Differential D37404 Diff 136072 contrib/wireguard-tools/man/wg.8

Changeset View

Standalone View

View Options

contrib/wireguard-tools/man/wg.8

.TH WG 8 "2015 August 13" ZX2C4 "WireGuard" .\" SPDX-License-Identifier: BSD-2-Clause

pauamma_gundo.comUnsubmitted

Not Done

.Bq may come handy here.

pauamma_gundo.com: .Bq may come handy here.

desUnsubmitted

Done

.Sh SYNOPSIS

.Nm

- [

- COMMAND

+ .Op Ar COMMAND

des:

desUnsubmitted

Done

COMMAND

- ] [

- OPTIONS

+ .Op Ar OPTIONS

des:

desUnsubmitted

Done

OPTIONS

- ]... [

- ARGS

+ .Op Ar ARGS

des:

.\"

jason_zx2c4.comUnsubmitted

Done

Still looks like most of the text is mine, right?

jason_zx2c4.com: Still looks like most of the text is mine, right?

.\"

.SH SYNOPSIS .Dd March 17, 2024

.B wg .Dt WG 8

[ .Os

.I COMMAND .Sh NAME

] [ .Nm wg

.I OPTIONS .Nd set and retrieve configuration of WireGuard interfaces

]... [ .Sh SYNOPSIS

.I ARGS .Nm

]... .Op Ar COMMAND

.Op Ar OPTIONS

.SH DESCRIPTION .Op Ar ARGS

.Sh DESCRIPTION

.B wg .Nm wg

is the configuration utility for getting and setting the configuration of is the configuration utility for getting and setting the configuration of

WireGuard tunnel interfaces. The interfaces themselves can be added and removed WireGuard tunnel interfaces.

using The interfaces themselves can be added and removed using

.BR ip-link (8) .Xr ifconfig 8

and their IP addresses and routing tables can be set using and their IP addresses and routing tables can be set using

.BR ip-address (8) .Xr route 8 .

pauamma_gundo.comUnsubmitted

Done

Why not ifconfig for IP addresses?

pauamma_gundo.com: Why not ifconfig for IP addresses?

and

.BR ip-route (8).

The The

.B wg .Nm

desUnsubmitted

Done

.Xr route 8 .

The

- .Nm wg

+ .Nm

utility provides a series of sub-commands for changing WireGuard-specific

des:

utility provides a series of sub-commands for changing WireGuard-specific utility provides a series of sub-commands for changing WireGuard-specific

aspects of WireGuard interfaces. aspects of WireGuard interfaces.

If no COMMAND is specified, COMMAND defaults to If no COMMAND is specified, COMMAND defaults to

.BR show . .Cm show .

desUnsubmitted

Done

aspects of WireGuard interfaces.

- If no COMMAND is specified, COMMAND defaults to show .

+ If no COMMAND is specified, COMMAND defaults to

+ .Cm show .

Sub-commands that take an INTERFACE must be passed a WireGuard interface.

des:

Sub-commands that take an INTERFACE must be passed a WireGuard interface. Sub-commands that take an INTERFACE must be passed a WireGuard interface.

.Sh COMMANDS

.SH COMMANDS .Bl -tag -width indent

.It Cm show

.TP .Bro

desUnsubmitted

Not Done

.It Cm show

- {

+ .Bro

.Ar <interface> |

everything until .Brc on a single line, keeping in mind to remove the leading . on macros when they are not at the beginning of the line.

des: everything until `.Brc` on a single line, keeping in mind to remove the leading `.` on macros…

desUnsubmitted

Not Done

Again, everything from .It until .Oc needs to be on a single line. Otherwise mandoc considers everything from .Bro on as part of the first paragraph of the item description instead of part of the item heading. If you don't like long lines you can use \ to break a single logical line into multiple physical ones, just like in a shell script.

des: Again, everything from `.It` until `.Oc` needs to be on a single line. Otherwise mandoc…

