Module Name: src
Committed By: riastradh
Date: Sat Mar 9 12:36:07 UTC 2024
Modified Files:
src/share/man/man4: wg.4
Log Message:
wg(4): Spruce up example a bit.
- Suggest umask so the private keys aren't world readable.
- Suggest use of pre-shared key files.
- Use TEST-NET-1 and TEST-NET-2 addresses for the example instead of
real publicly routable addresses.
Holding off on adding IPv6 example until the tun(4) issue is fixed
(PR bin/58013).
PR misc/58015
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/share/man/man4/wg.4
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/share/man/man4/wg.4
diff -u src/share/man/man4/wg.4:1.6 src/share/man/man4/wg.4:1.7
--- src/share/man/man4/wg.4:1.6 Mon Aug 31 20:20:22 2020
+++ src/share/man/man4/wg.4 Sat Mar 9 12:36:07 2024
@@ -1,4 +1,4 @@
-.\" $NetBSD: wg.4,v 1.6 2020/08/31 20:20:22 riastradh Exp $
+.\" $NetBSD: wg.4,v 1.7 2024/03/09 12:36:07 riastradh Exp $
.\"
.\" Copyright (c) 2020 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -75,7 +75,7 @@ endpoint IP address outside the tunnel.
.Sh EXAMPLES
Typical network topology:
.Bd -literal -offset abcd
-wm0 = 1.2.3.4 bge0 = 4.3.2.1
+wm0 = 192.0.2.123 bge0 = 198.51.100.45
Stationary server: Roaming client:
+---------+ +---------+
@@ -95,17 +95,24 @@ Stationary server:
.Pp
Generate key pairs on A and B:
.Bd -literal -offset abcd
-A# wg-keygen > /etc/wg/wg0
+A# (umask 0077; wg-keygen > /etc/wg/wg0)
A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
A# cat /etc/wg/wg0.pub
N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y=
-B# wg-keygen > /etc/wg/wg0
+B# (umask 0077; wg-keygen > /etc/wg/wg0)
B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
B# cat /etc/wg/wg0.pub
X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=
.Ed
.Pp
+Generate a pre-shared key on A and copy it to B to defend against
+potential future quantum cryptanalysis (not necessary for
+functionality):
+.Bd -literal -offset abcd
+A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B)
+.Ed
+.Pp
Configure A to listen on port 1234 and allow connections from B to
appear in the 10.0.1.0/24 subnet:
.Bd -literal -offset abcd
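Review bot: the new pre-shared key paragraph tells the reader to copy the key to B, but the example shows no transfer step and says nothing about how B should store it, even though the same path /etc/wg/wg0.A-B is later handed to --preshared-key on B. Since a leaked PSK removes exactly the protection this paragraph is adding, suggest either a concrete line that moves the file over a confidential channel and keeps its 0600 mode, e.g. `A# scp -p /etc/wg/wg0.A-B B:/etc/wg/wg0.A-B`, or at least a sentence stating that the copy must be made over a secure channel and must not be readable by other users on B, matching the umask advice given for the private keys.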
@@ -114,6 +121,7 @@ A# wgconfig wg0 set private-key /etc/wg/
A# wgconfig wg0 set listen-port 1234
A# wgconfig wg0 add peer B \e
X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \e
+ --preshared-key=/etc/wg/wg0.A-B \e
--allowed-ips=10.0.1.1/32
A# ifconfig wg0 up
A# ifconfig wg0
@@ -122,15 +130,16 @@ wg0: flags=0x8041<UP,RUNNING,MULTICAST>
inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3
.Ed
.Pp
-Configure B to connect to A at 1.2.3.4 on port 1234 and the packets can
-begin to flow:
+Configure B to connect to A at 192.0.2.123 on port 1234 and the packets
+can begin to flow:
.Bd -literal -offset abcd
B# ifconfig wg0 create 10.0.1.1/24
B# wgconfig wg0 set private-key /etc/wg/wg0
B# wgconfig wg0 add peer A \e
N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \e
+ --preshared-key=/etc/wg/wg0.A-B \e
--allowed-ips=10.0.1.0/32 \e
- --endpoint=1.2.3.4:1234
+ --endpoint=192.0.2.123:1234
B# ifconfig wg0 up
B# ifconfig wg0
wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
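Review bot: the unchanged `--allowed-ips=10.0.1.0/32` on B is a host route for the /24's network address, and this hunk does not show A's tunnel address (A's `ifconfig wg0 create` line is outside the diff), so it is worth confirming the two agree while the example is being reworked: WireGuard drops decrypted packets whose source is not covered by the peer's allowed-ips, so if A's inside address is anything other than 10.0.1.0 no return traffic from A will reach B even though the handshake with the new endpoint and pre-shared key succeeds. If A really is 10.0.1.0, a short remark that the network address is being used as a host address would spare readers the same double take.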