| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | .\" $NetBSD: wg.4,v 1.9 2024/03/23 21:34:07 riastradh Exp $ | | 1 | .\" $NetBSD: wg.4,v 1.10 2024/03/24 00:45:06 uwe Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 2020 The NetBSD Foundation, Inc. | | 3 | .\" Copyright (c) 2020 The NetBSD Foundation, Inc. |
4 | .\" All rights reserved. | | 4 | .\" All rights reserved. |
5 | .\" | | 5 | .\" |
6 | .\" Redistribution and use in source and binary forms, with or without | | 6 | .\" Redistribution and use in source and binary forms, with or without |
7 | .\" modification, are permitted provided that the following conditions | | 7 | .\" modification, are permitted provided that the following conditions |
8 | .\" are met: | | 8 | .\" are met: |
9 | .\" 1. Redistributions of source code must retain the above copyright | | 9 | .\" 1. Redistributions of source code must retain the above copyright |
10 | .\" notice, this list of conditions and the following disclaimer. | | 10 | .\" notice, this list of conditions and the following disclaimer. |
11 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 11 | .\" 2. Redistributions in binary form must reproduce the above copyright |
12 | .\" notice, this list of conditions and the following disclaimer in the | | 12 | .\" notice, this list of conditions and the following disclaimer in the |
13 | .\" documentation and/or other materials provided with the distribution. | | 13 | .\" documentation and/or other materials provided with the distribution. |
14 | .\" | | 14 | .\" |
| @@ -64,91 +64,91 @@ an optional listen port, | | | @@ -64,91 +64,91 @@ an optional listen port, |
64 | and a collection of peers. | | 64 | and a collection of peers. |
65 | .Pp | | 65 | .Pp |
66 | Each peer configured on an | | 66 | Each peer configured on an |
67 | .Nm | | 67 | .Nm |
68 | interface has a public key and a range of IP addresses the peer is | | 68 | interface has a public key and a range of IP addresses the peer is |
69 | allowed to use for its | | 69 | allowed to use for its |
70 | .Nm | | 70 | .Nm |
71 | interface inside the tunnel. | | 71 | interface inside the tunnel. |
72 | Each peer may also optionally have a preshared secret key and a fixed | | 72 | Each peer may also optionally have a preshared secret key and a fixed |
73 | endpoint IP address outside the tunnel. | | 73 | endpoint IP address outside the tunnel. |
74 | .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" | | 74 | .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" |
75 | .Sh EXAMPLES | | 75 | .Sh EXAMPLES |
76 | Typical network topology: | | 76 | Typical network topology: |
77 | .Bd -literal -offset abcd | | 77 | .Bd -literal -offset 4n |
78 | Stationary server: Roaming client: | | 78 | Stationary server: Roaming client: |
79 | +---------+ +---------+ | | 79 | +---------+ +---------+ |
80 | | A | | B | | | 80 | | A | | B | |
81 | |---------| |---------| | | 81 | |---------| |---------| |
82 | | | 192.0.2.123 198.51.100.45 | | | | 82 | | | 192.0.2.123 198.51.100.45 | | |
83 | | [wm0]----------internet-----------[bge0] | | | 83 | | [wm0]----------internet-----------[bge0] | |
84 | | [wg0] port 1234 - - - (tunnel) - - - - - - [wg0] | | | 84 | | [wg0] port 1234 - - - (tunnel) - - - - - - [wg0] | |
85 | | 10.2.0.1 | 10.2.0.42 | | | 85 | | 10.2.0.1 | 10.2.0.42 | |
86 | | fd00:2::1 | fd00:2::42 | | | 86 | | fd00:2::1 | fd00:2::42 | |
87 | | | | | | | | 87 | | | | | | |
88 | +--[wm1]--+ +-----------------+ +---------+ | | 88 | +--[wm1]--+ +-----------------+ +---------+ |
89 | | 10.1.0.1 | VPN 10.2.0.0/24 | | | 89 | | 10.1.0.1 | VPN 10.2.0.0/24 | |
90 | | | fd00:2::/64 | | | 90 | | | fd00:2::/64 | |
91 | | +-----------------+ | | 91 | | +-----------------+ |
92 | +-----------------+ | | 92 | +-----------------+ |
93 | | LAN 10.1.0.0/24 | | | 93 | | LAN 10.1.0.0/24 | |
94 | | fd00:1::/64 | | | 94 | | fd00:1::/64 | |
95 | +-----------------+ | | 95 | +-----------------+ |
96 | .Ed | | 96 | .Ed |
97 | .Pp | | 97 | .Pp |
98 | Generate key pairs on A and B: | | 98 | Generate key pairs on A and B: |
99 | .Bd -literal -offset abcd | | 99 | .Bd -literal -offset 4n |
100 | A# (umask 0077; wg-keygen > /etc/wg/wg0) | | 100 | A# (umask 0077; wg-keygen > /etc/wg/wg0) |
101 | A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub | | 101 | A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub |
102 | A# cat /etc/wg/wg0.pub | | 102 | A# cat /etc/wg/wg0.pub |
103 | N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= | | 103 | N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= |
104 | | | 104 | |
105 | B# (umask 0077; wg-keygen > /etc/wg/wg0) | | 105 | B# (umask 0077; wg-keygen > /etc/wg/wg0) |
106 | B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub | | 106 | B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub |
107 | B# cat /etc/wg/wg0.pub | | 107 | B# cat /etc/wg/wg0.pub |
108 | X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= | | 108 | X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= |
109 | .Ed | | 109 | .Ed |
110 | .Pp | | 110 | .Pp |
111 | Generate a pre-shared key on A and copy it to B to defend against | | 111 | Generate a pre-shared key on A and copy it to B to defend against |
112 | potential future quantum cryptanalysis (not necessary for | | 112 | potential future quantum cryptanalysis (not necessary for |
113 | functionality): | | 113 | functionality): |
114 | .Bd -literal -offset abcd | | 114 | .Bd -literal -offset 4n |
115 | A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B) | | 115 | A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B) |
116 | .Ed | | 116 | .Ed |
117 | .Pp | | 117 | .Pp |
118 | Configure A to listen on port 1234 and allow connections from B to | | 118 | Configure A to listen on port 1234 and allow connections from B to |
119 | appear in the 10.2.0.0/24 and fd00:2::/64 subnets: | | 119 | appear in the 10.2.0.0/24 and fd00:2::/64 subnets: |
120 | .Bd -literal -offset abcd | | 120 | .Bd -literal -offset 4n |
121 | A# ifconfig wg0 create | | 121 | A# ifconfig wg0 create |
122 | A# ifconfig wg0 inet 10.2.0.1/24 | | 122 | A# ifconfig wg0 inet 10.2.0.1/24 |
123 | A# ifconfig wg0 inet6 fd00:2::1/64 | | 123 | A# ifconfig wg0 inet6 fd00:2::1/64 |
124 | A# wgconfig wg0 set private-key /etc/wg/wg0 | | 124 | A# wgconfig wg0 set private-key /etc/wg/wg0 |
125 | A# wgconfig wg0 set listen-port 1234 | | 125 | A# wgconfig wg0 set listen-port 1234 |
126 | A# wgconfig wg0 add peer B \e | | 126 | A# wgconfig wg0 add peer B \e |
127 | X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e | | 127 | X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e |
128 | --preshared-key=/etc/wg/wg0.A-B \e | | 128 | --preshared-key=/etc/wg/wg0.A-B \e |
129 | --allowed-ips=10.2.0.42/32,fd00:2::42/128 | | 129 | --allowed-ips=10.2.0.42/32,fd00:2::42/128 |
130 | A# ifconfig wg0 up | | 130 | A# ifconfig wg0 up |
131 | A# ifconfig wg0 | | 131 | A# ifconfig wg0 |
132 | wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 | | 132 | wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 |
133 | status: active | | 133 | status: active |
134 | inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3 | | 134 | inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3 |
135 | inet6 fd00:2::1/64 flags 0 | | 135 | inet6 fd00:2::1/64 flags 0 |
136 | inet 10.2.0.1/24 flags 0 | | 136 | inet 10.2.0.1/24 flags 0 |
137 | .Ed | | 137 | .Ed |
138 | .Pp | | 138 | .Pp |
139 | Configure B to connect to A at 192.0.2.123 on port 1234 and the packets | | 139 | Configure B to connect to A at 192.0.2.123 on port 1234 and the packets |
140 | can begin to flow: | | 140 | can begin to flow: |
141 | .Bd -literal -offset abcd | | 141 | .Bd -literal -offset 4n |
142 | B# ifconfig wg0 create | | 142 | B# ifconfig wg0 create |
143 | B# ifconfig wg0 inet 10.2.0.42/24 | | 143 | B# ifconfig wg0 inet 10.2.0.42/24 |
144 | B# ifconfig wg0 inet6 fd00:2::42/64 | | 144 | B# ifconfig wg0 inet6 fd00:2::42/64 |
145 | B# wgconfig wg0 set private-key /etc/wg/wg0 | | 145 | B# wgconfig wg0 set private-key /etc/wg/wg0 |
146 | B# wgconfig wg0 add peer A \e | | 146 | B# wgconfig wg0 add peer A \e |
147 | N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e | | 147 | N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e |
148 | --preshared-key=/etc/wg/wg0.A-B \e | | 148 | --preshared-key=/etc/wg/wg0.A-B \e |
149 | --allowed-ips=10.2.0.1/32,fd00:2::1/128 \e | | 149 | --allowed-ips=10.2.0.1/32,fd00:2::1/128 \e |
150 | --endpoint=192.0.2.123:1234 | | 150 | --endpoint=192.0.2.123:1234 |
151 | B# ifconfig wg0 up | | 151 | B# ifconfig wg0 up |
152 | B# ifconfig wg0 | | 152 | B# ifconfig wg0 |
153 | wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 | | 153 | wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 |
154 | status: active | | 154 | status: active |
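Review bot: the five `.Bd -literal -offset abcd` blocks in this hunk were relying on undocumented behaviour: `abcd` is not one of the `-offset` keywords (`left`, `indent`, `indent-two`, `right`, `center`), so mdoc formatters fell back to indenting by the rendered width of the literal string, which differs between mandoc and groff and between terminal and proportional output. Replacing it with the explicit scaling width `4n` makes the indent deterministic, which is the right fix. Two follow-ups worth checking before this lands: first, grep the rest of wg.4 (outside the `@@ -64,91` region shown here) for any remaining `-offset abcd` so the EXAMPLES section is indented uniformly; second, decide whether `-offset indent` (the conventional keyword, 6n) would be preferable to `4n` for consistency with other NetBSD manual pages, since a bare scaling width will look like an arbitrary choice to the next editor. The surrounding context lines (the `umask 0077` key generation and the `wgconfig` peer setup) are unchanged and need no action.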