\fBshow\fP { \fI<interface>\fP | \fIall\fP | \fIinterfaces\fP } [\fIpublic-key\fP | \fIprivate-key\fP | \fIlisten-port\fP | \fIfwmark\fP | \fIpeers\fP | \fIpreshared-keys\fP | \fIendpoints\fP | \fIallowed-ips\fP | \fIlatest-handshakes\fP | \fIpersistent-keepalive\fP | \fItransfer\fP | \fIdump\fP] .Ar interface | Li all | Li interfaces

desUnsubmitted

Not Done

.It Cm show

{

- .Ar <interface> |

+ .Ar interface |

.Ar all |

Angle brackets are superfluous, .Ar already implies that “interface” is a placeholder for a user-provided value.

des: Angle brackets are superfluous, `.Ar` already implies that “interface” is a placeholder for a…

Shows current WireGuard configuration and runtime information of specified \fI<interface>\fP. .Brc

desUnsubmitted

Done

.Ar <interface> |

- .Ar all |

+ .Li all |

.Ar interfaces

Use .Ar for an argument name (placeholder for a user-provided value), .Li for a literal like all or interfaces. Or possibly .Dq Li since .Ar and .Li look the same on a terminal.

des: Use `.Ar` for an argument name (placeholder for a user-provided value), `.Li` for a literal…

If no \fI<interface>\fP is specified, \fI<interface>\fP defaults to \fIall\fP. .Oo

desUnsubmitted

Done

.Ar all |

- .Ar interfaces

+ .Li interfaces

}

[

.Ar public-key |

des:

desUnsubmitted

Done

.Ar interfaces

- }

+ .Brc

[

.Ar public-key |

des:

one per line, and quits. If no options are given after the interface .Li preshared-keys | Li endpoints | Li allowed-ips | Li latest-handshakes |

desUnsubmitted

Done

.Ar interfaces

}

- [

+ .Oo

.Ar public-key |

des:

specification, then prints a list of all attributes in a visually pleasing way .Li persistent-keepalive | Li transfer | Li dump

desUnsubmitted

Done

See above re. .Ar vs .Li.

des: See above re. `.Ar` vs `.Li`.

meant for the terminal. Otherwise, prints specified information grouped by .Oc

newlines and tabs, meant to be used in scripts. For this script-friendly display, Shows current WireGuard configuration and runtime information of

if \fIall\fP is specified, then the first field for all categories of information specified

is the interface name. If \fPdump\fP is specified, then several lines are printed; .Ar interface .

the first contains in order separated by tab: private-key, public-key, listen-port, If no

fwmark. Subsequent lines are printed for each peer and contain in order separated .Ar interface

is specified,

.Ar interface

defaults to

.Ar all .

.Ar interfaces

desUnsubmitted

Done

.Ar dump

- ]

+ .Oc

Shows current WireGuard configuration and runtime information of

des:

is specified, prints a list of all WireGuard interfaces,

one per line, and quits.

If no options are given after the interface specification, then

desUnsubmitted

Not Done

Please remove _all_ the angle brackets, not just the ones in the heading.

des: Please remove _all_ the angle brackets, not just the ones in the heading.

prints a list of all attributes in a visually pleasing way meant

for the terminal.

Otherwise, prints specified information grouped by newlines and tabs, meant

to be used in scripts.

For this script-friendly display, if

.Ar all

desUnsubmitted

Not Done

defaults to

- .Ar all .

+ .Li all .

.Ar interfaces

des:

is specified, then the

first field for all categories of information is the interface name.

.Ar dump

is specified, then several lines are printed;

the first contains in order separated by tab:

private-key, public-key, listen-port, fwmark.

Subsequent lines are printed for each peer and contain in order separated

by tab: public-key, preshared-key, endpoint, allowed-ips, latest-handshake, by tab: public-key, preshared-key, endpoint, allowed-ips, latest-handshake,

transfer-rx, transfer-tx, persistent-keepalive. transfer-rx, transfer-tx, persistent-keepalive.

.TP .It Cm showconf Ar interface

desUnsubmitted

Not Done

For this script-friendly display, if

- .Ar all

+ .Li all

is specified, then the

etc.

des: etc.

