==== ifconfig ====
openssl rand -base64 32 -out 29.key
rm -f 29.pub.tmp
doas -n ifconfig wg29 create || true
doas -n ifconfig wg29 wgkey "`cat 29.key`"
doas -n ifconfig wg29 | awk '/wgpubkey/{print $2}' >29.pub.tmp
mv 29.pub.tmp 29.pub
openssl rand -base64 32 -out 30.key
rm -f 30.pub.tmp
doas -n ifconfig wg30 create || true
doas -n ifconfig wg30 wgkey "`cat 30.key`"
doas -n ifconfig wg30 | awk '/wgpubkey/{print $2}' >30.pub.tmp
mv 30.pub.tmp 30.pub
openssl rand -base64 32 -out 31.key
rm -f 31.pub.tmp
doas -n ifconfig wg31 create || true
doas -n ifconfig wg31 wgkey "`cat 31.key`"
doas -n ifconfig wg31 | awk '/wgpubkey/{print $2}' >31.pub.tmp
mv 31.pub.tmp 31.pub
openssl rand -base64 32 -out 32.key
rm -f 32.pub.tmp
doas -n ifconfig wg32 create || true
doas -n ifconfig wg32 wgkey "`cat 32.key`"
doas -n ifconfig wg32 | awk '/wgpubkey/{print $2}' >32.pub.tmp
mv 32.pub.tmp 32.pub
# destroy WireGuard and routing domain loopback interfaces
doas -n ifconfig wg29 destroy
doas -n ifconfig lo29 destroy
ifconfig: lo29: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg30 destroy
doas -n ifconfig lo30 destroy
ifconfig: lo30: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg31 destroy
doas -n ifconfig lo31 destroy
ifconfig: lo31: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg32 destroy
doas -n ifconfig lo32 destroy
ifconfig: lo32: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
# create and configure WireGuard interfaces
doas -n ifconfig wg29  create  wgport 229  wgkey "`cat 29.key`"  rdomain 29
doas -n ifconfig wg30  create  wgport 230  wgkey "`cat 30.key`"  rdomain 30
doas -n ifconfig wg31  create  wgport 231  wgkey "`cat 31.key`"  rdomain 31
doas -n ifconfig wg32  create  wgport 232  wgkey "`cat 32.key`"  rdomain 32
# local SRC, foreign DST, tunnel 4
doas -n ifconfig wg29  wgpeer "`cat 30.pub`"  wgendpoint 127.0.0.1 230  wgaip 10.188.44.2/32  wgaip fdd7:e83e:66bc:46::2/128
# local SRC, foreign DST, tunnel 6
doas -n ifconfig wg31  wgpeer "`cat 32.pub`"  wgendpoint ::1 232  wgaip 10.188.64.2/32  wgaip fdd7:e83e:66bc:66::2/128
# local SRC, foreign DST, tunnel 4
doas -n ifconfig wg29  inet 10.188.44.1/24 alias
doas -n ifconfig wg29  inet6 fdd7:e83e:66bc:46::1/64 alias
# local SRC, foreign DST, tunnel 6
doas -n ifconfig wg31  inet 10.188.64.1/24 alias
doas -n ifconfig wg31  inet6 fdd7:e83e:66bc:66::1/64 alias
# local DST, foreign SRC, tunnel 4
doas -n ifconfig wg30  wgpeer "`cat 29.pub`"  wgendpoint 127.0.0.1 229  wgaip 10.188.44.1/32  wgaip fdd7:e83e:66bc:46::1/128
# local DST, foreign SRC, tunnel 6
doas -n ifconfig wg32  wgpeer "`cat 31.pub`"  wgendpoint ::1 231  wgaip 10.188.64.1/32  wgaip fdd7:e83e:66bc:66::1/128
# local DST, foreign SRC, tunnel 4
doas -n ifconfig wg30  inet 10.188.44.2/24 alias
doas -n ifconfig wg30  inet6 fdd7:e83e:66bc:46::2/64 alias
# local DST, foreign SRC, tunnel 6
doas -n ifconfig wg32  inet 10.188.64.2/24 alias
doas -n ifconfig wg32  inet6 fdd7:e83e:66bc:66::2/64 alias
sleep 1  # Wait until DAD for inet6 tunnel addresses has finished.

==== run-route-tunnel4-addr4-src-dst ====
# Get route to local address.
/sbin/route -n -T 29 get 10.188.44.1 |  grep 'interface: wg29$'
  interface: wg29
/sbin/route -n -T 29 get 10.188.44.1 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 29 get 10.188.44.2 |  grep 'interface: wg29$'
  interface: wg29
/sbin/route -n -T 29 get 10.188.44.2 |  grep 'flags: .*,CLON'
      flags: <UP,DONE,CLONING,CONNECTED>

==== run-ping-tunnel4-addr4-src-dst ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 29 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=0.121 ms

--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.121/0.121/0.121/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 29 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=15.400 ms

--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 15.400/15.400/15.400/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

