Fill out WireGuard man pages.
This commit is contained in:
parent
7b6ff34c76
commit
0252686c58

@ -1,4 +1,4 @@
# $NetBSD: mi,v 1.1698 2020/08/20 21:28:01 riastradh Exp $
# $NetBSD: mi,v 1.1699 2020/08/20 21:35:59 riastradh Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@ -2032,6 +2032,7 @@
./usr/share/man/cat4/wds.0 man-sys-catman .cat
./usr/share/man/cat4/we.0 man-sys-catman .cat
./usr/share/man/cat4/wedge.0 man-sys-catman .cat
./usr/share/man/cat4/wg.0 man-sys-catman .cat
./usr/share/man/cat4/wi.0 man-sys-catman .cat
./usr/share/man/cat4/wm.0 man-sys-catman .cat
./usr/share/man/cat4/wmidell.0 man-sys-catman .cat
@ -5165,6 +5166,7 @@
./usr/share/man/html4/wds.html man-sys-htmlman html
./usr/share/man/html4/we.html man-sys-htmlman html
./usr/share/man/html4/wedge.html man-sys-htmlman html
./usr/share/man/html4/wg.html man-sys-htmlman html
./usr/share/man/html4/wi.html man-sys-htmlman html
./usr/share/man/html4/wm.html man-sys-htmlman html
./usr/share/man/html4/wmidell.html man-sys-htmlman html
@ -8230,6 +8232,7 @@
./usr/share/man/man4/wds.4 man-sys-man .man
./usr/share/man/man4/we.4 man-sys-man .man
./usr/share/man/man4/wedge.4 man-sys-man .man
./usr/share/man/man4/wg.4 man-sys-man .man
./usr/share/man/man4/wi.4 man-sys-man .man
./usr/share/man/man4/wm.4 man-sys-man .man
./usr/share/man/man4/wmidell.4 man-sys-man .man

@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.706 2020/07/26 15:13:09 jdolecek Exp $
# $NetBSD: Makefile,v 1.707 2020/08/20 21:36:00 riastradh Exp $
# @(#)Makefile 8.1 (Berkeley) 6/18/93

MAN= aac.4 ac97.4 acardide.4 aceride.4 acphy.4 \
@ -70,7 +70,7 @@ MAN= aac.4 ac97.4 acardide.4 aceride.4 acphy.4 \
vald.4 valz.4 veriexec.4 vga.4 vge.4 viaide.4 video.4 \
vio9p.4 vioif.4 viomb.4 viornd.4 vioscsi.4 virt.4 virtio.4 \
vlan.4 vmmon.4 vmnet.4 vnd.4 voodoofb.4 vr.4 vte.4 \
wapbl.4 wb.4 wbsio.4 wd.4 wdc.4 wi.4 wm.4 wpi.4 \
wapbl.4 wb.4 wbsio.4 wd.4 wdc.4 wg.4 wi.4 wm.4 wpi.4 \
wsbell.4 wscons.4 wsdisplay.4 wsfont.4 wskbd.4 wsmouse.4 wsmux.4 \
xbox.4 xge.4 \
yds.4 ym.4 \

@ -0,0 +1,157 @@
.\" $NetBSD: wg.4,v 1.1 2020/08/20 21:36:00 riastradh Exp $
.\"
.\" Copyright (c) 2020 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 20, 2020
.Dt WG 4
.Os
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh NAME
.Nm wg
.Nd WireGuard virtual private network
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SYNOPSIS
.Cd pseudo-device wg
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh DESCRIPTION
The
.Nm
interface implements the WireGuard point-to-point roaming-capable
virtual private network tunnel, configured with
.Xr ifconfig 8
and
.Xr wgconfig 8 .
.Pp
Packets exchanged on a
.Nm
interface are authenticated and encrypted with a secret key negotiated
with the peer, and the encapsulation is exchanged over IP or IPv6 using
UDP.
.Pp
Every
.Xr wg 4
interface can be configured with an IP address using
.Xr ifconfig 8 ,
a private key generated with
.Xr wg-keygen 8 ,
an optional listen port,
and a collection of peers.
.Pp
Each peer configured on an
.Nm
interface has a public key and a range of IP addresses the peer is
allowed to use for its
.Nm
interface inside the tunnel.
Each peer may also optionally have a preshared secret key and a fixed
endpoint IP address outside the tunnel.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh EXAMPLES
Typical network topology:
.Bd -literal
wm0 = 1.2.3.4 bge0 = 4.3.2.1

Stationary server: Roaming client:
+---------+ +---------+
| A | | B |
|---------| |---------|
| [wm0]-------------internet--------[bge0] |
| [wg0] port 1234 - - - (tunnel) - - - - - - [wg0] |
| 10.0.1.0 | 10.0.1.1 |
| | | | |
+--[wm1]--+ +-----------------+ +---------+
| | VPN 10.0.1.0/24 |
| +-----------------+
+-----------------+
| LAN 10.0.0.0/24 |
+-----------------+
.Ed
.Pp
Generate key pairs on A and B:
.Bd -literal
A# wg-keygen > /etc/wireguard/wg0
A# wg-keygen --pub < /etc/wireguard/wg0 > /etc/wireguard/wg0.pub
A# cat /etc/wireguard/wg0.pub
N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y=

B# wg-keygen > /etc/wireguard/wg0
B# wg-keygen --pub < /etc/wireguard/wg0 > /etc/wireguard/wg0.pub
B# cat /etc/wireguard/wg0.pub
X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=
.Ed
.Pp
Configure A to listen on port 1234 and allow connections from B to
appear in the 10.0.1.0/24 subnet:
.Bd -literal
A# ifconfig wg0 create 10.0.1.0/24
A# wgconfig wg0 set private-key /etc/wireguard/wg0
A# wgconfig wg0 set listen-port 1234
A# wgconfig wg0 add peer B \e
X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e
--allowed-ips=10.0.1.1/32
A# ifconfig wg0 up
A# ifconfig wg0
wg0: flags=0x51<UP,POINTOPOINT,RUNNING> mtu 1420
inet 10.0.1.0/24 -> flags 0
.Ed
.Pp
Configure B to connect to A at 1.2.3.4 on port 1234 and the packets can
begin to flow:
.Bd -literal
B# ifconfig wg0 create 10.0.1.1/24
B# wgconfig wg0 set private-key /etc/wireguard/wg0
B# wgconfig wg0 add peer A \e
N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e
--allowed-ips=10.0.1.0/32 \e
--endpoint=1.2.3.4:1234
B# ifconfig wg0 up
B# ifconfig wg0
wg0: flags=0x51<UP,POINTOPOINT,RUNNING> mtu 1420
inet 10.0.1.1/24 -> flags 0
B# ping -n 10.0.1.0
PING 10.0.1.0 (10.0.1.0): 56 data bytes
64 bytes from 10.0.1.0: icmp_seq=0 ttl=255 time=2.721110 ms
...
.Ed
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SEE ALSO
.Xr wg-keygen 8 ,
.Xr wgconfig 8
.Rs
.%T WireGuard: fast, modern, secure VPN tunnel
.%U https://www.wireguard.com/
.Re
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh HISTORY
The
.Nm
interface first appeared in
.Nx 10.0 .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh AUTHORS
The
.Nm
interface was implemented by
.An Ryota Ozaki Aq Mt ozaki.ryota@gmail.com .
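Review bot: the key-generation example `A# wg-keygen > /etc/wireguard/wg0` writes the private key into a file with whatever mode the shell's umask allows, and neither DESCRIPTION nor EXAMPLES says the key file must be unreadable by other users; a `umask 077` before the redirection (or a chmod 600 step after it) in the example, plus one sentence in DESCRIPTION, would close that gap, and the same applies to the preshared key mentioned in the last DESCRIPTION paragraph. Two smaller points in this file: the topology diagram uses 1.2.3.4 and 4.3.2.1 as the public addresses of wm0 and bge0, which are real routable addresses, where the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are the usual choice; and `.Xr wg 4` at the start of the third DESCRIPTION paragraph is a cross-reference from the page to itself (mandoc lint flags these), so `.Nm`, as in the neighbouring paragraphs, is the right macro. Wording: "over IP or IPv6 using UDP" reads better as "over IPv4 or IPv6 using UDP".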

@ -1,4 +1,4 @@
.\" $NetBSD: wg-keygen.8,v 1.1 2020/08/20 21:28:02 riastradh Exp $
.\" $NetBSD: wg-keygen.8,v 1.2 2020/08/20 21:36:00 riastradh Exp $
.\"
.\" Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
.\" All rights reserved.
@ -27,29 +27,50 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd December 12, 2018
.Dd August 20, 2020
.Dt WG-KEYGEN 8
.Os
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh NAME
.Nm wg-keygen
.Nd generates keys used by WireGuard interfaces.
.Nd generate keys for WireGuard interfaces
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SYNOPSIS
.Nm
.Nm Fl Fl pub
.Nm Fl Fl psk
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh DESCRIPTION
.Nm
generates a private key and a preshared key used by a WireGuard interface.
It also generates a public key from a given private key.
generates keys for WireGuard.
.Bl -tag -width abcd
.It Nm
Generate a private key and print it to standard output.
.It Nm Fl Fl pub
Read a private key from standard input, and print the corresponding
public key to standard output.
.It Nm Fl Fl psk
Generate a preshared key and print it to standard output.
.El
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh EXAMPLES
See
.Xr wg 4
for example usage.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SEE ALSO
.Xr wg 4 ,
.Xr wgconfig 8
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh HISTORY
The
.Nm
command first appeared in
.Nx 9.0 .
.Nx 10.0 .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh AUTHORS
The
.Nm
command is written by
command was written by
.An Ryota Ozaki
.Aq ozaki.ryota@gmail.com .
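Review bot: the new `.It Nm` and `.It Nm Fl Fl psk` entries say only that the key is printed to standard output; since the wg(4) example this page points to immediately redirects that output into /etc/wireguard/wg0, the DESCRIPTION should state that both outputs are secrets and that the file they are saved in must not be readable by other users, and it would help to say the keys are printed base64-encoded, which is the form wgconfig(8) expects for `add peer`. Minor: the AUTHORS block still splits the address over `.An Ryota Ozaki` and `.Aq ozaki.ryota@gmail.com .`, while the wg.4 added in the same commit uses `.An Ryota Ozaki Aq Mt ozaki.ryota@gmail.com .`; the latter form keeps the mailto link and makes the two pages consistent.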

@ -1,4 +1,4 @@
.\" $NetBSD: wgconfig.8,v 1.1 2020/08/20 21:28:02 riastradh Exp $
.\" $NetBSD: wgconfig.8,v 1.2 2020/08/20 21:36:00 riastradh Exp $
.\"
.\" Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
.\" All rights reserved.
@ -27,29 +27,135 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd December 12, 2018
.Dd August 20, 2020
.Dt WGCONFIG 8
.Os
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh NAME
.Nm wgconfig
.Nd configure WireGuard interface parameters
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SYNOPSIS
.Nm
.Ar interface
.Nm Ar wgN Op Cm "show all"
.\"
.Nm Ar wgN Cm "show peer" Ar name Op Fl Fl show-preshared-key
.\"
.Nm Ar wgN Cm "show private-key"
.\"
.Nm Ar wgN Cm "set private-key" Ar "filename"
.\"
.Nm Ar wgN Cm "set listen-port" Ar port
.\"
.Nm Ar wgN Cm "add peer" Ar name Ar pubkey
.Op Fl Fl preshared-key Ns = Ns Ar filename
.Op Fl Fl endpoint Ns = Ns Ar ip : Ns Ar port
.Op Fl Fl allowed-ips Ns = Ns Ar ip1 Ns / Ns Ar cidr1 Ns Op , Ns Ar ip2 Ns / Ns Ar cidr2 Ns ,...
.\"
.Nm Ar wgN Cm "delete peer" Ar name
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh DESCRIPTION
The
.Nm
is used to configure a WireGuard interface parameters.
utility is used to configure or display a WireGuard
.Xr wg 4
interface's parameters and status.
Every
.Xr wg 4
interface can be configured with an IP address using
.Xr ifconfig 8 ,
a private key generated with
.Xr wg-keygen 8 ,
an optional listen port,
and a collection of peers.
Each peer has a public key and allowed IP addresses, and may optionally
have a fixed endpoint IP address and a preshared secret key.
.Pp
The following commands are supported:
.Bl -tag -width abcd
.It Cm "show all"
Show all WireGuard peers.
No secret keys are included in the output.
.It Cm "show peer" Ar name Op Fl Fl show-preshared-key
Show the peer named
.Ar name .
By default, no secret keys are included in the output.
With
.Fl Fl show-preshared-key ,
also display the secret preshared key that the peer was configured to
have with the
.Fl Fl preshared-key
option to
.Nm Ar wgN Cm "add peer" .
.It Cm "show private-key"
Show the private key that was set with
.Nm Ar wgN Cm "set private-key" .
.It Cm "set listen-port" Ar port
Set the UDP port number that
.Ar wgN
listens for incoming WireGuard sessions on.
This allows a peer to start a new session without having a specific
endpoint IP address configured.
.It Cm "add peer" Ar name Ar pubkey Op options...
Add a peer.
The argument
.Ar name
may be passed to
.Nm Ar wgN Cm "show peer"
and
.Nm Ar wgN Cm "delete peer" .
The argument
.Ar pubkey
is the peer's base64-encoded public key, as printed by
.Nm wg-keygen Fl Fl pub .
.Pp
The following options may be specified:
.Bl -tag -width abcd
.It Fl Fl preshared-key-file Ns = Ns Ar filename
Set a secret preshared key generated by
.Nm wg-keygen Fl Fl psk .
.Pp
If the preshared key can be arranged in advance on a medium not subject
to eavesdropping, then it defends against possible future quantum
cryptanalysis of the X25519 key agreement.
WireGuard still uses X25519 key agreements in order to erase past
session keys so that past session transcripts remain secret should one
of the endpoints be compromised in the future; the preshared key is an
additional measure on top.
.It Fl Fl endpoint Ns = Ns Ar ip : Ns Ar port
Set the peer's endpoint address outside the tunnel.
This is optional for a VPN server if the WireGuard interface is
configured to listen on a port number.
.It Fl Fl allowed-ips Ns = Ns Ar ip1 Ns / Ns Ar cidr1 Ns Op , Ns Ar ip2 Ns / Ns Ar cidr2 Ns ,...
Set the IP address ranges that the peer is allowed to select inside the
tunnel.
.El
.It Cm "delete peer" Ar name
Delete the peer
.Ar name
previously added with
.Nm Cm "add peer" Ar name .
.El
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh EXAMPLES
See
.Xr wg 4
for an example network topology and
.Nm
usage.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SEE ALSO
.Xr wg 4 ,
.Xr wg-keygen 8
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh HISTORY
The
.Nm
command first appeared in
.Nx 9.0 .
.Nx 10.0 .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh AUTHORS
The
.Nm
command is written by
command was written by
.An Ryota Ozaki
.Aq ozaki.ryota@gmail.com .
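Review bot: the preshared-key option is spelled two different ways in this hunk: the SYNOPSIS line `.Op Fl Fl preshared-key Ns = Ns Ar filename` and the `show peer` text `.Fl Fl preshared-key` say `--preshared-key`, while the option list entry `.It Fl Fl preshared-key-file Ns = Ns Ar filename` says `--preshared-key-file`; only one can match what the utility's parser accepts, and a reader following the other will get an unknown-option error, so please check the parser and use one spelling throughout. Also, `set private-key`, which appears in the SYNOPSIS and is referenced from the `show private-key` entry, has no entry of its own under "The following commands are supported:"; it deserves one, and that entry is the natural place to say that the file holding the key should be readable only by root. Minor: `.Nm Cm "add peer" Ar name` under `delete peer` drops the `Ar wgN` that every other cross-reference in the list carries.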