wg.4: Document kernel config option

wg(4) can be compiled into the kernel (device wg), but the wg.4 manpage
does not document this. Adjust it to mention this like other drivers do.

MFC after: 3 day

wg.4: Document kernel config option

wg(4) can be compiled into the kernel (device wg), but the wg.4 manpage
does not document this. Adjust it to mention this like other drivers do.

MFC after: 3 days
Reviewed by: carlavilla, kevans, ziaee
Approved by: carlavilla (mentor)
Pull Request: https://github.com/freebsd/freebsd-src/pull/1597

show more ...

wg: Add netmap support

When in netmap (emulated) mode, wireguard interfaces prepend or strip a
dummy ethernet header when interfacing with netmap. The netmap
application thus sees unencrypted, de-e

wg: Add netmap support

When in netmap (emulated) mode, wireguard interfaces prepend or strip a
dummy ethernet header when interfacing with netmap. The netmap
application thus sees unencrypted, de-encapsulated frames with a fixed
header.

In this mode, netmap hooks the if_input and if_transmit routines of the
ifnet. Packets from the host TX ring are handled by wg_if_input(),
which simply hands them to the netisr layer; packets which would
otherwise be tunneled are intercepted in wg_output() and placed in the
host RX ring.

The "physical" TX ring is processed by wg_transmit(), which behaves
identically to wg_output() when netmap is not enabled, and packets
appear in the "physical" RX ring by hooking wg_deliver_in().

Reviewed by: vmaffione
MFC after: 1 month
Sponsored by: Klara, Inc.
Sponsored by: Zenarmor
Differential Revision: https://reviews.freebsd.org/D43460

show more ...

Fix typos in man pages under /share/man

Found using: devel/py-proselint

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/

wg(4): add Matt Macy back to AUTHORS section

Matt did the initial in-kernel FreeBSD driver port. The driver would
not exist without that work and some of it remains, even if the driver
was largely

wg(4): add Matt Macy back to AUTHORS section

Matt did the initial in-kernel FreeBSD driver port. The driver would
not exist without that work and some of it remains, even if the driver
was largely rewritten and reworked before being added back to the tree.

Authors remain in alphabetical order by surname.

Sponsored by: The FreeBSD Foundation

show more ...

wg.4: Update first appeared release to 13.2.

MFC after: 3 days

wg.4: Update the SPDX License Identifier

The following License Identifier
'BSD-2-Clause-FreeBSD' is not allowed
for new code so use the correct on.

Reported by: imp

wg.4: Add some enhancements

- add a SPDX-License-Identifier
- rename the title of the man page
- use better grammar in some places
- reword 'IPs' to 'IP addresses'
- add a missing word in the AUTHOR

wg.4: Add some enhancements

- add a SPDX-License-Identifier
- rename the title of the man page
- use better grammar in some places
- reword 'IPs' to 'IP addresses'
- add a missing word in the AUTHORS section
- use '.An -nosplit' in the AUTHORS section
- Xr ipsec and ovpn

Reviewed by: pauamma, mhorne
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D37205

show more ...

Import the WireGuard driver from zx2c4.com.

This commit brings back the driver from FreeBSD commit
f187d6dfbf633665ba6740fe22742aec60ce02a2 plus subsequent fixes from
upstream.

Relative to upstream

Import the WireGuard driver from zx2c4.com.

This commit brings back the driver from FreeBSD commit
f187d6dfbf633665ba6740fe22742aec60ce02a2 plus subsequent fixes from
upstream.

Relative to upstream this commit includes a few other small fixes such
as additional INET and INET6 #ifdef's, #include cleanups, and updates
for recent API changes in main.

Reviewed by: pauamma, gbe, kevans, emaste
Obtained from: git@git.zx2c4.com:wireguard-freebsd @ 3cc22b2
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36909

show more ...

if_wg: import latest fixup work from the wireguard-freebsd project

This is the culmination of about a week of work from three developers to
fix a number of functional and security issues. This patc

if_wg: import latest fixup work from the wireguard-freebsd project

This is the culmination of about a week of work from three developers to
fix a number of functional and security issues. This patch consists of
work done by the following folks:

- Jason A. Donenfeld <Jason@zx2c4.com>
- Matt Dunwoodie <ncon@noconroy.net>
- Kyle Evans <kevans@FreeBSD.org>

Notable changes include:
- Packets are now correctly staged for processing once the handshake has
completed, resulting in less packet loss in the interim.
- Various race conditions have been resolved, particularly w.r.t. socket
and packet lifetime (panics)
- Various tests have been added to assure correct functionality and
tooling conformance
- Many security issues have been addressed
- if_wg now maintains jail-friendly semantics: sockets are created in
the interface's home vnet so that it can act as the sole network
connection for a jail
- if_wg no longer fails to remove peer allowed-ips of 0.0.0.0/0
- if_wg now exports via ioctl a format that is future proof and
complete. It is additionally supported by the upstream
wireguard-tools (which we plan to merge in to base soon)
- if_wg now conforms to the WireGuard protocol and is more closely
aligned with security auditing guidelines

Note that the driver has been rebased away from using iflib. iflib
poses a number of challenges for a cloned device trying to operate in a
vnet that are non-trivial to solve and adds complexity to the
implementation for little gain.

The crypto implementation that was previously added to the tree was a
super complex integration of what previously appeared in an old out of
tree Linux module, which has been reduced to crypto.c containing simple
boring reference implementations. This is part of a near-to-mid term
goal to work with FreeBSD kernel crypto folks and take advantage of or
improve accelerated crypto already offered elsewhere.

There's additional test suite effort underway out-of-tree taking
advantage of the aforementioned jail-friendly semantics to test a number
of real-world topologies, based on netns.sh.

Also note that this is still a work in progress; work going further will
be much smaller in nature.

MFC after: 1 month (maybe)

show more ...

wg(4): note the persistent-keepalive ifconfig(8) option

MFC after: 3 days
Fixes: b3dac3913dc9

wg(4): Fix an example in the manual page

The example in the manual page of wg(4) for connecting to a
peer was missing the 'public-key' ifconfig(8) keyword and for the
addressed peer the port must be

wg(4): Fix an example in the manual page

The example in the manual page of wg(4) for connecting to a
peer was missing the 'public-key' ifconfig(8) keyword and for the
addressed peer the port must be specified.

PR: 253866
Reported by: Sergey Akhmatov <sergey at akhmatov dot ru>
Reviewed by: debdrup
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D29115

show more ...

wg(4): Add authors of the wg(4) driver to the manual page

Glen (@gjb) noticed that I am haven't mentioned the authors of the
WireGuard device driver in the manual page.

This is commit addressed thi

wg(4): Add authors of the wg(4) driver to the manual page

Glen (@gjb) noticed that I am haven't mentioned the authors of the
WireGuard device driver in the manual page.

This is commit addressed this commit.

Reviewed by: gjb, brueffer
Differential Revision: https://reviews.freebsd.org/D28464
X-MFC-with: e59d9cb412846cb5d2bc4c641d3cc44d243cd52d

show more ...

wg(4): Fix Copyright statement in man page

Add a wg(4) manual page

Reviewed by: brueffer, donner, debdrup, ygy
MFC after: 2 days