which this script does.
Building on the last example, one might attempt the so-called ``kill-switch'', in order
-to prevent the flow of unencrypted packets through the non-WireGuard interfaces:
+to prevent the flow of unencrypted packets through the non-WireGuard interfaces, by adding the following
+two lines `PostUp` and `PreDown` lines to the `[Interface]` section:
- [Interface]
-.br
- Address = 10.200.100.8/24
-.br
- DNS = 10.200.100.1
-.br
- PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM=
-.br
\fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
.br
\fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
.br
-
-.br
- [Peer]
-.br
- PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
-.br
- PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=
-.br
- AllowedIPs = 0.0.0.0/0
-.br
- Endpoint = demo.wireguard.com:51820
-.br
The `PostUp' and `PreDown' fields have been added to specify an
.BR iptables (8)
that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET
sockets, which bypass Netfilter.)
-Here is a more complicated example, fit for usage on a server:
+Or, perhaps it is desirable to store private keys in encrypted form, such as through use of
+.BR pass (1):
+
+ \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
+.br
+
+For use on a server, the following is a more complicated example involving multiple peers:
[Interface]
.br
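Review bot: the kill-switch in the new `PostUp`/`PreDown` lines is IPv4-only, since it installs its REJECT rule with `iptables` alone, so IPv6 packets can still leave through the non-WireGuard interfaces while the prose promises to block "the flow of unencrypted packets"; either add the matching `ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT` and `ip6tables -D ...` pair next to the iptables lines, or state in the text that the example covers IPv4 only. Two smaller points in the same hunk: the added sentence "by adding the following two lines `PostUp` and `PreDown` lines to the `[Interface]` section" doubles the word "lines" and should read "by adding the following `PostUp` and `PreDown` lines"; and the `pass` example depends on bash process substitution (`<(...)`), which works because wg-quick evaluates hooks in bash but deserves a clause saying so, along with a note on whether the `PrivateKey` field is then omitted from `[Interface]` when `wg set %i private-key` supplies it at PostUp time.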