|WG(4)||Device Drivers Manual||WG(4)|
wg — WireGuard
wg driver provides Virtual Private
Network (VPN) interfaces for the secure exchange of layer 3 traffic with
other WireGuard peers using the WireGuard protocol.
wg interface recognises one or more
peers, establishes a secure tunnel with each on demand, and tracks each
peer's UDP endpoint for exchanging encrypted traffic with.
The interfaces can be created at runtime using the
create command or by setting up a
hostname.if(5) configuration file
for netstart(8). The interface itself
can be configured with ifconfig(8).
wg interfaces support the following
The following glossary provides a brief overview of WireGuard terminology:
wginterface may be configured to recognise one or more peers.
wginterface with its own private key and with the public keys of its peers.
wginterface may maintain concurrent tunnels connecting diverse networks. The interface therefore implements rudimentary routing and reverse-path filtering functions for its tunneled traffic. These functions reference a set of allowed IP ranges configured against each peer.
The interface will route outbound tunneled traffic to the peer configured with the most specific matching allowed IP address range, or drop it if no such match exists.
The interface will accept tunneled traffic only from the peer
configured with the most specific matching allowed IP address range for
the incoming traffic, or drop it if no such match exists. That is,
tunneled traffic routed to a given peer cannot return through another
peer of the same
wg interface. This ensures that
peers cannot spoof another's traffic.
Private keys for WireGuard can be generated from any sufficiently secure random source. The Curve25519 keys and the preshared keys are both 32 bytes long and are commonly encoded in base64 for ease of use.
Keys can be generated with openssl(1) as follows:
$ openssl rand -base64 32
Although a valid Curve25519 key must have 5 bits set to specific values, this is done by the interface and so it will accept any random 32-byte base64 string.
When an interface has a private key set with
wgkey, the corresponding public key is shown in the
status output of the interface:
# ifconfig wg1 | grep wgpubkey wgpubkey NW5l2q2MArV5ZXpVXSZwBOyqhohOf8ImDgUB+jPtJps=
wg interfaces in separate
rdomain(4)s, which is of no practical
use but demonstrates two interfaces on the same machine:
#!/bin/sh # create interfaces; set random private keys ifconfig wg1 create wgport 7111 wgkey `openssl rand -base64 32` rdomain 1 ifconfig wg2 create wgport 7222 wgkey `openssl rand -base64 32` rdomain 2 # retrieve the public keys associated with the private keys PUB1="`ifconfig wg1 | grep 'wgpubkey' | cut -d ' ' -f 2`" PUB2="`ifconfig wg2 | grep 'wgpubkey' | cut -d ' ' -f 2`" ifconfig wg1 wgpeer $PUB2 wgendpoint 127.0.0.1 7222 wgaip 192.168.5.2/32 ifconfig wg2 wgpeer $PUB1 wgendpoint 127.0.0.1 7111 wgaip 192.168.5.1/32 ifconfig wg1 192.168.5.1/24 ifconfig wg2 192.168.5.2/24
After this, ping one interface from the other:
$ route -T1 exec ping 192.168.5.2
The two interfaces are able to communicate through the UDP tunnel which resides in the default rdomain(4).
Show the listening sockets:
$ netstat -ln
wg interface supports runtime
debugging, which can be enabled with:
Some common error messages include:
WireGuard whitepaper, https://www.wireguard.com/papers/wireguard.pdf.
|November 27, 2020||OpenBSD-current|