-office.conf"
listenPort = 51820
addresses { "10.0.0.1/24" }
}| Field | Type | Default | Description |
|---|---|---|---|
configFile | String? | null | Path to a standard WireGuard INI config file. |
listenPort | UInt16? | null | UDP listen port for the WireGuard interface. |
addresses | Listing | null | IP addresses to assign to the WireGuard interface, in CIDR notation. |
configFile
Path to a standard WireGuard INI config file.
The file is parsed for [Interface] and [Peer] sections. Can be
an absolute path or relative to the working directory. When null,
all tunnel parameters must be set explicitly.
listenPort
UDP listen port for the WireGuard interface.
Overrides ListenPort from the config file. When null, uses the
port from configFile, or the kernel assigns a random ephemeral
port if neither is set.
addresses
IP addresses to assign to the WireGuard interface, in CIDR notation.
Overrides Address from the config file. When null, uses addresses
from configFile.
addresses { "10.0.0.1/24"; "fd00::1/128" }---