diff --git a/src/wg-quick.8 b/src/wg-quick.8 index be6137c..b39eff8 100644 --- a/src/wg-quick.8 +++ b/src/wg-quick.8 @@ -130,32 +130,13 @@ The peer's allowed IPs entry implies that this interface should be configured as which this script does. Building on the last example, one might attempt the so-called ``kill-switch'', in order -to prevent the flow of unencrypted packets through the non-WireGuard interfaces: +to prevent the flow of unencrypted packets through the non-WireGuard interfaces, by adding the following +two lines `PostUp` and `PreDown` lines to the `[Interface]` section: - [Interface] -.br - Address = 10.200.100.8/24 -.br - DNS = 10.200.100.1 -.br - PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM= -.br \fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP .br \fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP .br - -.br - [Peer] -.br - PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU= -.br - PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak= -.br - AllowedIPs = 0.0.0.0/0 -.br - Endpoint = demo.wireguard.com:51820 -.br The `PostUp' and `PreDown' fields have been added to specify an .BR iptables (8) @@ -165,7 +146,13 @@ are either not coming out of the tunnel encrypted or not going through the tunne that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET sockets, which bypass Netfilter.) -Here is a more complicated example, fit for usage on a server: +Or, perhaps it is desirable to store private keys in encrypted form, such as through use of +.BR pass (1): + + \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP +.br + +For use on a server, the following is a more complicated example involving multiple peers: [Interface] .br