wg: add pass example to wg-quick man page

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
Jason A. Donenfeld 2017-10-16 03:28:24 +02:00
parent 65db14706b
commit 6f9b135966
1 changed files with 9 additions and 22 deletions

View File

@ -130,33 +130,14 @@ The peer's allowed IPs entry implies that this interface should be configured as
which this script does.
Building on the last example, one might attempt the so-called ``kill-switch'', in order
to prevent the flow of unencrypted packets through the non-WireGuard interfaces:
to prevent the flow of unencrypted packets through the non-WireGuard interfaces, by adding the following
two lines `PostUp` and `PreDown` lines to the `[Interface]` section:
[Interface]
.br
Address = 10.200.100.8/24
.br
DNS = 10.200.100.1
.br
PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM=
.br
\fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
.br
\fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
.br
.br
[Peer]
.br
PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
.br
PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=
.br
AllowedIPs = 0.0.0.0/0
.br
Endpoint = demo.wireguard.com:51820
.br
The `PostUp' and `PreDown' fields have been added to specify an
.BR iptables (8)
command which, when used with interfaces that have a peer that specifies 0.0.0.0/0 as part of the
@ -165,7 +146,13 @@ are either not coming out of the tunnel encrypted or not going through the tunne
that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET
sockets, which bypass Netfilter.)
Here is a more complicated example, fit for usage on a server:
Or, perhaps it is desirable to store private keys in encrypted form, such as through use of
.BR pass (1):
\fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
.br
For use on a server, the following is a more complicated example involving multiple peers:
[Interface]
.br