diff --git a/distrib/sets/lists/base/shl.mi b/distrib/sets/lists/base/shl.mi index 0530c654d652..68b23a2609fa 100644 --- a/distrib/sets/lists/base/shl.mi +++ b/distrib/sets/lists/base/shl.mi @@ -1,4 +1,4 @@ -# $NetBSD: shl.mi,v 1.896 2020/08/20 21:28:00 riastradh Exp $ +# $NetBSD: shl.mi,v 1.897 2020/08/26 16:03:40 riastradh Exp $ # # Note: Don't delete entries from here - mark them as "obsolete" instead, # unless otherwise stated below. @@ -832,9 +832,12 @@ ./usr/lib/librumpnet_vlan.so base-rump-shlib rump ./usr/lib/librumpnet_vlan.so.0 base-rump-shlib rump ./usr/lib/librumpnet_vlan.so.0.0 base-rump-shlib rump -./usr/lib/librumpnet_wireguard.so base-rump-shlib rump -./usr/lib/librumpnet_wireguard.so.0 base-rump-shlib rump -./usr/lib/librumpnet_wireguard.so.0.0 base-rump-shlib rump +./usr/lib/librumpnet_wg.so base-rump-shlib rump +./usr/lib/librumpnet_wg.so.0 base-rump-shlib rump +./usr/lib/librumpnet_wg.so.0.0 base-rump-shlib rump +./usr/lib/librumpnet_wireguard.so base-obsolete obsolete +./usr/lib/librumpnet_wireguard.so.0 base-obsolete obsolete +./usr/lib/librumpnet_wireguard.so.0.0 base-obsolete obsolete ./usr/lib/librumpres.so base-rumpclient-shlib compatfile,rump ./usr/lib/librumpres.so.0 base-rumpclient-shlib compatfile,rump ./usr/lib/librumpres.so.0.0 base-rumpclient-shlib compatfile,rump diff --git a/distrib/sets/lists/comp/mi b/distrib/sets/lists/comp/mi index c003cb6a2925..b5520ac13b8a 100644 --- a/distrib/sets/lists/comp/mi +++ b/distrib/sets/lists/comp/mi @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.2344 2020/08/20 21:28:00 riastradh Exp $ +# $NetBSD: mi,v 1.2345 2020/08/26 16:03:40 riastradh Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. ./etc/mtree/set.comp comp-sys-root 
@@ -3867,8 +3867,10 @@ ./usr/lib/librumpnet_virtif_p.a comp-c-proflib rump,profile ./usr/lib/librumpnet_vlan.a comp-c-lib rump ./usr/lib/librumpnet_vlan_p.a comp-c-proflib rump,profile -./usr/lib/librumpnet_wireguard.a comp-c-lib rump -./usr/lib/librumpnet_wireguard_p.a comp-c-proflib rump,profile +./usr/lib/librumpnet_wg.a comp-c-lib rump +./usr/lib/librumpnet_wg_p.a comp-c-proflib rump,profile +./usr/lib/librumpnet_wireguard.a comp-obsolete obsolete +./usr/lib/librumpnet_wireguard_p.a comp-obsolete obsolete ./usr/lib/librumpres.a comp-c-lib compatfile,rump ./usr/lib/librumpres_p.a comp-c-proflib compatfile,rump,profile ./usr/lib/librumpuser.a comp-c-lib compatfile,rump diff --git a/distrib/sets/lists/comp/shl.mi b/distrib/sets/lists/comp/shl.mi index 7a3f50c9957e..674720f87bb4 100644 --- a/distrib/sets/lists/comp/shl.mi +++ b/distrib/sets/lists/comp/shl.mi @@ -1,4 +1,4 @@ -# $NetBSD: shl.mi,v 1.337 2020/08/20 21:28:00 riastradh Exp $ +# $NetBSD: shl.mi,v 1.338 2020/08/26 16:03:40 riastradh Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -248,7 +248,8 @@ ./usr/lib/librumpnet_tun_pic.a comp-c-piclib picinstall,rump ./usr/lib/librumpnet_virtif_pic.a comp-c-piclib picinstall,rump ./usr/lib/librumpnet_vlan_pic.a comp-c-piclib picinstall,rump -./usr/lib/librumpnet_wireguard_pic.a comp-c-piclib picinstall,rump +./usr/lib/librumpnet_wg_pic.a comp-c-piclib picinstall,rump +./usr/lib/librumpnet_wireguard_pic.a comp-obsolete obsolete ./usr/lib/librumpres_pic.a comp-c-piclib compatfile,picinstall,rump ./usr/lib/librumpuser_pic.a comp-c-piclib compatfile,picinstall,rump ./usr/lib/librumpvfs_aio_pic.a comp-c-piclib picinstall,rump diff --git a/distrib/sets/lists/debug/mi b/distrib/sets/lists/debug/mi index 518948df0232..71ead7b0e8b5 100644 --- a/distrib/sets/lists/debug/mi +++ b/distrib/sets/lists/debug/mi 
@@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.329 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: mi,v 1.330 2020/08/26 16:03:41 riastradh Exp $ ./etc/mtree/set.debug comp-sys-root ./usr/lib comp-sys-usr compatdir ./usr/lib/i18n/libBIG5_g.a comp-c-debuglib debuglib,compatfile @@ -237,7 +237,8 @@ ./usr/lib/librumpnet_tun_g.a comp-c-debuglib debuglib,rump ./usr/lib/librumpnet_virtif_g.a comp-c-debuglib debuglib,rump ./usr/lib/librumpnet_vlan_g.a comp-c-debuglib debuglib,rump -./usr/lib/librumpnet_wireguard_g.a comp-c-debuglib debuglib,rump +./usr/lib/librumpnet_wg_g.a comp-c-debuglib debuglib,rump +./usr/lib/librumpnet_wireguard_g.a comp-obsolete obsolete ./usr/lib/librumpres_g.a comp-c-debuglib debuglib,compatfile,rump ./usr/lib/librumpuser_g.a comp-c-debuglib debuglib,compatfile,rump ./usr/lib/librumpvfs_aio_g.a comp-c-debuglib debuglib,rump diff --git a/distrib/sets/lists/debug/shl.mi b/distrib/sets/lists/debug/shl.mi index de4bfd01e9bc..3dc34a128d0a 100644 --- a/distrib/sets/lists/debug/shl.mi +++ b/distrib/sets/lists/debug/shl.mi @@ -1,4 +1,4 @@ -# $NetBSD: shl.mi,v 1.258 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: shl.mi,v 1.259 2020/08/26 16:03:41 riastradh Exp $ ./usr/lib/libbfd_g.a comp-c-debuglib debuglib,compatfile,binutils ./usr/libdata/debug/lib base-sys-usr debug,dynamicroot,compatdir ./usr/libdata/debug/lib/libavl.so.0.0.debug comp-zfs-debug debug,dynamicroot,zfs 
@@ -290,7 +290,8 @@ ./usr/libdata/debug/usr/lib/librumpnet_tun.so.0.0.debug comp-rump-debug debug,rump ./usr/libdata/debug/usr/lib/librumpnet_virtif.so.0.0.debug comp-rump-debug debug,rump ./usr/libdata/debug/usr/lib/librumpnet_vlan.so.0.0.debug comp-rump-debug debug,rump -./usr/libdata/debug/usr/lib/librumpnet_wireguard.so.0.0.debug comp-rump-debug debug,rump +./usr/libdata/debug/usr/lib/librumpnet_wg.so.0.0.debug comp-rump-debug debug,rump +./usr/libdata/debug/usr/lib/librumpnet_wireguard.so.0.0.debug comp-obsolete obsolete ./usr/libdata/debug/usr/lib/librumpres.so.0.0.debug comp-rump-debug debug,compatfile,rump ./usr/libdata/debug/usr/lib/librumpuser.so.0.1.debug comp-rump-debug debug,compatfile,rump ./usr/libdata/debug/usr/lib/librumpvfs.so.0.0.debug comp-rump-debug debug,compatfile,rump diff --git a/distrib/sets/lists/tests/mi b/distrib/sets/lists/tests/mi index c53e412b4d8f..6e8b0bb450e7 100644 --- a/distrib/sets/lists/tests/mi +++ b/distrib/sets/lists/tests/mi @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.906 2020/08/24 18:41:22 riastradh Exp $ +# $NetBSD: mi,v 1.907 2020/08/26 16:03:41 riastradh Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # 
@@ -3866,13 +3866,20 @@ ./usr/tests/net/if_vlan/Kyuafile tests-net-tests atf,rump,kyua ./usr/tests/net/if_vlan/siocXmulti tests-net-tests atf,rump ./usr/tests/net/if_vlan/t_vlan tests-net-tests atf,rump -./usr/tests/net/wireguard tests-net-tests compattestfile,atf -./usr/tests/net/wireguard/Atffile tests-net-tests atf,rump -./usr/tests/net/wireguard/Kyuafile tests-net-tests atf,rump,kyua -./usr/tests/net/wireguard/t_basic tests-net-tests atf,rump -./usr/tests/net/wireguard/t_interoperability tests-net-tests atf,rump -./usr/tests/net/wireguard/t_misc tests-net-tests atf,rump -./usr/tests/net/wireguard/t_tunnel tests-net-tests atf,rump +./usr/tests/net/if_wg tests-net-tests compattestfile,atf +./usr/tests/net/if_wg/Atffile tests-net-tests atf,rump +./usr/tests/net/if_wg/Kyuafile tests-net-tests atf,rump,kyua +./usr/tests/net/if_wg/t_basic tests-net-tests atf,rump +./usr/tests/net/if_wg/t_interoperability tests-net-tests atf,rump +./usr/tests/net/if_wg/t_misc tests-net-tests atf,rump +./usr/tests/net/if_wg/t_tunnel tests-net-tests atf,rump +./usr/tests/net/wireguard tests-obsolete obsolete +./usr/tests/net/wireguard/Atffile tests-obsolete obsolete +./usr/tests/net/wireguard/Kyuafile tests-obsolete obsolete +./usr/tests/net/wireguard/t_basic tests-obsolete obsolete +./usr/tests/net/wireguard/t_interoperability tests-obsolete obsolete +./usr/tests/net/wireguard/t_misc tests-obsolete obsolete +./usr/tests/net/wireguard/t_tunnel tests-obsolete obsolete ./usr/tests/net/in_cksum tests-net-tests compattestfile,atf ./usr/tests/net/in_cksum/Atffile tests-net-tests compattestfile,atf ./usr/tests/net/in_cksum/Kyuafile tests-net-tests compattestfile,atf,kyua 
@@ -3953,10 +3960,14 @@ ./usr/tests/net/sys/t_listen tests-obsolete obsolete ./usr/tests/net/sys/t_rfc6056 tests-net-tests compattestfile,atf ./usr/tests/net/sys/t_socketpair tests-obsolete obsolete -./usr/tests/net/wireguard tests-net-tests compattestfile,atf -./usr/tests/net/wireguard/Atffile tests-net-tests compattestfile,atf -./usr/tests/net/wireguard/Kyuafile tests-net-tests compattestfile,atf,kyua -./usr/tests/net/wireguard/t_basic tests-net-tests atf,rump +./usr/tests/net/if_wg tests-net-tests compattestfile,atf +./usr/tests/net/if_wg/Atffile tests-net-tests compattestfile,atf +./usr/tests/net/if_wg/Kyuafile tests-net-tests compattestfile,atf,kyua +./usr/tests/net/if_wg/t_basic tests-net-tests atf,rump +./usr/tests/net/wireguard tests-obsolete obsolete +./usr/tests/net/wireguard/Atffile tests-obsolete obsolete +./usr/tests/net/wireguard/Kyuafile tests-obsolete obsolete +./usr/tests/net/wireguard/t_basic tests-obsolete obsolete ./usr/tests/opencrypto tests-obsolete obsolete ./usr/tests/rump tests-rump-tests compattestfile,atf ./usr/tests/rump/Atffile tests-rump-tests atf,rump diff --git a/doc/CHANGES b/doc/CHANGES index 20d09653183d..8280734e4b3a 100644 --- a/doc/CHANGES +++ b/doc/CHANGES @@ -1,4 +1,4 @@ -# LIST OF CHANGES FROM LAST RELEASE: <$Revision: 1.2732 $> +# LIST OF CHANGES FROM LAST RELEASE: <$Revision: 1.2733 $> # # # [Note: This file does not mention every change made to the NetBSD source tree. @@ -273,4 +273,4 @@ Changes from NetBSD 9.0 to NetBSD 10.0: kernel: Add getrandom system call. [riastradh 20200813] kernel: Disable COMPAT_LINUX by default [jdolecek 20200816] mips: Port crash(8) to mips. [mrg 20200816] - wg(4): Add support for WireGuard. [ozaki-r 20200820] + wg(4): Add implementation of WireGuard protocol. [ozaki-r 20200820] diff --git a/etc/mtree/NetBSD.dist.tests b/etc/mtree/NetBSD.dist.tests index 76501966947b..7d747038d747 100644 --- a/etc/mtree/NetBSD.dist.tests +++ b/etc/mtree/NetBSD.dist.tests 
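Review bot: The `./usr/tests/net/if_wg`, `if_wg/Atffile`, `if_wg/Kyuafile` and `if_wg/t_basic` entries added in this hunk (`@@ -3953`) repeat paths that the earlier `@@ -3866` hunk of the same file already adds, and the two copies disagree on flags (`compattestfile,atf` here versus `atf,rump` there for `Atffile`, and likewise for `Kyuafile`). The duplication already existed for the old `wireguard` paths, but carrying it over leaves two conflicting definitions per new path and two `obsolete` lines per old path. Keeping only the sorted block next to `if_vlan` and dropping this second block would leave one definition per file. Whether the set-list tooling tolerates duplicate paths is not visible in this diff, so that should be confirmed with a sets check.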
@@ -1,4 +1,4 @@ -# $NetBSD: NetBSD.dist.tests,v 1.175 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: NetBSD.dist.tests,v 1.176 2020/08/26 16:03:41 riastradh Exp $ ./usr/libdata/debug/usr/tests ./usr/libdata/debug/usr/tests/atf @@ -358,6 +358,7 @@ ./usr/tests/net/if_tap ./usr/tests/net/if_tun ./usr/tests/net/if_vlan +./usr/tests/net/if_wg ./usr/tests/net/in_cksum ./usr/tests/net/ipsec ./usr/tests/net/mcast @@ -367,7 +368,6 @@ ./usr/tests/net/npf ./usr/tests/net/route ./usr/tests/net/sys -./usr/tests/net/wireguard ./usr/tests/rump ./usr/tests/rump/modautoload ./usr/tests/rump/rumpkern diff --git a/share/man/man4/wg.4 b/share/man/man4/wg.4 index 07d7863c75cc..edb65d6bcab4 100644 --- a/share/man/man4/wg.4 +++ b/share/man/man4/wg.4 @@ -1,4 +1,4 @@ -.\" $NetBSD: wg.4,v 1.4 2020/08/21 08:09:55 wiz Exp $ +.\" $NetBSD: wg.4,v 1.5 2020/08/26 16:03:41 riastradh Exp $ .\" .\" Copyright (c) 2020 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -30,7 +30,7 @@ .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh NAME .Nm wg -.Nd WireGuard virtual private network +.Nd virtual private network tunnel (EXPERIMENTAL) .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh SYNOPSIS .Cd pseudo-device wg @@ -38,12 +38,16 @@ .Sh DESCRIPTION The .Nm -interface implements the WireGuard point-to-point roaming-capable -virtual private network tunnel, configured with +interface implements a point-to-point roaming-capable virtual private +network tunnel, configured with .Xr ifconfig 8 and .Xr wgconfig 8 . .Pp +.Sy WARNING: +.Nm +is experimental. +.Pp Packets exchanged on a .Nm interface are authenticated and encrypted with a secret key negotiated 
@@ -91,14 +95,14 @@ Stationary server: Roaming client: .Pp Generate key pairs on A and B: .Bd -literal -offset abcd -A# wg-keygen > /etc/wireguard/wg0 -A# wg-keygen --pub < /etc/wireguard/wg0 > /etc/wireguard/wg0.pub -A# cat /etc/wireguard/wg0.pub +A# wg-keygen > /etc/wg/wg0 +A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub +A# cat /etc/wg/wg0.pub N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= -B# wg-keygen > /etc/wireguard/wg0 -B# wg-keygen --pub < /etc/wireguard/wg0 > /etc/wireguard/wg0.pub -B# cat /etc/wireguard/wg0.pub +B# wg-keygen > /etc/wg/wg0 +B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub +B# cat /etc/wg/wg0.pub X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= .Ed .Pp @@ -106,7 +110,7 @@ Configure A to listen on port 1234 and allow connections from B to appear in the 10.0.1.0/24 subnet: .Bd -literal -offset abcd A# ifconfig wg0 create 10.0.1.0/24 -A# wgconfig wg0 set private-key /etc/wireguard/wg0 +A# wgconfig wg0 set private-key /etc/wg/wg0 A# wgconfig wg0 set listen-port 1234 A# wgconfig wg0 add peer B \e X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e @@ -121,7 +125,7 @@ Configure B to connect to A at 1.2.3.4 on port 1234 and the packets can begin to flow: .Bd -literal -offset abcd B# ifconfig wg0 create 10.0.1.1/24 -B# wgconfig wg0 set private-key /etc/wireguard/wg0 +B# wgconfig wg0 set private-key /etc/wg/wg0 B# wgconfig wg0 add peer A \e N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e --allowed-ips=10.0.1.0/32 \e 
@@ -139,9 +143,19 @@ PING 10.0.1.0 (10.0.1.0): 56 data bytes .Sh SEE ALSO .Xr wg-keygen 8 , .Xr wgconfig 8 +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh COMPATIBILITY +The +.Nm +interface aims to be compatible with the WireGuard protocol, as +described in: +.Pp .Rs -.%T WireGuard: fast, modern, secure VPN tunnel -.%U https://www.wireguard.com/ +.%A Jason A. Donenfeld +.%T WireGuard: Next Generation Kernel Network Tunnel +.%U https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf +.%O Document ID: 4846ada1492f5d92198df154f48c3d54205657bc +.%D 2018-06-30 .Re .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh HISTORY diff --git a/sys/arch/amd64/conf/ALL b/sys/arch/amd64/conf/ALL index ec2938bec3b3..bc12ceba0b9f 100644 --- a/sys/arch/amd64/conf/ALL +++ b/sys/arch/amd64/conf/ALL @@ -1,4 +1,4 @@ -# $NetBSD: ALL,v 1.161 2020/08/20 21:36:11 riastradh Exp $ +# $NetBSD: ALL,v 1.162 2020/08/26 16:03:41 riastradh Exp $ # From NetBSD: GENERIC,v 1.787 2006/10/01 18:37:54 bouyer Exp # # ALL machine description file @@ -17,7 +17,7 @@ include "arch/amd64/conf/std.amd64" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "ALL-$Revision: 1.161 $" +#ident "ALL-$Revision: 1.162 $" maxusers 64 # estimated number of users @@ -1641,7 +1641,7 @@ pseudo-device npf # NPF packet filter pseudo-device kttcp # srt is EXPERIMENTAL pseudo-device srt # source-address-based routing -pseudo-device wg # WireGuard +pseudo-device wg # VPN tunnel compatible with WireGuard pseudo-device canloop # CAN loopback interface diff --git a/sys/net/if_types.h b/sys/net/if_types.h index d928a10fb9b2..9ef394b4f805 100644 --- a/sys/net/if_types.h +++ b/sys/net/if_types.h @@ -1,4 +1,4 @@ -/* $NetBSD: if_types.h,v 1.30 2020/08/20 21:21:32 riastradh Exp $ */ +/* $NetBSD: if_types.h,v 1.31 2020/08/26 16:03:41 riastradh Exp $ */ /* * Copyright (c) 1989, 1993, 1994 
@@ -267,6 +267,5 @@ #define IFT_CARP 0xf8 /* Common Address Redundancy Protocol */ #define IFT_IPSEC 0xf9 /* IPsec I/F */ #define IFT_MBIM 0xfa /* Mobile Broadband Interface Model */ -#define IFT_WIREGUARD 0xfb /* WireGuard */ #endif /* !_NET_IF_TYPES_H_ */ diff --git a/sys/net/if_wg.c b/sys/net/if_wg.c index 01cb6403109a..6e934c6203f2 100644 --- a/sys/net/if_wg.c +++ b/sys/net/if_wg.c @@ -1,4 +1,4 @@ -/* $NetBSD: if_wg.c,v 1.23 2020/08/23 18:52:53 riastradh Exp $ */ +/* $NetBSD: if_wg.c,v 1.24 2020/08/26 16:03:41 riastradh Exp $ */ /* * Copyright (C) Ryota Ozaki @@ -30,20 +30,18 @@ */ /* - * This is an implementation of WireGuard, a fast, modern, secure VPN protocol, - * for the NetBSD kernel and rump kernels. - * - * The implementation is based on the paper of WireGuard as of 2018-06-30 [1]. - * The paper is referred in the source code with label [W]. Also the - * specification of the Noise protocol framework as of 2018-07-11 [2] is - * referred with label [N]. + * This network interface aims to implement the WireGuard protocol. + * The implementation is based on the paper of WireGuard as of + * 2018-06-30 [1]. The paper is referred in the source code with label + * [W]. Also the specification of the Noise protocol framework as of + * 2018-07-11 [2] is referred with label [N]. * * [1] https://www.wireguard.com/papers/wireguard.pdf * [2] http://noiseprotocol.org/noise.pdf */ #include -__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.23 2020/08/23 18:52:53 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.24 2020/08/26 16:03:41 riastradh Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" 
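Review bot: Reference `[1]` in the rewritten header comment of if_wg.c (`@@ -30` hunk) still points at the live `https://www.wireguard.com/papers/wireguard.pdf`, although the text says the implementation follows the paper as of 2018-06-30 and the wg.4 change in this same commit pins that revision with an archive URL and a document ID. A live link can drift away from the revision that the `[W]` labels in the code refer to, which makes later protocol review harder. I would cite the same pinned snapshot here, `[1] https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf`, and give `[2]` a comparably stable reference, since it is a plain `http://` link.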
@@ -120,7 +118,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.23 2020/08/23 18:52:53 riastradh Exp $") * Data structures * - struct wg_softc is an instance of wg interfaces * - It has a list of peers (struct wg_peer) - * - It has a kthread that sends/receives WireGuard handshake messages and + * - It has a kthread that sends/receives handshake messages and * runs event handlers * - It has its own two routing tables: one is for IPv4 and the other IPv6 * - struct wg_peer is a representative of a peer @@ -3346,7 +3344,7 @@ wg_if_attach(struct wg_softc *wg) wg->wg_if.if_output = wg_output; wg->wg_if.if_init = wg_init; wg->wg_if.if_stop = wg_stop; - wg->wg_if.if_type = IFT_WIREGUARD; + wg->wg_if.if_type = IFT_OTHER; wg->wg_if.if_dlt = DLT_NULL; wg->wg_if.if_softc = wg; IFQ_SET_READY(&wg->wg_if.if_snd); @@ -4399,14 +4397,14 @@ wg_stop(struct ifnet *ifp, int disable) } #ifdef WG_DEBUG_PARAMS -SYSCTL_SETUP(sysctl_net_wireguard_setup, "sysctl net.wireguard setup") +SYSCTL_SETUP(sysctl_net_wg_setup, "sysctl net.wg setup") { const struct sysctlnode *node = NULL; sysctl_createv(clog, 0, NULL, &node, CTLFLAG_PERMANENT, - CTLTYPE_NODE, "wireguard", - SYSCTL_DESCR("WireGuard"), + CTLTYPE_NODE, "wg", + SYSCTL_DESCR("wg(4)"), NULL, 0, NULL, 0, CTL_NET, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &node, NULL, diff --git a/sys/rump/net/Makefile.rumpnetcomp b/sys/rump/net/Makefile.rumpnetcomp index 9dda4f800073..8edabbd352aa 100644 --- a/sys/rump/net/Makefile.rumpnetcomp +++ b/sys/rump/net/Makefile.rumpnetcomp @@ -1,11 +1,11 @@ -# $NetBSD: Makefile.rumpnetcomp,v 1.21 2020/08/20 21:21:32 riastradh Exp $ +# $NetBSD: Makefile.rumpnetcomp,v 1.22 2020/08/26 16:03:41 riastradh Exp $ # .include RUMPNETCOMP= agr bridge net net80211 netbt netcan netinet netinet6 netipsec RUMPNETCOMP+= gif ipsec netmpls npf l2tp local pppoe shmif tap tun vlan -RUMPNETCOMP+= wireguard +RUMPNETCOMP+= wg .if ${MKSLJIT} != "no" || make(rumpdescribe) RUMPNETCOMP+= bpfjit 
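Review bot: In the `@@ -3346` hunk, `wg->wg_if.if_type = IFT_OTHER;` carries no comment explaining the choice, and with `IFT_WIREGUARD` removed from if_types.h a wg(4) interface can no longer be told apart from any other `IFT_OTHER` interface by type. Code that classifies interfaces by `if_type` (packet-filter rules, monitoring, address-configuration daemons) would need another way to recognise an encrypted tunnel; nothing in this diff shows such a consumer, so this is a question rather than a confirmed regression. A one-line comment would record the intent, for example `/* no dedicated IFT_* value for wg(4); do not key policy on if_type */`. wg_if_attach() starts and ends outside the hunk.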
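Review bot: The `@@ -4399` hunk renames the sysctl node from `net.wireguard` to `net.wg` but nothing next to `SYSCTL_SETUP` says that this subtree exists only under `WG_DEBUG_PARAMS`, while the tests in this commit write `net.wg.rekey_after_time`, `net.wg.rekey_timeout`, `net.wg.rekey_attempt_time`, `net.wg.keepalive_timeout` and `net.wg.force_underload` through it. Those knobs override rekey timing and the under-load cookie behaviour, so a kernel accidentally built with the option would expose settings that weaken the tunnel's key-rotation guarantees. I would add a comment above the setup function along the lines of `/* Debug/test knobs only: these override protocol timers; do not enable WG_DEBUG_PARAMS in production kernels. */`. The child nodes and their flags are outside the hunk, so their access mode could not be checked here.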
diff --git a/sys/rump/net/lib/libwireguard/Makefile b/sys/rump/net/lib/libwg/Makefile similarity index 78% rename from sys/rump/net/lib/libwireguard/Makefile rename to sys/rump/net/lib/libwg/Makefile index 405e1cc88d85..7b21d257aa4a 100644 --- a/sys/rump/net/lib/libwireguard/Makefile +++ b/sys/rump/net/lib/libwg/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.1 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: Makefile,v 1.1 2020/08/26 16:03:42 riastradh Exp $ # .PATH: ${.CURDIR}/../../../../net ${.CURDIR}/../../../../netinet \ ${.CURDIR}/../../../../netinet6 -LIB= rumpnet_wireguard -COMMENT= WireGuard +LIB= rumpnet_wg +COMMENT= virtual private network tunnel IOCONF= WG.ioconf SRCS= if_wg.c diff --git a/sys/rump/net/lib/libwg/WG.ioconf b/sys/rump/net/lib/libwg/WG.ioconf new file mode 100644 index 000000000000..bfc25888735d --- /dev/null +++ b/sys/rump/net/lib/libwg/WG.ioconf @@ -0,0 +1,7 @@ +# $NetBSD: WG.ioconf,v 1.1 2020/08/26 16:03:42 riastradh Exp $ + +ioconf wg + +include "conf/files" + +pseudo-device wg diff --git a/sys/rump/net/lib/libwireguard/wg_component.c b/sys/rump/net/lib/libwg/wg_component.c similarity index 90% rename from sys/rump/net/lib/libwireguard/wg_component.c rename to sys/rump/net/lib/libwg/wg_component.c index dfc6a6150f70..24b08a9bafe6 100644 --- a/sys/rump/net/lib/libwireguard/wg_component.c +++ b/sys/rump/net/lib/libwg/wg_component.c @@ -1,4 +1,4 @@ -/* $NetBSD: wg_component.c,v 1.1 2020/08/20 21:28:01 riastradh Exp $ */ +/* $NetBSD: wg_component.c,v 1.1 2020/08/26 16:03:42 riastradh Exp $ */ /* * Copyright (c) 2015 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: wg_component.c,v 1.1 2020/08/20 21:28:01 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: wg_component.c,v 1.1 2020/08/26 16:03:42 riastradh Exp $"); #include 
diff --git a/sys/rump/net/lib/libwireguard/wg_user.c b/sys/rump/net/lib/libwg/wg_user.c similarity index 98% rename from sys/rump/net/lib/libwireguard/wg_user.c rename to sys/rump/net/lib/libwg/wg_user.c index 911b9220373c..6eab9bc1d02f 100644 --- a/sys/rump/net/lib/libwireguard/wg_user.c +++ b/sys/rump/net/lib/libwg/wg_user.c @@ -1,4 +1,4 @@ -/* $NetBSD: wg_user.c,v 1.1 2020/08/20 21:28:01 riastradh Exp $ */ +/* $NetBSD: wg_user.c,v 1.1 2020/08/26 16:03:42 riastradh Exp $ */ /* * Copyright (C) Ryota Ozaki @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: wg_user.c,v 1.1 2020/08/20 21:28:01 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: wg_user.c,v 1.1 2020/08/26 16:03:42 riastradh Exp $"); #ifndef _KERNEL #include diff --git a/sys/rump/net/lib/libwireguard/wg_user.h b/sys/rump/net/lib/libwg/wg_user.h similarity index 97% rename from sys/rump/net/lib/libwireguard/wg_user.h rename to sys/rump/net/lib/libwg/wg_user.h index 836424129112..34f244e05705 100644 --- a/sys/rump/net/lib/libwireguard/wg_user.h +++ b/sys/rump/net/lib/libwg/wg_user.h @@ -1,4 +1,4 @@ -/* $NetBSD: wg_user.h,v 1.1 2020/08/20 21:28:01 riastradh Exp $ */ +/* $NetBSD: wg_user.h,v 1.1 2020/08/26 16:03:42 riastradh Exp $ */ /* * Copyright (C) Ryota Ozaki diff --git a/sys/rump/net/lib/libwireguard/WG.ioconf b/sys/rump/net/lib/libwireguard/WG.ioconf deleted file mode 100644 index 2171259e6282..000000000000 --- a/sys/rump/net/lib/libwireguard/WG.ioconf +++ /dev/null @@ -1,7 +0,0 @@ -# $NetBSD: WG.ioconf,v 1.1 2020/08/20 21:28:01 riastradh Exp $ - -ioconf wg - -include "conf/files" - -pseudo-device wg diff --git a/tests/net/Makefile b/tests/net/Makefile index eacc5fe75c6a..eeab3bbb3fb4 100644 --- a/tests/net/Makefile +++ b/tests/net/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.35 2020/08/20 21:21:32 riastradh Exp $ +# $NetBSD: Makefile,v 1.36 2020/08/26 16:03:42 riastradh Exp $ .include 
@@ -8,7 +8,7 @@ TESTS_SUBDIRS= fdpass in_cksum net sys .if (${MKRUMP} != "no") && !defined(BSD_MK_COMPAT_FILE) TESTS_SUBDIRS+= arp bpf bpfilter can carp icmp if if_bridge if_gif TESTS_SUBDIRS+= if_ipsec if_l2tp if_loop if_pppoe if_tap if_tun ipsec -TESTS_SUBDIRS+= mcast mpls ndp npf route if_vlan wireguard +TESTS_SUBDIRS+= mcast mpls ndp npf route if_vlan if_wg .if (${MKSLJIT} != "no") TESTS_SUBDIRS+= bpfjit .endif diff --git a/tests/net/wireguard/Makefile b/tests/net/if_wg/Makefile similarity index 66% rename from tests/net/wireguard/Makefile rename to tests/net/if_wg/Makefile index 8950dd21ac7c..4ef1d41f20fd 100644 --- a/tests/net/wireguard/Makefile +++ b/tests/net/if_wg/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.1 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: Makefile,v 1.1 2020/08/26 16:03:42 riastradh Exp $ # .include -TESTSDIR= ${TESTSBASE}/net/wireguard +TESTSDIR= ${TESTSBASE}/net/if_wg .for name in basic interoperability misc tunnel TESTS_SH+= t_${name} diff --git a/tests/net/wireguard/common.sh b/tests/net/if_wg/common.sh similarity index 96% rename from tests/net/wireguard/common.sh rename to tests/net/if_wg/common.sh index 9c1c3775b056..74ad865748fa 100644 --- a/tests/net/wireguard/common.sh +++ b/tests/net/if_wg/common.sh @@ -1,4 +1,4 @@ -# $NetBSD: common.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: common.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $ # # Copyright (c) 2018 Ryota Ozaki # All rights reserved. @@ -34,10 +34,10 @@ escape_key() setup_servers() { - rump_server_crypto_start $SOCK_LOCAL netinet6 wireguard + rump_server_crypto_start $SOCK_LOCAL netinet6 wg rump_server_add_iface $SOCK_LOCAL shmif0 $BUS - rump_server_crypto_start $SOCK_PEER netinet6 wireguard + rump_server_crypto_start $SOCK_PEER netinet6 wg rump_server_add_iface $SOCK_PEER shmif0 $BUS } 
diff --git a/tests/net/wireguard/t_basic.sh b/tests/net/if_wg/t_basic.sh similarity index 95% rename from tests/net/wireguard/t_basic.sh rename to tests/net/if_wg/t_basic.sh index 5b0857cd4aad..2af699537066 100644 --- a/tests/net/wireguard/t_basic.sh +++ b/tests/net/if_wg/t_basic.sh @@ -1,4 +1,4 @@ -# $NetBSD: t_basic.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: t_basic.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $ # # Copyright (c) 2018 Ryota Ozaki # All rights reserved. @@ -118,14 +118,14 @@ atf_test_case wg_create_destroy cleanup wg_create_destroy_head() { - atf_set "descr" "tests to create/destroy WireGuard interfaces" + atf_set "descr" "tests to create/destroy wg(4) interfaces" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } wg_create_destroy_body() { - rump_server_crypto_start $SOCK_LOCAL netinet6 wireguard + rump_server_crypto_start $SOCK_LOCAL netinet6 wg test_create_destroy_common $SOCK_LOCAL wg0 true } @@ -167,7 +167,7 @@ wg_create_destroy_peers_common() inner_prefixall=128 fi - rump_server_crypto_start $SOCK_LOCAL netinet6 wireguard + rump_server_crypto_start $SOCK_LOCAL netinet6 wg rump_server_add_iface $SOCK_LOCAL shmif0 $BUS # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer @@ -232,7 +232,7 @@ add_basic_test() local ipv6=inet6 name="wg_basic_${inner}_over_${outer}" - fulldesc="Test WireGuard with ${inner} over ${outer}" + fulldesc="Test wg(4) with ${inner} over ${outer}" eval inner=\$$inner eval outer=\$$outer @@ -262,7 +262,7 @@ add_payload_sizes_test() local ipv6=inet6 name="wg_payload_sizes_${inner}_over_${outer}" - fulldesc="Test WireGuard with ${inner} over ${outer} with various payload sizes" + fulldesc="Test wg(4) with ${inner} over ${outer} with various payload sizes" eval inner=\$$inner eval outer=\$$outer 
@@ -288,7 +288,7 @@ atf_test_case wg_multiple_interfaces cleanup wg_multiple_interfaces_head() { - atf_set "descr" "tests multiple WireGuard interfaces" + atf_set "descr" "tests multiple wg(4) interfaces" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } @@ -314,7 +314,7 @@ wg_multiple_interfaces_body() setup_servers rump_server_add_iface $SOCK_LOCAL shmif1 $BUS - rump_server_crypto_start $SOCK_PEER2 netinet6 wireguard + rump_server_crypto_start $SOCK_PEER2 netinet6 wg rump_server_add_iface $SOCK_PEER2 shmif0 $BUS # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer @@ -381,7 +381,7 @@ atf_test_case wg_multiple_peers cleanup wg_multiple_peers_head() { - atf_set "descr" "tests multiple WireGuard peers" + atf_set "descr" "tests multiple wg(4) peers" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } @@ -404,7 +404,7 @@ wg_multiple_peers_body() setup_servers rump_server_add_iface $SOCK_LOCAL shmif1 $BUS - rump_server_crypto_start $SOCK_PEER2 netinet6 wireguard + rump_server_crypto_start $SOCK_PEER2 netinet6 wg rump_server_add_iface $SOCK_PEER2 shmif0 $BUS # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer diff --git a/tests/net/wireguard/t_interoperability.sh b/tests/net/if_wg/t_interoperability.sh similarity index 88% rename from tests/net/wireguard/t_interoperability.sh rename to tests/net/if_wg/t_interoperability.sh index fd8c083b1d99..2b5e3912a0e8 100644 --- a/tests/net/wireguard/t_interoperability.sh +++ b/tests/net/if_wg/t_interoperability.sh @@ -1,4 +1,4 @@ -# $NetBSD: t_interoperability.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: t_interoperability.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $ # # Copyright (c) 2018 Ryota Ozaki # All rights reserved. 
@@ -34,12 +34,12 @@ atf_test_case wg_interoperability_basic cleanup wg_interoperability_basic_head() { - atf_set "descr" "tests of interoperability messages of the WireGuard protocol" + atf_set "descr" "tests of interoperability with the WireGuard protocol" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } # -# Set ATF_WIREGUARD_INTEROPERABILITY=yes to run the test. +# Set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test. # Also to run the test, the following setups are required on the host and a peer. # # [Host] @@ -78,12 +78,12 @@ wg_interoperability_basic_body() local port=52428 local outfile=./out - if [ "$ATF_WIREGUARD_INTEROPERABILITY" != yes ]; then - atf_skip "set ATF_WIREGUARD_INTEROPERABILITY=yes to run the test" + if [ "$ATF_NET_IF_WG_INTEROPERABILITY" != yes ]; then + atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test" fi export RUMP_SERVER=$SOCK_LOCAL - rump_server_crypto_start $SOCK_LOCAL virtif wireguard netinet6 + rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 atf_check -s exit:0 rump.ifconfig virt0 create atf_check -s exit:0 rump.ifconfig virt0 $ip_local/24 @@ -116,7 +116,7 @@ atf_test_case wg_interoperability_cookie cleanup wg_interoperability_cookie_head() { - atf_set "descr" "tests of interoperability messages of the WireGuard protocol" + atf_set "descr" "tests of interoperability with the WireGuard protocol" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } 
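Review bot: The guard in wg_interoperability_basic_body (`@@ -78` hunk) now tests `ATF_NET_IF_WG_INTEROPERABILITY`, so an environment that still exports the old `ATF_WIREGUARD_INTEROPERABILITY=yes` falls into `atf_skip` and the interoperability tests stop running without any failure being reported. The same applies to wg_interoperability_cookie_body and to the `ATF_NET_IF_WG_USERSPACE` guard in wg_userspace_basic_body in the later hunks of this file. Because these are the tests described as checking interoperability with the WireGuard protocol, I would either accept the old names for a transition period or name the rename in the skip text, e.g. `atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes (formerly ATF_WIREGUARD_INTEROPERABILITY) to run the test"`. The function bodies continue outside the hunks.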
@@ -137,12 +137,12 @@ wg_interoperability_cookie_body() local outfile=./out local rekey_timeout=5 # default - if [ "$ATF_WIREGUARD_INTEROPERABILITY" != yes ]; then - atf_skip "set ATF_WIREGUARD_INTEROPERABILITY=yes to run the test" + if [ "$ATF_NET_IF_WG_INTEROPERABILITY" != yes ]; then + atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test" fi export RUMP_SERVER=$SOCK_LOCAL - rump_server_crypto_start $SOCK_LOCAL virtif wireguard netinet6 + rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 atf_check -s exit:0 rump.ifconfig virt0 create atf_check -s exit:0 rump.ifconfig virt0 $ip_local/24 @@ -159,7 +159,7 @@ wg_interoperability_cookie_body() # Emulate load to send back a cookie on receiving a response message atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.force_underload=1 + rump.sysctl -w net.wg.force_underload=1 add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 @@ -188,12 +188,12 @@ atf_test_case wg_userspace_basic cleanup wg_userspace_basic_head() { - atf_set "descr" "tests of userspace implementation of WireGuard" + atf_set "descr" "tests of userspace implementation of wg(4)" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } # -# Set ATF_WIREGUARD_USERSPACE=yes to run the test. +# Set ATF_NET_IF_WG_USERSPACE=yes to run the test. # Also to run the test, the following setups are required on the host and a peer. # # [Host] 
@@ -233,12 +233,12 @@ wg_userspace_basic_body() local port_peer=52428 local outfile=./out - if [ "$ATF_WIREGUARD_USERSPACE" != yes ]; then - atf_skip "set ATF_WIREGUARD_USERSPACE=yes to run the test" + if [ "$ATF_NET_IF_WG_USERSPACE" != yes ]; then + atf_skip "set ATF_NET_IF_WG_USERSPACE=yes to run the test" fi export RUMP_SERVER=$SOCK_LOCAL - rump_server_crypto_start $SOCK_LOCAL virtif wireguard netinet6 + rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 $DEBUG && netstat -nr -f inet diff --git a/tests/net/wireguard/t_misc.sh b/tests/net/if_wg/t_misc.sh similarity index 93% rename from tests/net/wireguard/t_misc.sh rename to tests/net/if_wg/t_misc.sh index f5f2f44ceb97..8f6936bec539 100644 --- a/tests/net/wireguard/t_misc.sh +++ b/tests/net/if_wg/t_misc.sh @@ -1,4 +1,4 @@ -# $NetBSD: t_misc.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: t_misc.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $ # # Copyright (c) 2018 Ryota Ozaki # All rights reserved. @@ -34,7 +34,7 @@ atf_test_case wg_rekey cleanup wg_rekey_head() { - atf_set "descr" "tests of rekeying of WireGuard" + atf_set "descr" "tests of rekeying of wg(4)" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } @@ -54,10 +54,10 @@ wg_rekey_body() export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.rekey_after_time=$rekey_after_time + rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time export RUMP_SERVER=$SOCK_PEER atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.rekey_after_time=$rekey_after_time + rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer generate_keys 
@@ -128,7 +128,7 @@ atf_test_case wg_handshake_timeout cleanup wg_handshake_timeout_head() { - atf_set "descr" "tests of handshake timeout of WireGuard" + atf_set "descr" "tests of handshake timeout of wg(4)" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } @@ -152,14 +152,14 @@ wg_handshake_timeout_body() export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.rekey_timeout=$rekey_timeout + rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.rekey_attempt_time=$rekey_attempt_time + rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time export RUMP_SERVER=$SOCK_PEER atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.rekey_timeout=$rekey_timeout + rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.rekey_attempt_time=$rekey_attempt_time + rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer generate_keys @@ -220,7 +220,7 @@ atf_test_case wg_cookie cleanup wg_cookie_head() { - atf_set "descr" "tests of cookie messages of the WireGuard protocol" + atf_set "descr" "tests of cookie messages of the wg(4) protocol" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } @@ -259,7 +259,7 @@ wg_cookie_body() export RUMP_SERVER=$SOCK_PEER # Emulate load on the peer atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.force_underload=1 + rump.sysctl -w net.wg.force_underload=1 export RUMP_SERVER=$SOCK_LOCAL @@ -306,7 +306,7 @@ atf_test_case wg_mobility cleanup wg_mobility_head() { - atf_set "descr" "tests of the mobility of WireGuard" + atf_set "descr" "tests of the mobility of wg(4)" atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" } 
@@ -441,7 +441,7 @@ wg_keepalive_body() # Shorten keepalive_timeout of the peer atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.keepalive_timeout=$keepalive_timeout + rump.sysctl -w net.wg.keepalive_timeout=$keepalive_timeout export RUMP_SERVER=$SOCK_LOCAL @@ -505,10 +505,10 @@ wg_psk_body() export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.rekey_after_time=$rekey_after_time + rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time export RUMP_SERVER=$SOCK_PEER atf_check -s exit:0 -o ignore \ - rump.sysctl -w net.wireguard.rekey_after_time=$rekey_after_time + rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer generate_keys diff --git a/tests/net/wireguard/t_tunnel.sh b/tests/net/if_wg/t_tunnel.sh similarity index 97% rename from tests/net/wireguard/t_tunnel.sh rename to tests/net/if_wg/t_tunnel.sh index 6ab7fe18f09c..817ae6b5c1d8 100644 --- a/tests/net/wireguard/t_tunnel.sh +++ b/tests/net/if_wg/t_tunnel.sh @@ -1,4 +1,4 @@ -# $NetBSD: t_tunnel.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $ +# $NetBSD: t_tunnel.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $ # # Copyright (c) 2018 Ryota Ozaki # All rights reserved. @@ -45,11 +45,11 @@ setup_servers() rump_server_start $SOCK_LOCAL netinet6 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL - rump_server_crypto_start $SOCK_TUN_LOCAL netinet6 wireguard + rump_server_crypto_start $SOCK_TUN_LOCAL netinet6 wg rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUN - rump_server_crypto_start $SOCK_TUN_PEER netinet6 wireguard + rump_server_crypto_start $SOCK_TUN_PEER netinet6 wg rump_server_add_iface $SOCK_TUN_PEER shmif0 $BUS_PEER rump_server_add_iface $SOCK_TUN_PEER shmif1 $BUS_TUN 
@@ -300,7 +300,7 @@ add_tunnel_test() local ipv6=inet6 name="wg_tunnel_${inner}_over_${outer}" - fulldesc="Test WireGuard with ${inner} over ${outer}" + fulldesc="Test wg(4) with ${inner} over ${outer}" eval inner=\$$inner eval outer=\$$outer diff --git a/usr.sbin/wg-keygen/wg-keygen.8 b/usr.sbin/wg-keygen/wg-keygen.8 index ea6114c67a0c..c457b7bfda0c 100644 --- a/usr.sbin/wg-keygen/wg-keygen.8 +++ b/usr.sbin/wg-keygen/wg-keygen.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: wg-keygen.8,v 1.2 2020/08/20 21:36:00 riastradh Exp $ +.\" $NetBSD: wg-keygen.8,v 1.3 2020/08/26 16:03:42 riastradh Exp $ .\" .\" Copyright (C) Ryota Ozaki .\" All rights reserved. @@ -33,7 +33,7 @@ .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh NAME .Nm wg-keygen -.Nd generate keys for WireGuard interfaces +.Nd generate keys for wg interfaces .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh SYNOPSIS .Nm @@ -42,7 +42,8 @@ .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh DESCRIPTION .Nm -generates keys for WireGuard. +generates keys for +.Xr wg 4 . .Bl -tag -width abcd .It Nm Generate a private key and print it to standard output. diff --git a/usr.sbin/wg-userspace/wg-userspace.8 b/usr.sbin/wg-userspace/wg-userspace.8 index db86f14dd1c8..0cf814b83fa7 100644 --- a/usr.sbin/wg-userspace/wg-userspace.8 +++ b/usr.sbin/wg-userspace/wg-userspace.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: wg-userspace.8,v 1.2 2020/08/20 22:17:16 riastradh Exp $ +.\" $NetBSD: wg-userspace.8,v 1.3 2020/08/26 16:03:42 riastradh Exp $ .\" .\" Copyright (C) Ryota Ozaki .\" All rights reserved. @@ -33,7 +33,7 @@ .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh NAME .Nm wg-userspace -.Nd manipulate WireGuard userspace instances +.Nd manipulate wg userspace instances (EXPERIMENTAL) .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh SYNOPSIS .Ar id 
@@ -42,39 +42,45 @@ .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh DESCRIPTION .Nm -is used to create, destroy and configure WireGuard userspace instances. +is used to create, destroy and configure +.Xr wg 4 +userspace instances. +.Pp +.Sy WARNING: +.Nm +is experimental. .Pp The following commands are supported: .Bl -tag -width "destroy" .It Cm create -Create a WireGuard interface. +Create an interface. The interface will appear as .Li tun Ns Ar id to the rest of the system, and will be served by a rump server in whose context the interface appears as .Li wg Ns Ar id . .It Cm destroy -Destroy a WireGuard interface and stop the rump server behind it. +Destroy an interface and stop the rump server behind it. .It Cm ifconfig Ar wgN Ar args... Run .Xr ifconfig 8 -in the context of the WireGuard interface's rump server. +in the context of the interface's rump server. For example, .Bd -literal -compact # wg-userspace 0 ifconfig wg0 10.0.1.0/24 .Ed -will set the WireGuard interface's IP address. +will set the interface's IP address. .It Cm wgconfig Ar wgN Ar args... Run .Xr wgconfig 8 -in the context of the WireGuard interface's rump server. +in the context of the interface's rump server. For example, .Bd -literal -compact # wg-userspace 0 wgconfig wg0 set listen-port 1234 .Ed -will set the WireGuard interface's listening port. +will set the interface's listening port. .It Cm debug Ar command Op Ar args... -Run an arbitrary command in the context of the WireGuard interface's +Run an arbitrary command in the context of the interface's rump server, using .Xr rumphijack 3 . .El diff --git a/usr.sbin/wg-userspace/wg-userspace.sh b/usr.sbin/wg-userspace/wg-userspace.sh index dbfe3907a8d7..caedce12f0d1 100644 --- a/usr.sbin/wg-userspace/wg-userspace.sh +++ b/usr.sbin/wg-userspace/wg-userspace.sh 
@@ -2,7 +2,7 @@ RUMPLIBS="-lrumpnet -lrumpnet_net -lrumpnet_netinet \ -lrumpdev -lrumpvfs -lrumpdev_opencrypto -lrumpkern_z \ - -lrumpkern_crypto -lrumpnet_wireguard -lrumpnet_netinet6" + -lrumpkern_crypto -lrumpnet_wg -lrumpnet_netinet6" HIJACKING="env LD_PRELOAD=/usr/lib/librumphijack.so \ RUMPHIJACK=path=/rump,socket=all:nolocal,sysctl=yes" diff --git a/usr.sbin/wgconfig/wgconfig.8 b/usr.sbin/wgconfig/wgconfig.8 index c687c8c0c04e..a4f5e3f6e488 100644 --- a/usr.sbin/wgconfig/wgconfig.8 +++ b/usr.sbin/wgconfig/wgconfig.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: wgconfig.8,v 1.9 2020/08/21 03:44:58 uwe Exp $ +.\" $NetBSD: wgconfig.8,v 1.10 2020/08/26 16:03:42 riastradh Exp $ .\" .\" Copyright (C) Ryota Ozaki .\" All rights reserved. @@ -33,7 +33,7 @@ .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh NAME .Nm wgconfig -.Nd configure WireGuard interface parameters +.Nd configure wg interface parameters .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .Sh SYNOPSIS .Nm @@ -74,7 +74,7 @@ .Sh DESCRIPTION The .Nm -utility is used to configure or display a WireGuard +utility is used to configure or display a .Xr wg 4 interface's parameters and status. Every @@ -91,7 +91,7 @@ have a fixed endpoint IP address and a preshared secret key. The following commands are supported: .Bl -tag -width abcd .It Cm "show all" -Show all WireGuard peers. +Show all peers. No secret keys are included in the output. .It Cm "show peer" Ar name Op Fl Fl show-preshared-key Show the peer named @@ -117,7 +117,7 @@ to the base64-encoded private key in the file at .It Cm "set listen-port" Ar port Set the UDP port number that .Li wg Ns Ar N\| -listens for incoming WireGuard sessions on. +listens for incoming sessions on. This allows a peer to start a new session without having a specific endpoint IP address configured. .It Cm "add peer" Ar name Ar pubkey Op Ar options ... 
@@ -146,14 +146,16 @@ Set a secret preshared key generated by If the preshared key can be arranged in advance on a medium not subject to eavesdropping, then it defends against possible future quantum cryptanalysis of the X25519 key agreement. -WireGuard still uses X25519 key agreements in order to erase past +.Nm +still uses X25519 key agreements in order to erase past session keys so that past session transcripts remain secret should one of the endpoints be compromised in the future; the preshared key is an additional measure on top. .It Fl Fl endpoint Ns Li \&= Ns Ar ip Ns Li \&: Ns Ar port Set the peer's endpoint address outside the tunnel. -This is optional for a VPN server if the WireGuard interface is -configured to listen on a port number. +This is optional for a VPN server if the +.Nm +interface is configured to listen on a port number. .It Fl Fl allowed-ips Ns Li \&= Ns Ar ip1 Ns Li \&/ Ns Ar cidr1 Ns \ Op Li \&, Ns Ar ip2 Ns Li \&/ Ns Ar cidr2 Ns Li \&, Ns Ar ... Set the IP address ranges that the peer is allowed to select inside the
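Review bot: In this page `.Nm` renders as wgconfig (see `.Nm wgconfig` under NAME), so the replaced sentence now reads "wgconfig still uses X25519 key agreements". That attributes the key agreement to the configuration utility rather than to the interface, and the endpoint paragraph likewise becomes "the wgconfig interface". The DESCRIPTION hunk of the same file already refers to the interface with `.Xr wg 4`, so I would use `.Xr wg 4` in both places instead of `.Nm`. This paragraph explains what the preshared key does and does not protect, so its subject should be the component that performs the handshake.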