contrib/wireguard-tools/man/wg.8
.TH WG 8 "2015 August 13" ZX2C4 "WireGuard" | .\" SPDX-License-Identifier: BSD-2-Clause | ||||||||||
pauamma_gundo.com: .Bq may come in handy here.
.\" | |||||||||||
jason_zx2c4.com: Still looks like most of the text is mine, right?
.SH NAME | .\" Copyright (c) 2021 Jason A. Donenfeld <Jason@zx2c4.com> | ||||||||||
wg - set and retrieve configuration of WireGuard interfaces | .\" Copyright (c) 2024 Gordon Bergling <gbe@FreeBSD.org> | ||||||||||
.\" | |||||||||||
.SH SYNOPSIS | .Dd March 17, 2024 | ||||||||||
.B wg | .Dt WG 8 | ||||||||||
[ | .Os | ||||||||||
.I COMMAND | .Sh NAME | ||||||||||
] [ | .Nm wg | ||||||||||
.I OPTIONS | .Nd set and retrieve configuration of WireGuard interfaces | ||||||||||
]... [ | .Sh SYNOPSIS | ||||||||||
.I ARGS | .Nm | ||||||||||
]... | .Op Ar COMMAND | ||||||||||
.Op Ar OPTIONS | |||||||||||
.SH DESCRIPTION | .Op Ar ARGS | ||||||||||
.Sh DESCRIPTION | |||||||||||
.B wg | .Nm wg | ||||||||||
is the configuration utility for getting and setting the configuration of | is the configuration utility for getting and setting the configuration of | ||||||||||
WireGuard tunnel interfaces. The interfaces themselves can be added and removed | WireGuard tunnel interfaces. | ||||||||||
using | The interfaces themselves can be added and removed using | ||||||||||
.BR ip-link (8) | .Xr ifconfig 8 | ||||||||||
and their IP addresses and routing tables can be set using | and their IP addresses and routing tables can be set using | ||||||||||
.BR ip-address (8) | .Xr route 8 . | ||||||||||
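Review bot: the new SYNOPSIS drops the repetition markers the old one had: `.Op Ar OPTIONS` and `.Op Ar ARGS` render as `[OPTIONS] [ARGS]`, while the left side reads `[OPTIONS]... [ARGS]...`. Write `.Op Ar OPTIONS ...` and `.Op Ar ARGS ...` so the synopsis still states that several options and arguments may follow the command.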
pauamma_gundo.com: Why not ifconfig for IP addresses?
and | |||||||||||
.BR ip-route (8). | |||||||||||
The | The | ||||||||||
.B wg | .Nm | ||||||||||
utility provides a series of sub-commands for changing WireGuard-specific | utility provides a series of sub-commands for changing WireGuard-specific | ||||||||||
aspects of WireGuard interfaces. | aspects of WireGuard interfaces. | ||||||||||
If no COMMAND is specified, COMMAND defaults to | If no COMMAND is specified, COMMAND defaults to | ||||||||||
.BR show . | .Cm show . | ||||||||||
Sub-commands that take an INTERFACE must be passed a WireGuard interface. | Sub-commands that take an INTERFACE must be passed a WireGuard interface. | ||||||||||
.Sh COMMANDS | |||||||||||
.SH COMMANDS | .Bl -tag -width indent | ||||||||||
.It Cm show | |||||||||||
.TP | .Bro | ||||||||||
des: everything until `.Brc` on a single line, keeping in mind to remove the leading `.` on macros when they are not at the beginning of the line.
des: Again, everything from `.It` until `.Oc` needs to be on a single line. Otherwise mandoc considers everything from `.Bro` on as part of the first paragraph of the item description instead of part of the item heading. If you don't like long lines you can use `\` to break a single logical line into multiple physical ones, just like in a shell script.
\fBshow\fP { \fI<interface>\fP | \fIall\fP | \fIinterfaces\fP } [\fIpublic-key\fP | \fIprivate-key\fP | \fIlisten-port\fP | \fIfwmark\fP | \fIpeers\fP | \fIpreshared-keys\fP | \fIendpoints\fP | \fIallowed-ips\fP | \fIlatest-handshakes\fP | \fIpersistent-keepalive\fP | \fItransfer\fP | \fIdump\fP] | .Ar interface | Li all | Li interfaces | ||||||||||
des: Angle brackets are superfluous, `.Ar` already implies that “interface” is a placeholder for a user-provided value.
Shows current WireGuard configuration and runtime information of specified \fI<interface>\fP. | .Brc | ||||||||||
des: Use `.Ar` for an argument name (placeholder for a user-provided value), `.Li` for a literal like all or interfaces. Or possibly `.Dq Li` since `.Ar` and `.Li` look the same on a terminal.
If no \fI<interface>\fP is specified, \fI<interface>\fP defaults to \fIall\fP. | .Oo | ||||||||||
If \fIinterfaces\fP is specified, prints a list of all WireGuard interfaces, | .Li public-key | Li private-key | Li listen-port | Li fwmark | Li peers | | ||||||||||
one per line, and quits. If no options are given after the interface | .Li preshared-keys | Li endpoints | Li allowed-ips | Li latest-handshakes | | ||||||||||
specification, then prints a list of all attributes in a visually pleasing way | .Li persistent-keepalive | Li transfer | Li dump | ||||||||||
des: See above re. `.Ar` vs `.Li`.
meant for the terminal. Otherwise, prints specified information grouped by | .Oc | ||||||||||
newlines and tabs, meant to be used in scripts. For this script-friendly display, | Shows current WireGuard configuration and runtime information of | ||||||||||
if \fIall\fP is specified, then the first field for all categories of information | specified | ||||||||||
is the interface name. If \fPdump\fP is specified, then several lines are printed; | .Ar interface . | ||||||||||
the first contains in order separated by tab: private-key, public-key, listen-port, | If no | ||||||||||
fwmark. Subsequent lines are printed for each peer and contain in order separated | .Ar interface | ||||||||||
is specified, | |||||||||||
.Ar interface | |||||||||||
defaults to | |||||||||||
.Ar all . | |||||||||||
If | |||||||||||
.Ar interfaces | |||||||||||
is specified, prints a list of all WireGuard interfaces, | |||||||||||
one per line, and quits. | |||||||||||
If no options are given after the interface specification, then | |||||||||||
des: Please remove _all_ the angle brackets, not just the ones in the heading.
prints a list of all attributes in a visually pleasing way meant | |||||||||||
for the terminal. | |||||||||||
Otherwise, prints specified information grouped by newlines and tabs, meant | |||||||||||
to be used in scripts. | |||||||||||
For this script-friendly display, if | |||||||||||
.Ar all | |||||||||||
is specified, then the | |||||||||||
first field for all categories of information is the interface name. | |||||||||||
If | |||||||||||
.Ar dump | |||||||||||
is specified, then several lines are printed; | |||||||||||
the first contains in order separated by tab: | |||||||||||
private-key, public-key, listen-port, fwmark. | |||||||||||
Subsequent lines are printed for each peer and contain in order separated | |||||||||||
by tab: public-key, preshared-key, endpoint, allowed-ips, latest-handshake, | by tab: public-key, preshared-key, endpoint, allowed-ips, latest-handshake, | ||||||||||
transfer-rx, transfer-tx, persistent-keepalive. | transfer-rx, transfer-tx, persistent-keepalive. | ||||||||||
.TP | .It Cm showconf Ar interface | ||||||||||
des: etc.
\fBshowconf\fP \fI<interface>\fP | Shows the current configuration of | ||||||||||
Shows the current configuration of \fI<interface>\fP in the format described | .Ar interface | ||||||||||
by \fICONFIGURATION FILE FORMAT\fP below. | in the format described by | ||||||||||
.TP | .Sx CONFIGURATION FILE FORMAT | ||||||||||
\fBset\fP \fI<interface>\fP [\fIlisten-port\fP \fI<port>\fP] [\fIfwmark\fP \fI<fwmark>\fP] [\fIprivate-key\fP \fI<file-path>\fP] [\fIpeer\fP \fI<base64-public-key>\fP [\fIremove\fP] [\fIpreshared-key\fP \fI<file-path>\fP] [\fIendpoint\fP \fI<ip>:<port>\fP] [\fIpersistent-keepalive\fP \fI<interval seconds>\fP] [\fIallowed-ips\fP \fI<ip1>/<cidr1>\fP[,\fI<ip2>/<cidr2>\fP]...] ]... | below. | ||||||||||
Sets configuration values for the specified \fI<interface>\fP. Multiple | .It Cm set | ||||||||||
\fIpeer\fPs may be specified, and if the \fIremove\fP argument is given | .Ar interface | ||||||||||
des: See above, everything until the actual text begins must be on a single line.
des: Not done
for a peer, that peer is removed, not configured. If \fIlisten-port\fP | .Bo | ||||||||||
des: Not done
is not specified, or set to 0, the port will be chosen randomly when the | .Ar listen-port Ar port | ||||||||||
interface comes up. Both \fIprivate-key\fP and \fIpreshared-key\fP must | .Bc | ||||||||||
be files, because command line arguments are not considered private on | .Bo | ||||||||||
most systems but if you are using | .Ar fwmark Ar fwmark | ||||||||||
.BR bash (1), | .Bc | ||||||||||
you may safely pass in a string by specifying as \fIprivate-key\fP or | .Bo | ||||||||||
\fIpreshared-key\fP the expression: <(echo PRIVATEKEYSTRING). If | .Ar private-key Ar file-path | ||||||||||
\fI/dev/null\fP or another empty file is specified as the filename for | .Bc | ||||||||||
either \fIprivate-key\fP or \fIpreshared-key\fP, the key is removed from | .Bo | ||||||||||
the device. The use of \fIpreshared-key\fP is optional, and may be omitted; | .Ar peer Ar base64-public-key | ||||||||||
it adds an additional layer of symmetric-key cryptography to be mixed into | .Bo | ||||||||||
the already existing public-key cryptography, for post-quantum resistance. | .Ar remove | ||||||||||
If \fIallowed-ips\fP is specified, but the value is the empty string, all | .Bc | ||||||||||
allowed ips are removed from the peer. The use of \fIpersistent-keepalive\fP | .Bo | ||||||||||
is optional and is by default off; setting it to 0 or "off" disables it. | .Ar preshared-key Ar file-path | ||||||||||
.Bc | |||||||||||
.Bo | |||||||||||
.Ar endpoint Ar ip Ns : Ns Ar port | |||||||||||
.Bc | |||||||||||
.Bo | |||||||||||
.Ar persistent-keepalive Ar interval seconds | |||||||||||
.Bc | |||||||||||
.Bo | |||||||||||
.Ar allowed-ips Ar ip1/cidr1 | |||||||||||
.Bo , | |||||||||||
.Ar ip2/cidr2 | |||||||||||
.Bc ... Bc | |||||||||||
.Bc ... | |||||||||||
Sets configuration values for the specified | |||||||||||
.Ar interface . | |||||||||||
Multiple | |||||||||||
.Ar peer | |||||||||||
may be specified, and if the | |||||||||||
.Ar remove argument is given | |||||||||||
for a peer, that peer is removed, not configured. | |||||||||||
If | |||||||||||
.Ar listen-port | |||||||||||
is not specified, or set to 0, the port will | |||||||||||
be chosen randomly when the interface comes up. | |||||||||||
Both | |||||||||||
.Ar private-key | |||||||||||
and | |||||||||||
.Ar preshared-key | |||||||||||
must be files, because command | |||||||||||
line arguments are not considered private on most systems but if you are using | |||||||||||
.Xr bash 1 , | |||||||||||
you may safely pass in a string by specifying as | |||||||||||
.Ar private-key | |||||||||||
or | |||||||||||
.Ar preshared-key | |||||||||||
the expression: < (echo PRIVATEKEYSTRING). | |||||||||||
If | |||||||||||
.Ar /dev/null | |||||||||||
or another empty file is specified as the filename for | |||||||||||
either | |||||||||||
.Ar private-key | |||||||||||
or | |||||||||||
.Ar preshared-key , | |||||||||||
the key is removed from the device. | |||||||||||
The use of | |||||||||||
.Ar preshared-key | |||||||||||
is optional, and may be omitted; it adds an | |||||||||||
additional layer of symmetric-key cryptography to be mixed into the already | |||||||||||
existing public-key cryptography, for post-quantum resistance. | |||||||||||
If | |||||||||||
.Ar allowed-ips | |||||||||||
is specified, but the value is the empty string, all | |||||||||||
allowed ips are removed from the peer. | |||||||||||
The use of | |||||||||||
.Ar persistent-keepalive | |||||||||||
is optional and is by default off; | |||||||||||
setting it to 0 or "off" disables it. | |||||||||||
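Review bot: the bash example on the line `the expression: < (echo PRIVATEKEYSTRING).` is no longer valid shell: the left side has `<(echo PRIVATEKEYSTRING)` (process substitution), and the space inserted after `<` turns it into an input redirection followed by a parenthesised command, which bash rejects. Restore `<(echo PRIVATEKEYSTRING)`; it does not start with `.`, so it can stay literal in the text. A few lines above, `.Ar remove argument is given` puts the prose `argument is given` inside the `.Ar` macro, so those words are rendered as part of the placeholder; end the macro line after `remove` and continue the sentence on the next line, as the other `.Ar` lines in this item do.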
Otherwise it represents, in seconds, between 1 and 65535 inclusive, how often | Otherwise it represents, in seconds, between 1 and 65535 inclusive, how often | ||||||||||
to send an authenticated empty packet to the peer, for the purpose of keeping | to send an authenticated empty packet to the peer, for the purpose of keeping | ||||||||||
a stateful firewall or NAT mapping valid persistently. For example, if the | a stateful firewall or NAT mapping valid persistently. | ||||||||||
interface very rarely sends traffic, but it might at anytime receive traffic | For example, if the interface very rarely sends traffic, but it might at | ||||||||||
from a peer, and it is behind NAT, the interface might benefit from having a | anytime receive traffic from a peer, and it is behind NAT, the interface | ||||||||||
persistent keepalive interval of 25 seconds; however, most users will not need | might benefit from having a persistent keepalive interval of 25 seconds; | ||||||||||
this. The use of \fIfwmark\fP is optional and is by default off; setting it to | however, most users will not need this. | ||||||||||
0 or "off" disables it. Otherwise it is a 32-bit fwmark for outgoing packets | The use of | ||||||||||
and may be specified in hexadecimal by prepending "0x". | .Ar fwmark | ||||||||||
.TP | is optional and is by default off; setting it to 0 or "off" disables it. | ||||||||||
\fBsetconf\fP \fI<interface>\fP \fI<configuration-filename>\fP | Otherwise it is a 32-bit fwmark for outgoing packets and may be specified | ||||||||||
Sets the current configuration of \fI<interface>\fP to the contents of | in hexadecimal by prepending "0x". | ||||||||||
\fI<configuration-filename>\fP, which must be in the format described | .It Cm setconf Ar interface Ar configuration-filename | ||||||||||
by \fICONFIGURATION FILE FORMAT\fP below. | Sets the current configuration of | ||||||||||
.TP | .Ar interface | ||||||||||
\fBaddconf\fP \fI<interface>\fP \fI<configuration-filename>\fP | to the contents of | ||||||||||
Appends the contents of \fI<configuration-filename>\fP, which must | .Ar configuration-filename , | ||||||||||
be in the format described by \fICONFIGURATION FILE FORMAT\fP below, | which must be in the format described | ||||||||||
to the current configuration of \fI<interface>\fP. | by | ||||||||||
.TP | .Sx CONFIGURATION FILE FORMAT | ||||||||||
\fBsyncconf\fP \fI<interface>\fP \fI<configuration-filename>\fP | below. | ||||||||||
Like \fBsetconf\fP, but reads back the existing configuration first | .It Cm addconf Ar interface Ar configuration-filename | ||||||||||
and only makes changes that are explicitly different between the configuration | Appends the contents of | ||||||||||
file and the interface. This is much less efficient than \fBsetconf\fP, | .Ar configuration-filename , | ||||||||||
but has the benefit of not disrupting current peer sessions. The contents of | which must be in the format described by | ||||||||||
\fI<configuration-filename>\fP must be in the format described by | .Sx CONFIGURATION FILE FORMAT below , | ||||||||||
\fICONFIGURATION FILE FORMAT\fP below. | to the current configuration of | ||||||||||
.TP | .Ar interface . | ||||||||||
\fBgenkey\fP | .It Cm syncconf Ar interface Ar configuration-filename | ||||||||||
Generates a random \fIprivate\fP key in base64 and prints it to | Like | ||||||||||
standard output. | .Ar setconf , | ||||||||||
.TP | but reads back the existing configuration first and only makes changes that | ||||||||||
\fBgenpsk\fP | are explicitly different between the configuration file and the interface. | ||||||||||
Generates a random \fIpreshared\fP key in base64 and prints it to | This is much less efficient than | ||||||||||
standard output. | .Ar setconf , | ||||||||||
.TP | but has the benefit of not disrupting current peer sessions. | ||||||||||
\fBpubkey\fP | The contents of | ||||||||||
Calculates a \fIpublic\fP key and prints it in base64 to standard | .Ar configuration-filename | ||||||||||
output from a corresponding \fIprivate\fP key (generated with | must be in the format described by | ||||||||||
\fIgenkey\fP) given in base64 on standard input. | .Sx CONFIGURATION FILE FORMAT below . | ||||||||||
.It Cm genkey | |||||||||||
A private key and a corresponding public key may be generated at once by calling: | Generates a random | ||||||||||
.br | .Ar private | ||||||||||
key in base64 and prints it to standard output. | |||||||||||
.It Cm genpsk | |||||||||||
Generates a random | |||||||||||
.Ar preshared | |||||||||||
key in base64 and prints it to standard output. | |||||||||||
.It Cm pubkey | |||||||||||
Calculates a | |||||||||||
.Ar public | |||||||||||
key and prints it in base64 to standard output from a corresponding | |||||||||||
.Ar private | |||||||||||
key (generated with genkey) given in base64 on standard input. | |||||||||||
A private key and a corresponding public key may be generated at | |||||||||||
once by calling: | |||||||||||
.Bd -literal -offset indent | |||||||||||
$ umask 077 | $ umask 077 | ||||||||||
.br | |||||||||||
$ wg genkey | tee private.key | wg pubkey > public.key | $ wg genkey | tee private.key | wg pubkey > public.key | ||||||||||
.TP | .Ed | ||||||||||
\fBhelp\fP | .It Cm help | ||||||||||
Shows usage message. | Shows usage message. | ||||||||||
.El | |||||||||||
.SH CONFIGURATION FILE FORMAT | .Sh CONFIGURATION FILE FORMAT | ||||||||||
The configuration file format is based on \fIINI\fP. There are two top level sections | The configuration file format is based on the Windows INI file format. | ||||||||||
-- \fIInterface\fP and \fIPeer\fP. Multiple \fIPeer\fP sections may be specified, but | There are two top level sections: | ||||||||||
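Review bot: `.Ar setconf ,` (twice, in the `syncconf` item) marks a sub-command as an argument placeholder; the heading two items earlier is `.It Cm setconf`, so write `.Cm setconf ,` here too. In the `addconf` and `syncconf` items, `.Sx CONFIGURATION FILE FORMAT below ,` and `.Sx CONFIGURATION FILE FORMAT below .` fold the word `below` into the section cross-reference, so the reference points at a section that does not exist; keep `below` outside the macro on the following line, as the `showconf` and `setconf` items already do.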
des: “INI” is not an argument, so `.Ar` is improper. I would expand to “the Windows INI file format”.
only one \fIInterface\fP section may be specified. | .Li Interface | ||||||||||
and | |||||||||||
des: “Interface” is not an argument. I'm unsure what would be best here, but perhaps `.Li`?
.P | .Li Peer . | ||||||||||
The \fIInterface\fP section may contain the following fields: | Multiple | ||||||||||
.IP \(bu | .Li Peer | ||||||||||
PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required. | sections may be specified, but only one | ||||||||||
.IP \(bu | .Li Interface | ||||||||||
ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen | section may be specified. | ||||||||||
randomly. | .Pp | ||||||||||
.IP \(bu | The | ||||||||||
FwMark \(em a 32-bit fwmark for outgoing packets. If set to 0 or "off", this | .Ar Interface | ||||||||||
option is disabled. May be specified in hexadecimal by prepending "0x". Optional. | section may contain the following fields: | ||||||||||
.P | .Bl -tag -width indent | ||||||||||
The \fIPeer\fP sections may contain the following fields: | .It Va PrivateKey | ||||||||||
.IP \(bu | a base64 private key generated by the | ||||||||||
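Review bot: the section names are marked up two different ways within this block: `.Li Interface` and `.Li Peer` in the opening sentence, but `.Ar Interface` in `The .Ar Interface section may contain the following fields:` (and `.Ar Peer` in the matching sentence for the peer fields further down). They are literal section headers the user writes verbatim, not user-supplied values, so use the same macro in both places; `.Li` fits that better than `.Ar`.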
des: `PrivateKey` is not a command, I believe `.Va` would be more appropriate here.
PublicKey \(em a base64 public key calculated by \fIwg pubkey\fP from a | .Cm genkey | ||||||||||
private key, and usually transmitted out of band to the author of the | command. | ||||||||||
des: again, not an argument.
configuration file. Required. | Required. | ||||||||||
.IP \(bu | .It Cm ListenPort | ||||||||||
PresharedKey \(em a base64 preshared key generated by \fIwg genpsk\fP. Optional, | a 16-bit port for listening. | ||||||||||
and may be omitted. This option adds an additional layer of symmetric-key | Optional; if not specified, chosen randomly. | ||||||||||
cryptography to be mixed into the already existing public-key cryptography, | .It Cm FwMark | ||||||||||
for post-quantum resistance. | a 32-bit fwmark for outgoing packets. | ||||||||||
.IP \(bu | If set to 0 or "off", this option is disabled. | ||||||||||
AllowedIPs \(em a comma-separated list of IP (v4 or v6) addresses with | May be specified in hexadecimal by prepending "0x". | ||||||||||
Optional. | |||||||||||
.El | |||||||||||
.Pp | |||||||||||
The | |||||||||||
.Ar Peer | |||||||||||
sections may contain the following fields: | |||||||||||
.Bl -tag -width indent | |||||||||||
.It Cm PublicKey | |||||||||||
a base64 public key calculated by | |||||||||||
.Ar wg pubkey | |||||||||||
from a private key, and usually transmitted out of band to the author of the | |||||||||||
configuration file. | |||||||||||
Required. | |||||||||||
.It Cm PresharedKey | |||||||||||
a base64 preshared key generated by | |||||||||||
.Ar wg genpsk . | |||||||||||
Optional, and may be omitted. | |||||||||||
This option adds an additional layer of symmetric-key cryptography to | |||||||||||
be mixed into the already existing public-key cryptography, for post-quantum | |||||||||||
resistance. | |||||||||||
.It Cm AllowedIPs | |||||||||||
a comma-separated list of IP (v4 or v6) addresses with | |||||||||||
CIDR masks from which incoming traffic for this peer is allowed and to | CIDR masks from which incoming traffic for this peer is allowed and to | ||||||||||
which outgoing traffic for this peer is directed. The catch-all | which outgoing traffic for this peer is directed. | ||||||||||
\fI0.0.0.0/0\fP may be specified for matching all IPv4 addresses, and | The catch-all 0.0.0.0/0 may be specified for matching all v4 addresses, | ||||||||||
\fI::/0\fP may be specified for matching all IPv6 addresses. May be specified | and ::/0 may be specified for matching all v6 addresses. | ||||||||||
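Review bot: the field names in the two tag lists use two different macros: `.It Va PrivateKey`, but `.It Cm ListenPort`, `.It Cm FwMark`, `.It Cm PublicKey`, `.It Cm PresharedKey` and `.It Cm AllowedIPs`. These are configuration keys, not commands, so pick one macro for all of them (`.Va`, if that is the choice made for PrivateKey). Likewise `.Ar wg pubkey` and `.Ar wg genpsk .` mark command invocations as placeholders; the PrivateKey entry already writes the generating command as `.Cm genkey`, so use `.Nm Cm pubkey` and `.Nm Cm genpsk .` for the other two.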
des: not an argument
multiple times. | May be specified multiple times. | ||||||||||
.IP \(bu | .It Cm Endpoint | ||||||||||
Endpoint \(em an endpoint IP or hostname, followed by a colon, and then a | an endpoint IP or hostname, followed by a colon, and then a | ||||||||||
port number. This endpoint will be updated automatically to the most recent | port number. | ||||||||||
pauamma_gundo.com: Taste, concision
source IP address and port of correctly authenticated packets from the peer. | This endpoint will be updated automatically to the most recent source IP address | ||||||||||
and port of correctly authenticated packets from the peer. | |||||||||||
Optional. | Optional. | ||||||||||
.IP \(bu | .It Cm PersistentKeepalive | ||||||||||
PersistentKeepalive \(em a seconds interval, between 1 and 65535 inclusive, of | a seconds interval, between 1 and 65535 inclusive, of | ||||||||||
how often to send an authenticated empty packet to the peer for the purpose of keeping a | how often to send an authenticated empty packet to the peer for the purpose of | ||||||||||
stateful firewall or NAT mapping valid persistently. For example, if the interface | keeping a stateful firewall or NAT mapping valid persistently. | ||||||||||
very rarely sends traffic, but it might at anytime receive traffic from a peer, | For example, if the interface very rarely sends traffic, but it might at | ||||||||||
and it is behind NAT, the interface might benefit from having a persistent keepalive | anytime receive traffic from a peer, and it is behind NAT, the interface | ||||||||||
interval of 25 seconds. If set to 0 or "off", this option is disabled. By default or | might benefit from having a persistent keepalive interval of 25 seconds. | ||||||||||
when unspecified, this option is off. Most users will not need this. Optional. | If set to 0 or "off", this option is disabled. | ||||||||||
By default or when unspecified, this option is off. | |||||||||||
.SH CONFIGURATION FILE FORMAT EXAMPLE | Most users will not need this. | ||||||||||
This example may be used as a model for writing configuration files, following an | Optional. | ||||||||||
INI-like syntax. Characters after and including a '#' are considered comments and | .El | ||||||||||
.Sh CONFIGURATION FILE FORMAT EXAMPLE | |||||||||||
This example may be used as a model for writing configuration files, | |||||||||||
following an INI-like syntax. | |||||||||||
Characters after and including a '#' are considered comments and | |||||||||||
are thus ignored. | are thus ignored. | ||||||||||
.Bd -literal -offset indent | |||||||||||
[Interface] | [Interface] | ||||||||||
.br | |||||||||||
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk= | PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk= | ||||||||||
.br | |||||||||||
ListenPort = 51820 | ListenPort = 51820 | ||||||||||
.br | |||||||||||
.br | |||||||||||
[Peer] | [Peer] | ||||||||||
.br | |||||||||||
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg= | PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg= | ||||||||||
.br | |||||||||||
Endpoint = 192.95.5.67:1234 | Endpoint = 192.95.5.67:1234 | ||||||||||
.br | |||||||||||
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24 | AllowedIPs = 10.192.122.3/32, 10.192.124.1/24 | ||||||||||
.br | |||||||||||
.br | |||||||||||
[Peer] | [Peer] | ||||||||||
.br | |||||||||||
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0= | PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0= | ||||||||||
.br | |||||||||||
Endpoint = [2607:5300:60:6b0::c05f:543]:2468 | Endpoint = [2607:5300:60:6b0::c05f:543]:2468 | ||||||||||
.br | |||||||||||
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16 | AllowedIPs = 10.192.122.4/32, 192.168.0.0/16 | ||||||||||
.br | |||||||||||
.br | |||||||||||
[Peer] | [Peer] | ||||||||||
.br | |||||||||||
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA= | PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA= | ||||||||||
.br | |||||||||||
Endpoint = test.wireguard.com:18981 | Endpoint = test.wireguard.com:18981 | ||||||||||
.br | |||||||||||
AllowedIPs = 10.10.10.230/32 | AllowedIPs = 10.10.10.230/32 | ||||||||||
.Ed | |||||||||||
.SH DEBUGGING INFORMATION | .Sh DEBUGGING INFORMATION | ||||||||||
Sometimes it is useful to have information on the current runtime state of a tunnel. When using the Linux kernel module on a kernel that supports dynamic debugging, debugging information can be written into | Sometimes it is useful to have information on the current runtime state | ||||||||||
.BR dmesg (1) | of a tunnel. | ||||||||||
by running as root: | Debugging information can be written into | ||||||||||
.Xr dmesg 8 | |||||||||||
\fB # modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control\fP | |||||||||||
On OpenBSD and FreeBSD, debugging information can be written into | |||||||||||
.BR dmesg (1) | |||||||||||
on a per-interface basis by using | on a per-interface basis by using | ||||||||||
.BR ifconfig (1): | .Xr ifconfig 8 : | ||||||||||
.Bd -literal -offset indent | |||||||||||
\fB # ifconfig wg0 debug | # ifconfig wg0 debug | ||||||||||
.Ed | |||||||||||
On userspace implementations, it is customary to set the \fILOG_LEVEL\fP environment variable to \fIverbose\fP. | .Pp | ||||||||||
On userspace implementations, it is customary to set the | |||||||||||
.SH ENVIRONMENT VARIABLES | .Ar LOG_LEVEL | ||||||||||
.TP | environment variable to | ||||||||||
.I WG_COLOR_MODE | .Ar verbose . | ||||||||||
If set to \fIalways\fP, always print ANSI colorized output. If set to \fInever\fP, never print ANSI colorized output. If set to \fIauto\fP, something invalid, or unset, then print ANSI colorized output only when writing to a TTY. | .Sh ENVIRONMENT | ||||||||||
.TP | The following environment variables affect the execution of | ||||||||||
.I WG_HIDE_KEYS | .Nm : | ||||||||||
If set to \fInever\fP, then the pretty-printing \fBshow\fP sub-command will show private and preshared keys in the output. If set to \fIalways\fP, something invalid, or unset, then private and preshared keys will be printed as "(hidden)". | .Bl -tag -width WG_ENDPOINT_RESOLUTION_RETRIES | ||||||||||
.TP | .It Ev WG_COLOR_MODE | ||||||||||
.I WG_ENDPOINT_RESOLUTION_RETRIES | If set to | ||||||||||
If set to an integer or to \fIinfinity\fP, DNS resolution for each peer's endpoint will be retried that many times for non-permanent errors, with an increasing delay between retries. If unset, the default is 15 retries. | .Ar always , | ||||||||||
always print ANSI colorized output. | |||||||||||
.SH SEE ALSO | If set to | ||||||||||
.BR wg-quick (8), | .Ar never , | ||||||||||
.BR ip (8), | never print ANSI colorized output. | ||||||||||
.BR ip-link (8), | If set to | ||||||||||
.BR ip-address (8), | .Ar auto , | ||||||||||
.BR ip-route (8). | something invalid, or unset, then print ANSI | ||||||||||
colorized output only when writing to a TTY. | |||||||||||
.SH AUTHOR | .It Ev WG_HIDE_KEYS | ||||||||||
.B wg | If set to | ||||||||||
was written by | .Ar never , | ||||||||||
.MT Jason@zx2c4.com | then the pretty-printing | ||||||||||
Jason A. Donenfeld | .Ar show | ||||||||||
.ME . | sub-command will show private and preshared keys in the output. | ||||||||||
For updates and more information, a project page is available on the | If set to | ||||||||||
.UR https://\:www.wireguard.com/ | .Ar always , | ||||||||||
World Wide Web | something invalid, or unset, then private and preshared keys will be printed | ||||||||||
.UE . | as (hidden). | ||||||||||
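Review bot: `.Ar LOG_LEVEL` in the DEBUGGING INFORMATION section marks an environment variable as an argument placeholder; the ENVIRONMENT section that follows uses `.It Ev WG_COLOR_MODE`, so write `.Ev LOG_LEVEL` here. The fixed values `.Ar verbose`, `.Ar always`, `.Ar never` and `.Ar auto` are literal strings the user must type exactly, not placeholders, and the same kind of value is written as `.Li infinity ,` in the WG_ENDPOINT_RESOLUTION_RETRIES entry; use one macro (`.Li` or `.Dq Li`) for all of them. `.Ar show` in the WG_HIDE_KEYS entry names a sub-command and should be `.Cm show`, matching `.It Cm show` in COMMANDS. Finally, `as (hidden).` lost the quotation marks of the original `"(hidden)"`; `.Dq (hidden)` keeps the exact string the program prints visible to the reader.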
.It Ev WG_ENDPOINT_RESOLUTION_RETRIES | |||||||||||
pauamma_gundo.com: Maybe .Lk instead?
gbe: .Lk isn't suitable in an .Rs context.
pauamma_gundo.com: I meant instead of .Rs. Or is .Rs required here?
If set to an integer or to | |||||||||||
.Li infinity , | |||||||||||
DNS resolution for each peer's endpoint will be retried that many times for | |||||||||||
non-permanent errors, with an increasing delay between retries. | |||||||||||
If unset, the default is 15 retries. | |||||||||||
.El | |||||||||||
.Sh SEE ALSO | |||||||||||
.Xr netstat 1 , | |||||||||||
.Xr ifconfig 8 , | |||||||||||
.Xr route 8 | |||||||||||
.Rs | |||||||||||
.%T WireGuard Project Page | |||||||||||
.%U https://www.wireguard.com/ | |||||||||||
.Re | |||||||||||
.Sh HISTORY | |||||||||||
The | |||||||||||
.Nm | |||||||||||
command first appeared in | |||||||||||
.Fx 13.2 . | |||||||||||
.Sh AUTHORS | |||||||||||
.An -nosplit | |||||||||||
The | |||||||||||
.Nm wg | |||||||||||
command was written by | |||||||||||
.An Jason A. Donenfeld Aq Mt Jason@zx2c4.com . | |||||||||||
.Pp | |||||||||||
This manual page was written by | |||||||||||
des: I think it would be more fair to say that it was “written by Jason A. Donenfeld and Gordon Bergling” since most of the text is still Jason's.
.An Jason A. Donenfeld Aq Mt Jason@zx2c4.com | |||||||||||
and adapted for | |||||||||||
.Fx by | |||||||||||
.An Gordon Bergling Aq Mt gbe@FreeBSD.org . |
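Review bot: the SEE ALSO list drops `wg-quick (8)`, which the left side lists first, and adds `.Xr netstat 1`, which nothing in the page text refers to; keep a `.Xr wg-quick 8` cross-reference if that manual page ships alongside this one, and either drop `netstat` or mention in the text why a reader would consult it. The `ip-link`/`ip-address`/`ip-route` references are correctly replaced by `.Xr ifconfig 8` and `.Xr route 8`, matching the DESCRIPTION above.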