wgconfig(8) - NetBSD Manual Pages
WGCONFIG(8) NetBSD System Manager's Manual WGCONFIG(8)
NAME
wgconfig -- configure wg interface parameters
SYNOPSIS
wgconfig wgN [show all]
wgconfig wgN show peer name [--show-preshared-key]
wgconfig wgN show private-key
wgconfig wgN set private-key filename
wgconfig wgN set listen-port port
wgconfig wgN add peer name pubkey [--preshared-key=filename]
[--endpoint=ip:port] [--allowed-ips=ip1/cidr1[,ip2/cidr2,...]]
wgconfig wgN delete peer name
DESCRIPTION
The wgconfig utility is used to configure or display a wg(4) interface's
parameters and status. Every wg(4) interface can be configured with an
IP address using ifconfig(8), a private key generated with wg-keygen(8),
an optional listen port, and a collection of peers. Each peer has a
public key and allowed IP addresses, and may optionally have a fixed
endpoint IP address and a preshared secret key.
The following commands are supported:
show all
Show all peers. No secret keys are included in the output.
show peer name [--show-preshared-key]
Show the peer named name. By default, no secret keys are included
in the output. With --show-preshared-key, also display the secret
preshared key that the peer was configured to have with the
--preshared-key option to wgconfig wgN add peer.
show private-key
Show the private key that was set with wgconfig wgN set
private-key.
set private-key filename
Set the private key of wgN to the base64-encoded private key in the
file at filename.
set listen-port port
Set the UDP port number that wgN listens for incoming sessions on.
This allows a peer to start a new session without having a specific
endpoint IP address configured.
add peer name pubkey [options ...]
Add a peer. The argument name may be passed to wgconfig wgN show
peer and wgconfig wgN delete peer. The argument pubkey is the
peer's base64-encoded public key, as printed by wg-keygen --pub.
The following options may be specified:
--preshared-key=filename
Set a secret preshared key generated by wg-keygen --psk.
If the preshared key can be arranged in advance on a medium
not subject to eavesdropping, then it defends against possible
future quantum cryptanalysis of the X25519 key agreement.
wgconfig still uses X25519 key agreements in order to erase
past session keys so that past session transcripts remain
secret should one of the endpoints be compromised in the
future; the preshared key is an additional measure on top.
--endpoint=ip:port
Set the peer's endpoint address outside the tunnel. This is
optional for a VPN server if the wg(4) interface is configured
to listen on a port number.
--allowed-ips=ip1/cidr1[,ip2/cidr2,...]
Set the IP address ranges that the peer is allowed to select
inside the tunnel.
delete peer name
Delete the peer name previously added with wgconfig wgN add peer
name.
EXAMPLES
See wg(4) for an example network topology and wgconfig usage.
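The sh functions below are an added example, not part of the NetBSD manual page or the wgconfig sources. They check the secret-key files and the peer's public key, then issue the set private-key, set listen-port and add peer commands described above. The interface name, port, peer name, addresses, file paths and the DRY_RUN variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the manual page. Assumes wgN already exists and
# has its tunnel address (ifconfig(8)); names, port and paths are made up.

# Accept a secret-key file only if group and other have no access to it.
key_file_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# A 32-byte X25519 public key in base64 is 43 alphabet characters plus "=".
pubkey_ok() {
    [ "${#1}" -eq 44 ] || return 1
    case ${1%=} in
        "$1" | *[!A-Za-z0-9+/]*) return 1 ;;
    esac
}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# usage: wg_setup ifname privkey_file port peer_name peer_pubkey psk_file allowed_ips
wg_setup() {
    ifn=$1 priv=$2 port=$3 peer=$4 pub=$5 psk=$6 ips=$7
    for f in "$priv" "$psk"; do
        key_file_ok "$f" || {
            echo "refusing $f: missing, or readable beyond its owner" >&2
            return 1
        }
    done
    pubkey_ok "$pub" || {
        echo "peer $peer: public key is not 44 characters of base64" >&2
        return 1
    }
    # No --endpoint: the interface listens, so the peer initiates sessions.
    run wgconfig "$ifn" set private-key "$priv" &&
    run wgconfig "$ifn" set listen-port "$port" &&
    run wgconfig "$ifn" add peer "$peer" "$pub" \
        "--preshared-key=$psk" "--allowed-ips=$ips"
}

# Preview with constructed values (LAPTOP_PUB holds the peer's public key):
# DRY_RUN=1 wg_setup wg0 /etc/wg/wg0 51820 laptop "$LAPTOP_PUB" \
#     /etc/wg/wg0.laptop 10.0.0.2/32
```

Key files created under umask 077 pass the permission check; a file that group or other can read is refused before any wgconfig command runs.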
SEE ALSO
wg(4), wg-keygen(8)
HISTORY
The wgconfig command first appeared in NetBSD 10.0.
AUTHORS
The wgconfig command was written by Ryota Ozaki <ozaki.ryota@gmail.com>.
NetBSD 10.0 August 20, 2020 NetBSD 10.0