\fBshowconf\fP \fI<interface>\fP Shows the current configuration of

Shows the current configuration of \fI<interface>\fP in the format described .Ar interface

by \fICONFIGURATION FILE FORMAT\fP below. in the format described by

desUnsubmitted

Not Done

Shows the current configuration of

- .Ar <interface> in the format described

+ .Ar interface

+ in the format described

.Sx CONFIGURATION FILE FORMAT

des:

.TP .Sx CONFIGURATION FILE FORMAT

\fBset\fP \fI<interface>\fP [\fIlisten-port\fP \fI<port>\fP] [\fIfwmark\fP \fI<fwmark>\fP] [\fIprivate-key\fP \fI<file-path>\fP] [\fIpeer\fP \fI<base64-public-key>\fP [\fIremove\fP] [\fIpreshared-key\fP \fI<file-path>\fP] [\fIendpoint\fP \fI<ip>:<port>\fP] [\fIpersistent-keepalive\fP \fI<interval seconds>\fP] [\fIallowed-ips\fP \fI<ip1>/<cidr1>\fP[,\fI<ip2>/<cidr2>\fP]...] ]... below.

Sets configuration values for the specified \fI<interface>\fP. Multiple .It Cm set

\fIpeer\fPs may be specified, and if the \fIremove\fP argument is given .Ar interface

desUnsubmitted

Not Done

See above, everything until the actual text begins must be on a single line.

des: See above, everything until the actual text begins must be on a single line.

desUnsubmitted

Not Done

Not done

des: Not done

for a peer, that peer is removed, not configured. If \fIlisten-port\fP .Bo

desUnsubmitted

Not Done

Not done

des: Not done

is not specified, or set to 0, the port will be chosen randomly when the .Ar listen-port Ar port

interface comes up. Both \fIprivate-key\fP and \fIpreshared-key\fP must .Bc

be files, because command line arguments are not considered private on .Bo

most systems but if you are using .Ar fwmark Ar fwmark

.BR bash (1), .Bc

you may safely pass in a string by specifying as \fIprivate-key\fP or .Bo

\fIpreshared-key\fP the expression: <(echo PRIVATEKEYSTRING). If .Ar private-key Ar file-path

\fI/dev/null\fP or another empty file is specified as the filename for .Bc

either \fIprivate-key\fP or \fIpreshared-key\fP, the key is removed from .Bo

the device. The use of \fIpreshared-key\fP is optional, and may be omitted; .Ar peer Ar base64-public-key

it adds an additional layer of symmetric-key cryptography to be mixed into .Bo

the already existing public-key cryptography, for post-quantum resistance. .Ar remove

If \fIallowed-ips\fP is specified, but the value is the empty string, all .Bc

allowed ips are removed from the peer. The use of \fIpersistent-keepalive\fP .Bo

is optional and is by default off; setting it to 0 or "off" disables it. .Ar preshared-key Ar file-path

.Bc

.Bo

.Ar endpoint Ar ip Ns : Ns Ar port

.Bc

.Bo

.Ar persistent-keepalive Ar interval seconds

desUnsubmitted

Done

.Ar endpoint

- .Ar <ip>:<port>

- ]

+ .Ar ip Ns : Ns Ar port]

[

.Ar persistent-keepalive

des:

.Bc

.Bo

.Ar allowed-ips Ar ip1/cidr1

.Bo ,

.Ar ip2/cidr2

.Bc ... Bc

.Bc ...

Sets configuration values for the specified

.Ar interface .

Multiple

.Ar peer

may be specified, and if the

.Ar remove argument is given

for a peer, that peer is removed, not configured.

.Ar listen-port

is not specified, or set to 0, the port will

be chosen randomly when the interface comes up.

Both

.Ar private-key

and

.Ar preshared-key

must be files, because command

line arguments are not considered private on most systems but if you are using

.Xr bash 1 ,

you may safely pass in a string by specifying as

.Ar private-key

.Ar preshared-key

the expression: < (echo PRIVATEKEYSTRING).

.Ar /dev/null

or another empty file is specified as the filename for

either

.Ar private-key

.Ar preshared-key ,

the key is removed from the device.

The use of

.Ar preshared-key

is optional, and may be omitted; it adds an

additional layer of symmetric-key cryptography to be mixed into the already

existing public-key cryptography, for post-quantum resistance.

.Ar allowed-ips

is specified, but the value is the empty string, all

allowed ips are removed from the peer.

