From: "Anthony J. Bentley"
To: discuss@mandoc.bsd.lv
Cc: "Jason A. Donenfeld", Stephen Gregoratto
Subject: Re: [PATCH] Fix formatting in wg-quick(8)
Date: Thu, 13 Feb 2020 21:00:19 -0700

Jason A. Donenfeld writes:
> It's 2020 now, but what would you think of retaining the original
> date? Or do you usually bump it on every change? I'm not sure what the
> convention is.

Convention is to bump date on every change.

> Looks like you removed the (8) on wg-quick there by accident.

Usually the section is dropped when referring to self. I made the same
change independently before seeing this email.

> You've ordered these alphabetically, but the original ordering was
> chosen deliberately.

Alphabetical is another strongly held convention, so much so that
mandoc gives a warning about it.

Ingo Schwarze writes:
> Do you want somebody to have a go at converting your two files
> to mdoc(7)?

My attempt is below. One of the more difficult mdoc conversions I've done!
Some thoughts that came up during the process:

- There were a few places like this where I wasn't sure if squeezing Ar
  in there might be overkill:

	Upon bringing the interface up, this runs
	.Ql resolvconf -a tun.INTERFACE -m 0 -x
	and upon bringing it down, this runs
	.Ql resolvconf -d tun.INTERFACE .

- Does the config file support statements across multiple lines (with
  backslash or some such)? Then we could avoid the ugly wrapping in
  wg-quick(8)'s EXAMPLES.

- Wasn't there discussion on the Groff list about moving to title case
  instead of all caps in section headers? Is that something we want to
  encourage in downstream manuals?

- Not sure of my use of Bro/Brc.

- The hanging indent in long tag list items seems problematic here.
  Suggestions?

Pages below--directly, not as a diff, since files are entirely different.

.Dd February 13, 2020
.Dt WG 8
.Os
.Sh NAME
.Nm wg
.Nd set and retrieve configuration of WireGuard interfaces
.Sh SYNOPSIS
.Nm wg
.Op Ar COMMAND
.Op Ar OPTIONS ...
.Op Ar ARGS ...
.Sh DESCRIPTION
.Nm wg
is the configuration utility for getting and setting the configuration of
WireGuard tunnel interfaces.
The interfaces themselves can be added and removed using
.Xr ip-link 8
and their IP addresses and routing tables can be set using
.Xr ip-address 8
and
.Xr ip-route 8 .
The
.Nm
utility provides a series of sub-commands for changing WireGuard-specific
aspects of WireGuard interfaces.
.Pp
If no
.Ar COMMAND
is specified,
.Ar COMMAND
defaults to
.Cm show .
Sub-commands that take an
.Ar interface
must be passed a WireGuard interface.
.Sh COMMANDS
.Bl -tag -width Ds
.It Cm show Bro Ar interface | Cm all | interfaces Brc Oo Cm public-key | \
private-key | listen-port | fwmark | peers | preshared-keys | endpoints | \
allowed-ips | latest-handshakes | persistent-keepalive | transfer | dump Oc
Shows current WireGuard configuration and runtime information of specified
.Ar interface .
If no interface is specified,
.Ar interface
defaults to
.Cm all .
If
.Cm interfaces
is specified, prints a list of all WireGuard interfaces, one per line,
and quits.
If no options are given after the interface specification, then prints a
list of all attributes in a visually pleasing way meant for the terminal.
Otherwise, prints specified information grouped by newlines and tabs,
meant to be used in scripts.
For this script-friendly display, if
.Cm all
is specified, then the first field for all categories of information is
the interface name.
If
.Cm dump
is specified, then several lines are printed; the first contains in order
separated by tab: private-key, public-key, listen-port, fwmark.
Subsequent lines are printed for each peer and contain in order separated
by tab: public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
transfer-rx, transfer-tx, persistent-keepalive.
.It Cm showconf Ar interface
Shows the current configuration of
.Ar interface
in the format described by
.Sx CONFIGURATION FILE FORMAT
below.
.It Cm set Ar interface Oo Cm listen-port Ar port Oc Oo Cm fwmark Ar fwmark Oc \
Oo Cm private-key Ar file-path Oc Oo peer Ar base64-public-key Oo Cm remove Oc \
Oo Cm preshared-key Ar file-path Oc Oo Cm endpoint Ar ip : Ns Ar port Oc \
Oo Cm persistent-keepalive Ar interval_seconds Oc Oo Cm allowed-ips Ar ip1 Ns \
/ Ns Ar cidr1 Ns Oo \&, Ns Ar ip2 Ns / Ns Ar cidr2 Ar ... Oc Oc Oc Ar ...
Sets configuration values for the specified
.Ar interface .
Multiple
.Ar peer Ns s
may be specified, and if the
.Cm remove
argument is given for a peer, that peer is removed, not configured.
If
.Cm listen-port
is not specified, or set to 0, the port will be chosen randomly when the
interface comes up.
Both
.Cm private-key
and
.Cm preshared-key
must be files, because command line arguments are not considered private
on most systems but if you are using
.Xr bash 1 ,
you may safely pass in a string by specifying as
.Cm private-key
or
.Cm preshared-key
the expression:
.Ql <(echo PRIVATEKEYSTRING) .
If
.Pa /dev/null
or another empty file is specified as the filename for either
.Cm private-key
or
.Cm preshared-key ,
the key is removed from the device.
The use of
.Cm preshared-key
is optional, and may be omitted; it adds an additional layer of
symmetric-key cryptography to be mixed into the already existing
public-key cryptography, for post-quantum resistance.
If
.Cm allowed-ips
is specified, but the value is the empty string, all allowed ips are
removed from the peer.
The use of
.Cm persistent-keepalive
is optional and is by default off; setting it to 0 or
.Ql off
disables it.
Otherwise it represents, in seconds, between 1 and 65535 inclusive, how
often to send an authenticated empty packet to the peer, for the purpose
of keeping a stateful firewall or NAT mapping valid persistently.
For example, if the interface very rarely sends traffic, but it might at
anytime receive traffic from a peer, and it is behind NAT, the interface
might benefit from having a persistent keepalive interval of 25 seconds;
however, most users will not need this.
The use of
.Cm fwmark
is optional and is by default off; setting it to 0 or
.Ql off
disables it.
Otherwise it is a 32-bit fwmark for outgoing packets and may be specified
in hexadecimal by prepending
.Ql 0x .
.It Cm setconf Ar interface configuration-filename
Sets the current configuration of
.Ar interface
to the contents of
.Ar configuration-filename ,
which must be in the format described by
.Sx CONFIGURATION FILE FORMAT
below.
.It Cm addconf Ar interface configuration-filename
Appends the contents of
.Ar configuration-filename ,
which must be in the format described by
.Sx CONFIGURATION FILE FORMAT
below, to the current configuration of
.Ar interface .
.It Cm syncconf Ar interface configuration-filename
Like
.Cm setconf ,
but reads back the existing configuration first and only makes changes
that are explicitly different between the configuration file and the
interface.
This is much less efficient than
.Cm setconf ,
but has the benefit of not disrupting current peer sessions.
The contents of
.Ar configuration-filename
must be in the format described by
.Sx CONFIGURATION FILE FORMAT
below.
.It Cm genkey
Generates a random
.Em private
key in base64 and prints it to standard output.
.It Cm genpsk
Generates a random
.Em preshared
key in base64 and prints it to standard output.
.It Cm pubkey
Calculates a
.Em public
key and prints it in base64 to standard output from a corresponding
.Em private
key (generated with
.Cm genkey )
given in base64 on standard input.
.Pp
A private key and a corresponding public key may be generated at once by
calling:
.Pp
.Dl $ umask 077
.Dl $ wg genkey | tee private.key | wg pubkey > public.key
.It Cm help
Shows usage message.
.El
.Sh CONFIGURATION FILE FORMAT
The configuration file format is based on INI.
There are two top level sections \(em
.Ic Interface
and
.Ic Peer .
Multiple
.Ic Peer
sections may be specified, but only one
.Ic Interface
section may be specified.
.Pp
The
.Ar Interface
section may contain the following fields:
.Bl -tag -width Ds
.It Ic PrivateKey
A base64 private key generated by
.Ql wg genkey .
Required.
.It Ic ListenPort
A 16-bit port for listening.
Optional; if not specified, chosen randomly.
.It Ic FwMark
A 32-bit fwmark for outgoing packets.
If set to 0 or
.Ql off ,
this option is disabled.
May be specified in hexadecimal by prepending
.Ql 0x .
Optional.
.El
.Pp
The
.Ic Peer
sections may contain the following fields:
.Bl -tag -width Ds
.It Ic PublicKey
A base64 public key calculated by
.Ql wg pubkey
from a private key, and usually transmitted out of band to the author of
the configuration file.
Required.
.It Ic PresharedKey
A base64 preshared key generated by
.Ql wg genpsk .
Optional, and may be omitted.
This option adds an additional layer of symmetric-key cryptography to be
mixed into the already existing public-key cryptography, for post-quantum
resistance.
.It Ic AllowedIPs
A comma-separated list of IP (v4 or v6) addresses with CIDR masks from
which incoming traffic for this peer is allowed and to which outgoing
traffic for this peer is directed.
The catch-all
.Ql 0.0.0.0/0
may be specified for matching all IPv4 addresses, and
.Ql ::/0
may be specified for matching all IPv6 addresses.
May be specified multiple times.
.It Ic Endpoint
An endpoint IP or hostname, followed by a colon, and then a port number.
This endpoint will be updated automatically to the most recent source IP
address and port of correctly authenticated packets from the peer.
Optional.
.It Ic PersistentKeepalive
A seconds interval, between 1 and 65535 inclusive, of how often to send an
authenticated empty packet to the peer for the purpose of keeping a
stateful firewall or NAT mapping valid persistently.
For example, if the interface very rarely sends traffic, but it might at
anytime receive traffic from a peer, and it is behind NAT, the interface
might benefit from having a persistent keepalive interval of 25 seconds.
If set to 0 or
.Ql off ,
this option is disabled.
By default or when unspecified, this option is off.
Most users will not need this.
Optional.
.El
.Sh CONFIGURATION FILE FORMAT EXAMPLE
This example may be used as a model for writing configuration files,
following an INI-like syntax.
Characters after and including a
.Ql #
are considered comments and are thus ignored.
.Bd -literal -offset Ds
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
Endpoint = [2607:5300:60:6b0::c05f:543]:2468
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
Endpoint = test.wireguard.com:18981
AllowedIPs = 10.10.10.230/32
.Ed
.Sh DEBUGGING INFORMATION
Sometimes it is useful to have information on the current runtime state of
a tunnel.
When using the Linux kernel module on a kernel that supports dynamic
debugging, debugging information can be written into
.Xr dmesg 1
by running as root:
.Pp
.Dl # modprobe wireguard && \e
.Dl echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
.Pp
On userspace implementations, it is customary to set the
.Ev LOG_LEVEL
environment variable to
.Cm debug .
.Sh ENVIRONMENT VARIABLES
.Bl -tag -width Ds
.It Ev WG_COLOR_MODE
If set to
.Cm always ,
always print ANSI colorized output.
If set to
.Cm never ,
never print ANSI colorized output.
If set to
.Cm auto ,
something invalid, or unset, then print ANSI colorized output only when
writing to a TTY.
.It Ev WG_HIDE_KEYS
If set to
.Cm never ,
then the pretty-printing
.Cm show
sub-command will show private and preshared keys in the output.
If set to
.Cm always ,
something invalid, or unset, then private and preshared keys will be
printed as
.Ql Pq hidden .
.It Ev WG_ENDPOINT_RESOLUTION_RETRIES
If set to an integer or to
.Cm infinity ,
DNS resolution for each peer's endpoint will be retried that many times
for non-permanent errors, with an increasing delay between retries.
If unset, the default is 15 retries.
.El
.Sh SEE ALSO
.Xr ip 8 ,
.Xr ip-address 8 ,
.Xr ip-link 8 ,
.Xr ip-route 8 ,
.Xr wg-quick 8
.Sh AUTHORS
.An -nosplit
.Nm
was written by
.An Jason A. Donenfeld Aq Mt Jason@zx2c4.com .
For updates and more information, a project page is available
.Lk https://www.wireguard.com/ on the World Wide Web .

.Dd February 13, 2020
.Dt WG-QUICK 8
.Os
.Sh NAME
.Nm wg-quick
.Nd set up a WireGuard interface simply
.Sh SYNOPSIS
.Nm wg-quick
.Op Cm up | down | save | strip
.Op Ar CONFIG_FILE | INTERFACE
.Sh DESCRIPTION
This is an extremely simple script for easily bringing up a WireGuard
interface, suitable for a few common use cases.
.Pp
Use
.Cm up
to add and set up an interface, and use
.Cm down
to tear down and remove an interface.
Running
.Cm up
adds a WireGuard interface, brings up the interface with the supplied IP
addresses, sets up mtu and routes, and optionally runs pre/post up scripts.
Running
.Cm down
optionally saves the current configuration, removes the WireGuard
interface, and optionally runs pre/post down scripts.
Running
.Cm save
saves the configuration of an existing interface without bringing the
interface down.
Use
.Cm strip
to output a configuration file with all
.Nm wg-quick Ns -specific
options removed, suitable for use with
.Xr wg 8 .
.Pp
.Ar CONFIG_FILE
is a configuration file, whose filename is the interface name followed by
.Ql .conf .
Otherwise,
.Ar INTERFACE
is an interface name, with configuration found at
.Pa /etc/wireguard/INTERFACE.conf ,
searched first, followed by distro-specific search paths.
.Pp
Generally speaking, this utility is just a simple script that wraps
invocations to
.Xr wg 8
and
.Xr ip 8
in order to set up a WireGuard interface.
It is designed for users with simple needs, and users with more advanced
needs are highly encouraged to use a more specific tool, a more complete
network manager, or otherwise just use
.Xr wg 8
and
.Xr ip 8 ,
as usual.
.Sh CONFIGURATION
The configuration file adds a few extra configuration values to the format
understood by
.Xr wg 8
in order to configure additional attributes of an interface.
It handles the values that it understands, and then it passes the
remaining ones directly to
.Xr wg 8
for further processing.
.Pp
It infers all routes from the list of peers' allowed IPs, and automatically
adds them to the system routing table.
If one of those routes is the default route (0.0.0.0/0 or ::/0), then it
uses
.Xr ip-rule 8
to handle overriding of the default gateway.
.Pp
The configuration file will be passed directly to
.Xr wg 8 Ns 's
.Cm setconf
sub-command, with the exception of the following additions to the
.Ic Interface
section, which are handled by this tool:
.Bl -tag -width Ds
.It Ic Address
A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR
masks) to be assigned to the interface.
May be specified multiple times.
.It Ic DNS
A comma-separated list of IP (v4 or v6) addresses to be set as the
interface's DNS servers.
May be specified multiple times.
Upon bringing the interface up, this runs
.Ql resolvconf -a tun.INTERFACE -m 0 -x
and upon bringing it down, this runs
.Ql resolvconf -d tun.INTERFACE .
If these particular invocations of
.Xr resolvconf 8
are undesirable, the
.Ic PostUp
and
.Ic PostDown
keys below may be used instead.
.It Ic MTU
If not specified, the MTU is automatically determined from the endpoint
addresses or the system default route, which is usually a sane choice.
However, to manually specify an MTU to override this automatic discovery,
this value may be specified explicitly.
.It Ic Table
Controls the routing table to which routes are added.
There are two special values:
.Cm off
disables the creation of routes altogether, and
.Cm auto
(the default) adds routes to the default table and enables special
handling of default routes.
.It Ic PreUp, PostUp, PreDown, PostDown
Script snippets which will be executed by
.Xr bash 1
before/after setting up/tearing down the interface, most commonly used to
configure custom DNS options or firewall rules.
The special string
.Ql %i
is expanded to
.Ar INTERFACE .
Each one may be specified multiple times, in which case the commands are
executed in order.
.It Ic SaveConfig
If set to
.Cm true ,
the configuration is saved from the current state of the interface upon
shutdown.
.El
.Pp
Recommended
.Ar INTERFACE
names include
.Ql wg0
or
.Ql wgvpn0
or even
.Ql wgmgmtlan0 .
However, the number at the end is in fact optional, and really any
free-form string [a-zA-Z0-9_=+.-]{1,15} will work.
So even interface names corresponding to geographic locations would
suffice, such as
.Ql cincinnati ,
.Ql nyc ,
or
.Ql paris ,
if that's somehow desirable.
.Sh EXAMPLES
These examples draw on the same syntax found for
.Xr wg 8 ,
and a more complete description may be found there.
Bold lines below are for options that extend
.Xr wg 8 .
.Pp
The following might be used for connecting as a client to a VPN gateway
for tunneling all traffic:
.Bd -literal -offset Ds
[Interface]
Address = 10.200.100.8/24
DNS = 10.200.100.1
PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM=

[Peer]
PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=
AllowedIPs = 0.0.0.0/0
Endpoint = demo.wireguard.com:51820
.Ed
.Pp
The
.Ic Address
field is added here in order to set up the address for the interface.
The
.Ic DNS
field indicates that a DNS server for the interface should be configured
via
.Xr resolvconf 8 .
The peer's allowed IPs entry implies that this interface should be
configured as the default gateway, which this script does.
.Pp
Building on the last example, one might attempt the so-called
.Dq kill-switch ,
in order to prevent the flow of unencrypted packets through the
non-WireGuard interfaces, by adding the following two
.Ic PostUp
and
.Ic PreDown
lines to the
.Ql [Interface]
section:
.Bd -literal -offset Ds
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
.Ed
.Pp
The
.Ic PostUp
and
.Ic PreDown
fields have been added to specify an
.Xr iptables 8
command which, when used with interfaces that have a peer that specifies
0.0.0.0/0 as part of the
.Ic AllowedIPs ,
works together with
.Nm wg-quick Ns 's
fwmark usage in order to drop all packets that are either not coming out
of the tunnel encrypted or not going through the tunnel itself.
(Note that this continues to allow most DHCP traffic through, since most
DHCP clients make use of PF_PACKET sockets, which bypass Netfilter.)
When IPv6 is in use, additional similar lines could be added using
.Xr ip6tables 8 .
.Pp
Or, perhaps it is desirable to store private keys in encrypted form, such
as through use of
.Xr pass 1 :
.Bd -literal -offset Ds
PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)
.Ed
.Pp
For use on a server, the following is a more complicated example involving
multiple peers:
.Bd -literal -offset Ds
[Interface]
Address = 10.192.122.1/24
Address = 10.10.0.1/16
SaveConfig = true
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32
.Ed
.Pp
Notice the two
.Ic Address
lines at the top, and that
.Ic SaveConfig
is set to
.Cm true ,
indicating that the configuration file should be saved on shutdown using
the current status of the interface.
.Pp
A combination of the
.Ic Table ,
.Ic PostUp ,
and
.Ic PreDown
fields may be used for policy routing as well.
For example, the following may be used to send SSH traffic (TCP port 22)
through the tunnel:
.Bd -literal -offset Ds
[Interface]
Address = 10.192.122.1/24
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820
Table = 1234
PostUp = ip rule add ipproto tcp dport 22 table 1234
PreDown = ip rule delete ipproto tcp dport 22 table 1234

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = 0.0.0.0/0
.Ed
These configuration files may be placed in any directory, putting the
desired interface name in the filename:
.Pp
.Dl # wg-quick up /path/to/wgnet0.conf
.Pp
For convenience, if only an interface name is supplied, it automatically
chooses a path in
.Pa /etc/wireguard/ :
.Pp
.Dl # wg-quick up wgnet0
.Pp
This will load the configuration file
.Pa /etc/wireguard/wgnet0.conf .
.Pp
The
.Cm strip
command is useful for reloading configuration files without disrupting
active sessions:
.Pp
.Dl # wg addconf wgnet0 <(wg-quick strip wgnet0)
.Pp
(Note that the above command will add and update peers but will not remove
peers.)
.Sh SEE ALSO
.Xr ip 8 ,
.Xr ip-address 8 ,
.Xr ip-link 8 ,
.Xr ip-route 8 ,
.Xr ip-rule 8 ,
.Xr resolvconf 8 ,
.Xr wg 8
.Sh AUTHORS
.An -nosplit
.Nm wg-quick
was written by
.An Jason A. Donenfeld Aq Mt Jason@zx2c4.com .
For updates and more information, a project page is available
.Lk https://www.wireguard.com/ on the World Wide Web .

-- 
To unsubscribe send an email to discuss+unsubscribe@mandoc.bsd.lv
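An added example, not part of the original message and not WireGuard project code: a small Python linter for the configuration format the two pages above describe, which checks the documented field ranges and lists every hook command that wg-quick would hand to bash(1). The sample configuration is constructed from the page's client example with two deliberate errors; case-insensitive key matching and the 32-byte decoded key length are assumptions made here.

```python
import base64
import ipaddress
import re

IFNAME_RE = re.compile(r"[a-zA-Z0-9_=+.-]{1,15}")    # pattern quoted in wg-quick(8)
HOOKS = {"preup", "postup", "predown", "postdown"}    # executed by bash(1)
REQUIRED = {"interface": "privatekey", "peer": "publickey"}

def parse(text):
    """Return [(section, [(key, value), ...])]; '#' starts a comment."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)   # base64 padding stays in value
            sections[-1][1].append((key.strip().lower(), value.strip()))
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def is_key(value):
    """Assumption: a key is 32 bytes once base64-decoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def in_range(value, hi, allow_off=False):
    """Accept decimal or 0x-prefixed integers in 0..hi, optionally 'off'."""
    if allow_off and value.lower() == "off":
        return True
    try:
        return 0 <= int(value, 0) <= hi
    except ValueError:
        return False

def lint(text, ifname):
    findings = []
    if not IFNAME_RE.fullmatch(ifname):
        findings.append(f"interface name {ifname!r} is not [a-zA-Z0-9_=+.-]{{1,15}}")
    sections = parse(text)
    if [name for name, _ in sections].count("interface") != 1:
        findings.append("exactly one [Interface] section is required")
    for name, fields in sections:
        if name not in REQUIRED:
            findings.append(f"unknown section [{name}]")
            continue
        if REQUIRED[name] not in [k for k, _ in fields]:
            findings.append(f"[{name}] is missing {REQUIRED[name]}")
        for key, value in fields:
            if key in ("privatekey", "publickey", "presharedkey"):
                if not is_key(value):
                    findings.append(f"[{name}] {key} is not a base64 32-byte key")
            elif key == "listenport" and not in_range(value, 0xFFFF):
                findings.append(f"[{name}] listenport {value!r} is not 16-bit")
            elif key == "fwmark" and not in_range(value, 0xFFFFFFFF, True):
                findings.append(f"[{name}] fwmark {value!r} is not 32-bit or off")
            elif key == "persistentkeepalive" and not in_range(value, 0xFFFF, True):
                findings.append(f"[{name}] persistentkeepalive {value!r} out of range")
            elif key == "allowedips":
                for cidr in filter(None, (c.strip() for c in value.split(","))):
                    try:
                        ipaddress.ip_network(cidr, strict=False)
                    except ValueError:
                        findings.append(f"[{name}] allowedips entry {cidr!r} is invalid")
            elif key in HOOKS:
                findings.append(f"review: {key} runs under bash(1): {value}")
    return findings

# Constructed sample: the page's client example plus two deliberate errors.
SAMPLE = """\
[Interface]
Address = 10.200.100.8/24
PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM=
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
AllowedIPs = 0.0.0.0/0, 10.0.0.0/33   # invalid prefix length on purpose
PersistentKeepalive = 70000
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, "wg0")))
```

Hook lines are reported rather than rejected because they are legitimate configuration; the point is that anyone who can write the file controls commands run at interface bring-up, so they belong in review.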