Sun Mar 24 00:45:06 2024 UTC (57d)
wg(4): specify 4 space offsets as 4n


(uwe)
diff -r1.9 -r1.10 src/share/man/man4/wg.4

cvs diff -r1.9 -r1.10 src/share/man/man4/wg.4

--- src/share/man/man4/wg.4 2024/03/23 21:34:07 1.9
+++ src/share/man/man4/wg.4 2024/03/24 00:45:06 1.10
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1.\" $NetBSD: wg.4,v 1.9 2024/03/23 21:34:07 riastradh Exp $ 1.\" $NetBSD: wg.4,v 1.10 2024/03/24 00:45:06 uwe Exp $
2.\" 2.\"
3.\" Copyright (c) 2020 The NetBSD Foundation, Inc. 3.\" Copyright (c) 2020 The NetBSD Foundation, Inc.
4.\" All rights reserved. 4.\" All rights reserved.
5.\" 5.\"
6.\" Redistribution and use in source and binary forms, with or without 6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions 7.\" modification, are permitted provided that the following conditions
8.\" are met: 8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright 9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer. 10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the 12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution. 13.\" documentation and/or other materials provided with the distribution.
14.\" 14.\"
@@ -64,91 +64,91 @@ an optional listen port, @@ -64,91 +64,91 @@ an optional listen port,
64and a collection of peers. 64and a collection of peers.
65.Pp 65.Pp
66Each peer configured on an 66Each peer configured on an
67.Nm 67.Nm
68interface has a public key and a range of IP addresses the peer is 68interface has a public key and a range of IP addresses the peer is
69allowed to use for its 69allowed to use for its
70.Nm 70.Nm
71interface inside the tunnel. 71interface inside the tunnel.
72Each peer may also optionally have a preshared secret key and a fixed 72Each peer may also optionally have a preshared secret key and a fixed
73endpoint IP address outside the tunnel. 73endpoint IP address outside the tunnel.
74.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 74.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
75.Sh EXAMPLES 75.Sh EXAMPLES
76Typical network topology: 76Typical network topology:
77.Bd -literal -offset abcd 77.Bd -literal -offset 4n
78Stationary server: Roaming client: 78Stationary server: Roaming client:
79+---------+ +---------+ 79+---------+ +---------+
80| A | | B | 80| A | | B |
81|---------| |---------| 81|---------| |---------|
82| | 192.0.2.123 198.51.100.45 | | 82| | 192.0.2.123 198.51.100.45 | |
83| [wm0]----------internet-----------[bge0] | 83| [wm0]----------internet-----------[bge0] |
84| [wg0] port 1234 - - - (tunnel) - - - - - - [wg0] | 84| [wg0] port 1234 - - - (tunnel) - - - - - - [wg0] |
85| 10.2.0.1 | 10.2.0.42 | 85| 10.2.0.1 | 10.2.0.42 |
86| fd00:2::1 | fd00:2::42 | 86| fd00:2::1 | fd00:2::42 |
87| | | | | 87| | | | |
88+--[wm1]--+ +-----------------+ +---------+ 88+--[wm1]--+ +-----------------+ +---------+
89 | 10.1.0.1 | VPN 10.2.0.0/24 | 89 | 10.1.0.1 | VPN 10.2.0.0/24 |
90 | | fd00:2::/64 | 90 | | fd00:2::/64 |
91 | +-----------------+ 91 | +-----------------+
92+-----------------+ 92+-----------------+
93| LAN 10.1.0.0/24 | 93| LAN 10.1.0.0/24 |
94| fd00:1::/64 | 94| fd00:1::/64 |
95+-----------------+ 95+-----------------+
96.Ed 96.Ed
97.Pp 97.Pp
98Generate key pairs on A and B: 98Generate key pairs on A and B:
99.Bd -literal -offset abcd 99.Bd -literal -offset 4n
100A# (umask 0077; wg-keygen > /etc/wg/wg0) 100A# (umask 0077; wg-keygen > /etc/wg/wg0)
101A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub 101A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
102A# cat /etc/wg/wg0.pub 102A# cat /etc/wg/wg0.pub
103N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= 103N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y=
104 104
105B# (umask 0077; wg-keygen > /etc/wg/wg0) 105B# (umask 0077; wg-keygen > /etc/wg/wg0)
106B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub 106B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
107B# cat /etc/wg/wg0.pub 107B# cat /etc/wg/wg0.pub
108X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= 108X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=
109.Ed 109.Ed
110.Pp 110.Pp
111Generate a pre-shared key on A and copy it to B to defend against 111Generate a pre-shared key on A and copy it to B to defend against
112potential future quantum cryptanalysis (not necessary for 112potential future quantum cryptanalysis (not necessary for
113functionality): 113functionality):
114.Bd -literal -offset abcd 114.Bd -literal -offset 4n
115A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B) 115A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B)
116.Ed 116.Ed
117.Pp 117.Pp
118Configure A to listen on port 1234 and allow connections from B to 118Configure A to listen on port 1234 and allow connections from B to
119appear in the 10.2.0.0/24 and fd00:2::/64 subnets: 119appear in the 10.2.0.0/24 and fd00:2::/64 subnets:
120.Bd -literal -offset abcd 120.Bd -literal -offset 4n
121A# ifconfig wg0 create 121A# ifconfig wg0 create
122A# ifconfig wg0 inet 10.2.0.1/24 122A# ifconfig wg0 inet 10.2.0.1/24
123A# ifconfig wg0 inet6 fd00:2::1/64 123A# ifconfig wg0 inet6 fd00:2::1/64
124A# wgconfig wg0 set private-key /etc/wg/wg0 124A# wgconfig wg0 set private-key /etc/wg/wg0
125A# wgconfig wg0 set listen-port 1234 125A# wgconfig wg0 set listen-port 1234
126A# wgconfig wg0 add peer B \e 126A# wgconfig wg0 add peer B \e
127 X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e 127 X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e
128 --preshared-key=/etc/wg/wg0.A-B \e 128 --preshared-key=/etc/wg/wg0.A-B \e
129 --allowed-ips=10.2.0.42/32,fd00:2::42/128 129 --allowed-ips=10.2.0.42/32,fd00:2::42/128
130A# ifconfig wg0 up 130A# ifconfig wg0 up
131A# ifconfig wg0 131A# ifconfig wg0
132wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 132wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
133 status: active 133 status: active
134 inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3 134 inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3
135 inet6 fd00:2::1/64 flags 0 135 inet6 fd00:2::1/64 flags 0
136 inet 10.2.0.1/24 flags 0 136 inet 10.2.0.1/24 flags 0
137.Ed 137.Ed
138.Pp 138.Pp
139Configure B to connect to A at 192.0.2.123 on port 1234 and the packets 139Configure B to connect to A at 192.0.2.123 on port 1234 and the packets
140can begin to flow: 140can begin to flow:
141.Bd -literal -offset abcd 141.Bd -literal -offset 4n
142B# ifconfig wg0 create 142B# ifconfig wg0 create
143B# ifconfig wg0 inet 10.2.0.42/24 143B# ifconfig wg0 inet 10.2.0.42/24
144B# ifconfig wg0 inet6 fd00:2::42/64 144B# ifconfig wg0 inet6 fd00:2::42/64
145B# wgconfig wg0 set private-key /etc/wg/wg0 145B# wgconfig wg0 set private-key /etc/wg/wg0
146B# wgconfig wg0 add peer A \e 146B# wgconfig wg0 add peer A \e
147 N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e 147 N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e
148 --preshared-key=/etc/wg/wg0.A-B \e 148 --preshared-key=/etc/wg/wg0.A-B \e
149 --allowed-ips=10.2.0.1/32,fd00:2::1/128 \e 149 --allowed-ips=10.2.0.1/32,fd00:2::1/128 \e
150 --endpoint=192.0.2.123:1234 150 --endpoint=192.0.2.123:1234
151B# ifconfig wg0 up 151B# ifconfig wg0 up
152B# ifconfig wg0 152B# ifconfig wg0
153wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 153wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
154 status: active 154 status: active
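Review bot: the five `-offset abcd` arguments at lines 77, 99, 114, 120 and 141 are all replaced by `-offset 4n`, and this is a rendering no-op rather than a layout change: an mdoc `-offset` argument that is neither a recognized keyword nor a scaling width is taken as the width of the string itself, so `abcd` already produced a four-character indent and `4n` merely states that width explicitly instead of through a placeholder word. Two things to confirm before merging: first, that no `-offset abcd` survives outside EXAMPLES, since this hunk only spans lines 64 to 154 (a `grep -n 'offset abcd' wg.4` over the whole file is the check); second, that a hard `4n` rather than the conventional `-offset indent` keyword is intended, because `indent` renders wider and would shift the ASCII topology diagram at lines 78 to 95 relative to the surrounding prose. The example content is untouched, so the key-handling practice shown in the hunk (`umask 0077` around `wg-keygen`, `--allowed-ips` restricted to the peer's /32 and /128 host addresses, the optional preshared key kept in a separate file) is unchanged by this commit.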