.\" $NetBSD: wgconfig.8,v 1.10 2020/08/26 16:03:42 riastradh Exp $
.\"
.\" Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd August 20, 2020
.Dt WGCONFIG 8
.Os
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh NAME
.Nm wgconfig
.Nd configure wg interface parameters
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SYNOPSIS
.Nm
.Li wg Ns Ar N\|
.Op Cm "show all"
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "show peer" Ar name
.Op Fl Fl show-preshared-key
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "show private-key"
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "set private-key" Ar "filename"
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "set listen-port" Ar port
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "add peer" Ar name Ar pubkey
.Op Fl Fl preshared-key Ns Li \&= Ns Ar filename
.Oo Fl Fl endpoint Ns Li \&= Ns Ar ip Ns Li \&: Ns Ar port Oc
.Oo
.Fl Fl allowed-ips Ns Li \&= Ns Ar ip1 Ns Li \&/ Ns Ar cidr1 Ns
.Op Li \&, Ns Ar ip2 Ns Li \&/ Ns Ar cidr2 Ns Li \&, Ns Ar ...
.Oc
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "delete peer" Ar name
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh DESCRIPTION
The
.Nm
utility is used to configure or display a
.Xr wg 4
interface's parameters and status.
Every
.Xr wg 4
interface can be configured with an IP address using
.Xr ifconfig 8 ,
a private key generated with
.Xr wg-keygen 8 ,
an optional listen port,
and a collection of peers.
Each peer has a public key and allowed IP addresses, and may optionally
have a fixed endpoint IP address and a preshared secret key.
.Pp
The following commands are supported:
.Bl -tag -width abcd
.It Cm "show all"
Show all peers.
No secret keys are included in the output.
.It Cm "show peer" Ar name Op Fl Fl show-preshared-key
Show the peer named
.Ar name .
By default, no secret keys are included in the output.
With
.Fl Fl show-preshared-key ,
also display the secret preshared key that the peer was configured to
have with the
.Fl Fl preshared-key
option to
.Nm
.Li wg Ns Ar N Cm "add peer" .
.It Cm "show private-key"
Show the private key that was set with
.Nm
.Li wg Ns Ar N Cm "set private-key" .
.It Cm "set private-key" Ar filename
Set the private key of
.Li wg Ns Ar N\|
to the base64-encoded private key in the file at
.Ar filename .
.It Cm "set listen-port" Ar port
Set the UDP port number that
.Li wg Ns Ar N\|
listens for incoming sessions on.
This allows a peer to start a new session without having a specific
endpoint IP address configured.
.It Cm "add peer" Ar name Ar pubkey Op Ar options ...
Add a peer.
The argument
.Ar name
may be passed to
.Nm
.Li wg Ns Ar N Cm "show peer"
and
.Nm
.Li wg Ns Ar N Cm "delete peer" .
The argument
.Ar pubkey
is the peer's base64-encoded public key, as printed by
.Nm wg-keygen
.Fl Fl pub .
.Pp
The following options may be specified:
.Bl -tag -width abcd
.It Fl Fl preshared-key-file Ns Li \&= Ns Ar filename
Set a secret preshared key generated by
.Nm wg-keygen
.Fl Fl psk .
.Pp
If the preshared key can be arranged in advance on a medium not subject
to eavesdropping, then it defends against possible future quantum
cryptanalysis of the X25519 key agreement.
.Nm
still uses X25519 key agreements in order to erase past
session keys so that past session transcripts remain secret should one
of the endpoints be compromised in the future; the preshared key is an
additional measure on top.
.It Fl Fl endpoint Ns Li \&= Ns Ar ip Ns Li \&: Ns Ar port
Set the peer's endpoint address outside the tunnel.
This is optional for a VPN server if the
.Nm
interface is configured to listen on a port number.
.It Fl Fl allowed-ips Ns Li \&= Ns Ar ip1 Ns Li \&/ Ns Ar cidr1 Ns \
Op Li \&, Ns Ar ip2 Ns Li \&/ Ns Ar cidr2 Ns Li \&, Ns Ar ...
Set the IP address ranges that the peer is allowed to select inside the
tunnel.
.El
.It Cm "delete peer" Ar name
Delete the peer
.Ar name
previously added with
.Nm
.Li wg Ns Ar N Cm "add peer" Ar name .
.El
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh EXAMPLES
See
.Xr wg 4
for an example network topology and
.Nm
usage.
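.Pp
The script below is an added illustration, not part of this manual or of the NetBSD sources: it applies the commands above to one interface with one peer, refusing to proceed unless the private key and preshared key files are owner-only and well-formed (they are then passed by file name, so the secrets never appear on a command line), validating the allowed-ips list, and finishing with show all, which prints no secrets. The interface name, addresses, KEYDIR, key file names and peer values are assumptions; the spelling of the preshared-key option follows the SYNOPSIS.

```shell
# Added example, not from the NetBSD wgconfig manual or sources. Assumed:
# KEYDIR holds wg0.key, peer1.pub and peer1.psk produced earlier with
# wg-keygen(8); wg0 is a cloning interface made by "ifconfig wg0 create".
# Addresses, the peer name and the allowed-ips list are constructed values.
KEYDIR=${KEYDIR:-/etc/wg}
PEER_ALLOWED="10.0.0.2/32,192.168.1.0/24"

# A key file (private or preshared key) is a secret: use it only if it is a
# regular file readable by its owner alone holding exactly one 32-byte
# base64 key (43 base64 characters plus one "=" pad).
check_keyfile() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(ls -ld -- "$f" | cut -c5-10)" = "------" ] || return 1
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 1 ] || return 1
    grep -Eq -- '^[A-Za-z0-9+/]{43}=$' "$f"
}

# --allowed-ips takes ip/cidr entries separated by commas; this check
# accepts IPv4 prefixes only (a simplification here, not a wgconfig limit).
validate_allowed_ips() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=','
    for entry in $1; do
        printf '%s\n' "$entry" |
            grep -Eq -- '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
            { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}
# The manual's sequence: address via ifconfig(8), then wgconfig(8) for the
# private key, the listen port and the peer. Secrets are passed as file
# names, never as command-line arguments that ps(1) would show to everyone.
configure_wg0() {
    check_keyfile "$KEYDIR/wg0.key" || return 1
    check_keyfile "$KEYDIR/peer1.psk" || return 1
    validate_allowed_ips "$PEER_ALLOWED" || return 1
    ifconfig wg0 create || return 1
    ifconfig wg0 inet 10.0.0.1/24 || return 1
    wgconfig wg0 set private-key "$KEYDIR/wg0.key" || return 1
    wgconfig wg0 set listen-port 51820 || return 1
    wgconfig wg0 add peer peer1 "$(cat "$KEYDIR/peer1.pub")" \
        --preshared-key="$KEYDIR/peer1.psk" \
        --endpoint=192.0.2.10:51820 \
        --allowed-ips="$PEER_ALLOWED" || return 1
    wgconfig wg0 show all        # "show all" never prints secret keys
}
# Apply only when asked explicitly: sh wg0-setup.sh apply
[ "${1:-}" = "apply" ] && configure_wg0
```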
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SEE ALSO
.Xr wg 4 ,
.Xr wg-keygen 8
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh HISTORY
The
.Nm
command first appeared in
.Nx 10.0 .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh AUTHORS
The
.Nm
command was written by
.An Ryota Ozaki
.Aq ozaki.ryota@gmail.com .