The use of

.Ar persistent-keepalive

is optional and is by default off;

setting it to 0 or "off" disables it.

desUnsubmitted

Done

transfer-rx, transfer-tx, persistent-keepalive.

- .It Cm showconf

+ .It Cm showconf Ar interface

.Ar <interface>

des:

Otherwise it represents, in seconds, between 1 and 65535 inclusive, how often Otherwise it represents, in seconds, between 1 and 65535 inclusive, how often

to send an authenticated empty packet to the peer, for the purpose of keeping to send an authenticated empty packet to the peer, for the purpose of keeping

a stateful firewall or NAT mapping valid persistently. For example, if the a stateful firewall or NAT mapping valid persistently.

interface very rarely sends traffic, but it might at anytime receive traffic For example, if the interface very rarely sends traffic, but it might at

from a peer, and it is behind NAT, the interface might benefit from having a anytime receive traffic from a peer, and it is behind NAT, the interface

persistent keepalive interval of 25 seconds; however, most users will not need might benefit from having a persistent keepalive interval of 25 seconds;

this. The use of \fIfwmark\fP is optional and is by default off; setting it to however, most users will not need this.

0 or "off" disables it. Otherwise it is a 32-bit fwmark for outgoing packets The use of

and may be specified in hexadecimal by prepending "0x". .Ar fwmark

.TP is optional and is by default off; setting it to 0 or "off" disables it.

\fBsetconf\fP \fI<interface>\fP \fI<configuration-filename>\fP Otherwise it is a 32-bit fwmark for outgoing packets and may be specified

Sets the current configuration of \fI<interface>\fP to the contents of in hexadecimal by prepending "0x".

\fI<configuration-filename>\fP, which must be in the format described .It Cm setconf Ar interface Ar configuration-filename

by \fICONFIGURATION FILE FORMAT\fP below. Sets the current configuration of

.TP .Ar interface

\fBaddconf\fP \fI<interface>\fP \fI<configuration-filename>\fP to the contents of

Appends the contents of \fI<configuration-filename>\fP, which must .Ar configuration-filename ,

be in the format described by \fICONFIGURATION FILE FORMAT\fP below, which must be in the format described

to the current configuration of \fI<interface>\fP. by

.TP .Sx CONFIGURATION FILE FORMAT

\fBsyncconf\fP \fI<interface>\fP \fI<configuration-filename>\fP below.

Like \fBsetconf\fP, but reads back the existing configuration first .It Cm addconf Ar interface Ar configuration-filename

and only makes changes that are explicitly different between the configuration Appends the contents of

file and the interface. This is much less efficient than \fBsetconf\fP, .Ar configuration-filename ,

but has the benefit of not disrupting current peer sessions. The contents of which must be in the format described by

\fI<configuration-filename>\fP must be in the format described by .Sx CONFIGURATION FILE FORMAT below ,

\fICONFIGURATION FILE FORMAT\fP below. to the current configuration of

.TP .Ar interface .

\fBgenkey\fP .It Cm syncconf Ar interface Ar configuration-filename

Generates a random \fIprivate\fP key in base64 and prints it to Like

standard output. .Ar setconf ,

.TP but reads back the existing configuration first and only makes changes that

\fBgenpsk\fP are explicitly different between the configuration file and the interface.

Generates a random \fIpreshared\fP key in base64 and prints it to This is much less efficient than

standard output. .Ar setconf ,

.TP but has the benefit of not disrupting current peer sessions.

\fBpubkey\fP The contents of

Calculates a \fIpublic\fP key and prints it in base64 to standard .Ar configuration-filename

output from a corresponding \fIprivate\fP key (generated with must be in the format described by

\fIgenkey\fP) given in base64 on standard input. .Sx CONFIGURATION FILE FORMAT below .

.It Cm genkey

A private key and a corresponding public key may be generated at once by calling: Generates a random

.br .Ar private

key in base64 and prints it to standard output.

.It Cm genpsk

Generates a random

.Ar preshared

key in base64 and prints it to standard output.

.It Cm pubkey

Calculates a

.Ar public

key and prints it in base64 to standard output from a corresponding

.Ar private

key (generated with genkey) given in base64 on standard input.

