| field | value | date |
|---|---|---|
| author | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-10-11 01:55:45 +0200 |
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-10-11 15:50:29 +0200 |
| commit | 9b32db83adc4a5f241625290392ce5c0d96374ab (patch) | |
| tree | b11cb1a026d71d782bacca825d94979a57d224e6 | |
| parent | socket: set skb->mark in addition to flowi (diff) | |
| download | wireguard-monolithic-historical-9b32db83adc4a5f241625290392ce5c0d96374ab.tar.xz, wireguard-monolithic-historical-9b32db83adc4a5f241625290392ce5c0d96374ab.zip | |
tools: man: include kill-switch documentation using fwmark
-rw-r--r-- | src/tools/wg-quick.8 | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/src/tools/wg-quick.8 b/src/tools/wg-quick.8 index f27a270..be6137c 100644 --- a/src/tools/wg-quick.8 +++ b/src/tools/wg-quick.8 @@ -129,6 +129,42 @@ indicates that a DNS server for the interface should be configured via The peer's allowed IPs entry implies that this interface should be configured as the default gateway, which this script does. +Building on the last example, one might attempt the so-called ``kill-switch'', in order +to prevent the flow of unencrypted packets through the non-WireGuard interfaces: + + [Interface] +.br + Address = 10.200.100.8/24 +.br + DNS = 10.200.100.1 +.br + PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM= +.br + \fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP +.br + \fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP +.br + +.br + [Peer] +.br + PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU= +.br + PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak= +.br + AllowedIPs = 0.0.0.0/0 +.br + Endpoint = demo.wireguard.com:51820 +.br + +The `PostUp' and `PreDown' fields have been added to specify an +.BR iptables (8) +command which, when used with interfaces that have a peer that specifies 0.0.0.0/0 as part of the +`AllowedIPs', works together with wg-quick's fwmark usage in order to drop all packets that +are either not coming out of the tunnel encrypted or not going through the tunnel itself. (Note +that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET +sockets, which bypass Netfilter.) + Here is a more complicated example, fit for usage on a server: [Interface] |
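Review bot: the kill-switch rule in the new example rejects the host's own loopback traffic and only covers IPv4. `iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT` matches every locally generated packet that leaves on an interface other than the tunnel without the fwmark, and packets to 127.0.0.1 or to the host's own addresses go out on lo without that mark, so anything bound to localhost (a local resolver, a local proxy, IPC over TCP) stops working the moment the interface comes up; add an exemption such as `-m addrtype ! --dst-type LOCAL` (or at minimum `! -o lo`) to the PostUp line and to the matching PreDown line so the delete still finds the rule. Because `AllowedIPs = 0.0.0.0/0` only steers IPv4 into the tunnel and only `iptables` is installed, any IPv6 route the host has remains usable in cleartext, which contradicts the paragraph's claim that the rule drops "all packets that are either not coming out of the tunnel encrypted or not going through the tunnel itself"; either add an equivalent `ip6tables` rule (with `::/0` in AllowedIPs) or say explicitly that the example is IPv4-only. Two smaller points for the same paragraph: the rule uses `-j REJECT` while the text says "drop", and `$(wg show %i fwmark)` prints `off` on an interface for which wg-quick did not set a fwmark, which makes the iptables invocation fail, so it is worth stating that the example depends on the 0.0.0.0/0 peer that causes wg-quick to set one.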