wg.4 (74ae3f3e33b810248da19004c58b3581cd367843) wg.4 (744bfb213144c63cbaf38d91a1c4f7aebb9b9fbc)
1.\" Copyright (c) 2020 Gordon Bergling <gbe@FreeBSD.org>
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions
5.\" are met:
6.\" 1. Redistributions of source code must retain the above copyright
7.\" notice, this list of conditions and the following disclaimer.
8.\" 2. Redistributions in binary form must reproduce the above copyright

--- 9 unchanged lines hidden (view full) ---

18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22.\" SUCH DAMAGE.
23.\"
24.\" $FreeBSD$
25.\"
1.\" Copyright (c) 2020 Gordon Bergling <gbe@FreeBSD.org>
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions
5.\" are met:
6.\" 1. Redistributions of source code must retain the above copyright
7.\" notice, this list of conditions and the following disclaimer.
8.\" 2. Redistributions in binary form must reproduce the above copyright

--- 9 unchanged lines hidden (view full) ---

18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22.\" SUCH DAMAGE.
23.\"
24.\" $FreeBSD$
25.\"
26.Dd March 12, 2021
26.Dd October 28, 2022
27.Dt WG 4
28.Os
29.Sh NAME
30.Nm wg
31.Nd "WireGuard - pseudo-device"
32.Sh SYNOPSIS
33To load the driver as a module at boot time, place the following line in
34.Xr loader.conf 5 :

--- 12 unchanged lines hidden (view full) ---

47interface recognises one or more peers, establishes a secure tunnel with
48each on demand, and tracks each peer's UDP endpoint for exchanging encrypted
49traffic with.
50.Pp
51The interfaces can be created at runtime using the
52.Ic ifconfig Cm wg Ns Ar N Cm create
53command.
54The interface itself can be configured with
27.Dt WG 4
28.Os
29.Sh NAME
30.Nm wg
31.Nd "WireGuard - pseudo-device"
32.Sh SYNOPSIS
33To load the driver as a module at boot time, place the following line in
34.Xr loader.conf 5 :

--- 12 unchanged lines hidden (view full) ---

47interface recognises one or more peers, establishes a secure tunnel with
48each on demand, and tracks each peer's UDP endpoint for exchanging encrypted
49traffic with.
50.Pp
51The interfaces can be created at runtime using the
52.Ic ifconfig Cm wg Ns Ar N Cm create
53command.
54The interface itself can be configured with
55.Xr ifconfig 8 .
55.Xr wg 8 .
56.Pp
56.Pp
57The following parameters are available:
58.Bl -tag -width indent
59.It Cm listen-port
60The listing port of the
61.Nm
62interface.
63.It Cm public-key
64The public key of the
65.Nm
66interface.
67.It Cm private-key
68The private key of the
69.Nm
70interface.
71.It Cm preshared-key
72Defines a pre-shared key for the
73.Nm
74interface.
75.It Cm allowed-ips
76A list of allowed IP addresses.
77.It Cm endpoint
78The IP address of the WiredGuard to connect to.
79.It Cm peers
80A list of peering IP addresses to connect to.
81.It Cm persistent-keepalive-interval
82Interval, in seconds, at which to send persistent keepalive packets.
83.El
84.Pp
85The
86.Nm
87interfaces support the following
88.Xr ioctl 2 Ns s :
89.Bl -tag -width Ds -offset indent
90.It Dv SIOCSWG Fa "struct wg_device_io *"
91Set the device configuration.
92.It Dv SIOCGWG Fa "struct wg_device_io *"
93Get the device configuration.
94.El
95.Pp
96The following glossary provides a brief overview of WireGuard
97terminology:
98.Bl -tag -width indent -offset 3n
99.It Peer
100Peers exchange IPv4 or IPv6 traffic over secure tunnels.
101Each
102.Nm
103interface may be configured to recognise one or more peers.
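Review bot: new line 55 now names only wg(8) as the way to configure the interface, yet line 52, EXAMPLES and DIAGNOSTICS still rely on ifconfig(8) to create the interface and to enable debugging; cite both here, for example ".Xr wg 8 and .Xr ifconfig 8 .", so the reader knows which tool does what. The same region also drops the parameter list and the SIOCSWG/SIOCGWG ioctl list (old lines 57-94) with no replacement text; if the driver still exposes a configuration interface to userland, this section 4 page is the place to describe it, so please state in the page or the commit message what replaces those ioctls.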

--- 43 unchanged lines hidden (view full) ---

147.El
148.Ss Keys
149Private keys for WireGuard can be generated from any sufficiently
150secure random source.
151The Curve25519 keys and the pre-shared keys are both 32 bytes
152long and are commonly encoded in base64 for ease of use.
153.Pp
154Keys can be generated with
57The following glossary provides a brief overview of WireGuard
58terminology:
59.Bl -tag -width indent -offset 3n
60.It Peer
61Peers exchange IPv4 or IPv6 traffic over secure tunnels.
62Each
63.Nm
64interface may be configured to recognise one or more peers.

--- 43 unchanged lines hidden (view full) ---

108.El
109.Ss Keys
110Private keys for WireGuard can be generated from any sufficiently
111secure random source.
112The Curve25519 keys and the pre-shared keys are both 32 bytes
113long and are commonly encoded in base64 for ease of use.
114.Pp
115Keys can be generated with
155.Xr openssl 1
116.Xr wg 8
156as follows:
157.Pp
117as follows:
118.Pp
158.Dl $ openssl rand -base64 32
119.Dl $ wg genkey
159.Pp
160Although a valid Curve25519 key must have 5 bits set to
161specific values, this is done by the interface and so it
162will accept any random 32-byte base64 string.
120.Pp
121Although a valid Curve25519 key must have 5 bits set to
122specific values, this is done by the interface and so it
123will accept any random 32-byte base64 string.
163.Pp
164When an interface has a private key set with
165.Nm public-key ,
166the corresponding
167public key is shown in the status output of the interface:
168.Bd -literal -offset indent
169# ifconfig wg0 | grep public-key
170 public-key: 7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw=
171.Ed
172.Sh EXAMPLES
173Create a
174.Nm
175interface and set random private key.
176.Bd -literal -offset indent
124.Sh EXAMPLES
125Create a
126.Nm
127interface and set random private key.
128.Bd -literal -offset indent
177# ifconfig wg0 create listen-port 54321 private-key `openssl rand -base64 32`
129# ifconfig wg0 create
130# wg genkey | wg set wg0 listen-port 54321 private-key /dev/stdin
178.Ed
179.Pp
180Retrieve the associated public key from a
181.Nm
182interface.
183.Bd -literal -offset indent
131.Ed
132.Pp
133Retrieve the associated public key from a
134.Nm
135interface.
136.Bd -literal -offset indent
184$ ifconfig wg0 | awk '/public-key/ { print $2 }'`
137$ wg show wg0 public-key
185.Ed
186.Pp
187Connect to a specific endpoint using its public-key and set the allowed IP address
188.Bd -literal -offset indent
138.Ed
139.Pp
140Connect to a specific endpoint using its public-key and set the allowed IP address
141.Bd -literal -offset indent
189# ifconfig wg0 peer public-key '7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw=' endpoint 10.0.1.100:54321 allowed-ips 192.168.2.100/32
142# wg set wg0 peer '7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw=' endpoint 10.0.1.100:54321 allowed-ips 192.168.2.100/32
190.Ed
191.Pp
192Remove a peer
193.Bd -literal -offset indent
143.Ed
144.Pp
145Remove a peer
146.Bd -literal -offset indent
194# ifconfig wg0 -peer public-key '7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw='
147# wg set wg0 peer '7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw=' remove
195.Ed
196.Sh DIAGNOSTICS
197The
198.Nm
199interface supports runtime debugging, which can be enabled with:
200.Pp
201.D1 Ic ifconfig Cm wg Ns Ar N Cm debug
202.Pp
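Review bot: in EXAMPLES, new line 130 ("wg genkey | wg set wg0 listen-port 54321 private-key /dev/stdin") sends the generated private key straight into the interface without saying why or what follows from it; add a sentence explaining that private-key takes a file path, that reading it from /dev/stdin keeps the key off the command line (unlike the removed backtick form at old line 177), and that the key is stored nowhere else unless the administrator writes it to a file readable only by root. In Keys, the paragraph kept at new lines 121-123 ("will accept any random 32-byte base64 string") was the justification for the removed "openssl rand -base64 32" and reads as stale next to "wg genkey"; either drop it or reword it as "the base64 encoding of any 32 random bytes", since a 32-byte value is 44 characters once encoded, as the sample key in the examples shows.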

--- 24 unchanged lines hidden (view full) ---

227.El
228.Sh SEE ALSO
229.Xr inet 4 ,
230.Xr ip 4 ,
231.Xr netintro 4 ,
232.Xr ipf 5 ,
233.Xr pf.conf 5 ,
234.Xr ifconfig 8 ,
148.Ed
149.Sh DIAGNOSTICS
150The
151.Nm
152interface supports runtime debugging, which can be enabled with:
153.Pp
154.D1 Ic ifconfig Cm wg Ns Ar N Cm debug
155.Pp

--- 24 unchanged lines hidden (view full) ---

180.El
181.Sh SEE ALSO
182.Xr inet 4 ,
183.Xr ip 4 ,
184.Xr netintro 4 ,
185.Xr ipf 5 ,
186.Xr pf.conf 5 ,
187.Xr ifconfig 8 ,
235.Xr ipfw 8
188.Xr ipfw 8 ,
189.Xr wg 8
236.Rs
237.%T WireGuard whitepaper
238.%U https://www.wireguard.com/papers/wireguard.pdf
239.Re
240.Sh HISTORY
241The
242.Nm
243device driver first appeared in
190.Rs
191.%T WireGuard whitepaper
192.%U https://www.wireguard.com/papers/wireguard.pdf
193.Re
194.Sh HISTORY
195The
196.Nm
197device driver first appeared in
244.Fx 13.0 .
198.Fx 14.0 .
245.Sh AUTHORS
246The
247.Nm
248device driver written by
249.An Jason A. Donenfeld Aq Mt Jason@zx2c4.com ,
250.An Matt Dunwoodie Aq Mt ncon@nconroy.net ,
251and
252.An Kyle Evans Aq Mt kevans@FreeBSD.org .
253.Pp
254This manual page was written by
255.An Gordon Bergling Aq Mt gbe@FreeBSD.org
256and is based on the
257.Ox
258manual page written by
259.An David Gwynne Aq Mt dlg@openbsd.org .
199.Sh AUTHORS
200The
201.Nm
202device driver written by
203.An Jason A. Donenfeld Aq Mt Jason@zx2c4.com ,
204.An Matt Dunwoodie Aq Mt ncon@nconroy.net ,
205and
206.An Kyle Evans Aq Mt kevans@FreeBSD.org .
207.Pp
208This manual page was written by
209.An Gordon Bergling Aq Mt gbe@FreeBSD.org
210and is based on the
211.Ox
212manual page written by
213.An David Gwynne Aq Mt dlg@openbsd.org .
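Review bot: the AUTHORS sentence at new lines 200-202 reads "The wg device driver written by" and has no verb; since the adjacent HISTORY line is being touched anyway, change it to "device driver was written by". The HISTORY edit at new line 198 replaces ".Fx 13.0" with ".Fx 14.0" outright, so the commit message should say why the earlier release no longer counts as the first appearance.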