author: Jason A. Donenfeld <Jason@zx2c4.com> 2017-10-16 03:28:24 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2017-10-17 19:26:07 +0200
commit: 391e5802419766457e2e58b92180839738252900 (patch)
tree: 52dc0d51cd08e6a139b0554635f95b48f07bb8bb /src/tools
parent: tools: don't insist on having a private key (diff)
download: wireguard-monolithic-historical-391e5802419766457e2e58b92180839738252900.tar.xz
wireguard-monolithic-historical-391e5802419766457e2e58b92180839738252900.zip

tools: add pass example to wg-quick man page

Diffstat (limited to 'src/tools')
-rw-r--r-- src/tools/wg-quick.8 | 31
1 files changed, 9 insertions, 22 deletions
diff --git a/src/tools/wg-quick.8 b/src/tools/wg-quick.8
index be6137c..b39eff8 100644
--- a/src/tools/wg-quick.8
+++ b/src/tools/wg-quick.8
@@ -130,32 +130,13 @@ The peer's allowed IPs entry implies that this interface should be configured as
which this script does.
Building on the last example, one might attempt the so-called ``kill-switch'', in order
-to prevent the flow of unencrypted packets through the non-WireGuard interfaces:
+to prevent the flow of unencrypted packets through the non-WireGuard interfaces, by adding the following
+two lines `PostUp` and `PreDown` lines to the `[Interface]` section:
- [Interface]
-.br
- Address = 10.200.100.8/24
-.br
- DNS = 10.200.100.1
-.br
- PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM=
-.br
\fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
.br
\fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
.br
-
-.br
- [Peer]
-.br
- PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
-.br
- PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=
-.br
- AllowedIPs = 0.0.0.0/0
-.br
- Endpoint = demo.wireguard.com:51820
-.br
The `PostUp' and `PreDown' fields have been added to specify an
.BR iptables (8)
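Review bot: the new wording "by adding the following two lines `PostUp` and `PreDown` lines to the `[Interface]` section" repeats "lines"; suggest "by adding the following `PostUp` and `PreDown` lines to the `[Interface]` section:". The same added text quotes the field names with backtick pairs, while the retained context line just below ("The `PostUp' and `PreDown' fields have been added") uses the groff `name' convention used elsewhere in this page; one style should be picked so the rendered man page is consistent.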
@@ -165,7 +146,13 @@ are either not coming out of the tunnel encrypted or not going through the tunne
that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET
sockets, which bypass Netfilter.)
-Here is a more complicated example, fit for usage on a server:
+Or, perhaps it is desirable to store private keys in encrypted form, such as through use of
+.BR pass (1):
+
+ \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
+.br
+
+For use on a server, the following is a more complicated example involving multiple peers:
[Interface]
.br
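Review bot: the pass(1) example should say what becomes of the `PrivateKey' field. When the key is supplied at `PostUp' time, the `[Interface]' section no longer needs a `PrivateKey' line, which is exactly what the parent commit "tools: don't insist on having a private key" allows; without a sentence saying so, a reader who copies this example into the earlier configuration is left with the plaintext key still sitting in the file, which defeats the point of storing it encrypted. A line such as "In this case, the `PrivateKey' field is omitted from the configuration file." after the example would close that gap. It may also be worth stating that `<( ... )` is bash process substitution, so the decrypted key is handed to `wg set' over a pipe rather than written to disk.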