Updated: 2021/Apr/14


WG(4)                        Device Drivers Manual                       WG(4)

NAME
     wg - virtual private network tunnel (EXPERIMENTAL)

SYNOPSIS
     pseudo-device wg

DESCRIPTION
     The wg interface implements a roaming-capable virtual private network
     tunnel, configured with ifconfig(8) and wgconfig(8).

     WARNING: wg is experimental.

     Packets exchanged on a wg interface are authenticated and encrypted with
     a secret key negotiated with the peer, and the encapsulation is exchanged
     over IP or IPv6 using UDP.

     Every wg interface can be configured with an IP address using
     ifconfig(8), a private key generated with wg-keygen(8), an optional
     listen port, and a collection of peers.

     Each peer configured on an wg interface has a public key and a range of
     IP addresses the peer is allowed to use for its wg interface inside the
     tunnel.  Each peer may also optionally have a preshared secret key and a
     fixed endpoint IP address outside the tunnel.

EXAMPLES
     Typical network topology:

         wm0 = 1.2.3.4                               bge0 = 4.3.2.1

         Stationary server:                         Roaming client:
         +---------+                                    +---------+
         |    A    |                                    |    B    |
         |---------|                                    |---------|
         |        [wm0]-------------internet--------[bge0]        |
         |    [wg0] port 1234 - - - (tunnel) - - - - - - [wg0]    |
         |   10.0.1.0                  |               10.0.1.1   |
         |         |                   |                |         |
         +--[wm1]--+          +-----------------+       +---------+
              |               | VPN 10.0.1.0/24 |
              |               +-----------------+
         +-----------------+
         | LAN 10.0.0.0/24 |
         +-----------------+

     Generate key pairs on A and B:

         A# wg-keygen > /etc/wg/wg0
         A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
         A# cat /etc/wg/wg0.pub
         N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y=

         B# wg-keygen > /etc/wg/wg0
         B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
         B# cat /etc/wg/wg0.pub
         X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=

     Configure A to listen on port 1234 and allow connections from B to appear
     in the 10.0.1.0/24 subnet:

         A# ifconfig wg0 create 10.0.1.0/24
         A# wgconfig wg0 set private-key /etc/wg/wg0
         A# wgconfig wg0 set listen-port 1234
         A# wgconfig wg0 add peer B \
             X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \
             --allowed-ips=10.0.1.1/32
         A# ifconfig wg0 up
         A# ifconfig wg0
         wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
                 inet 10.0.1.0/24 flags 0
                 inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3

     Configure B to connect to A at 1.2.3.4 on port 1234 and the packets can
     begin to flow:

         B# ifconfig wg0 create 10.0.1.1/24
         B# wgconfig wg0 set private-key /etc/wg/wg0
         B# wgconfig wg0 add peer A \
             N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \
             --allowed-ips=10.0.1.0/32 \
             --endpoint=1.2.3.4:1234
         B# ifconfig wg0 up
         B# ifconfig wg0
         wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
                 inet 10.0.1.1/24 flags 0
                 inet6 fe80::56eb:59ff:fe3d:d413%wg0/64 flags 0 scopeid 0x3
         B# ping -n 10.0.1.0
         PING 10.0.1.0 (10.0.1.0): 56 data bytes
         64 bytes from 10.0.1.0: icmp_seq=0 ttl=255 time=2.721110 ms
         ...

SEE ALSO
     wg-keygen(8), wgconfig(8)

COMPATIBILITY
     The wg interface aims to be compatible with the WireGuard protocol, as
     described in:

     Jason A. Donenfeld, WireGuard: Next Generation Kernel Network Tunnel,
     https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf,
     2018-06-30, Document ID: 4846ada1492f5d92198df154f48c3d54205657bc.

HISTORY
     The wg interface first appeared in NetBSD 10.0.

AUTHORS
     The wg interface was implemented by Ryota Ozaki <ozaki.ryota@gmail.com>.

NetBSD 9.99                     August 20, 2020                    NetBSD 9.99