Thu Apr 18 15:44:37 2024 UTC (22d)

Pull up following revision(s) (requested by riastradh in ticket #658):

	share/man/man4/wg.4: revision 1.8
	share/man/man4/wg.4: revision 1.9

wg(4): Rework example numbering for clarity and add IPv6.

Let's avoid triggering unease with host number 0.
PR misc/58015

wg(4): Fix IPv6 numbering in example diagram.

This way it matches the configuration suggested below (which avoids
host number zero on the subnet).

PR misc/58015


(martin)

diff -r1.6.6.1 -r1.6.6.2 src/share/man/man4/wg.4

--- src/share/man/man4/wg.4 2024/03/11 19:39:23	1.6.6.1
+++ src/share/man/man4/wg.4 2024/04/18 15:44:37	1.6.6.2

 @@ -1,14 +1,14 @@
-.\"	$NetBSD: wg.4,v 1.6.6.1 2024/03/11 19:39:23 martin Exp $
+.\"	$NetBSD: wg.4,v 1.6.6.2 2024/04/18 15:44:37 martin Exp $
 .\"
 .\" Copyright (c) 2020 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
 @@ -65,99 +65,113 @@ and a collection of peers.
 .Pp
 Each peer configured on an
 .Nm
 interface has a public key and a range of IP addresses the peer is
 allowed to use for its
 .Nm
 interface inside the tunnel.
 Each peer may also optionally have a preshared secret key and a fixed
 endpoint IP address outside the tunnel.
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .Sh EXAMPLES
 Typical network topology:
 .Bd -literal -offset abcd
 wm0 = 192.0.2.123                     bge0 = 198.51.100.45
 Stationary server:                         Roaming client:
 +---------+                                    +---------+
 |    A    |                                    |    B    |
 |---------|                                    |---------|
-|        [wm0]-------------internet--------[bge0]        |
+|         | 192.0.2.123          198.51.100.45 |         |
 |        [wm0]----------internet-----------[bge0]        |
 |    [wg0] port 1234 - - - (tunnel) - - - - - - [wg0]    |
-|   10.0.1.0                  |               10.0.1.1   |
+|   10.2.0.1                  |               10.2.0.42  |
 |   fd00:2::1                 |              fd00:2::42  |
 |         |                   |                |         |
 +--[wm1]--+          +-----------------+       +---------+
-     |               | VPN 10.0.1.0/24 |
+     | 10.1.0.1      | VPN 10.2.0.0/24 |
      |               |     fd00:2::/64 |
      |               +-----------------+
 +-----------------+
-| LAN 10.0.0.0/24 |
+| LAN 10.1.0.0/24 |
 |     fd00:1::/64 |
 +-----------------+
 .Ed
 .Pp
 Generate key pairs on A and B:
 .Bd -literal -offset abcd
 A# (umask 0077; wg-keygen > /etc/wg/wg0)
 A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
 A# cat /etc/wg/wg0.pub
 N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y=
 B# (umask 0077; wg-keygen > /etc/wg/wg0)
 B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
 B# cat /etc/wg/wg0.pub
 X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=
 .Ed
 .Pp
 Generate a pre-shared key on A and copy it to B to defend against
 potential future quantum cryptanalysis (not necessary for
 functionality):
 .Bd -literal -offset abcd
 A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B)
 .Ed
 .Pp
 Configure A to listen on port 1234 and allow connections from B to
-appear in the 10.0.1.0/24 subnet:
+appear in the 10.2.0.0/24 and fd00:2::/64 subnets:
 .Bd -literal -offset abcd
-A# ifconfig wg0 create 10.0.1.0/24
+A# ifconfig wg0 create
 A# ifconfig wg0 inet 10.2.0.1/24
 A# ifconfig wg0 inet6 fd00:2::1/64
 A# wgconfig wg0 set private-key /etc/wg/wg0
 A# wgconfig wg0 set listen-port 1234
 A# wgconfig wg0 add peer B \e
     X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e
     --preshared-key=/etc/wg/wg0.A-B \e
-    --allowed-ips=10.0.1.1/32
+    --allowed-ips=10.2.0.42/32,fd00:2::42/128
 A# ifconfig wg0 up
 A# ifconfig wg0
 wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
-        inet 10.0.1.0/24 flags 0
+        status: active
         inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3
         inet6 fd00:2::1/64 flags 0
         inet 10.2.0.1/24 flags 0
 .Ed
 .Pp
 Configure B to connect to A at 192.0.2.123 on port 1234 and the packets
 can begin to flow:
 .Bd -literal -offset abcd
-B# ifconfig wg0 create 10.0.1.1/24
+B# ifconfig wg0 create
 B# ifconfig wg0 inet 10.2.0.42/24
 B# ifconfig wg0 inet6 fd00:2::42/64
 B# wgconfig wg0 set private-key /etc/wg/wg0
 B# wgconfig wg0 add peer A \e
     N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e
     --preshared-key=/etc/wg/wg0.A-B \e
-    --allowed-ips=10.0.1.0/32 \e
+    --allowed-ips=10.2.0.1/32,fd00:2::1/128 \e
     --endpoint=192.0.2.123:1234
 B# ifconfig wg0 up
 B# ifconfig wg0
 wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
-        inet 10.0.1.1/24 flags 0
+        status: active
         inet6 fe80::56eb:59ff:fe3d:d413%wg0/64 flags 0 scopeid 0x3
-B# ping -n 10.0.1.0
+        inet6 fd00:2::42/64 flags 0
-PING 10.0.1.0 (10.0.1.0): 56 data bytes
+        inet 10.2.0.42/24 flags 0
-bytes from 10.0.1.0: icmp_seq=0 ttl=255 time=2.721110 ms
+B# ping -n 10.2.0.1
 PING 10.2.0.1 (10.2.0.1): 56 data bytes
 bytes from 10.2.0.1: icmp_seq=0 ttl=255 time=2.721110 ms
 \&...
 B# ping6 -n fd00:2::1
 PING6(56=40+8+8 bytes) fd00:2::42 --> fd00:2::1
 bytes from fd00:2::1, icmp_seq=0 hlim=64 time=2.634 ms
 \&...
 .Ed
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .Sh SEE ALSO
 .Xr wg-keygen 8 ,
 .Xr wgconfig 8
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .Sh COMPATIBILITY
 The
 .Nm
 interface aims to be compatible with the WireGuard protocol, as
 described in:
 .Pp