==== ifconfig ====
openssl rand -base64 32 -out 29.key
rm -f 29.pub.tmp
doas -n ifconfig wg29 create || true
doas -n ifconfig wg29 wgkey "`cat 29.key`"
doas -n ifconfig wg29 | awk '/wgpubkey/{print $2}' >29.pub.tmp
mv 29.pub.tmp 29.pub
openssl rand -base64 32 -out 30.key
rm -f 30.pub.tmp
doas -n ifconfig wg30 create || true
doas -n ifconfig wg30 wgkey "`cat 30.key`"
doas -n ifconfig wg30 | awk '/wgpubkey/{print $2}' >30.pub.tmp
mv 30.pub.tmp 30.pub
openssl rand -base64 32 -out 31.key
rm -f 31.pub.tmp
doas -n ifconfig wg31 create || true
doas -n ifconfig wg31 wgkey "`cat 31.key`"
doas -n ifconfig wg31 | awk '/wgpubkey/{print $2}' >31.pub.tmp
mv 31.pub.tmp 31.pub
openssl rand -base64 32 -out 32.key
rm -f 32.pub.tmp
doas -n ifconfig wg32 create || true
doas -n ifconfig wg32 wgkey "`cat 32.key`"
doas -n ifconfig wg32 | awk '/wgpubkey/{print $2}' >32.pub.tmp
mv 32.pub.tmp 32.pub
# destroy WireGuard and routing domain loopback interfaces
doas -n ifconfig wg29 destroy
doas -n ifconfig lo29 destroy
ifconfig: lo29: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg30 destroy
doas -n ifconfig lo30 destroy
ifconfig: lo30: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg31 destroy
doas -n ifconfig lo31 destroy
ifconfig: lo31: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg32 destroy
doas -n ifconfig lo32 destroy
ifconfig: lo32: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
# create and configure WireGuard interfaces
doas -n ifconfig wg29 create wgport 229 wgkey "`cat 29.key`" rdomain 29
doas -n ifconfig wg30 create wgport 230 wgkey "`cat 30.key`" rdomain 30
doas -n ifconfig wg31 create wgport 231 wgkey "`cat 31.key`" rdomain 31
doas -n ifconfig wg32 create wgport 232 wgkey "`cat 32.key`" rdomain 32
# local SRC, foreign DST, tunnel 4
doas -n ifconfig wg29 wgpeer "`cat 30.pub`" wgendpoint 127.0.0.1 230 wgaip 10.188.44.2/32 wgaip fdd7:e83e:66bc:46::2/128
# local SRC, foreign DST, tunnel 6
doas -n ifconfig wg31 wgpeer "`cat 32.pub`" wgendpoint ::1 232 wgaip 10.188.64.2/32 wgaip fdd7:e83e:66bc:66::2/128
# local SRC, foreign DST, tunnel 4
doas -n ifconfig wg29 inet 10.188.44.1/24 alias
doas -n ifconfig wg29 inet6 fdd7:e83e:66bc:46::1/64 alias
# local SRC, foreign DST, tunnel 6
doas -n ifconfig wg31 inet 10.188.64.1/24 alias
doas -n ifconfig wg31 inet6 fdd7:e83e:66bc:66::1/64 alias
# local DST, foreign SRC, tunnel 4
doas -n ifconfig wg30 wgpeer "`cat 29.pub`" wgendpoint 127.0.0.1 229 wgaip 10.188.44.1/32 wgaip fdd7:e83e:66bc:46::1/128
# local DST, foreign SRC, tunnel 6
doas -n ifconfig wg32 wgpeer "`cat 31.pub`" wgendpoint ::1 231 wgaip 10.188.64.1/32 wgaip fdd7:e83e:66bc:66::1/128
# local DST, foreign SRC, tunnel 4
doas -n ifconfig wg30 inet 10.188.44.2/24 alias
doas -n ifconfig wg30 inet6 fdd7:e83e:66bc:46::2/64 alias
# local DST, foreign SRC, tunnel 6
doas -n ifconfig wg32 inet 10.188.64.2/24 alias
doas -n ifconfig wg32 inet6 fdd7:e83e:66bc:66::2/64 alias
sleep 1 # Wait until DAD for inet6 tunnel addresses has finished.
