Hi Matt, again, documentation is not critical for the initial commit, but why not provide feedback right away.
As we already have an ifconfig(8) manual page, I decided to simply send an updated version of the ifconfig.8 part of the diff because sending around diffs of diffs feels awkward, and you can easily apply my version of the diff and compare to what you had before.

In addition to my changes, it might be useful to mention the unit for the wgpka persistent-keepalive option. Seconds? Minutes? Also, what are the defaults for wgport and wgpka, if any?

Finally, what is the meaning of "all previously configured peers and allowed IPs are overwritten"? It could be either: When execution of wgconf begins, -wgpeerall and -wgaipall are applied first. Or: When wgconf encounters a wgpeer for a peer that already exists, the configuration of that peer (or just the list of allowed IPs?) is cleared first. Either way, it might be good to describe the effect more precisely.

My changes:
 * Minor macro improvements.
 * A few wording improvements.
 * Sorting the text at a few places.
 * New sentence, new line.

By the way, when working on manual pages, using mandoc(1) -T lint can help in some respects.

Yours,
 Ingo

Index: ifconfig.8 =================================================================== RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v retrieving revision 1.346 diff -u -r1.346 ifconfig.8 --- ifconfig.8 29 Apr 2020 13:13:29 -0000 1.346 +++ ifconfig.8 12 May 2020 16:46:43 -0000 @@ -207,7 +207,8 @@ .Xr tun 4 , .Xr vether 4 , .Xr vlan 4 , -.Xr vxlan 4 +.Xr vxlan 4 , +.Xr wg 4 .It Cm debug Enable driver-dependent debugging code; usually, this turns on extra console error logging. 
@@ -2041,6 +2042,166 @@ Clear the tag value. Packets on a VLAN interface without a tag set will use a value of 0 in their headers. +.El +.Sh WIREGUARD +.nr nS 1 +.Bk -words +.Nm ifconfig +.Ar wg-interface +.Op Cm wgkey Ar privatekey +.Op Cm wgport Ar port +.Op Cm wgrtable Ar rtable +.Oo +.Oo Fl Oc Ns Cm wgpeer Ar publickey +.Op Cm wgpsk Ar presharedkey +.Op Fl wgpsk +.Op Cm wgpka Ar persistent-keepalive +.Op Cm wgpip Ar ip port +.Op Cm wgaip Ar allowed-ip/prefix +.Op Fl wgaipall +.Oc +.Op Fl wgpeerall +.Op Cm wgconf +.Ek +.nr nS 0 +.Pp +The following options are available for +.Xr wg 4 +interfaces: +.Bl -tag -width Ds +.It Cm wgkey Ar privatekey +Set the local private key of the interface to +.Ar privatekey . +This is a random 32 byte value, encoded as base64. +It can be generated as follows: +.Pp +.Dl $ openssl rand -base64 32 +.Pp +A valid Curve25519 key is required to have 5 bits set to specific +values. +This is done by the interface, so it is safe to provide a random +32 byte base64 string. +.Pp +Once set, the corresponding public key will be displayed +in the interface status; it must be distributed to peers +that this interface intends to communicate with. +.It Cm wgport Ar port +Set the UDP +.Ar port +that the tunnel operates on. +The interface will bind to +.Dv INADDR_ANY +and +.Dv IN6ADDR_ANY_INIT . +.It Cm wgrtable Ar rtable +Use routing table +.Ar rtable +instead of the default table for the tunnel. +The tunnel does not need +to terminate in the same routing domain as the interface itself. +.Ar rtable +can be set to any valid routing table ID; the corresponding routing +domain is derived from this table. +.It Cm wgpeer Ar publickey +Select the peer to perform the subsequent operations on. +This creates a peer with the associated 32 byte, base64 encoded +.Ar publickey +if it does not yet exist. +This option can be specified multiple times in a single command. +.It Cm -wgpeer Ar publickey +Remove the peer with the associated +.Ar publickey . 
+.It Cm -wgpeerall +Remove all peers from the interface. +.El +.Pp +The following options configure peers for the interface. +Each interface can have multiple peers. +In order to add a peer, a +.Cm wgpeer +option must be specified, followed by its configuration options. +.Bl -tag -width Ds +.It Cm wgpsk Ar presharedkey +Set the preshared key for the peer. +This is a random 32 byte, base64 encoded string +that both ends must agree on. +It offers a post-quantum resistance to the Diffie-Hellman exchange. +If there is no preshared key, the exact same handshake is performed, +however the preshared key is set to all zero. +This can be generated in the same way as +.Ar privatekey . +.It Cm -wgpsk +Remove the preshared key from the specified peer. +.It Cm wgpka Ar persistent-keepalive +Set the interval that a keepalive should be sent at. +By setting the interval to 0, the functionality is disabled. +This is often used to ensure a peer will be accessible +when protected by a firewall, as is when behind a NAT address. +A value of 25 is commonly used. +.It Cm wgpip Ar ip port +Set the IP address and port to send the encapsulated packets to. +If the peer changes address, the local interface will update the address +after receiving a correctly authenticated packet. +The IP address can be either +IPv4 or IPv6, and the port is a regular 16 bit UDP port. +.It Cm wgaip Ar allowed-ip/prefix +Add an allowed IP to the peer. +This indicates the IP addresses a peer is allowed to send from. +That is, in order for an incoming packet from a peer to reach the +interface, the decryped IP source address must be in the peer's +.Ar allowed-ip +list. +Both IPv4 and IPv6 addresses are supported. +.Pp +The +.Ar allowed-ip +list also provides an outgoing routing table for outgoing packets. +Overlapping ranges can be configured, with packets being +directed to the most specific route. +Likewise, packets can only be received from the most specific route. 
+.It Fl wgaipall +Remove all allowed IPs from the peer. +.El +.Pp +Unlike the other options, the following option reads from standard input. +This allows very fast configuration with a large number of peers. +.Bl -tag -width Ds +.It Cm wgconf +The following directives can be issued on standard input, +one per line, with the same syntax as documented above. +.Pp +.Bl -bullet -offset indent -compact +.It +.Cm wgkey Ar privatekey +.It +.Cm wgport Ar port +.It +.Cm wgrtable Ar rtable +.It +.Cm wgpeer Ar publickey +.It +.Cm wgpsk Ar presharedkey +.It +.Cm wgpip Ar ip port +.It +.Cm wgaip Ar allowed-ip/prefix +.It +.Cm # Ar comment +.El +.Pp +The peer specific directives +.Cm wgpsk , +.Cm wgpip , +and +.Cm wgaip +apply only to the most recent +.Cm wgpeer +and must not precede the first +.Cm wgpeer +directive. +.Pp +When this option is used, all previously configured peers and +allowed IPs are overwritten. .El .Sh EXAMPLES Assign the
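Review bot: the tags for the negated options in the second hunk (@@ -2041) are written inconsistently: ".It Cm -wgpeer", ".It Cm -wgpeerall" and ".It Cm -wgpsk" spell the dash inside a Cm argument, while ".It Fl wgaipall" uses Fl, and the synopsis block uses ".Op Fl wgpsk", ".Op Fl wgaipall" and ".Op Fl wgpeerall" throughout; pick one form (Fl matches the synopsis) and use it for all four so the rendered item tags agree with the synopsis. Two smaller points in the same hunk: "the decryped IP source address" under wgaip is a typo for "decrypted"; and the wgconf directive list names only the positive directives wgkey, wgport, wgrtable, wgpeer, wgpsk, wgpip, wgaip and "# comment", so it would help to state explicitly whether the removal forms (-wgpeer, -wgpsk, -wgaipall, -wgpeerall) are accepted on standard input or rejected, since "with the same syntax as documented above" can be read either way.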