Clarify wg(4)'s relation to WireGuard, pending further discussion.
Still planning to replace wgconfig(8) and wg-keygen(8) by one wg(8) tool compatible with wireguard-tools; update wg(4) for the minor changes from the 2018-06-30 spec to the 2020-06-01 spec; &c. This just clarifies the current state of affairs as it exists in the development tree for now. Mark the man page EXPERIMENTAL for extra clarity.
parent
14c8a2247f
commit
25154f5f0c
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: shl.mi,v 1.896 2020/08/20 21:28:00 riastradh Exp $
|
||||
# $NetBSD: shl.mi,v 1.897 2020/08/26 16:03:40 riastradh Exp $
|
||||
#
|
||||
# Note: Don't delete entries from here - mark them as "obsolete" instead,
|
||||
# unless otherwise stated below.
|
||||
|
@ -832,9 +832,12 @@
|
|||
./usr/lib/librumpnet_vlan.so base-rump-shlib rump
|
||||
./usr/lib/librumpnet_vlan.so.0 base-rump-shlib rump
|
||||
./usr/lib/librumpnet_vlan.so.0.0 base-rump-shlib rump
|
||||
./usr/lib/librumpnet_wireguard.so base-rump-shlib rump
|
||||
./usr/lib/librumpnet_wireguard.so.0 base-rump-shlib rump
|
||||
./usr/lib/librumpnet_wireguard.so.0.0 base-rump-shlib rump
|
||||
./usr/lib/librumpnet_wg.so base-rump-shlib rump
|
||||
./usr/lib/librumpnet_wg.so.0 base-rump-shlib rump
|
||||
./usr/lib/librumpnet_wg.so.0.0 base-rump-shlib rump
|
||||
./usr/lib/librumpnet_wireguard.so base-obsolete obsolete
|
||||
./usr/lib/librumpnet_wireguard.so.0 base-obsolete obsolete
|
||||
./usr/lib/librumpnet_wireguard.so.0.0 base-obsolete obsolete
|
||||
./usr/lib/librumpres.so base-rumpclient-shlib compatfile,rump
|
||||
./usr/lib/librumpres.so.0 base-rumpclient-shlib compatfile,rump
|
||||
./usr/lib/librumpres.so.0.0 base-rumpclient-shlib compatfile,rump
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: mi,v 1.2344 2020/08/20 21:28:00 riastradh Exp $
|
||||
# $NetBSD: mi,v 1.2345 2020/08/26 16:03:40 riastradh Exp $
|
||||
#
|
||||
# Note: don't delete entries from here - mark them as "obsolete" instead.
|
||||
./etc/mtree/set.comp comp-sys-root
|
||||
|
@ -3867,8 +3867,10 @@
|
|||
./usr/lib/librumpnet_virtif_p.a comp-c-proflib rump,profile
|
||||
./usr/lib/librumpnet_vlan.a comp-c-lib rump
|
||||
./usr/lib/librumpnet_vlan_p.a comp-c-proflib rump,profile
|
||||
./usr/lib/librumpnet_wireguard.a comp-c-lib rump
|
||||
./usr/lib/librumpnet_wireguard_p.a comp-c-proflib rump,profile
|
||||
./usr/lib/librumpnet_wg.a comp-c-lib rump
|
||||
./usr/lib/librumpnet_wg_p.a comp-c-proflib rump,profile
|
||||
./usr/lib/librumpnet_wireguard.a comp-obsolete obsolete
|
||||
./usr/lib/librumpnet_wireguard_p.a comp-obsolete obsolete
|
||||
./usr/lib/librumpres.a comp-c-lib compatfile,rump
|
||||
./usr/lib/librumpres_p.a comp-c-proflib compatfile,rump,profile
|
||||
./usr/lib/librumpuser.a comp-c-lib compatfile,rump
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: shl.mi,v 1.337 2020/08/20 21:28:00 riastradh Exp $
|
||||
# $NetBSD: shl.mi,v 1.338 2020/08/26 16:03:40 riastradh Exp $
|
||||
#
|
||||
# Note: don't delete entries from here - mark them as "obsolete" instead.
|
||||
#
|
||||
|
@ -248,7 +248,8 @@
|
|||
./usr/lib/librumpnet_tun_pic.a comp-c-piclib picinstall,rump
|
||||
./usr/lib/librumpnet_virtif_pic.a comp-c-piclib picinstall,rump
|
||||
./usr/lib/librumpnet_vlan_pic.a comp-c-piclib picinstall,rump
|
||||
./usr/lib/librumpnet_wireguard_pic.a comp-c-piclib picinstall,rump
|
||||
./usr/lib/librumpnet_wg_pic.a comp-c-piclib picinstall,rump
|
||||
./usr/lib/librumpnet_wireguard_pic.a comp-obsolete obsolete
|
||||
./usr/lib/librumpres_pic.a comp-c-piclib compatfile,picinstall,rump
|
||||
./usr/lib/librumpuser_pic.a comp-c-piclib compatfile,picinstall,rump
|
||||
./usr/lib/librumpvfs_aio_pic.a comp-c-piclib picinstall,rump
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: mi,v 1.329 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: mi,v 1.330 2020/08/26 16:03:41 riastradh Exp $
|
||||
./etc/mtree/set.debug comp-sys-root
|
||||
./usr/lib comp-sys-usr compatdir
|
||||
./usr/lib/i18n/libBIG5_g.a comp-c-debuglib debuglib,compatfile
|
||||
|
@ -237,7 +237,8 @@
|
|||
./usr/lib/librumpnet_tun_g.a comp-c-debuglib debuglib,rump
|
||||
./usr/lib/librumpnet_virtif_g.a comp-c-debuglib debuglib,rump
|
||||
./usr/lib/librumpnet_vlan_g.a comp-c-debuglib debuglib,rump
|
||||
./usr/lib/librumpnet_wireguard_g.a comp-c-debuglib debuglib,rump
|
||||
./usr/lib/librumpnet_wg_g.a comp-c-debuglib debuglib,rump
|
||||
./usr/lib/librumpnet_wireguard_g.a comp-obsolete obsolete
|
||||
./usr/lib/librumpres_g.a comp-c-debuglib debuglib,compatfile,rump
|
||||
./usr/lib/librumpuser_g.a comp-c-debuglib debuglib,compatfile,rump
|
||||
./usr/lib/librumpvfs_aio_g.a comp-c-debuglib debuglib,rump
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: shl.mi,v 1.258 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: shl.mi,v 1.259 2020/08/26 16:03:41 riastradh Exp $
|
||||
./usr/lib/libbfd_g.a comp-c-debuglib debuglib,compatfile,binutils
|
||||
./usr/libdata/debug/lib base-sys-usr debug,dynamicroot,compatdir
|
||||
./usr/libdata/debug/lib/libavl.so.0.0.debug comp-zfs-debug debug,dynamicroot,zfs
|
||||
|
@ -290,7 +290,8 @@
|
|||
./usr/libdata/debug/usr/lib/librumpnet_tun.so.0.0.debug comp-rump-debug debug,rump
|
||||
./usr/libdata/debug/usr/lib/librumpnet_virtif.so.0.0.debug comp-rump-debug debug,rump
|
||||
./usr/libdata/debug/usr/lib/librumpnet_vlan.so.0.0.debug comp-rump-debug debug,rump
|
||||
./usr/libdata/debug/usr/lib/librumpnet_wireguard.so.0.0.debug comp-rump-debug debug,rump
|
||||
./usr/libdata/debug/usr/lib/librumpnet_wg.so.0.0.debug comp-rump-debug debug,rump
|
||||
./usr/libdata/debug/usr/lib/librumpnet_wireguard.so.0.0.debug comp-obsolete obsolete
|
||||
./usr/libdata/debug/usr/lib/librumpres.so.0.0.debug comp-rump-debug debug,compatfile,rump
|
||||
./usr/libdata/debug/usr/lib/librumpuser.so.0.1.debug comp-rump-debug debug,compatfile,rump
|
||||
./usr/libdata/debug/usr/lib/librumpvfs.so.0.0.debug comp-rump-debug debug,compatfile,rump
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: mi,v 1.906 2020/08/24 18:41:22 riastradh Exp $
|
||||
# $NetBSD: mi,v 1.907 2020/08/26 16:03:41 riastradh Exp $
|
||||
#
|
||||
# Note: don't delete entries from here - mark them as "obsolete" instead.
|
||||
#
|
||||
|
@ -3866,13 +3866,20 @@
|
|||
./usr/tests/net/if_vlan/Kyuafile tests-net-tests atf,rump,kyua
|
||||
./usr/tests/net/if_vlan/siocXmulti tests-net-tests atf,rump
|
||||
./usr/tests/net/if_vlan/t_vlan tests-net-tests atf,rump
|
||||
./usr/tests/net/wireguard tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/wireguard/Atffile tests-net-tests atf,rump
|
||||
./usr/tests/net/wireguard/Kyuafile tests-net-tests atf,rump,kyua
|
||||
./usr/tests/net/wireguard/t_basic tests-net-tests atf,rump
|
||||
./usr/tests/net/wireguard/t_interoperability tests-net-tests atf,rump
|
||||
./usr/tests/net/wireguard/t_misc tests-net-tests atf,rump
|
||||
./usr/tests/net/wireguard/t_tunnel tests-net-tests atf,rump
|
||||
./usr/tests/net/if_wg tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/if_wg/Atffile tests-net-tests atf,rump
|
||||
./usr/tests/net/if_wg/Kyuafile tests-net-tests atf,rump,kyua
|
||||
./usr/tests/net/if_wg/t_basic tests-net-tests atf,rump
|
||||
./usr/tests/net/if_wg/t_interoperability tests-net-tests atf,rump
|
||||
./usr/tests/net/if_wg/t_misc tests-net-tests atf,rump
|
||||
./usr/tests/net/if_wg/t_tunnel tests-net-tests atf,rump
|
||||
./usr/tests/net/wireguard tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/Atffile tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/Kyuafile tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/t_basic tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/t_interoperability tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/t_misc tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/t_tunnel tests-obsolete obsolete
|
||||
./usr/tests/net/in_cksum tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/in_cksum/Atffile tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/in_cksum/Kyuafile tests-net-tests compattestfile,atf,kyua
|
||||
|
@ -3953,10 +3960,14 @@
|
|||
./usr/tests/net/sys/t_listen tests-obsolete obsolete
|
||||
./usr/tests/net/sys/t_rfc6056 tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/sys/t_socketpair tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/wireguard/Atffile tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/wireguard/Kyuafile tests-net-tests compattestfile,atf,kyua
|
||||
./usr/tests/net/wireguard/t_basic tests-net-tests atf,rump
|
||||
./usr/tests/net/if_wg tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/if_wg/Atffile tests-net-tests compattestfile,atf
|
||||
./usr/tests/net/if_wg/Kyuafile tests-net-tests compattestfile,atf,kyua
|
||||
./usr/tests/net/if_wg/t_basic tests-net-tests atf,rump
|
||||
./usr/tests/net/wireguard tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/Atffile tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/Kyuafile tests-obsolete obsolete
|
||||
./usr/tests/net/wireguard/t_basic tests-obsolete obsolete
|
||||
./usr/tests/opencrypto tests-obsolete obsolete
|
||||
./usr/tests/rump tests-rump-tests compattestfile,atf
|
||||
./usr/tests/rump/Atffile tests-rump-tests atf,rump
|
||||
|
|
|
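Review bot: this second hunk of the tests set list re-adds entries the first hunk (@ -3866) already adds, so the new file lists ./usr/tests/net/if_wg, if_wg/Atffile, if_wg/Kyuafile and if_wg/t_basic twice, and the four ./usr/tests/net/wireguard obsolete entries twice as well, with the Atffile and Kyuafile flags disagreeing between the copies (`atf,rump` in the first hunk, `compattestfile,atf` here). The duplication was inherited from the original wireguard entries, but the rename is the moment to drop this second block and keep one entry per path with one set of flags; duplicate paths in a set list trigger duplicate-entry complaints from the set checks and leave it ambiguous which flags apply to the obsolete marking.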
@ -1,4 +1,4 @@
|
|||
# LIST OF CHANGES FROM LAST RELEASE: <$Revision: 1.2732 $>
|
||||
# LIST OF CHANGES FROM LAST RELEASE: <$Revision: 1.2733 $>
|
||||
#
|
||||
#
|
||||
# [Note: This file does not mention every change made to the NetBSD source tree.
|
||||
|
@ -273,4 +273,4 @@ Changes from NetBSD 9.0 to NetBSD 10.0:
|
|||
kernel: Add getrandom system call. [riastradh 20200813]
|
||||
kernel: Disable COMPAT_LINUX by default [jdolecek 20200816]
|
||||
mips: Port crash(8) to mips. [mrg 20200816]
|
||||
wg(4): Add support for WireGuard. [ozaki-r 20200820]
|
||||
wg(4): Add implementation of WireGuard protocol. [ozaki-r 20200820]
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: NetBSD.dist.tests,v 1.175 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: NetBSD.dist.tests,v 1.176 2020/08/26 16:03:41 riastradh Exp $
|
||||
|
||||
./usr/libdata/debug/usr/tests
|
||||
./usr/libdata/debug/usr/tests/atf
|
||||
|
@ -358,6 +358,7 @@
|
|||
./usr/tests/net/if_tap
|
||||
./usr/tests/net/if_tun
|
||||
./usr/tests/net/if_vlan
|
||||
./usr/tests/net/if_wg
|
||||
./usr/tests/net/in_cksum
|
||||
./usr/tests/net/ipsec
|
||||
./usr/tests/net/mcast
|
||||
|
@ -367,7 +368,6 @@
|
|||
./usr/tests/net/npf
|
||||
./usr/tests/net/route
|
||||
./usr/tests/net/sys
|
||||
./usr/tests/net/wireguard
|
||||
./usr/tests/rump
|
||||
./usr/tests/rump/modautoload
|
||||
./usr/tests/rump/rumpkern
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: wg.4,v 1.4 2020/08/21 08:09:55 wiz Exp $
|
||||
.\" $NetBSD: wg.4,v 1.5 2020/08/26 16:03:41 riastradh Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2020 The NetBSD Foundation, Inc.
|
||||
.\" All rights reserved.
|
||||
|
@ -30,7 +30,7 @@
|
|||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh NAME
|
||||
.Nm wg
|
||||
.Nd WireGuard virtual private network
|
||||
.Nd virtual private network tunnel (EXPERIMENTAL)
|
||||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh SYNOPSIS
|
||||
.Cd pseudo-device wg
|
||||
|
@ -38,12 +38,16 @@
|
|||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
interface implements the WireGuard point-to-point roaming-capable
|
||||
virtual private network tunnel, configured with
|
||||
interface implements a point-to-point roaming-capable virtual private
|
||||
network tunnel, configured with
|
||||
.Xr ifconfig 8
|
||||
and
|
||||
.Xr wgconfig 8 .
|
||||
.Pp
|
||||
.Sy WARNING:
|
||||
.Nm
|
||||
is experimental.
|
||||
.Pp
|
||||
Packets exchanged on a
|
||||
.Nm
|
||||
interface are authenticated and encrypted with a secret key negotiated
|
||||
|
@ -91,14 +95,14 @@ Stationary server: Roaming client:
|
|||
.Pp
|
||||
Generate key pairs on A and B:
|
||||
.Bd -literal -offset abcd
|
||||
A# wg-keygen > /etc/wireguard/wg0
|
||||
A# wg-keygen --pub < /etc/wireguard/wg0 > /etc/wireguard/wg0.pub
|
||||
A# cat /etc/wireguard/wg0.pub
|
||||
A# wg-keygen > /etc/wg/wg0
|
||||
A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
|
||||
A# cat /etc/wg/wg0.pub
|
||||
N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y=
|
||||
|
||||
B# wg-keygen > /etc/wireguard/wg0
|
||||
B# wg-keygen --pub < /etc/wireguard/wg0 > /etc/wireguard/wg0.pub
|
||||
B# cat /etc/wireguard/wg0.pub
|
||||
B# wg-keygen > /etc/wg/wg0
|
||||
B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
|
||||
B# cat /etc/wg/wg0.pub
|
||||
X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=
|
||||
.Ed
|
||||
.Pp
|
||||
|
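Review bot: missing documentation in the key-generation example: `wg-keygen > /etc/wg/wg0` writes the interface's private key through a plain shell redirection, so the file is created with whatever the shell's umask allows, and /etc/wg must already exist. Suggest stating that the directory has to be created first and that the private key must be readable only by root, for instance by running `umask 077` before the redirections or by giving the expected mode of /etc/wg/wg0. Separately, since the commit message still plans a wireguard-tools-compatible wg(8), and /etc/wireguard is the directory wireguard-tools users expect, a one-line note that the path may change would fit the EXPERIMENTAL marking added in this same commit.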
@ -106,7 +110,7 @@ Configure A to listen on port 1234 and allow connections from B to
|
|||
appear in the 10.0.1.0/24 subnet:
|
||||
.Bd -literal -offset abcd
|
||||
A# ifconfig wg0 create 10.0.1.0/24
|
||||
A# wgconfig wg0 set private-key /etc/wireguard/wg0
|
||||
A# wgconfig wg0 set private-key /etc/wg/wg0
|
||||
A# wgconfig wg0 set listen-port 1234
|
||||
A# wgconfig wg0 add peer B \e
|
||||
X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e
|
||||
|
@ -121,7 +125,7 @@ Configure B to connect to A at 1.2.3.4 on port 1234 and the packets can
|
|||
begin to flow:
|
||||
.Bd -literal -offset abcd
|
||||
B# ifconfig wg0 create 10.0.1.1/24
|
||||
B# wgconfig wg0 set private-key /etc/wireguard/wg0
|
||||
B# wgconfig wg0 set private-key /etc/wg/wg0
|
||||
B# wgconfig wg0 add peer A \e
|
||||
N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e
|
||||
--allowed-ips=10.0.1.0/32 \e
|
||||
|
@ -139,9 +143,19 @@ PING 10.0.1.0 (10.0.1.0): 56 data bytes
|
|||
.Sh SEE ALSO
|
||||
.Xr wg-keygen 8 ,
|
||||
.Xr wgconfig 8
|
||||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh COMPATIBILITY
|
||||
The
|
||||
.Nm
|
||||
interface aims to be compatible with the WireGuard protocol, as
|
||||
described in:
|
||||
.Pp
|
||||
.Rs
|
||||
.%T WireGuard: fast, modern, secure VPN tunnel
|
||||
.%U https://www.wireguard.com/
|
||||
.%A Jason A. Donenfeld
|
||||
.%T WireGuard: Next Generation Kernel Network Tunnel
|
||||
.%U https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf
|
||||
.%O Document ID: 4846ada1492f5d92198df154f48c3d54205657bc
|
||||
.%D 2018-06-30
|
||||
.Re
|
||||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh HISTORY
|
||||
|
|
|
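Review bot: style point on the new COMPATIBILITY section: the conventional mdoc(7) section order places COMPATIBILITY before SEE ALSO (after DIAGNOSTICS), so `mandoc -Tlint` will flag the section as out of order; move the block above `.Sh SEE ALSO`. The reference itself is right to pin the archived 2018-06-30 paper and its document ID, since the commit message says the code still tracks that revision rather than the 2020-06-01 one, but "aims to be compatible with the WireGuard protocol, as described in:" reads as compatibility with the current protocol; saying "the 2018-06-30 revision of the protocol" in the prose would keep readers from assuming more than the code delivers.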
@ -1,4 +1,4 @@
|
|||
# $NetBSD: ALL,v 1.161 2020/08/20 21:36:11 riastradh Exp $
|
||||
# $NetBSD: ALL,v 1.162 2020/08/26 16:03:41 riastradh Exp $
|
||||
# From NetBSD: GENERIC,v 1.787 2006/10/01 18:37:54 bouyer Exp
|
||||
#
|
||||
# ALL machine description file
|
||||
|
@ -17,7 +17,7 @@ include "arch/amd64/conf/std.amd64"
|
|||
|
||||
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
|
||||
|
||||
#ident "ALL-$Revision: 1.161 $"
|
||||
#ident "ALL-$Revision: 1.162 $"
|
||||
|
||||
maxusers 64 # estimated number of users
|
||||
|
||||
|
@ -1641,7 +1641,7 @@ pseudo-device npf # NPF packet filter
|
|||
pseudo-device kttcp
|
||||
# srt is EXPERIMENTAL
|
||||
pseudo-device srt # source-address-based routing
|
||||
pseudo-device wg # WireGuard
|
||||
pseudo-device wg # VPN tunnel compatible with WireGuard
|
||||
|
||||
pseudo-device canloop # CAN loopback interface
|
||||
|
||||
|
|
|
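Review bot: style point: two lines above, `srt` carries an `# srt is EXPERIMENTAL` comment; now that wg(4) is marked EXPERIMENTAL in its man page and NAME line, the same convention applies here, e.g. `# wg is EXPERIMENTAL` on the line before `pseudo-device wg`, so someone building from this config sees the status without opening the manual.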
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: if_types.h,v 1.30 2020/08/20 21:21:32 riastradh Exp $ */
|
||||
/* $NetBSD: if_types.h,v 1.31 2020/08/26 16:03:41 riastradh Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1989, 1993, 1994
|
||||
|
@ -267,6 +267,5 @@
|
|||
#define IFT_CARP 0xf8 /* Common Address Redundancy Protocol */
|
||||
#define IFT_IPSEC 0xf9 /* IPsec I/F */
|
||||
#define IFT_MBIM 0xfa /* Mobile Broadband Interface Model */
|
||||
#define IFT_WIREGUARD 0xfb /* WireGuard */
|
||||
|
||||
#endif /* !_NET_IF_TYPES_H_ */
|
||||
|
|
|
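Review bot: removing `IFT_WIREGUARD 0xfb` deletes a value from a public header; it only went in on 2020-08-20 (v1.30 per the RCS id) and has not shipped in a release, so no installed binary depends on it, but together with the if_wg.c change to IFT_OTHER it means nothing in userland can tell a wg interface from any other pseudo-device by interface type any more. If the intent is to assign a proper IFT_ value once the naming is settled, a comment reserving 0xfb, or a pointer to that plan, would avoid a later collision with whatever next claims the slot.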
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: if_wg.c,v 1.23 2020/08/23 18:52:53 riastradh Exp $ */
|
||||
/* $NetBSD: if_wg.c,v 1.24 2020/08/26 16:03:41 riastradh Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
|
@ -30,20 +30,18 @@
|
|||
*/
|
||||
|
||||
/*
|
||||
* This is an implementation of WireGuard, a fast, modern, secure VPN protocol,
|
||||
* for the NetBSD kernel and rump kernels.
|
||||
*
|
||||
* The implementation is based on the paper of WireGuard as of 2018-06-30 [1].
|
||||
* The paper is referred in the source code with label [W]. Also the
|
||||
* specification of the Noise protocol framework as of 2018-07-11 [2] is
|
||||
* referred with label [N].
|
||||
* This network interface aims to implement the WireGuard protocol.
|
||||
* The implementation is based on the paper of WireGuard as of
|
||||
* 2018-06-30 [1]. The paper is referred in the source code with label
|
||||
* [W]. Also the specification of the Noise protocol framework as of
|
||||
* 2018-07-11 [2] is referred with label [N].
|
||||
*
|
||||
* [1] https://www.wireguard.com/papers/wireguard.pdf
|
||||
* [2] http://noiseprotocol.org/noise.pdf
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.23 2020/08/23 18:52:53 riastradh Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.24 2020/08/26 16:03:41 riastradh Exp $");
|
||||
|
||||
#ifdef _KERNEL_OPT
|
||||
#include "opt_inet.h"
|
||||
|
@ -120,7 +118,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.23 2020/08/23 18:52:53 riastradh Exp $")
|
|||
* Data structures
|
||||
* - struct wg_softc is an instance of wg interfaces
|
||||
* - It has a list of peers (struct wg_peer)
|
||||
* - It has a kthread that sends/receives WireGuard handshake messages and
|
||||
* - It has a kthread that sends/receives handshake messages and
|
||||
* runs event handlers
|
||||
* - It has its own two routing tables: one is for IPv4 and the other IPv6
|
||||
* - struct wg_peer is a representative of a peer
|
||||
|
@ -3346,7 +3344,7 @@ wg_if_attach(struct wg_softc *wg)
|
|||
wg->wg_if.if_output = wg_output;
|
||||
wg->wg_if.if_init = wg_init;
|
||||
wg->wg_if.if_stop = wg_stop;
|
||||
wg->wg_if.if_type = IFT_WIREGUARD;
|
||||
wg->wg_if.if_type = IFT_OTHER;
|
||||
wg->wg_if.if_dlt = DLT_NULL;
|
||||
wg->wg_if.if_softc = wg;
|
||||
IFQ_SET_READY(&wg->wg_if.if_snd);
|
||||
|
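Review bot: `wg->wg_if.if_type = IFT_OTHER` alongside `if_dlt = DLT_NULL` leaves the interface with the generic type; if this is meant to be temporary until a dedicated IFT_ value is reassigned, a comment at the assignment saying so would stop it being read as the final choice, and would tie the change to the commit message's "pending further discussion".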
@ -4399,14 +4397,14 @@ wg_stop(struct ifnet *ifp, int disable)
|
|||
}
|
||||
|
||||
#ifdef WG_DEBUG_PARAMS
|
||||
SYSCTL_SETUP(sysctl_net_wireguard_setup, "sysctl net.wireguard setup")
|
||||
SYSCTL_SETUP(sysctl_net_wg_setup, "sysctl net.wg setup")
|
||||
{
|
||||
const struct sysctlnode *node = NULL;
|
||||
|
||||
sysctl_createv(clog, 0, NULL, &node,
|
||||
CTLFLAG_PERMANENT,
|
||||
CTLTYPE_NODE, "wireguard",
|
||||
SYSCTL_DESCR("WireGuard"),
|
||||
CTLTYPE_NODE, "wg",
|
||||
SYSCTL_DESCR("wg(4)"),
|
||||
NULL, 0, NULL, 0,
|
||||
CTL_NET, CTL_CREATE, CTL_EOL);
|
||||
sysctl_createv(clog, 0, &node, NULL,
|
||||
|
|
|
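Review bot: the renamed `net.wg` node is created only under `#ifdef WG_DEBUG_PARAMS`, while the test scripts in this same commit write `net.wg.force_underload`, `net.wg.rekey_after_time`, `net.wg.rekey_timeout` and `net.wg.rekey_attempt_time` unconditionally, so the atf tests only pass against a rump library built with that option. Either document the build requirement next to the tests, or have the scripts check that the node exists and `atf_skip` when it does not, so a build without WG_DEBUG_PARAMS produces a clear skip rather than a failing `rump.sysctl -w`.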
@ -1,11 +1,11 @@
|
|||
# $NetBSD: Makefile.rumpnetcomp,v 1.21 2020/08/20 21:21:32 riastradh Exp $
|
||||
# $NetBSD: Makefile.rumpnetcomp,v 1.22 2020/08/26 16:03:41 riastradh Exp $
|
||||
#
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
RUMPNETCOMP= agr bridge net net80211 netbt netcan netinet netinet6 netipsec
|
||||
RUMPNETCOMP+= gif ipsec netmpls npf l2tp local pppoe shmif tap tun vlan
|
||||
RUMPNETCOMP+= wireguard
|
||||
RUMPNETCOMP+= wg
|
||||
|
||||
.if ${MKSLJIT} != "no" || make(rumpdescribe)
|
||||
RUMPNETCOMP+= bpfjit
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
# $NetBSD: Makefile,v 1.1 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: Makefile,v 1.1 2020/08/26 16:03:42 riastradh Exp $
|
||||
#
|
||||
|
||||
.PATH: ${.CURDIR}/../../../../net ${.CURDIR}/../../../../netinet \
|
||||
${.CURDIR}/../../../../netinet6
|
||||
|
||||
LIB= rumpnet_wireguard
|
||||
COMMENT= WireGuard
|
||||
LIB= rumpnet_wg
|
||||
COMMENT= virtual private network tunnel
|
||||
|
||||
IOCONF= WG.ioconf
|
||||
SRCS= if_wg.c
|
|
@ -0,0 +1,7 @@
|
|||
# $NetBSD: WG.ioconf,v 1.1 2020/08/26 16:03:42 riastradh Exp $
|
||||
|
||||
ioconf wg
|
||||
|
||||
include "conf/files"
|
||||
|
||||
pseudo-device wg
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: wg_component.c,v 1.1 2020/08/20 21:28:01 riastradh Exp $ */
|
||||
/* $NetBSD: wg_component.c,v 1.1 2020/08/26 16:03:42 riastradh Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2015 Internet Initiative Japan Inc.
|
||||
|
@ -27,7 +27,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: wg_component.c,v 1.1 2020/08/20 21:28:01 riastradh Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: wg_component.c,v 1.1 2020/08/26 16:03:42 riastradh Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: wg_user.c,v 1.1 2020/08/20 21:28:01 riastradh Exp $ */
|
||||
/* $NetBSD: wg_user.c,v 1.1 2020/08/26 16:03:42 riastradh Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
|
@ -29,7 +29,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: wg_user.c,v 1.1 2020/08/20 21:28:01 riastradh Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: wg_user.c,v 1.1 2020/08/26 16:03:42 riastradh Exp $");
|
||||
|
||||
#ifndef _KERNEL
|
||||
#include <sys/types.h>
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: wg_user.h,v 1.1 2020/08/20 21:28:01 riastradh Exp $ */
|
||||
/* $NetBSD: wg_user.h,v 1.1 2020/08/26 16:03:42 riastradh Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
|
|
@ -1,7 +0,0 @@
|
|||
# $NetBSD: WG.ioconf,v 1.1 2020/08/20 21:28:01 riastradh Exp $
|
||||
|
||||
ioconf wg
|
||||
|
||||
include "conf/files"
|
||||
|
||||
pseudo-device wg
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: Makefile,v 1.35 2020/08/20 21:21:32 riastradh Exp $
|
||||
# $NetBSD: Makefile,v 1.36 2020/08/26 16:03:42 riastradh Exp $
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
|
@ -8,7 +8,7 @@ TESTS_SUBDIRS= fdpass in_cksum net sys
|
|||
.if (${MKRUMP} != "no") && !defined(BSD_MK_COMPAT_FILE)
|
||||
TESTS_SUBDIRS+= arp bpf bpfilter can carp icmp if if_bridge if_gif
|
||||
TESTS_SUBDIRS+= if_ipsec if_l2tp if_loop if_pppoe if_tap if_tun ipsec
|
||||
TESTS_SUBDIRS+= mcast mpls ndp npf route if_vlan wireguard
|
||||
TESTS_SUBDIRS+= mcast mpls ndp npf route if_vlan if_wg
|
||||
.if (${MKSLJIT} != "no")
|
||||
TESTS_SUBDIRS+= bpfjit
|
||||
.endif
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
# $NetBSD: Makefile,v 1.1 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: Makefile,v 1.1 2020/08/26 16:03:42 riastradh Exp $
|
||||
#
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
TESTSDIR= ${TESTSBASE}/net/wireguard
|
||||
TESTSDIR= ${TESTSBASE}/net/if_wg
|
||||
|
||||
.for name in basic interoperability misc tunnel
|
||||
TESTS_SH+= t_${name}
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: common.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: common.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $
|
||||
#
|
||||
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
# All rights reserved.
|
||||
|
@ -34,10 +34,10 @@ escape_key()
|
|||
setup_servers()
|
||||
{
|
||||
|
||||
rump_server_crypto_start $SOCK_LOCAL netinet6 wireguard
|
||||
rump_server_crypto_start $SOCK_LOCAL netinet6 wg
|
||||
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
|
||||
|
||||
rump_server_crypto_start $SOCK_PEER netinet6 wireguard
|
||||
rump_server_crypto_start $SOCK_PEER netinet6 wg
|
||||
rump_server_add_iface $SOCK_PEER shmif0 $BUS
|
||||
}
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: t_basic.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: t_basic.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $
|
||||
#
|
||||
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
# All rights reserved.
|
||||
|
@ -118,14 +118,14 @@ atf_test_case wg_create_destroy cleanup
|
|||
wg_create_destroy_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests to create/destroy WireGuard interfaces"
|
||||
atf_set "descr" "tests to create/destroy wg(4) interfaces"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
wg_create_destroy_body()
|
||||
{
|
||||
|
||||
rump_server_crypto_start $SOCK_LOCAL netinet6 wireguard
|
||||
rump_server_crypto_start $SOCK_LOCAL netinet6 wg
|
||||
|
||||
test_create_destroy_common $SOCK_LOCAL wg0 true
|
||||
}
|
||||
|
@ -167,7 +167,7 @@ wg_create_destroy_peers_common()
|
|||
inner_prefixall=128
|
||||
fi
|
||||
|
||||
rump_server_crypto_start $SOCK_LOCAL netinet6 wireguard
|
||||
rump_server_crypto_start $SOCK_LOCAL netinet6 wg
|
||||
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
|
||||
|
||||
# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
|
||||
|
@ -232,7 +232,7 @@ add_basic_test()
|
|||
local ipv6=inet6
|
||||
|
||||
name="wg_basic_${inner}_over_${outer}"
|
||||
fulldesc="Test WireGuard with ${inner} over ${outer}"
|
||||
fulldesc="Test wg(4) with ${inner} over ${outer}"
|
||||
|
||||
eval inner=\$$inner
|
||||
eval outer=\$$outer
|
||||
|
@ -262,7 +262,7 @@ add_payload_sizes_test()
|
|||
local ipv6=inet6
|
||||
|
||||
name="wg_payload_sizes_${inner}_over_${outer}"
|
||||
fulldesc="Test WireGuard with ${inner} over ${outer} with various payload sizes"
|
||||
fulldesc="Test wg(4) with ${inner} over ${outer} with various payload sizes"
|
||||
|
||||
eval inner=\$$inner
|
||||
eval outer=\$$outer
|
||||
|
@ -288,7 +288,7 @@ atf_test_case wg_multiple_interfaces cleanup
|
|||
wg_multiple_interfaces_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests multiple WireGuard interfaces"
|
||||
atf_set "descr" "tests multiple wg(4) interfaces"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
|
@ -314,7 +314,7 @@ wg_multiple_interfaces_body()
|
|||
setup_servers
|
||||
rump_server_add_iface $SOCK_LOCAL shmif1 $BUS
|
||||
|
||||
rump_server_crypto_start $SOCK_PEER2 netinet6 wireguard
|
||||
rump_server_crypto_start $SOCK_PEER2 netinet6 wg
|
||||
rump_server_add_iface $SOCK_PEER2 shmif0 $BUS
|
||||
|
||||
# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
|
||||
|
@ -381,7 +381,7 @@ atf_test_case wg_multiple_peers cleanup
|
|||
wg_multiple_peers_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests multiple WireGuard peers"
|
||||
atf_set "descr" "tests multiple wg(4) peers"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
|
@ -404,7 +404,7 @@ wg_multiple_peers_body()
|
|||
setup_servers
|
||||
rump_server_add_iface $SOCK_LOCAL shmif1 $BUS
|
||||
|
||||
rump_server_crypto_start $SOCK_PEER2 netinet6 wireguard
|
||||
rump_server_crypto_start $SOCK_PEER2 netinet6 wg
|
||||
rump_server_add_iface $SOCK_PEER2 shmif0 $BUS
|
||||
|
||||
# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: t_interoperability.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: t_interoperability.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $
|
||||
#
|
||||
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
# All rights reserved.
|
||||
|
@ -34,12 +34,12 @@ atf_test_case wg_interoperability_basic cleanup
|
|||
wg_interoperability_basic_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests of interoperability messages of the WireGuard protocol"
|
||||
atf_set "descr" "tests of interoperability with the WireGuard protocol"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
#
|
||||
# Set ATF_WIREGUARD_INTEROPERABILITY=yes to run the test.
|
||||
# Set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test.
|
||||
# Also to run the test, the following setups are required on the host and a peer.
|
||||
#
|
||||
# [Host]
|
||||
|
@ -78,12 +78,12 @@ wg_interoperability_basic_body()
|
|||
local port=52428
|
||||
local outfile=./out
|
||||
|
||||
if [ "$ATF_WIREGUARD_INTEROPERABILITY" != yes ]; then
|
||||
atf_skip "set ATF_WIREGUARD_INTEROPERABILITY=yes to run the test"
|
||||
if [ "$ATF_NET_IF_WG_INTEROPERABILITY" != yes ]; then
|
||||
atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test"
|
||||
fi
|
||||
|
||||
export RUMP_SERVER=$SOCK_LOCAL
|
||||
rump_server_crypto_start $SOCK_LOCAL virtif wireguard netinet6
|
||||
rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6
|
||||
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
|
||||
atf_check -s exit:0 rump.ifconfig virt0 create
|
||||
atf_check -s exit:0 rump.ifconfig virt0 $ip_local/24
|
||||
|
@ -116,7 +116,7 @@ atf_test_case wg_interoperability_cookie cleanup
|
|||
wg_interoperability_cookie_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests of interoperability messages of the WireGuard protocol"
|
||||
atf_set "descr" "tests of interoperability with the WireGuard protocol"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
|
@ -137,12 +137,12 @@ wg_interoperability_cookie_body()
|
|||
local outfile=./out
|
||||
local rekey_timeout=5 # default
|
||||
|
||||
if [ "$ATF_WIREGUARD_INTEROPERABILITY" != yes ]; then
|
||||
atf_skip "set ATF_WIREGUARD_INTEROPERABILITY=yes to run the test"
|
||||
if [ "$ATF_NET_IF_WG_INTEROPERABILITY" != yes ]; then
|
||||
atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test"
|
||||
fi
|
||||
|
||||
export RUMP_SERVER=$SOCK_LOCAL
|
||||
rump_server_crypto_start $SOCK_LOCAL virtif wireguard netinet6
|
||||
rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6
|
||||
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
|
||||
atf_check -s exit:0 rump.ifconfig virt0 create
|
||||
atf_check -s exit:0 rump.ifconfig virt0 $ip_local/24
|
||||
|
@ -159,7 +159,7 @@ wg_interoperability_cookie_body()
|
|||
|
||||
# Emulate load to send back a cookie on receiving a response message
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.force_underload=1
|
||||
rump.sysctl -w net.wg.force_underload=1
|
||||
|
||||
add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
|
||||
|
||||
|
@ -188,12 +188,12 @@ atf_test_case wg_userspace_basic cleanup
|
|||
wg_userspace_basic_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests of userspace implementation of WireGuard"
|
||||
atf_set "descr" "tests of userspace implementation of wg(4)"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
#
|
||||
# Set ATF_WIREGUARD_USERSPACE=yes to run the test.
|
||||
# Set ATF_NET_IF_WG_USERSPACE=yes to run the test.
|
||||
# Also to run the test, the following setups are required on the host and a peer.
|
||||
#
|
||||
# [Host]
|
||||
|
@ -233,12 +233,12 @@ wg_userspace_basic_body()
|
|||
local port_peer=52428
|
||||
local outfile=./out
|
||||
|
||||
if [ "$ATF_WIREGUARD_USERSPACE" != yes ]; then
|
||||
atf_skip "set ATF_WIREGUARD_USERSPACE=yes to run the test"
|
||||
if [ "$ATF_NET_IF_WG_USERSPACE" != yes ]; then
|
||||
atf_skip "set ATF_NET_IF_WG_USERSPACE=yes to run the test"
|
||||
fi
|
||||
|
||||
export RUMP_SERVER=$SOCK_LOCAL
|
||||
rump_server_crypto_start $SOCK_LOCAL virtif wireguard netinet6
|
||||
rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6
|
||||
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
|
||||
|
||||
$DEBUG && netstat -nr -f inet
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: t_misc.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: t_misc.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $
|
||||
#
|
||||
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
# All rights reserved.
|
||||
|
@ -34,7 +34,7 @@ atf_test_case wg_rekey cleanup
|
|||
wg_rekey_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests of rekeying of WireGuard"
|
||||
atf_set "descr" "tests of rekeying of wg(4)"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
|
@ -54,10 +54,10 @@ wg_rekey_body()
|
|||
|
||||
export RUMP_SERVER=$SOCK_LOCAL
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.rekey_after_time=$rekey_after_time
|
||||
rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
|
||||
export RUMP_SERVER=$SOCK_PEER
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.rekey_after_time=$rekey_after_time
|
||||
rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
|
||||
|
||||
# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
|
||||
generate_keys
|
||||
|
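Review bot: the two `atf_check -s exit:0 -o ignore rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time` blocks differ only in the exported `RUMP_SERVER`, and the same pattern recurs in wg_handshake_timeout_body and wg_psk_body below; a small helper such as `set_wg_sysctl "$sock" rekey_after_time "$rekey_after_time"` would leave the `net.wg.` prefix in one place, which is exactly the string this commit has to touch in six hunks.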
@ -128,7 +128,7 @@ atf_test_case wg_handshake_timeout cleanup
|
|||
wg_handshake_timeout_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests of handshake timeout of WireGuard"
|
||||
atf_set "descr" "tests of handshake timeout of wg(4)"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
|
@ -152,14 +152,14 @@ wg_handshake_timeout_body()
|
|||
|
||||
export RUMP_SERVER=$SOCK_LOCAL
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.rekey_timeout=$rekey_timeout
|
||||
rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.rekey_attempt_time=$rekey_attempt_time
|
||||
rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time
|
||||
export RUMP_SERVER=$SOCK_PEER
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.rekey_timeout=$rekey_timeout
|
||||
rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.rekey_attempt_time=$rekey_attempt_time
|
||||
rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time
|
||||
|
||||
# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
|
||||
generate_keys
|
||||
|
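Review bot: lowering both `net.wg.rekey_timeout` and `net.wg.rekey_attempt_time` only exercises the give-up path if rekey_attempt_time stays longer than rekey_timeout; the values are set above this hunk and not visible here, so assert that relation at the top of the body (or comment it), otherwise the test can pass for the wrong reason after someone tunes one knob. A comment that these shortened timers are test-only values rather than a recommended configuration would also help anyone who copies the sysctl lines.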
@ -220,7 +220,7 @@ atf_test_case wg_cookie cleanup
|
|||
wg_cookie_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests of cookie messages of the WireGuard protocol"
|
||||
atf_set "descr" "tests of cookie messages of the wg(4) protocol"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
|
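Review bot: `tests of cookie messages of the wg(4) protocol` reads oddly, since wg(4) is an interface, not a protocol; `tests of cookie messages in wg(4)` keeps the rename without the category slip.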
@ -259,7 +259,7 @@ wg_cookie_body()
|
|||
export RUMP_SERVER=$SOCK_PEER
|
||||
# Emulate load on the peer
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.force_underload=1
|
||||
rump.sysctl -w net.wg.force_underload=1
|
||||
|
||||
export RUMP_SERVER=$SOCK_LOCAL
|
||||
|
||||
|
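Review bot: `net.wg.force_underload=1` is set on the peer and this hunk shows no reset before `RUMP_SERVER` switches back to `$SOCK_LOCAL`, so the peer keeps answering handshake initiations with cookie replies for the rest of the body; if later assertions in this test are meant to check normal handshakes, set the knob back to 0 once the cookie exchange has been verified so those assertions do not depend on it.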
@ -306,7 +306,7 @@ atf_test_case wg_mobility cleanup
|
|||
wg_mobility_head()
|
||||
{
|
||||
|
||||
atf_set "descr" "tests of the mobility of WireGuard"
|
||||
atf_set "descr" "tests of the mobility of wg(4)"
|
||||
atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
|
||||
}
|
||||
|
||||
|
@ -441,7 +441,7 @@ wg_keepalive_body()
|
|||
|
||||
# Shorten keepalive_timeout of the peer
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.keepalive_timeout=$keepalive_timeout
|
||||
rump.sysctl -w net.wg.keepalive_timeout=$keepalive_timeout
|
||||
|
||||
export RUMP_SERVER=$SOCK_LOCAL
|
||||
|
||||
|
@ -505,10 +505,10 @@ wg_psk_body()
|
|||
|
||||
export RUMP_SERVER=$SOCK_LOCAL
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.rekey_after_time=$rekey_after_time
|
||||
rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
|
||||
export RUMP_SERVER=$SOCK_PEER
|
||||
atf_check -s exit:0 -o ignore \
|
||||
rump.sysctl -w net.wireguard.rekey_after_time=$rekey_after_time
|
||||
rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
|
||||
|
||||
# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
|
||||
generate_keys
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: t_tunnel.sh,v 1.1 2020/08/20 21:28:01 riastradh Exp $
|
||||
# $NetBSD: t_tunnel.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $
|
||||
#
|
||||
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
# All rights reserved.
|
||||
|
@ -45,11 +45,11 @@ setup_servers()
|
|||
rump_server_start $SOCK_LOCAL netinet6
|
||||
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
|
||||
|
||||
rump_server_crypto_start $SOCK_TUN_LOCAL netinet6 wireguard
|
||||
rump_server_crypto_start $SOCK_TUN_LOCAL netinet6 wg
|
||||
rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
|
||||
rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUN
|
||||
|
||||
rump_server_crypto_start $SOCK_TUN_PEER netinet6 wireguard
|
||||
rump_server_crypto_start $SOCK_TUN_PEER netinet6 wg
|
||||
rump_server_add_iface $SOCK_TUN_PEER shmif0 $BUS_PEER
|
||||
rump_server_add_iface $SOCK_TUN_PEER shmif1 $BUS_TUN
|
||||
|
||||
|
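Review bot: `rump_server_crypto_start $SOCK_TUN_LOCAL netinet6 wg` lists the components as `netinet6 wg` while t_basic.sh in the earlier hunk uses `virtif wg netinet6`; if the helper just turns these into `-lrumpnet_*` flags the order is harmless, but using one order in both files means a grep for the wg rump component finds a single form.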
@ -300,7 +300,7 @@ add_tunnel_test()
|
|||
local ipv6=inet6
|
||||
|
||||
name="wg_tunnel_${inner}_over_${outer}"
|
||||
fulldesc="Test WireGuard with ${inner} over ${outer}"
|
||||
fulldesc="Test wg(4) with ${inner} over ${outer}"
|
||||
|
||||
eval inner=\$$inner
|
||||
eval outer=\$$outer
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: wg-keygen.8,v 1.2 2020/08/20 21:36:00 riastradh Exp $
|
||||
.\" $NetBSD: wg-keygen.8,v 1.3 2020/08/26 16:03:42 riastradh Exp $
|
||||
.\"
|
||||
.\" Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
.\" All rights reserved.
|
||||
|
@ -33,7 +33,7 @@
|
|||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh NAME
|
||||
.Nm wg-keygen
|
||||
.Nd generate keys for WireGuard interfaces
|
||||
.Nd generate keys for wg interfaces
|
||||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
|
@ -42,7 +42,8 @@
|
|||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
generates keys for WireGuard.
|
||||
generates keys for
|
||||
.Xr wg 4 .
|
||||
.Bl -tag -width abcd
|
||||
.It Nm
|
||||
Generate a private key and print it to standard output.
|
||||
|
|
|
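Review bot: `generates keys for .Xr wg 4 .` says nothing about what is emitted; the wgconfig(8) hunks in this same commit describe a base64-encoded private key and X25519 key agreement, so state here that the private key printed to standard output is a base64-encoded X25519 key. Because it goes to standard output, a sentence advising the reader to create the destination file with mode 0600 (or run under `umask 077`) before redirecting into it would prevent a common mistake.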
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: wg-userspace.8,v 1.2 2020/08/20 22:17:16 riastradh Exp $
|
||||
.\" $NetBSD: wg-userspace.8,v 1.3 2020/08/26 16:03:42 riastradh Exp $
|
||||
.\"
|
||||
.\" Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
.\" All rights reserved.
|
||||
|
@ -33,7 +33,7 @@
|
|||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh NAME
|
||||
.Nm wg-userspace
|
||||
.Nd manipulate WireGuard userspace instances
|
||||
.Nd manipulate wg userspace instances (EXPERIMENTAL)
|
||||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh SYNOPSIS
|
||||
.Ar id
|
||||
|
@ -42,39 +42,45 @@
|
|||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is used to create, destroy and configure WireGuard userspace instances.
|
||||
is used to create, destroy and configure
|
||||
.Xr wg 4
|
||||
userspace instances.
|
||||
.Pp
|
||||
.Sy WARNING:
|
||||
.Nm
|
||||
is experimental.
|
||||
.Pp
|
||||
The following commands are supported:
|
||||
.Bl -tag -width "destroy"
|
||||
.It Cm create
|
||||
Create a WireGuard interface.
|
||||
Create an interface.
|
||||
The interface will appear as
|
||||
.Li tun Ns Ar id
|
||||
to the rest of the system, and will be served by a rump server in whose
|
||||
context the interface appears as
|
||||
.Li wg Ns Ar id .
|
||||
.It Cm destroy
|
||||
Destroy a WireGuard interface and stop the rump server behind it.
|
||||
Destroy an interface and stop the rump server behind it.
|
||||
.It Cm ifconfig Ar wgN Ar args...
|
||||
Run
|
||||
.Xr ifconfig 8
|
||||
in the context of the WireGuard interface's rump server.
|
||||
in the context of the interface's rump server.
|
||||
For example,
|
||||
.Bd -literal -compact
|
||||
# wg-userspace 0 ifconfig wg0 10.0.1.0/24
|
||||
.Ed
|
||||
will set the WireGuard interface's IP address.
|
||||
will set the interface's IP address.
|
||||
.It Cm wgconfig Ar wgN Ar args...
|
||||
Run
|
||||
.Xr wgconfig 8
|
||||
in the context of the WireGuard interface's rump server.
|
||||
in the context of the interface's rump server.
|
||||
For example,
|
||||
.Bd -literal -compact
|
||||
# wg-userspace 0 wgconfig wg0 set listen-port 1234
|
||||
.Ed
|
||||
will set the WireGuard interface's listening port.
|
||||
will set the interface's listening port.
|
||||
.It Cm debug Ar command Op Ar args...
|
||||
Run an arbitrary command in the context of the WireGuard interface's
|
||||
Run an arbitrary command in the context of the interface's
|
||||
rump server, using
|
||||
.Xr rumphijack 3 .
|
||||
.El
|
||||
|
|
|
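Review bot: the literal example `# wg-userspace 0 ifconfig wg0 10.0.1.0/24` assigns the network address of the /24 (host part all zeros) to the interface; `10.0.1.1/24` is the form readers should copy. Two smaller points: `debug` runs an arbitrary command in the rump server that also holds the interface's keys (wgconfig runs there), so a sentence saying it is for debugging only belongs beside it; and the `.Bd -literal -compact` blocks would read better with `-offset indent` as used elsewhere in the tree.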
@ -2,7 +2,7 @@
|
|||
|
||||
RUMPLIBS="-lrumpnet -lrumpnet_net -lrumpnet_netinet \
|
||||
-lrumpdev -lrumpvfs -lrumpdev_opencrypto -lrumpkern_z \
|
||||
-lrumpkern_crypto -lrumpnet_wireguard -lrumpnet_netinet6"
|
||||
-lrumpkern_crypto -lrumpnet_wg -lrumpnet_netinet6"
|
||||
HIJACKING="env LD_PRELOAD=/usr/lib/librumphijack.so \
|
||||
RUMPHIJACK=path=/rump,socket=all:nolocal,sysctl=yes"
|
||||
|
||||
|
|
|
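Review bot: `-lrumpnet_wg` in RUMPLIBS is the only place this script names the component, so it is the line to check if the library is renamed again; a comment next to `RUMPHIJACK=path=/rump,socket=all:nolocal,sysctl=yes` noting that `sysctl=yes` routes every hijacked command's sysctl calls to the rump kernel (which is what makes `wgconfig` and `ifconfig` work here, and also lets `debug` commands change the rump kernel's `net.wg.*` knobs) would help the next maintainer.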
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: wgconfig.8,v 1.9 2020/08/21 03:44:58 uwe Exp $
|
||||
.\" $NetBSD: wgconfig.8,v 1.10 2020/08/26 16:03:42 riastradh Exp $
|
||||
.\"
|
||||
.\" Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
|
||||
.\" All rights reserved.
|
||||
|
@ -33,7 +33,7 @@
|
|||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh NAME
|
||||
.Nm wgconfig
|
||||
.Nd configure WireGuard interface parameters
|
||||
.Nd configure wg interface parameters
|
||||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
|
@ -74,7 +74,7 @@
|
|||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
utility is used to configure or display a WireGuard
|
||||
utility is used to configure or display a
|
||||
.Xr wg 4
|
||||
interface's parameters and status.
|
||||
Every
|
||||
|
@ -91,7 +91,7 @@ have a fixed endpoint IP address and a preshared secret key.
|
|||
The following commands are supported:
|
||||
.Bl -tag -width abcd
|
||||
.It Cm "show all"
|
||||
Show all WireGuard peers.
|
||||
Show all peers.
|
||||
No secret keys are included in the output.
|
||||
.It Cm "show peer" Ar name Op Fl Fl show-preshared-key
|
||||
Show the peer named
|
||||
|
@ -117,7 +117,7 @@ to the base64-encoded private key in the file at
|
|||
.It Cm "set listen-port" Ar port
|
||||
Set the UDP port number that
|
||||
.Li wg Ns Ar N\|
|
||||
listens for incoming WireGuard sessions on.
|
||||
listens for incoming sessions on.
|
||||
This allows a peer to start a new session without having a specific
|
||||
endpoint IP address configured.
|
||||
.It Cm "add peer" Ar name Ar pubkey Op Ar options ...
|
||||
|
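Review bot: "This allows a peer to start a new session without having a specific endpoint IP address configured." is ambiguous about which side lacks the endpoint; what the listen port buys is that a remote peer can initiate to this interface, so this side need not know the peer's endpoint in advance (it is learned from the handshake). Suggest: "With a listen port set, a peer may initiate a session to this interface, so the peer's endpoint address need not be configured in advance."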
@ -146,14 +146,16 @@ Set a secret preshared key generated by
|
|||
If the preshared key can be arranged in advance on a medium not subject
|
||||
to eavesdropping, then it defends against possible future quantum
|
||||
cryptanalysis of the X25519 key agreement.
|
||||
WireGuard still uses X25519 key agreements in order to erase past
|
||||
.Nm
|
||||
still uses X25519 key agreements in order to erase past
|
||||
session keys so that past session transcripts remain secret should one
|
||||
of the endpoints be compromised in the future; the preshared key is an
|
||||
additional measure on top.
|
||||
.It Fl Fl endpoint Ns Li \&= Ns Ar ip Ns Li \&: Ns Ar port
|
||||
Set the peer's endpoint address outside the tunnel.
|
||||
This is optional for a VPN server if the WireGuard interface is
|
||||
configured to listen on a port number.
|
||||
This is optional for a VPN server if the
|
||||
.Nm
|
||||
interface is configured to listen on a port number.
|
||||
.It Fl Fl allowed-ips Ns Li \&= Ns Ar ip1 Ns Li \&/ Ns Ar cidr1 Ns \
|
||||
Op Li \&, Ns Ar ip2 Ns Li \&/ Ns Ar cidr2 Ns Li \&, Ns Ar ...
|
||||
Set the IP address ranges that the peer is allowed to select inside the
|
||||
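Review bot: substituting `.Nm` for "WireGuard" in "still uses X25519 key agreements" and in "the .Nm interface" is wrong here: `.Nm` expands to wgconfig, the configuration utility, which performs no key agreement and is not an interface. Both places mean the wg(4) interface, so use `.Xr wg 4` as the DESCRIPTION hunk above does. The surrounding explanation is accurate as far as it goes; it could add that the preshared key only gives the stated protection if it was exchanged over a channel the adversary could not record, which the sentence about a medium "not subject to eavesdropping" already implies.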
|
|