Restarting wg-quick drops every peer. To add one client without disturbing the others, apply the change live.

Option A — edit the conf, then syncconf (recommended)

Add the new [Peer] to /etc/wireguard/wg0.conf:

[Peer]
PublicKey = NEW_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.5/32

Apply it without touching existing peers:

sudo wg syncconf wg0 <(wg-quick strip wg0)

wg-quick strip prints just the WireGuard-relevant lines; syncconf reconciles the running interface to match — adding the new peer, leaving the rest connected.

Option B — add it live, then persist

Add immediately, then save back to the file so it survives a reboot:

sudo wg set wg0 peer NEW_CLIENT_PUBLIC_KEY allowed-ips 10.0.0.5/32
sudo wg-quick save wg0

Remove a peer live

sudo wg set wg0 peer SOME_PUBLIC_KEY remove
sudo wg-quick save wg0

Verify

sudo wg show wg0 peers

Don’t use wg-quick down/up for this — it tears down all peers. syncconf (or wg set) is the no-downtime path. Give each client a unique /32 in AllowedIPs so they don’t collide.

Add a WireGuard Peer Without Restarting the Tunnel

Option A — edit the conf, then syncconf (recommended)

Option B — add it live, then persist

Remove a peer live

Verify