A private key and a corresponding public key may be generated at

once by calling:

.Bd -literal -offset indent

$ umask 077 $ umask 077

.br

$ wg genkey | tee private.key | wg pubkey > public.key $ wg genkey | tee private.key | wg pubkey > public.key

.TP .Ed

\fBhelp\fP .It Cm help

Shows usage message. Shows usage message.

.El

.SH CONFIGURATION FILE FORMAT .Sh CONFIGURATION FILE FORMAT

The configuration file format is based on \fIINI\fP. There are two top level sections The configuration file format is based on the Windows INI file format.

-- \fIInterface\fP and \fIPeer\fP. Multiple \fIPeer\fP sections may be specified, but There are two top level sections:

desUnsubmitted

Done

“INI” is not an argument, so .Ar is improper. I would expand to “the Windows INI file format”.

des: “INI” is not an argument, so `.Ar` is improper. I would expand to “the Windows INI file format”.

only one \fIInterface\fP section may be specified. .Li Interface

desUnsubmitted

Done

.Ar INI .

- There are two top level sections --

- .Ar Interface

+ There are two top level sections:.Ar Interface

des:

and

desUnsubmitted

Done

“Interface” is not an argument. I'm unsure what would be best here, but perhaps .Li?

des: “Interface” is not an argument. I'm unsure what would be best here, but perhaps `.Li`?

.P .Li Peer .

The \fIInterface\fP section may contain the following fields: Multiple

.IP \(bu .Li Peer

PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required. sections may be specified, but only one

.IP \(bu .Li Interface

ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen section may be specified.

randomly. .Pp

.IP \(bu The

FwMark \(em a 32-bit fwmark for outgoing packets. If set to 0 or "off", this .Ar Interface

option is disabled. May be specified in hexadecimal by prepending "0x". Optional. section may contain the following fields:

.P .Bl -tag -width indent

The \fIPeer\fP sections may contain the following fields: .It Va PrivateKey

.IP \(bu a base64 private key generated by the

desUnsubmitted

Done

PrivateKey is not a command, I believe .Va would be more appropriate here.

des: `PrivateKey` is not a command, I believe `.Va` would be more appropriate here.

PublicKey \(em a base64 public key calculated by \fIwg pubkey\fP from a .Cm genkey

private key, and usually transmitted out of band to the author of the command.

desUnsubmitted

Done

a base64 private key generated by

- .Ar wg genkey .

+ the

+ .Cm genkey

+ command.

Required.

again, not an argument.

des: again, not an argument.

configuration file. Required. Required.

.IP \(bu .It Cm ListenPort

PresharedKey \(em a base64 preshared key generated by \fIwg genpsk\fP. Optional, a 16-bit port for listening.

and may be omitted. This option adds an additional layer of symmetric-key Optional; if not specified, chosen randomly.

cryptography to be mixed into the already existing public-key cryptography, .It Cm FwMark

for post-quantum resistance. a 32-bit fwmark for outgoing packets.

.IP \(bu If set to 0 or "off", this option is disabled.

AllowedIPs \(em a comma-separated list of IP (v4 or v6) addresses with May be specified in hexadecimal by prepending "0x".

Optional.

.El

.Pp

The

.Ar Peer

sections may contain the following fields:

.Bl -tag -width indent

.It Cm PublicKey

a base64 public key calculated by

.Ar wg pubkey

from a private key, and usually transmitted out of band to the author of the

configuration file.

Required.

.It Cm PresharedKey

a base64 preshared key generated by

.Ar wg genpsk .

Optional, and may be omitted.

This option adds an additional layer of symmetric-key cryptography to

be mixed into the already existing public-key cryptography, for post-quantum

resistance.

.It Cm AllowedIPs

a comma-separated list of IP (v4 or v6) addresses with

CIDR masks from which incoming traffic for this peer is allowed and to CIDR masks from which incoming traffic for this peer is allowed and to

which outgoing traffic for this peer is directed. The catch-all which outgoing traffic for this peer is directed.

