From 6f9b135966206803df877d9e0c447455ec6e6516 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Mon, 16 Oct 2017 03:28:24 +0200 Subject: [PATCH] wg: add pass example to wg-quick man page Signed-off-by: Jason A. Donenfeld --- src/wg-quick.8 | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/src/wg-quick.8 b/src/wg-quick.8 index be6137c..b39eff8 100644 --- a/src/wg-quick.8 +++ b/src/wg-quick.8 @@ -130,32 +130,13 @@ The peer's allowed IPs entry implies that this interface should be configured as which this script does. Building on the last example, one might attempt the so-called ``kill-switch'', in order -to prevent the flow of unencrypted packets through the non-WireGuard interfaces: +to prevent the flow of unencrypted packets through the non-WireGuard interfaces, by adding the following +two lines `PostUp` and `PreDown` lines to the `[Interface]` section: - [Interface] -.br - Address = 10.200.100.8/24 -.br - DNS = 10.200.100.1 -.br - PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM= -.br \fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP .br \fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP .br - -.br - [Peer] -.br - PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU= -.br - PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak= -.br - AllowedIPs = 0.0.0.0/0 -.br - Endpoint = demo.wireguard.com:51820 -.br The `PostUp' and `PreDown' fields have been added to specify an .BR iptables (8) @@ -165,7 +146,13 @@ are either not coming out of the tunnel encrypted or not going through the tunne that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET sockets, which bypass Netfilter.) -Here is a more complicated example, fit for usage on a server: +Or, perhaps it is desirable to store private keys in encrypted form, such as through use of +.BR pass (1): + + \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP +.br + +For use on a server, the following is a more complicated example involving multiple peers: [Interface] .br