==== run-route-tunnel4-addr4-src-dst ====
# Get route to local address.
/sbin/route -n -T 29 get 10.188.44.1 | grep 'interface: wg29$'
interface: wg29
/sbin/route -n -T 29 get 10.188.44.1 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 29 get 10.188.44.2 | grep 'interface: wg29$'
interface: wg29
/sbin/route -n -T 29 get 10.188.44.2 | grep 'flags: .*,CLON'
flags: <UP,DONE,CLONING,CONNECTED>
==== run-ping-tunnel4-addr4-src-dst ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 29 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=2.028 ms
--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.028/2.028/2.028/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap ip and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 29 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=20.183 ms
--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 20.183/20.183/20.183/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
5 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
02:56:18.523456 127.0.0.1.229 > 127.0.0.1.230: [wg] data length 96 to 0xd1b27324 nonce 0
02:56:18.533529 127.0.0.1.230 > 127.0.0.1.229: [wg] data length 96 to 0x87fcd649 nonce 1
==== run-badkey-tunnel4-addr4-src-dst ====
openssl rand -base64 32 -out bad.key
# Ping foreign address with bad key.
doas -n ifconfig wg29 wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 29 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
--- 10.188.44.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg29 wgkey "`cat 29.key`"
/sbin/ping -n -w 1 -c 1 -V 29 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=6.729 ms
--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.729/6.729/6.729/0.000 ms
==== run-route-tunnel4-addr4-dst-src ====
# Get route to local address.
/sbin/route -n -T 30 get 10.188.44.2 | grep 'interface: wg30$'
interface: wg30
/sbin/route -n -T 30 get 10.188.44.2 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 30 get 10.188.44.1 | grep 'interface: wg30$'
interface: wg30
/sbin/route -n -T 30 get 10.188.44.1 | grep 'flags: .*,CLON'
flags: <UP,HOST,DONE,CLONED>
==== run-ping-tunnel4-addr4-dst-src ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 30 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=0.793 ms
--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.793/0.793/0.793/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap ip and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 30 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=5.074 ms
--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.074/5.074/5.074/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
02:56:23.026454 127.0.0.1.230 > 127.0.0.1.229: [wg] data length 96 to 0x53aaac36 nonce 3
02:56:23.027751 127.0.0.1.229 > 127.0.0.1.230: [wg] data length 96 to 0xc4da6c02 nonce 2
==== run-badkey-tunnel4-addr4-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg30 wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 30 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
--- 10.188.44.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg30 wgkey "`cat 30.key`"
/sbin/ping -n -w 1 -c 1 -V 30 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=8.518 ms
--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 8.518/8.518/8.518/0.000 ms
==== run-route-tunnel4-addr6-src-dst ====
# Get route to local address.
/sbin/route -n -T 29 get fdd7:e83e:66bc:46::1 | grep 'interface: wg29$'
interface: wg29
/sbin/route -n -T 29 get fdd7:e83e:66bc:46::1 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 29 get fdd7:e83e:66bc:46::2 | grep 'interface: wg29$'
interface: wg29
/sbin/route -n -T 29 get fdd7:e83e:66bc:46::2 | grep 'flags: .*,CLON'
flags: <UP,DONE,CLONING,CONNECTED>
==== run-ping-tunnel4-addr6-src-dst ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 29 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=6.116 ms
--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.116/6.116/6.116/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap ip and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 29 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=0.823 ms
--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.823/0.823/0.823/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
02:56:27.535879 127.0.0.1.229 > 127.0.0.1.230: [wg] data length 112 to 0x8f1e9257 nonce 3
02:56:27.536282 127.0.0.1.230 > 127.0.0.1.229: [wg] data length 112 to 0xf30c5080 nonce 2
==== run-badkey-tunnel4-addr6-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg29 wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 29 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg29 wgkey "`cat 29.key`"
/sbin/ping6 -n -w 1 -c 1 -V 29 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=16.718 ms
--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 16.718/16.718/16.718/0.000 ms
==== run-route-tunnel4-addr6-dst-src ====
# Get route to local address.
/sbin/route -n -T 30 get fdd7:e83e:66bc:46::2 | grep 'interface: wg30$'
interface: wg30
/sbin/route -n -T 30 get fdd7:e83e:66bc:46::2 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 30 get fdd7:e83e:66bc:46::1 | grep 'interface: wg30$'
interface: wg30
/sbin/route -n -T 30 get fdd7:e83e:66bc:46::1 | grep 'flags: .*,CLON'
flags: <UP,HOST,DONE,CLONED>
==== run-ping-tunnel4-addr6-dst-src ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 30 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=1.657 ms
--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.657/1.657/1.657/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap ip and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 30 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=0.370 ms
--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.370/0.370/0.370/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
02:56:32.040891 127.0.0.1.230 > 127.0.0.1.229: [wg] data length 112 to 0x0424ced9 nonce 3
02:56:32.041038 127.0.0.1.229 > 127.0.0.1.230: [wg] data length 112 to 0xa83f03a8 nonce 2
==== run-badkey-tunnel4-addr6-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg30 wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 30 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg30 wgkey "`cat 30.key`"
/sbin/ping6 -n -w 1 -c 1 -V 30 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=9.043 ms
--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 9.043/9.043/9.043/0.000 ms