5 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:08:02.115499 127.0.0.1.229 > 127.0.0.1.230: [wg] data length 96 to 0xdaffeee5 nonce 0
03:08:02.122443 127.0.0.1.230 > 127.0.0.1.229: [wg] data length 96 to 0xdebf7e61 nonce 1

==== run-badkey-tunnel4-addr4-src-dst ====
openssl rand -base64 32 -out bad.key
# Ping foreign address with bad key.
doas -n ifconfig wg29  wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 29 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes

--- 10.188.44.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg29  wgkey "`cat 29.key`"
/sbin/ping -n -w 1 -c 1 -V 29 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=3.235 ms

--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.235/3.235/3.235/0.000 ms

==== run-route-tunnel4-addr4-dst-src ====
# Get route to local address.
/sbin/route -n -T 30 get 10.188.44.2 |  grep 'interface: wg30$'
  interface: wg30
/sbin/route -n -T 30 get 10.188.44.2 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 30 get 10.188.44.1 |  grep 'interface: wg30$'
  interface: wg30
/sbin/route -n -T 30 get 10.188.44.1 |  grep 'flags: .*,CLON'
      flags: <UP,HOST,DONE,CLONED>

==== run-ping-tunnel4-addr4-dst-src ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 30 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=0.431 ms

--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.431/0.431/0.431/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 30 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=0.788 ms

--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.788/0.788/0.788/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:08:06.613439 127.0.0.1.230 > 127.0.0.1.229: [wg] data length 96 to 0x2203bad2 nonce 3
03:08:06.613802 127.0.0.1.229 > 127.0.0.1.230: [wg] data length 96 to 0xfbd68285 nonce 2

==== run-badkey-tunnel4-addr4-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg30  wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 30 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes

--- 10.188.44.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg30  wgkey "`cat 30.key`"
/sbin/ping -n -w 1 -c 1 -V 30 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=6.058 ms

--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.058/6.058/6.058/0.000 ms

==== run-route-tunnel4-addr6-src-dst ====
# Get route to local address.
/sbin/route -n -T 29 get fdd7:e83e:66bc:46::1 |  grep 'interface: wg29$'
  interface: wg29
/sbin/route -n -T 29 get fdd7:e83e:66bc:46::1 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 29 get fdd7:e83e:66bc:46::2 |  grep 'interface: wg29$'
  interface: wg29
/sbin/route -n -T 29 get fdd7:e83e:66bc:46::2 |  grep 'flags: .*,CLON'
      flags: <UP,DONE,CLONING,CONNECTED>

==== run-ping-tunnel4-addr6-src-dst ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 29 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=0.316 ms

--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.316/0.316/0.316/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 29 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=1.052 ms

--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.052/1.052/1.052/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:08:11.107585 127.0.0.1.229 > 127.0.0.1.230: [wg] data length 112 to 0x437937fa nonce 3
03:08:11.108042 127.0.0.1.230 > 127.0.0.1.229: [wg] data length 112 to 0xecf1d1bc nonce 2

==== run-badkey-tunnel4-addr6-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg29  wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 29 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes

--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg29  wgkey "`cat 29.key`"
/sbin/ping6 -n -w 1 -c 1 -V 29 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=10.876 ms

--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 10.876/10.876/10.876/0.000 ms

==== run-route-tunnel4-addr6-dst-src ====
# Get route to local address.
/sbin/route -n -T 30 get fdd7:e83e:66bc:46::2 |  grep 'interface: wg30$'
  interface: wg30
/sbin/route -n -T 30 get fdd7:e83e:66bc:46::2 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 30 get fdd7:e83e:66bc:46::1 |  grep 'interface: wg30$'
  interface: wg30
/sbin/route -n -T 30 get fdd7:e83e:66bc:46::1 |  grep 'flags: .*,CLON'
      flags: <UP,HOST,DONE,CLONED>

==== run-ping-tunnel4-addr6-dst-src ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 30 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=0.720 ms

--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.720/0.720/0.720/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 30 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=4.365 ms

--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 4.365/4.365/4.365/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:08:15.590477 127.0.0.1.230 > 127.0.0.1.229: [wg] data length 112 to 0x728f1c59 nonce 3
03:08:15.592424 127.0.0.1.229 > 127.0.0.1.230: [wg] data length 112 to 0x2a3c647f nonce 2

==== run-badkey-tunnel4-addr6-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg30  wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 30 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes

--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg30  wgkey "`cat 30.key`"
/sbin/ping6 -n -w 1 -c 1 -V 30 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=11.012 ms

--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 11.012/11.012/11.012/0.000 ms

==== run-route-tunnel6-addr4-src-dst ====
# Get route to local address.
/sbin/route -n -T 31 get 10.188.64.1 |  grep 'interface: wg31$'
  interface: wg31
/sbin/route -n -T 31 get 10.188.64.1 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 31 get 10.188.64.2 |  grep 'interface: wg31$'
  interface: wg31
/sbin/route -n -T 31 get 10.188.64.2 |  grep 'flags: .*,CLON'
      flags: <UP,DONE,CLONING,CONNECTED>

