wg: add pass example to wg-quick man page
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
parent
65db14706b
commit
6f9b135966
1 changed files with 9 additions and 22 deletions
|
@ -130,33 +130,14 @@ The peer's allowed IPs entry implies that this interface should be configured as
|
||||||
which this script does.
|
which this script does.
|
||||||
|
|
||||||
Building on the last example, one might attempt the so-called ``kill-switch'', in order
|
Building on the last example, one might attempt the so-called ``kill-switch'', in order
|
||||||
to prevent the flow of unencrypted packets through the non-WireGuard interfaces:
|
to prevent the flow of unencrypted packets through the non-WireGuard interfaces, by adding the following
|
||||||
|
two lines `PostUp` and `PreDown` lines to the `[Interface]` section:
|
||||||
|
|
||||||
[Interface]
|
|
||||||
.br
|
|
||||||
Address = 10.200.100.8/24
|
|
||||||
.br
|
|
||||||
DNS = 10.200.100.1
|
|
||||||
.br
|
|
||||||
PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM=
|
|
||||||
.br
|
|
||||||
\fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
|
\fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
|
||||||
.br
|
.br
|
||||||
\fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
|
\fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
|
||||||
.br
|
.br
|
||||||
|
|
||||||
.br
|
|
||||||
[Peer]
|
|
||||||
.br
|
|
||||||
PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
|
|
||||||
.br
|
|
||||||
PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=
|
|
||||||
.br
|
|
||||||
AllowedIPs = 0.0.0.0/0
|
|
||||||
.br
|
|
||||||
Endpoint = demo.wireguard.com:51820
|
|
||||||
.br
|
|
||||||
|
|
||||||
The `PostUp' and `PreDown' fields have been added to specify an
|
The `PostUp' and `PreDown' fields have been added to specify an
|
||||||
.BR iptables (8)
|
.BR iptables (8)
|
||||||
command which, when used with interfaces that have a peer that specifies 0.0.0.0/0 as part of the
|
command which, when used with interfaces that have a peer that specifies 0.0.0.0/0 as part of the
|
||||||
|
@ -165,7 +146,13 @@ are either not coming out of the tunnel encrypted or not going through the tunne
|
||||||
that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET
|
that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET
|
||||||
sockets, which bypass Netfilter.)
|
sockets, which bypass Netfilter.)
|
||||||
|
|
||||||
Here is a more complicated example, fit for usage on a server:
|
Or, perhaps it is desirable to store private keys in encrypted form, such as through use of
|
||||||
|
.BR pass (1):
|
||||||
|
|
||||||
|
\fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
|
||||||
|
.br
|
||||||
|
|
||||||
|
For use on a server, the following is a more complicated example involving multiple peers:
|
||||||
|
|
||||||
[Interface]
|
[Interface]
|
||||||
.br
|
.br
|
||||||
|
|
Loading…
Reference in a new issue