==== run-route-tunnel6-addr4-src-dst ====
# Get route to local address.
/sbin/route -n -T 31 get 10.188.64.1 | grep 'interface: wg31$'
interface: wg31
/sbin/route -n -T 31 get 10.188.64.1 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 31 get 10.188.64.2 | grep 'interface: wg31$'
interface: wg31
/sbin/route -n -T 31 get 10.188.64.2 | grep 'flags: .*,CLON'
flags: <UP,DONE,CLONING,CONNECTED>
==== run-ping-tunnel6-addr4-src-dst ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 31 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=0.907 ms
--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.907/0.907/0.907/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap ip6 and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 31 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=8.489 ms
--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 8.489/8.489/8.489/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
5 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
02:56:36.531392 ::1.231 > ::1.232: [wg] data length 96 to 0x91e8762c nonce 0
02:56:36.532302 ::1.232 > ::1.231: [wg] data length 96 to 0x2d85ccd4 nonce 1
==== run-badkey-tunnel6-addr4-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg31 wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 31 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
--- 10.188.64.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg31 wgkey "`cat 31.key`"
/sbin/ping -n -w 1 -c 1 -V 31 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=21.938 ms
--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 21.938/21.938/21.938/0.000 ms
==== run-route-tunnel6-addr4-dst-src ====
# Get route to local address.
/sbin/route -n -T 32 get 10.188.64.2 | grep 'interface: wg32$'
interface: wg32
/sbin/route -n -T 32 get 10.188.64.2 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 32 get 10.188.64.1 | grep 'interface: wg32$'
interface: wg32
/sbin/route -n -T 32 get 10.188.64.1 | grep 'flags: .*,CLON'
flags: <UP,HOST,DONE,CLONED>
==== run-ping-tunnel6-addr4-dst-src ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 32 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=0.729 ms
--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.729/0.729/0.729/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap ip6 and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 32 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=2.952 ms
--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.952/2.952/2.952/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
02:56:40.995521 ::1.232 > ::1.231: [wg] data length 96 to 0xe695bba9 nonce 3
02:56:40.996536 ::1.231 > ::1.232: [wg] data length 96 to 0xd736687a nonce 2
==== run-badkey-tunnel6-addr4-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg32 wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 32 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
--- 10.188.64.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg32 wgkey "`cat 32.key`"
/sbin/ping -n -w 1 -c 1 -V 32 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=8.246 ms
--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 8.246/8.246/8.246/0.000 ms
==== run-route-tunnel6-addr6-src-dst ====
# Get route to local address.
/sbin/route -n -T 31 get fdd7:e83e:66bc:66::1 | grep 'interface: wg31$'
interface: wg31
/sbin/route -n -T 31 get fdd7:e83e:66bc:66::1 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 31 get fdd7:e83e:66bc:66::2 | grep 'interface: wg31$'
interface: wg31
/sbin/route -n -T 31 get fdd7:e83e:66bc:66::2 | grep 'flags: .*,CLON'
flags: <UP,DONE,CLONING,CONNECTED>
==== run-ping-tunnel6-addr6-src-dst ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 31 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=0.136 ms
--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.136/0.136/0.136/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap ip6 and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 31 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=0.549 ms
--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.549/0.549/0.549/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
3 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
02:56:45.499187 ::1.231 > ::1.232: [wg] data length 112 to 0x754c9715 nonce 3
02:56:45.499431 ::1.232 > ::1.231: [wg] data length 112 to 0x27f7c5ea nonce 2
==== run-badkey-tunnel6-addr6-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg31 wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 31 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg31 wgkey "`cat 31.key`"
/sbin/ping6 -n -w 1 -c 1 -V 31 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=5.447 ms
--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.447/5.447/5.447/0.000 ms
==== run-route-tunnel6-addr6-dst-src ====
# Get route to local address.
/sbin/route -n -T 32 get fdd7:e83e:66bc:66::2 | grep 'interface: wg32$'
interface: wg32
/sbin/route -n -T 32 get fdd7:e83e:66bc:66::2 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 32 get fdd7:e83e:66bc:66::1 | grep 'interface: wg32$'
interface: wg32
/sbin/route -n -T 32 get fdd7:e83e:66bc:66::1 | grep 'flags: .*,CLON'
flags: <UP,HOST,DONE,CLONED>
==== run-ping-tunnel6-addr6-dst-src ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 32 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=0.183 ms
--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.183/0.183/0.183/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap ip6 and udp port 229 or 230 or 231 or 232 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 32 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=0.520 ms
--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.520/0.520/0.520/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
02:56:49.958797 ::1.232 > ::1.231: [wg] data length 112 to 0x834d5c0a nonce 3
02:56:49.959044 ::1.231 > ::1.232: [wg] data length 112 to 0xd44cd5bb nonce 2
==== run-badkey-tunnel6-addr6-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg32 wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 32 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg32 wgkey "`cat 32.key`"
/sbin/ping6 -n -w 1 -c 1 -V 32 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=5.169 ms
--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.169/5.169/5.169/0.000 ms
==== unconfig ====
# destroy WireGuard and routing domain loopback interfaces
doas -n ifconfig wg29 destroy
doas -n ifconfig lo29 destroy
doas -n ifconfig wg30 destroy
doas -n ifconfig lo30 destroy
doas -n ifconfig wg31 destroy
doas -n ifconfig lo31 destroy
doas -n ifconfig wg32 destroy
doas -n ifconfig lo32 destroy