==== run-ping-tunnel6-addr4-src-dst ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 31 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=3.010 ms

--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.010/3.010/3.010/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip6 and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 31 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=17.068 ms

--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 17.068/17.068/17.068/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

5 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:08:20.061255 ::1.231 > ::1.232: [wg] data length 96 to 0xb4970b1a nonce 0
03:08:20.067869 ::1.232 > ::1.231: [wg] data length 96 to 0x79d48be8 nonce 1

==== run-badkey-tunnel6-addr4-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg31  wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 31 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes

--- 10.188.64.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg31  wgkey "`cat 31.key`"
/sbin/ping -n -w 1 -c 1 -V 31 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=19.830 ms

--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 19.830/19.830/19.830/0.000 ms

==== run-route-tunnel6-addr4-dst-src ====
# Get route to local address.
/sbin/route -n -T 32 get 10.188.64.2 |  grep 'interface: wg32$'
  interface: wg32
/sbin/route -n -T 32 get 10.188.64.2 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 32 get 10.188.64.1 |  grep 'interface: wg32$'
  interface: wg32
/sbin/route -n -T 32 get 10.188.64.1 |  grep 'flags: .*,CLON'
      flags: <UP,HOST,DONE,CLONED>

==== run-ping-tunnel6-addr4-dst-src ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 32 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=0.914 ms

--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.914/0.914/0.914/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip6 and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 32 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=0.410 ms

--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.410/0.410/0.410/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:08:24.543389 ::1.232 > ::1.231: [wg] data length 96 to 0xde85c445 nonce 3
03:08:24.543492 ::1.231 > ::1.232: [wg] data length 96 to 0x5e55ac72 nonce 2

==== run-badkey-tunnel6-addr4-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg32  wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 32 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes

--- 10.188.64.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg32  wgkey "`cat 32.key`"
/sbin/ping -n -w 1 -c 1 -V 32 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=17.487 ms

--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 17.487/17.487/17.487/0.000 ms

==== run-route-tunnel6-addr6-src-dst ====
# Get route to local address.
/sbin/route -n -T 31 get fdd7:e83e:66bc:66::1 |  grep 'interface: wg31$'
  interface: wg31
/sbin/route -n -T 31 get fdd7:e83e:66bc:66::1 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 31 get fdd7:e83e:66bc:66::2 |  grep 'interface: wg31$'
  interface: wg31
/sbin/route -n -T 31 get fdd7:e83e:66bc:66::2 |  grep 'flags: .*,CLON'
      flags: <UP,DONE,CLONING,CONNECTED>

==== run-ping-tunnel6-addr6-src-dst ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 31 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=0.114 ms

--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.114/0.114/0.114/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip6 and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 31 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=3.369 ms

--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.369/3.369/3.369/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

3 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:08:29.055553 ::1.231 > ::1.232: [wg] data length 112 to 0x6c59d1f5 nonce 3
03:08:29.058096 ::1.232 > ::1.231: [wg] data length 112 to 0xf3b18d42 nonce 2

==== run-badkey-tunnel6-addr6-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg31  wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 31 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes

--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg31  wgkey "`cat 31.key`"
/sbin/ping6 -n -w 1 -c 1 -V 31 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=6.098 ms

--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.098/6.098/6.098/0.000 ms

==== run-route-tunnel6-addr6-dst-src ====
# Get route to local address.
/sbin/route -n -T 32 get fdd7:e83e:66bc:66::2 |  grep 'interface: wg32$'
  interface: wg32
/sbin/route -n -T 32 get fdd7:e83e:66bc:66::2 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 32 get fdd7:e83e:66bc:66::1 |  grep 'interface: wg32$'
  interface: wg32
/sbin/route -n -T 32 get fdd7:e83e:66bc:66::1 |  grep 'flags: .*,CLON'
      flags: <UP,HOST,DONE,CLONED>

==== run-ping-tunnel6-addr6-dst-src ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 32 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=0.246 ms

--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.246/0.246/0.246/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip6 and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 32 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=0.552 ms

--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.552/0.552/0.552/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:08:33.541401 ::1.232 > ::1.231: [wg] data length 112 to 0x5c56f7b2 nonce 3
03:08:33.541574 ::1.231 > ::1.232: [wg] data length 112 to 0xf7dd12b6 nonce 2

==== run-badkey-tunnel6-addr6-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg32  wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 32 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes

--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg32  wgkey "`cat 32.key`"
/sbin/ping6 -n -w 1 -c 1 -V 32 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=5.884 ms

--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.884/5.884/5.884/0.000 ms

==== unconfig ====
# destroy WireGuard and routing domain loopback interfaces
doas -n ifconfig wg29 destroy
doas -n ifconfig lo29 destroy
doas -n ifconfig wg30 destroy
doas -n ifconfig lo30 destroy
doas -n ifconfig wg31 destroy
doas -n ifconfig lo31 destroy
doas -n ifconfig wg32 destroy
doas -n ifconfig lo32 destroy