1 .\" Copyright (c) 2020 Gordon Bergling <gbe@FreeBSD.org>
3 .\" Redistribution and use in source and binary forms, with or without
4 .\" modification, are permitted provided that the following conditions
6 .\" 1. Redistributions of source code must retain the above copyright
7 .\" notice, this list of conditions and the following disclaimer.
8 .\" 2. Redistributions in binary form must reproduce the above copyright
9 .\" notice, this list of conditions and the following disclaimer in the
10 .\" documentation and/or other materials provided with the distribution.
12 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
16 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 .Nd "WireGuard - pseudo-device"
33 To load the driver as a module at boot time, place the following line in
35 .Bd -literal -offset indent
41 driver provides Virtual Private Network (VPN) interfaces for the secure
42 exchange of layer 3 traffic with other WireGuard peers using the WireGuard
47 interface recognises one or more peers, establishes a secure tunnel with
48 each on demand, and tracks each peer's UDP endpoint for exchanging encrypted
51 The interfaces can be created at runtime using the
52 .Ic ifconfig Cm wg Ns Ar N Cm create
54 The interface itself can be configured with
57 The following parameters are available:
58 .Bl -tag -width indent
60 The listing port of the
68 The private key of the
72 Defines a pre-shared key for the
76 A list of allowed IP addresses.
78 The IP address of the WiredGuard to connect to.
80 A list of peering IP addresses to connect to.
85 interfaces support the following
87 .Bl -tag -width Ds -offset indent
88 .It Dv SIOCSWG Fa "struct wg_device_io *"
89 Set the device configuration.
90 .It Dv SIOCGWG Fa "struct wg_device_io *"
91 Get the device configuration.
94 The following glossary provides a brief overview of WireGuard
96 .Bl -tag -width indent -offset 3n
98 Peers exchange IPv4 or IPv6 traffic over secure tunnels.
101 interface may be configured to recognise one or more peers.
103 Each peer uses its private key and corresponding public key to
104 identify itself to others.
107 interface with its own private key and with the public keys of its peers.
109 In addition to the public keys, each peer pair may be configured with a
110 unique pre-shared symmetric key.
111 This is used in their handshake to guard against future compromise of the
112 peers' encrypted tunnel if a quantum-computational attack on their
113 Diffie-Hellman exchange becomes feasible.
114 It is optional, but recommended.
118 interface may maintain concurrent tunnels connecting diverse networks.
119 The interface therefore implements rudimentary routing and reverse-path
120 filtering functions for its tunneled traffic.
121 These functions reference a set of allowed IP ranges configured against
124 The interface will route outbound tunneled traffic to the peer configured
125 with the most specific matching allowed IP address range, or drop it
126 if no such match exists.
128 The interface will accept tunneled traffic only from the peer
129 configured with the most specific matching allowed IP address range
130 for the incoming traffic, or drop it if no such match exists.
131 That is, tunneled traffic routed to a given peer cannot return through
132 another peer of the same
135 This ensures that peers cannot spoof another's traffic.
137 Two peers handshake to mutually authenticate each other and to
138 establish a shared series of secret ephemeral encryption keys.
139 Any peer may initiate a handshake.
140 Handshakes occur only when there is traffic to send, and recur every
141 two minutes during transfers.
143 Due to the handshake behavior, there is no connected or disconnected
147 Private keys for WireGuard can be generated from any sufficiently
148 secure random source.
149 The Curve25519 keys and the pre-shared keys are both 32 bytes
150 long and are commonly encoded in base64 for ease of use.
152 Keys can be generated with
156 .Dl $ openssl rand -base64 32
158 Although a valid Curve25519 key must have 5 bits set to
159 specific values, this is done by the interface and so it
160 will accept any random 32-byte base64 string.
162 When an interface has a private key set with
165 public key is shown in the status output of the interface:
166 .Bd -literal -offset indent
167 # ifconfig wg0 | grep public-key
168 public-key: 7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw=
173 interface and set random private key.
174 .Bd -literal -offset indent
175 # ifconfig wg0 create listen-port 54321 private-key `openssl rand -base64 32`
178 Retrieve the associated public key from a
181 .Bd -literal -offset indent
182 $ ifconfig wg0 | awk '/public-key/ { print $2 }'`
185 Connect to a specific endpoint using its public-key and set the allowed IP address
186 .Bd -literal -offset indent
187 # ifconfig wg0 peer public-key '7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw=' endpoint 10.0.1.100:54321 allowed-ips 192.168.2.100/32
192 interface supports runtime debugging, which can be enabled with:
194 .D1 Ic ifconfig Cm wg Ns Ar N Cm debug
196 Some common error messages include:
198 .It "Handshake for peer X did not complete after 5 seconds, retrying"
199 Peer X did not reply to our initiation packet, for example because:
202 The peer does not have the local interface configured as a peer.
203 Peers must be able to mutually authenticate each other.
205 The peer endpoint IP address is incorrectly configured.
207 There are firewall rules preventing communication between hosts.
209 .It "Invalid handshake initiation"
210 The incoming handshake packet could not be processed.
211 This is likely due to the local interface not containing
212 the correct public key for the peer.
213 .It "Invalid initiation MAC"
214 The incoming handshake initiation packet had an invalid MAC.
215 This is likely because the initiation sender has the wrong public key
216 for the handshake receiver.
217 .It "Packet has unallowed src IP from peer X"
218 After decryption, an incoming data packet has a source IP address that
219 is not assigned to the allowed IPs of Peer X.
230 .%T WireGuard whitepaper
231 .%U https://www.wireguard.com/papers/wireguard.pdf
236 device driver first appeared in
241 device driver was originally written for
244 .An Matt Dunwoodie Aq Mt ncon@nconroy.net
248 .An Matt Macy Aq Mt mmacy@FreeBSD.org .
250 This manual page was written by
251 .An Gordon Bergling Aq Mt gbe@FreeBSD.org
254 manual page written by
255 .An David Gwynne Aq Mt dlg@openbsd.org .