\fI0.0.0.0/0\fP may be specified for matching all IPv4 addresses, and The catch-all 0.0.0.0/0 may be specified for matching all v4 addresses,

\fI::/0\fP may be specified for matching all IPv6 addresses. May be specified and ::/0 may be specified for matching all v6 addresses.

desUnsubmitted

Done

not an argument

des: not an argument

multiple times. May be specified multiple times.

.IP \(bu .It Cm Endpoint

Endpoint \(em an endpoint IP or hostname, followed by a colon, and then a an endpoint IP or hostname, followed by a colon, and then a

port number. This endpoint will be updated automatically to the most recent port number.

pauamma_gundo.comUnsubmitted

Not Done

.It Cm Endpoint

- an endpoint IP or hostname, followed by a colon, and then a

+ an endpoint IP or hostname, followed by a colon then a

port number.

Taste, concision

pauamma_gundo.com: Taste, concision

source IP address and port of correctly authenticated packets from the peer. This endpoint will be updated automatically to the most recent source IP address

and port of correctly authenticated packets from the peer.

Optional. Optional.

.IP \(bu .It Cm PersistentKeepalive

PersistentKeepalive \(em a seconds interval, between 1 and 65535 inclusive, of a seconds interval, between 1 and 65535 inclusive, of

how often to send an authenticated empty packet to the peer for the purpose of keeping a how often to send an authenticated empty packet to the peer for the purpose of

stateful firewall or NAT mapping valid persistently. For example, if the interface keeping a stateful firewall or NAT mapping valid persistently.

very rarely sends traffic, but it might at anytime receive traffic from a peer, For example, if the interface very rarely sends traffic, but it might at

and it is behind NAT, the interface might benefit from having a persistent keepalive anytime receive traffic from a peer, and it is behind NAT, the interface

interval of 25 seconds. If set to 0 or "off", this option is disabled. By default or might benefit from having a persistent keepalive interval of 25 seconds.

when unspecified, this option is off. Most users will not need this. Optional. If set to 0 or "off", this option is disabled.

By default or when unspecified, this option is off.

.SH CONFIGURATION FILE FORMAT EXAMPLE Most users will not need this.

This example may be used as a model for writing configuration files, following an Optional.

INI-like syntax. Characters after and including a '#' are considered comments and .El

.Sh CONFIGURATION FILE FORMAT EXAMPLE

This example may be used as a model for writing configuration files,

following an INI-like syntax.

Characters after and including a '#' are considered comments and

are thus ignored. are thus ignored.

.Bd -literal -offset indent

[Interface] [Interface]

.br

PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk= PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=

.br

ListenPort = 51820 ListenPort = 51820

.br

[Peer] [Peer]

.br

PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg= PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=

.br

Endpoint = 192.95.5.67:1234 Endpoint = 192.95.5.67:1234

.br

AllowedIPs = 10.192.122.3/32, 10.192.124.1/24 AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

.br

[Peer] [Peer]

.br

PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0= PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=

.br

Endpoint = [2607:5300:60:6b0::c05f:543]:2468 Endpoint = [2607:5300:60:6b0::c05f:543]:2468

.br

AllowedIPs = 10.192.122.4/32, 192.168.0.0/16 AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

.br

[Peer] [Peer]

.br

PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA= PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=

.br

Endpoint = test.wireguard.com:18981 Endpoint = test.wireguard.com:18981

.br

AllowedIPs = 10.10.10.230/32 AllowedIPs = 10.10.10.230/32

.Ed

.SH DEBUGGING INFORMATION .Sh DEBUGGING INFORMATION

Sometimes it is useful to have information on the current runtime state of a tunnel. When using the Linux kernel module on a kernel that supports dynamic debugging, debugging information can be written into Sometimes it is useful to have information on the current runtime state

.BR dmesg (1) of a tunnel.

by running as root: Debugging information can be written into

.Xr dmesg 8

\fB # modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control\fP

On OpenBSD and FreeBSD, debugging information can be written into

.BR dmesg (1)

on a per-interface basis by using on a per-interface basis by using

.BR ifconfig (1): .Xr ifconfig 8 :

.Bd -literal -offset indent

\fB # ifconfig wg0 debug # ifconfig wg0 debug

.Ed

On userspace implementations, it is customary to set the \fILOG_LEVEL\fP environment variable to \fIverbose\fP. .Pp

On userspace implementations, it is customary to set the

.SH ENVIRONMENT VARIABLES .Ar LOG_LEVEL

.TP environment variable to

.I WG_COLOR_MODE .Ar verbose .

