Diffstat (limited to 'sbin/ifconfig/ifconfig.8')
-rw-r--r-- | sbin/ifconfig/ifconfig.8 | 130 |
1 files changed, 127 insertions, 3 deletions
diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8 index 8a5025f8bdf..5c11f6a698f 100644 --- a/sbin/ifconfig/ifconfig.8 +++ b/sbin/ifconfig/ifconfig.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ifconfig.8,v 1.346 2020/04/29 13:13:29 stsp Exp $ +.\" $OpenBSD: ifconfig.8,v 1.347 2020/06/21 12:20:06 dlg Exp $ .\" $NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $ .\" $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $ .\" @@ -31,7 +31,7 @@ .\" .\" @(#)ifconfig.8 8.4 (Berkeley) 6/1/94 .\" -.Dd $Mdocdate: April 29 2020 $ +.Dd $Mdocdate: June 21 2020 $ .Dt IFCONFIG 8 .Os .Sh NAME @@ -207,7 +207,8 @@ At least the following devices can be created on demand: .Xr tun 4 , .Xr vether 4 , .Xr vlan 4 , -.Xr vxlan 4 +.Xr vxlan 4 , +.Xr wg 4 .It Cm debug Enable driver-dependent debugging code; usually, this turns on extra console error logging. 
@@ -2042,6 +2043,129 @@ Clear the tag value. Packets on a VLAN interface without a tag set will use a value of 0 in their headers. .El +.Sh WIREGUARD +.nr nS 1 +.Bk -words +.Nm ifconfig +.Ar wg-interface +.Op Cm wgkey Ar privatekey +.Op Cm wgport Ar port +.Op Cm wgrtable Ar rtable +.Oo +.Oo Fl Oc Ns Cm wgpeer Ar publickey +.Op Cm wgpsk Ar presharedkey +.Op Fl wgpsk +.Op Cm wgpka Ar persistent-keepalive +.Op Cm wgpip Ar ip port +.Op Cm wgaip Ar allowed-ip/prefix +.Oc +.Op Fl wgpeerall +.Ek +.nr nS 0 +.Pp +The following options are available for +.Xr wg 4 +interfaces: +.Bl -tag -width Ds +.It Cm wgkey Ar privatekey +Set the local private key of the interface to +.Ar privatekey . +This is a random 32 byte value, encoded as base64. +It may be generated as follows: +.Pp +.Dl $ openssl rand -base64 32 +.Pp +A valid Curve25519 key is required to have 5 bits set to specific +values. +This is done by the interface, so it is safe to provide a random +32 byte base64 string. +.Pp +Once set, the corresponding public key will be displayed +in the interface status; it must be distributed to peers +that this interface intends to communicate with. +.It Cm wgport Ar port +Set the UDP +.Ar port +that the tunnel operates on. +The interface will bind to +.Dv INADDR_ANY +and +.Dv IN6ADDR_ANY_INIT . +If no port is configured, one will be chosen automatically. +.It Cm wgrtable Ar rtable +Use routing table +.Ar rtable +instead of the default table for the tunnel. +The tunnel does not need to terminate in the same routing domain as the +interface itself. +.Ar rtable +can be set to any valid routing table ID; the corresponding routing +domain is derived from this table. +.It Cm wgpeer Ar publickey +Select the peer to perform the subsequent operations on. +This creates a peer with the associated 32 byte, base64 encoded +.Ar publickey +if it does not yet exist. +This option can be specified multiple times in a single command. 
+.It Cm -wgpeer Ar publickey +Remove the peer with the associated +.Ar publickey . +.It Cm -wgpeerall +Remove all peers from the interface. +.El +.Pp +The following options configure peers for the interface. +Each interface can have multiple peers. +In order to add a peer, a +.Cm wgpeer +option must be specified, followed by its configuration options. +.Bl -tag -width Ds +.It Cm wgpsk Ar presharedkey +Set the preshared key for the peer. +This is a random 32 byte, base64 encoded string +that both ends must agree on. +It offers a post-quantum resistance to the Diffie-Hellman exchange. +If there is no preshared key, the exact same handshake is performed, +however the preshared key is set to all zero. +This can be generated in the same way as +.Ar privatekey . +.It Cm -wgpsk +Remove the preshared key from the specified peer. +.It Cm wgpka Ar persistent-keepalive +Set the interval of additional keepalive packets in seconds. +By default this functionality is disabled, equivalent to a value of 0. +This is often used to ensure a peer will be accessible when protected by +a firewall, as is when behind a NAT address. +A value of 25 is commonly used. +.It Cm wgpip Ar ip port +Set the IP address and port to send the encapsulated packets to. +If the peer changes address, the local interface will update the address +after receiving a correctly authenticated packet. +The IP address can be either +IPv4 or IPv6, and the port is a regular 16 bit UDP port. +.It Cm wgaip Ar allowed-ip/prefix +Set the allowed IPs for the peer. +The allowed IPs indicate the IP addresses a peer is allowed to send +from. +That is, in order for an incoming packet from a peer to reach the host, +the decryped IP source address must be in the peer's +.Ar allowed-ip +ranges. +.Pp +The +.Ar allowed-ip +list also provides an outgoing routing table for outgoing packets. +Overlapping ranges can be configured, with packets being +directed to the most specific route. 
+Likewise, packets can only be received for the most specific route. +.Pp +Both IPv4 and IPv6 addresses are supported. +To set multiple allowed IPs, specify the +.Cm wgaip +option multiple times in the same +.Nm +invocation. +.El .Sh EXAMPLES Assign the address of 192.168.1.10 with a network mask of |
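Review bot: in the WIREGUARD hunk, the wgaip description has a typo: "the decryped IP source address must be in the peer's allowed-ip ranges" should read "the decrypted IP source address". Two wording points in the same hunk: under wgpsk, "It offers a post-quantum resistance to the Diffie-Hellman exchange" reads better without the article, e.g. "It adds post-quantum resistance to the Diffie-Hellman exchange"; and under wgpka, "as is when behind a NAT address" is awkward and could be "as is the case when behind NAT". The rest of the section (key generation via openssl rand -base64 32, the note that the interface clamps the 5 Curve25519 bits itself, and the allowed-ip semantics for both incoming source checks and outgoing routing) is clear as written.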