wg(4) - NetBSD Manual Pages

Command: Section: Arch: Collection:  
WG(4)                   NetBSD Kernel Interfaces Manual                  WG(4)

wg -- virtual private network tunnel (EXPERIMENTAL)
pseudo-device wg
The wg interface implements a roaming-capable virtual private network tunnel, configured with ifconfig(8) and wgconfig(8). WARNING: wg is experimental. Packets exchanged on a wg interface are authenticated and encrypted with a secret key negotiated with the peer, and the encapsulation is exchanged over IP or IPv6 using UDP. Every wg interface can be configured with an IP address using ifconfig(8), a private key generated with wg-keygen(8), an optional lis- ten port, and a collection of peers. Each peer configured on an wg interface has a public key and a range of IP addresses the peer is allowed to use for its wg interface inside the tunnel. Each peer may also optionally have a preshared secret key and a fixed endpoint IP address outside the tunnel.
Typical network topology: Stationary server: Roaming client: +---------+ +---------+ | A | | B | |---------| |---------| | | | | | [wm0]----------internet-----------[bge0] | | [wg0] port 1234 - - - (tunnel) - - - - - - [wg0] | | | | | fd00:2::1 | fd00:2::42 | | | | | | +--[wm1]--+ +-----------------+ +---------+ | | VPN | | | fd00:2::/64 | | +-----------------+ +-----------------+ | LAN | | fd00:1::/64 | +-----------------+ Generate key pairs on A and B: A# (umask 0077; wg-keygen > /etc/wg/wg0) A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub A# cat /etc/wg/wg0.pub N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= B# (umask 0077; wg-keygen > /etc/wg/wg0) B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub B# cat /etc/wg/wg0.pub X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= Generate a pre-shared key on A and copy it to B to defend against poten- tial future quantum cryptanalysis (not necessary for functionality): A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B) Configure A to listen on port 1234 and allow connections from B to appear in the and fd00:2::/64 subnets: A# ifconfig wg0 create A# ifconfig wg0 inet A# ifconfig wg0 inet6 fd00:2::1/64 A# wgconfig wg0 set private-key /etc/wg/wg0 A# wgconfig wg0 set listen-port 1234 A# wgconfig wg0 add peer B \ X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \ --preshared-key=/etc/wg/wg0.A-B \ --allowed-ips=,fd00:2::42/128 A# ifconfig wg0 up A# ifconfig wg0 wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 status: active inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3 inet6 fd00:2::1/64 flags 0 inet flags 0 Configure B to connect to A at on port 1234 and the packets can begin to flow: B# ifconfig wg0 create B# ifconfig wg0 inet B# ifconfig wg0 inet6 fd00:2::42/64 B# wgconfig wg0 set private-key /etc/wg/wg0 B# wgconfig wg0 add peer A \ N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \ --preshared-key=/etc/wg/wg0.A-B \ --allowed-ips=,fd00:2::1/128 \ --endpoint= B# ifconfig wg0 up B# ifconfig wg0 wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420 status: active inet6 fe80::56eb:59ff:fe3d:d413%wg0/64 flags 0 scopeid 0x3 inet6 fd00:2::42/64 flags 0 inet flags 0 B# ping -n PING ( 56 data bytes 64 bytes from icmp_seq=0 ttl=255 time=2.721110 ms ... B# ping6 -n fd00:2::1 PING6(56=40+8+8 bytes) fd00:2::42 --> fd00:2::1 16 bytes from fd00:2::1, icmp_seq=0 hlim=64 time=2.634 ms ...
wg-keygen(8), wgconfig(8)
The wg interface aims to be compatible with the WireGuard protocol, as described in: Jason A. Donenfeld, WireGuard: Next Generation Kernel Network Tunnel, https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf, 2018-06-30, Document ID: 4846ada1492f5d92198df154f48c3d54205657bc.
The wg interface first appeared in NetBSD 10.0.
The wg interface was implemented by Ryota Ozaki <ozaki.ryota@gmail.com>. NetBSD 10.99 August 20, 2020 NetBSD 10.99
Powered by man-cgi (2024-03-20). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.