If set to \fIalways\fP, always print ANSI colorized output. If set to \fInever\fP, never print ANSI colorized output. If set to \fIauto\fP, something invalid, or unset, then print ANSI colorized output only when writing to a TTY. .Sh ENVIRONMENT

.TP The following environment variables affect the execution of

.I WG_HIDE_KEYS .Nm :

If set to \fInever\fP, then the pretty-printing \fBshow\fP sub-command will show private and preshared keys in the output. If set to \fIalways\fP, something invalid, or unset, then private and preshared keys will be printed as "(hidden)". .Bl -tag -width WG_ENDPOINT_RESOLUTION_RETRIES

.TP .It Ev WG_COLOR_MODE

.I WG_ENDPOINT_RESOLUTION_RETRIES If set to

If set to an integer or to \fIinfinity\fP, DNS resolution for each peer's endpoint will be retried that many times for non-permanent errors, with an increasing delay between retries. If unset, the default is 15 retries. .Ar always ,

always print ANSI colorized output.

.SH SEE ALSO If set to

.BR wg-quick (8), .Ar never ,

.BR ip (8), never print ANSI colorized output.

.BR ip-link (8), If set to

.BR ip-address (8), .Ar auto ,

.BR ip-route (8). something invalid, or unset, then print ANSI

colorized output only when writing to a TTY.

.SH AUTHOR .It Ev WG_HIDE_KEYS

.B wg If set to

was written by .Ar never ,

.MT Jason@zx2c4.com then the pretty-printing

Jason A. Donenfeld .Ar show

.ME . sub-command will show private and preshared keys in the output.

For updates and more information, a project page is available on the If set to

.UR https://\:www.wireguard.com/ .Ar always ,

World Wide Web something invalid, or unset, then private and preshared keys will be printed

.UE . as (hidden).

desUnsubmitted

Done

something invalid, or unset, then private and preshared keys will be printed

- as "(hidden)".

+ as

+ .Li (hidden) .

.It Ev WG_ENDPOINT_RESOLUTION_RETRIES

des:

.It Ev WG_ENDPOINT_RESOLUTION_RETRIES

pauamma_gundo.comUnsubmitted

Done

Maybe .Lk instead?

pauamma_gundo.com: Maybe .Lk instead?

gbeAuthorUnsubmitted

Done

.Lk isn't suitable in an .Rs context.

gbe: .Lk isn't suitable in an .Rs context.

pauamma_gundo.comUnsubmitted

Done

I meant instead of .Rs. Or is .Rs required here?

pauamma_gundo.com: I meant instead of .Rs. Or is .Rs required here?

If set to an integer or to

.Li infinity ,

desUnsubmitted

Done

If set to an integer or to

- .Ar infinity ,

+ .Li infinity ,

DNS resolution for each peer's endpoint will be retried that many times for

des:

DNS resolution for each peer's endpoint will be retried that many times for

non-permanent errors, with an increasing delay between retries.

If unset, the default is 15 retries.

.El

.Sh SEE ALSO

.Xr netstat 1 ,

.Xr ifconfig 8 ,

.Xr route 8

.Rs

.%T WireGuard Project Page

.%U https://www.wireguard.com/

.Re

.Sh HISTORY

The

.Nm

command first appeared in

.Fx 13.2 .

.Sh AUTHORS

.An -nosplit

The

.Nm wg

command was written by

.An Jason A. Donenfeld Aq Mt Jason@zx2c4.com .

.Pp

This manual page was written by

desUnsubmitted

Done

I think it would be more fair to say that it was “written by Jason A. Donenfeld and Gordon Bergling” since most of the text is still Jason's.

des: I think it would be more fair to say that it was “written by Jason A. Donenfeld and Gordon…

.An Jason A. Donenfeld Aq Mt Jason@zx2c4.com

and adapted for

.Fx by

.An Gordon Bergling Aq Mt gbe@FreeBSD.org .