path: root/src/tools/man/wg-quick.8
Diffstat (limited to 'src/tools/man/wg-quick.8')
-rw-r--r-- src/tools/man/wg-quick.8 85
1 files changed, 62 insertions, 23 deletions
diff --git a/src/tools/man/wg-quick.8 b/src/tools/man/wg-quick.8
index d97fec9..6250adc 100644
--- a/src/tools/man/wg-quick.8
+++ b/src/tools/man/wg-quick.8
@@ -11,6 +11,8 @@ wg-quick - set up a WireGuard interface simply
.I down
|
.I save
+|
+.I strip
] [
.I CONFIG_FILE
|
@@ -27,7 +29,11 @@ an interface. Running \fIup\fP adds a WireGuard interface, brings up the interfa
supplied IP addresses, sets up mtu and routes, and optionally runs pre/post up scripts. Running \fIdown\fP
optionally saves the current configuration, removes the WireGuard interface, and optionally
runs pre/post down scripts. Running \fIsave\fP saves the configuration of an existing
-interface without bringing the interface down.
+interface without bringing the interface down. Use \fIstrip\fP to output a configuration file
+with all
+.BR wg-quick (8)-specific
+options removed, suitable for use with
+.BR wg (8).
\fICONFIG_FILE\fP is a configuration file, whose filename is the interface name
followed by `.conf'. Otherwise, \fIINTERFACE\fP is an interface name, with configuration
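Review bot: the added sentence "Use \fIstrip\fP to output a configuration file" does not say where that output goes. The usage example added later in this patch reads it through <(wg-quick strip wgnet0), so it is evidently standard output, and stating that here would remove the guesswork. Because only the wg-quick(8)-specific options are removed, the PrivateKey and PresharedKey lines stay in the output; a short sentence saying so would help readers avoid redirecting it into a world-readable file or a log.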
@@ -112,25 +118,25 @@ and a more complete description may be found there. Bold lines below are for opt
The following might be used for connecting as a client to a VPN gateway for tunneling all
traffic:
- [Interface]
+ [Interface]
.br
\fBAddress = 10.200.100.8/24\fP
.br
\fBDNS = 10.200.100.1\fP
.br
- PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM=
+ PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM=
.br
-
+
.br
- [Peer]
+ [Peer]
.br
- PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
+ PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
.br
- PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=
+ PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=
.br
- AllowedIPs = 0.0.0.0/0
+ AllowedIPs = 0.0.0.0/0
.br
- Endpoint = demo.wireguard.com:51820
+ Endpoint = demo.wireguard.com:51820
.br
The `Address` field is added here in order to set up the address for the interface. The `DNS` field
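Review bot: every removed/added pair in this hunk ([Interface], PrivateKey, the blank line, [Peer], PublicKey, PresharedKey, AllowedIPs, Endpoint) carries identical text, so the change appears to be whitespace only, and the same holds for the two hunks that follow. That accounts for nearly all of the 23 deletions and is unrelated to documenting strip and policy routing. Suggest moving the indentation cleanup into its own commit with a message that says what was normalized, so the functional documentation change can be reviewed and reverted independently.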
@@ -164,7 +170,7 @@ Or, perhaps it is desirable to store private keys in encrypted form, such as thr
.br
For use on a server, the following is a more complicated example involving multiple peers:
-
+
[Interface]
.br
\fBAddress = 10.192.122.1/24\fP
@@ -173,31 +179,31 @@ For use on a server, the following is a more complicated example involving multi
.br
\fBSaveConfig = true\fP
.br
- PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
+ PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
.br
- ListenPort = 51820
+ ListenPort = 51820
.br
-
+
.br
- [Peer]
+ [Peer]
.br
- PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
+ PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
.br
- AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
+ AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
.br
-
+
.br
- [Peer]
+ [Peer]
.br
- PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
+ PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
.br
- AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
+ AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
.br
-
+
.br
- [Peer]
+ [Peer]
.br
- PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
+ PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
.br
AllowedIPs = 10.10.10.230/32
@@ -205,6 +211,32 @@ Notice the two `Address' lines at the top, and that `SaveConfig' is set to `true
that the configuration file should be saved on shutdown using the current status of the
interface.
+A combination of the `Table', `PostUp', and `PreDown' fields may be used for policy routing
+as well. For example, the following may be used to send SSH traffic (TCP port 22) traffic
+through the tunnel:
+
+ [Interface]
+.br
+ Address = 10.192.122.1/24
+.br
+ PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
+.br
+ ListenPort = 51820
+.br
+ \fBTable = 1234\fP
+.br
+ \fBPostUp = ip rule add ipproto tcp dport 22 table 1234\fP
+.br
+ \fBPreDown = ip rule delete ipproto tcp dport 22 table 1234\fP
+.br
+
+.br
+ [Peer]
+.br
+ PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
+.br
+ AllowedIPs = 0.0.0.0/0
+
These configuration files may be placed in any directory, putting the desired interface name
in the filename:
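Review bot: the [Peer] section of the new policy-routing example has no Endpoint line, although the text presents it as a way to send outgoing SSH traffic through the tunnel. The block looks copied from the server example above (same PrivateKey and ListenPort, same first PublicKey), where the peers connect in; for this use case the interface needs to know where to reach the peer, so an Endpoint line such as the one in the client example would make it self-consistent. Separately, the introductory sentence reads "SSH traffic (TCP port 22) traffic" and the second "traffic" should be dropped. It would also be worth one sentence explaining that Table = 1234 keeps the routes out of the main table, since that is what makes the PostUp rule necessary.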
@@ -217,6 +249,13 @@ For convenience, if only an interface name is supplied, it automatically chooses
This will load the configuration file `/etc/wireguard/wgnet0.conf'.
+The \fIstrip\fP command is useful for reloading configuration files without disrupting active
+sessions:
+
+\fB # wg addconf wgnet0 <(wg-quick strip wgnet0)\fP
+
+(Note that the above command will add and update peers but will not remove peers.)
+
.SH SEE ALSO
.BR wg (8),
.BR ip (8),
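Review bot: the example "# wg addconf wgnet0 <(wg-quick strip wgnet0)" relies on process substitution, which is a bash feature and fails in a plain POSIX sh. Suggest noting that the command must be run from bash, or showing a form that works in any shell. The parenthetical about peers not being removed is an important limitation for anyone using this to revoke access, so consider promoting it from a parenthesis to a regular sentence and stating that removed peers stay active until they are deleted explicitly or the interface is restarted.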