NetBSD/usr.sbin/wgconfig/wgconfig.8

.\"	$NetBSD: wgconfig.8,v 1.10 2020/08/26 16:03:42 riastradh Exp $
.\"
.\" Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd August 20, 2020
.Dt WGCONFIG 8
.Os
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh NAME
.Nm wgconfig
.Nd configure wg interface parameters
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SYNOPSIS
.Nm
.Li wg Ns Ar N\|
.Op Cm "show all"
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "show peer" Ar name
.Op Fl Fl show-preshared-key
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "show private-key"
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "set private-key" Ar "filename"
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "set listen-port" Ar port
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "add peer" Ar name Ar pubkey
.Op Fl Fl preshared-key Ns Li \&= Ns Ar filename
.Oo Fl Fl endpoint Ns Li \&= Ns Ar ip Ns Li \&: Ns Ar port Oc
.Oo
.Fl Fl allowed-ips Ns Li \&= Ns Ar ip1 Ns Li \&/ Ns Ar cidr1 Ns
.Op Li \&, Ns Ar ip2 Ns Li \&/ Ns Ar cidr2 Ns Li \&, Ns Ar ...
.Oc
.\"
.Nm
.Li wg Ns Ar N\|
.Cm "delete peer" Ar name
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh DESCRIPTION
The
.Nm
utility is used to configure or display a
.Xr wg 4
interface's parameters and status.
Every
.Xr wg 4
interface can be configured with an IP address using
.Xr ifconfig 8 ,
a private key generated with
.Xr wg-keygen 8 ,
an optional listen port,
and a collection of peers.
Each peer has a public key and allowed IP addresses, and may optionally
have a fixed endpoint IP address and a preshared secret key.
.Pp
The following commands are supported:
.Bl -tag -width abcd
.It Cm "show all"
Show all peers.
No secret keys are included in the output.
.It Cm "show peer" Ar name Op Fl Fl show-preshared-key
Show the peer named
.Ar name .
By default, no secret keys are included in the output.
With
.Fl Fl show-preshared-key ,
also display the secret preshared key that the peer was configured to
have with the
.Fl Fl preshared-key
option to
.Nm
.Li wg Ns Ar N Cm "add peer" .
.It Cm "show private-key"
Show the private key that was set with
.Nm
.Li wg Ns Ar N Cm "set private-key" .
.It Cm "set private-key" Ar filename
Set the private key of
.Li wg Ns Ar N\|
to the base64-encoded private key in the file at
.Ar filename .
.It Cm "set listen-port" Ar port
Set the UDP port number that
.Li wg Ns Ar N\|
listens for incoming sessions on.
This allows a peer to start a new session without having a specific
endpoint IP address configured.
.It Cm "add peer" Ar name Ar pubkey Op Ar options ...
Add a peer.
The argument
.Ar name
may be passed to
.Nm
.Li wg Ns Ar N Cm "show peer"
and
.Nm
.Li wg Ns Ar N Cm "delete peer" .
The argument
.Ar pubkey
is the peer's base64-encoded public key, as printed by
.Nm wg-keygen
.Fl Fl pub .
.Pp
The following options may be specified:
.Bl -tag -width abcd
.It Fl Fl preshared-key-file Ns Li \&= Ns Ar filename
Set a secret preshared key generated by
.Nm wg-keygen
.Fl Fl psk .
.Pp
If the preshared key can be arranged in advance on a medium not subject
to eavesdropping, then it defends against possible future quantum
cryptanalysis of the X25519 key agreement.
.Nm
still uses X25519 key agreements in order to erase past
session keys so that past session transcripts remain secret should one
of the endpoints be compromised in the future; the preshared key is an
additional measure on top.
.It Fl Fl endpoint Ns Li \&= Ns Ar ip Ns Li \&: Ns Ar port
Set the peer's endpoint address outside the tunnel.
This is optional for a VPN server if the
.Nm
interface is configured to listen on a port number.
.It Fl Fl allowed-ips Ns Li \&= Ns Ar ip1 Ns Li \&/ Ns Ar cidr1 Ns \
    Op Li \&, Ns Ar ip2 Ns Li \&/ Ns Ar cidr2 Ns Li \&, Ns Ar ...
Set the IP address ranges that the peer is allowed to select inside the
tunnel.
.El
.It Cm "delete peer" Ar name
Delete the peer
.Ar name
previously added with
.Nm
.Li wg Ns Ar N Cm "add peer" Ar name .
.El
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh EXAMPLES
See
.Xr wg 4
for an example network topology and
.Nm
usage.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SEE ALSO
.Xr wg 4 ,
.Xr wg-keygen 8
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh HISTORY
The
.Nm
command first appeared in
.Nx 10.0 .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh AUTHORS
The
.Nm
command was written by
.An Ryota Ozaki
.Aq ozaki.ryota@gmail.com .