Re: wgconfig(8) and peer endpoint
On Fri, 19 Dec 2025 15:39:46 +0100
Martin Husemann wrote:
> On Fri, Dec 19, 2025 at 02:32:01PM +, Sad Clouds wrote:
> > NetBSD seems to lack /etc/rc.d scripts to configure wg interfaces and
> > their peers during system boot. I'll be fixing this shortly for my own
> > use cases, is there any interest for someone to import this
> > functionality into NetBSD?
>
> I don't think there is anything missing.
>
> # cat /etc/ifconfig.wg0
> 192.168.110.42/24
> !wgconfig ${int} set private-key /etc/wg/${int}
> !wgconfig ${int} set listen-port 62345
> !wgconfig ${int} add peer nameofpeera
> XXX= --allowed-ips=192.168.110.32/32
> !wgconfig ${int} add peer nameofpeerb
> YYY= --allowed-ips=192.168.110.33/32
> !wgconfig ${int} add peer nameofpeerc
> ZZZ= --allowed-ips=192.168.110.34/32
> up
>
>
> Martin
OK thanks for the example. I've been setting this up on Linux and it
uses separate config files and scripts to achieve the same thing. But
looks like NetBSD can run arbitrary shell commands via ifconfig.if(5)
which simplifies this a lot.
Re: wgconfig(8) and peer endpoint
On Fri, Dec 19, 2025 at 02:32:01PM +, Sad Clouds wrote:
> NetBSD seems to lack /etc/rc.d scripts to configure wg interfaces and
> their peers during system boot. I'll be fixing this shortly for my own
> use cases, is there any interest for someone to import this
> functionality into NetBSD?
I don't think there is anything missing.
# cat /etc/ifconfig.wg0
192.168.110.42/24
!wgconfig ${int} set private-key /etc/wg/${int}
!wgconfig ${int} set listen-port 62345
!wgconfig ${int} add peer nameofpeera
XXX= --allowed-ips=192.168.110.32/32
!wgconfig ${int} add peer nameofpeerb
YYY= --allowed-ips=192.168.110.33/32
!wgconfig ${int} add peer nameofpeerc
ZZZ= --allowed-ips=192.168.110.34/32
up
Martin
Re: wgconfig(8) and peer endpoint
On Thu, 18 Dec 2025 19:07:45 +0100 Martin Husemann wrote: > On Thu, Dec 18, 2025 at 05:59:14PM +, Sad Clouds wrote: > > Are there any use cases for this option on the server side? > > Not sure if that is what is meant here, but the wg(4) server might > be behind a NAT and proper port forwarding on the outer firewall is > configured, so the wg(4) server has no clue what it's public > address is. > > Martin I think the man page is written in a confusing manner. If I'm not mistaken, a VPN client should always specify peer endpoint, either VPN server or NAT firewall IP address. A VPN server can optionally specify peer endpoint, but I think this will prevent dynamic IP autolearning and will probably always use the specified client endpoint IP. NetBSD seems to lack /etc/rc.d scripts to configure wg interfaces and their peers during system boot. I'll be fixing this shortly for my own use cases, is there any interest for someone to import this functionality into NetBSD?
Re: wgconfig(8) and peer endpoint
On Thu, Dec 18, 2025 at 05:59:14PM +, Sad Clouds wrote: > Are there any use cases for this option on the server side? Not sure if that is what is meant here, but the wg(4) server might be behind a NAT and proper port forwarding on the outer firewall is configured, so the wg(4) server has no clue what it's public address is. Martin
