wireguard-tools, branch masterRequired tools for WireGuard, such as wg(8) and wg-quick(8)https://git.zx2c4.com/wireguard-tools/atom/?h=master2026-03-24T02:27:26Zipc: freebsd: add allowed-ip flags support for FreeBSD2026-03-24T02:27:26ZKyle Evanskevans@FreeBSD.org2025-06-26T02:57:03Zurn:sha1:025f00454fec8fd0816607a28c1ee6cd9a54b134
The FreeBSD kernel flags will match what we define here in wg(8), just
pass them through and let the kernel sort it out.
Signed-off-by: Kyle Evans <kevans@FreeBSD.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
ipc: windows: support incremental allowed ips updates2026-03-24T02:22:51ZJason A. DonenfeldJason@zx2c4.com2026-03-24T02:22:51Zurn:sha1:06a99cce2c9998f53eb30d2f258a9e5ff286445b
Following the Linux case, now support the same API on Windows.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
global: bump copyright2026-03-21T11:20:43ZJason A. DonenfeldJason@zx2c4.com2026-03-21T11:20:43Zurn:sha1:997ffa0c89b4a6a3998325ceeb55588bb0cf8017
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
wg: windows: raise min windows version to 102026-03-21T10:42:07ZJason A. DonenfeldJason@zx2c4.com2026-03-20T21:07:25Zurn:sha1:1090b17df4ad07a9f46f5723ad4f8e3839484dea
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
version: bump2026-02-23T22:24:27ZJason A. DonenfeldJason@zx2c4.com2026-02-23T22:24:27Zurn:sha1:49ce333da02056ae7b22ee2aeb6afe8aaed79b19
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
syncconf: account for persistent keepalive removed from config file2026-02-23T22:23:04ZJason A. DonenfeldJason@zx2c4.com2025-05-23T18:22:37Zurn:sha1:0a81a174dbde2371ddcf4b602ba0ecda3c5dbd67
Otherwise removing a persistent keepalive from a config file wouldn't
reflect on the runtime state.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
config: preserve const correctness2026-02-23T22:10:51ZJason A. DonenfeldJason@zx2c4.com2026-02-23T22:10:48Zurn:sha1:ede2c4804245d4069b629ef6e8c670ca033afdfc
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
wg-quick@.service: add deps on wg-quick.target2026-02-23T22:02:07ZDoug Freeddwfreed@mtu.edu2023-04-03T05:58:55Zurn:sha1:0cbe9938e1b1435a6ac394309c4884340240bb44
These dependencies ensure that instances of this service are started
before wg-quick.target is considered started, allowing other services
to depend on wg-quick.target to mean "all wg-quick services are started"
Signed-off-by: Doug Freed <dwfreed@mtu.edu>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
wg-quick: linux: do not unnecessarily set sysctl2026-02-23T21:54:42ZJason A. DonenfeldJason@zx2c4.com2026-02-23T21:54:42Zurn:sha1:ac74ed6d7dd4d77f56c7f05c053a5e645e0e33a0
In some restrictive container namespaces, sysctl is locked down and
can't be changed. This shouldn't be a problem, though, at least in
theory, because net.ipv4.conf.all.src_valid_mark is already 1. However,
currently wg-quick unconditionally sets it. Instead, check to see if
it's already 1 before trying make it 1.
Suggested-by: Dean P <dean@apakossa.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
wg-quick: use addconf instead of setconf2025-06-19T15:08:50ZJason A. DonenfeldJason@zx2c4.com2025-06-19T14:58:39Zurn:sha1:0b7d9821f2815973a2930ace28a3f73c205d0e5c
The example in the man page at some point changed:
- \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
+ \fBPreUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
This is actually wrong because PreUp is followed by set_config(), which
calls `wg setconf`, which in turn deletes the private key from the
interface because it is missing from the configuration. Replacing this
with `wg addconf` is safe to do because the interface is newly created.
Suggested-by: Matthias Dressel <code@deadcode.eu>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>