Diffstat (limited to 'static/netbsd/man4/wg.4 4.html')
| -rw-r--r-- | static/netbsd/man4/wg.4 4.html | 189 |
1 files changed, 0 insertions, 189 deletions
diff --git a/static/netbsd/man4/wg.4 4.html b/static/netbsd/man4/wg.4 4.html deleted file mode 100644 index 9f210a62..00000000 --- a/static/netbsd/man4/wg.4 4.html +++ /dev/null 
@@ -1,189 +0,0 @@ -<table class="head"> - <tr> - <td class="head-ltitle">WG(4)</td> - <td class="head-vol">Device Drivers Manual</td> - <td class="head-rtitle">WG(4)</td> - </tr> -</table> -<div class="manual-text"> -<section class="Sh"> -<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> -<p class="Pp"><code class="Nm">wg</code> — <span class="Nd">virtual - private network tunnel (EXPERIMENTAL)</span></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> -<p class="Pp"><code class="Cd">pseudo-device wg</code></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> -<p class="Pp">The <code class="Nm">wg</code> interface implements a - roaming-capable virtual private network tunnel, configured with - <a class="Xr">ifconfig(8)</a> and <a class="Xr">wgconfig(8)</a>.</p> -<p class="Pp" id="WARNING:"><a class="permalink" href="#WARNING:"><b class="Sy">WARNING:</b></a> - <code class="Nm">wg</code> is experimental.</p> -<p class="Pp">Packets exchanged on a <code class="Nm">wg</code> interface are - authenticated and encrypted with a secret key negotiated with the peer, and - the encapsulation is exchanged over IP or IPv6 using UDP.</p> -<p class="Pp">Every <code class="Nm">wg</code> interface can be configured with - an IP address using <a class="Xr">ifconfig(8)</a>, a private key generated - with <a class="Xr">wg-keygen(8)</a>, an optional listen port, and a - collection of peers.</p> -<p class="Pp">Each peer configured on an <code class="Nm">wg</code> interface - has a public key and a range of IP addresses the peer is allowed to use for - its <code class="Nm">wg</code> interface inside the tunnel. 
Each peer may - also optionally have a preshared secret key and a fixed endpoint IP address - outside the tunnel.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1> -<p class="Pp">Typical network topology:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>Stationary server: Roaming client: -+---------+ +---------+ -| A | | B | -|---------| |---------| -| | 192.0.2.123 198.51.100.45 | | -| [wm0]----------internet-----------[bge0] | -| [wg0] port 1234 - - - (tunnel) - - - - - - [wg0] | -| 10.2.0.1 | 10.2.0.42 | -| fd00:2::1 | fd00:2::42 | -| | | | | -+--[wm1]--+ +-----------------+ +---------+ - | 10.1.0.1 | VPN 10.2.0.0/24 | - | | fd00:2::/64 | - | +-----------------+ -+-----------------+ -| LAN 10.1.0.0/24 | -| fd00:1::/64 | -+-----------------+</pre> -</div> -<p class="Pp">Generate key pairs on A and B:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>A# (umask 0077; wg-keygen > /etc/wg/wg0) -A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub -A# cat /etc/wg/wg0.pub -N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= - -B# (umask 0077; wg-keygen > /etc/wg/wg0) -B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub -B# cat /etc/wg/wg0.pub -X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=</pre> -</div> -<p class="Pp">Generate a pre-shared key on A and copy it to B to defend against - potential future quantum cryptanalysis (not necessary for - functionality):</p> -<div class="Bd Pp Bd-indent Li"> -<pre>A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B)</pre> -</div> -<p class="Pp">Configure A to listen on port 1234 and allow connections from B to - appear in the 10.2.0.0/24 and fd00:2::/64 subnets:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>A# ifconfig wg0 create -A# ifconfig wg0 inet 10.2.0.1/24 -A# ifconfig wg0 inet6 fd00:2::1/64 -A# wgconfig wg0 set private-key /etc/wg/wg0 -A# wgconfig wg0 set listen-port 1234 -A# wgconfig wg0 add peer B \ - X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \ - --preshared-key=/etc/wg/wg0.A-B 
\ - --allowed-ips=10.2.0.42/32,fd00:2::42/128 -A# ifconfig wg0 up -A# ifconfig wg0 -wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 - status: active - inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3 - inet6 fd00:2::1/64 flags 0 - inet 10.2.0.1/24 flags 0</pre> -</div> -<p class="Pp">You can put all these commands in - <span class="Pa">/etc/ifconfig.wg0</span> so that the interface gets - configured automatically during startup:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>A# cat /etc/ifconfig.wg0 -inet 10.2.0.1/24 -inet6 fd00:2::1/64 -!wgconfig $int set private-key /etc/wg/wg0 -!wgconfig $int set listen-port 1234 -!wgconfig $int add peer B X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \ - --preshared-key=/etc/wg/wg0.A-B \ - --allowed-ips=10.2.0.42/32,fd00:2::1/128 -up</pre> -</div> -<p class="Pp">Configure B to connect to A at 192.0.2.123 on port 1234 and the - packets can begin to flow:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>B# ifconfig wg0 create -B# ifconfig wg0 inet 10.2.0.42/24 -B# ifconfig wg0 inet6 fd00:2::42/64 -B# wgconfig wg0 set private-key /etc/wg/wg0 -B# wgconfig wg0 add peer A \ - N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \ - --preshared-key=/etc/wg/wg0.A-B \ - --allowed-ips=10.2.0.1/32,fd00:2::1/128 \ - --endpoint=192.0.2.123:1234 -B# ifconfig wg0 up -B# ifconfig wg0 -wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 - status: active - inet6 fe80::56eb:59ff:fe3d:d413%wg0/64 flags 0 scopeid 0x3 - inet6 fd00:2::42/64 flags 0 - inet 10.2.0.42/24 flags 0 -B# ping -n 10.2.0.1 -PING 10.2.0.1 (10.2.0.1): 56 data bytes -64 bytes from 10.2.0.1: icmp_seq=0 ttl=255 time=2.721110 ms -... 
-B# ping6 -n fd00:2::1 -PING6(56=40+8+8 bytes) fd00:2::42 --> fd00:2::1 -16 bytes from fd00:2::1, icmp_seq=0 hlim=64 time=2.634 ms -...</pre> -</div> -<p class="Pp">Same as before, you can put all these commands in - <span class="Pa">/etc/ifconfig.wg0</span> so that the interface gets - configured automatically during startup:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>B# cat /etc/ifconfig.wg0 -inet 10.2.0.42/24 -inet6 fd00:2::42/64 -!wgconfig $int set private-key /etc/wg/wg0 -!wgconfig $int add peer A N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \ - --preshared-key=/etc/wg/wg0.A-B \ - --allowed-ips=10.2.0.1/32,fd00:2::1/128 \ - --endpoint=192.0.2.123:1234 -up</pre> -</div> -</section> -<section class="Sh"> -<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE - ALSO</a></h1> -<p class="Pp"><a class="Xr">wg-keygen(8)</a>, <a class="Xr">wgconfig(8)</a>, - <a class="Xr">wg-userspace(8)</a></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="COMPATIBILITY"><a class="permalink" href="#COMPATIBILITY">COMPATIBILITY</a></h1> -<p class="Pp">The <code class="Nm">wg</code> interface aims to be compatible - with the WireGuard protocol, as described in:</p> -<p class="Pp"><cite class="Rs"><span class="RsA">Jason A. 
Donenfeld</span>, - <span class="RsT">WireGuard: Next Generation Kernel Network Tunnel</span>, - <a class="RsU" href="https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf">https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf</a>, - <span class="RsD">2018-06-30</span>, <span class="RsO">Document ID: - 4846ada1492f5d92198df154f48c3d54205657bc</span>.</cite></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> -<p class="Pp">The <code class="Nm">wg</code> interface first appeared in - <span class="Ux">NetBSD 10.0</span>.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1> -<p class="Pp">The <code class="Nm">wg</code> interface was implemented by - <span class="An">Ryota Ozaki</span> - <<a class="Mt" href="mailto:ozaki.ryota@gmail.com">ozaki.ryota@gmail.com</a>>.</p> -</section> -</div> -<table class="foot"> - <tr> - <td class="foot-date">December 8, 2025</td> - <td class="foot-os">NetBSD 10.1</td> - </tr> -</table> |
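Review bot: in the removed /etc/ifconfig.wg0 example for A, the peer B line sets "--allowed-ips=10.2.0.42/32,fd00:2::1/128", while the interactive "wgconfig wg0 add peer B" command just above it uses "fd00:2::42/128". fd00:2::1 is A's own tunnel address, so with that startup file B's IPv6 address fd00:2::42 would fall outside the peer's allowed range after a reboot. If another copy of this man page stays in the tree, check it for the same line and change it to fd00:2::42/128. Separately, the path being deleted, "static/netbsd/man4/wg.4 4.html", has a space and a trailing " 4" in its name, which looks like an accidental duplicate copy. The commit message should say so, and it is worth confirming that no index or link still points at this path.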
