==== ifconfig ====
openssl rand -base64 32 -out 50.key
rm -f 50.pub.tmp
doas -n ifconfig wg50 create || true
doas -n ifconfig wg50 wgkey "`cat 50.key`"
doas -n ifconfig wg50 | awk '/wgpubkey/{print $2}' >50.pub.tmp
mv 50.pub.tmp 50.pub
openssl rand -base64 32 -out 51.key
rm -f 51.pub.tmp
doas -n ifconfig wg51 create || true
doas -n ifconfig wg51 wgkey "`cat 51.key`"
doas -n ifconfig wg51 | awk '/wgpubkey/{print $2}' >51.pub.tmp
mv 51.pub.tmp 51.pub
openssl rand -base64 32 -out 52.key
rm -f 52.pub.tmp
doas -n ifconfig wg52 create || true
doas -n ifconfig wg52 wgkey "`cat 52.key`"
doas -n ifconfig wg52 | awk '/wgpubkey/{print $2}' >52.pub.tmp
mv 52.pub.tmp 52.pub
openssl rand -base64 32 -out 53.key
rm -f 53.pub.tmp
doas -n ifconfig wg53 create || true
doas -n ifconfig wg53 wgkey "`cat 53.key`"
doas -n ifconfig wg53 | awk '/wgpubkey/{print $2}' >53.pub.tmp
mv 53.pub.tmp 53.pub
# destroy WireGuard and routing domain loopback interfaces
doas -n ifconfig wg50 destroy
doas -n ifconfig lo50 destroy
ifconfig: lo50: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg51 destroy
doas -n ifconfig lo51 destroy
ifconfig: lo51: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg52 destroy
doas -n ifconfig lo52 destroy
ifconfig: lo52: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
doas -n ifconfig wg53 destroy
doas -n ifconfig lo53 destroy
ifconfig: lo53: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
# create and configure WireGuard interfaces
doas -n ifconfig wg50  create  wgport 250  wgkey "`cat 50.key`"  rdomain 50
doas -n ifconfig wg51  create  wgport 251  wgkey "`cat 51.key`"  rdomain 51
doas -n ifconfig wg52  create  wgport 252  wgkey "`cat 52.key`"  rdomain 52
doas -n ifconfig wg53  create  wgport 253  wgkey "`cat 53.key`"  rdomain 53
# local SRC, foreign DST, tunnel 4
doas -n ifconfig wg50  wgpeer "`cat 51.pub`"  wgendpoint 127.0.0.1 251  wgaip 10.188.44.2/32  wgaip fdd7:e83e:66bc:46::2/128
# local SRC, foreign DST, tunnel 6
doas -n ifconfig wg52  wgpeer "`cat 53.pub`"  wgendpoint ::1 253  wgaip 10.188.64.2/32  wgaip fdd7:e83e:66bc:66::2/128
# local SRC, foreign DST, tunnel 4
doas -n ifconfig wg50  inet 10.188.44.1/24 alias
doas -n ifconfig wg50  inet6 fdd7:e83e:66bc:46::1/64 alias
# local SRC, foreign DST, tunnel 6
doas -n ifconfig wg52  inet 10.188.64.1/24 alias
doas -n ifconfig wg52  inet6 fdd7:e83e:66bc:66::1/64 alias
# local DST, foreign SRC, tunnel 4
doas -n ifconfig wg51  wgpeer "`cat 50.pub`"  wgendpoint 127.0.0.1 250  wgaip 10.188.44.1/32  wgaip fdd7:e83e:66bc:46::1/128
# local DST, foreign SRC, tunnel 6
doas -n ifconfig wg53  wgpeer "`cat 52.pub`"  wgendpoint ::1 252  wgaip 10.188.64.1/32  wgaip fdd7:e83e:66bc:66::1/128
# local DST, foreign SRC, tunnel 4
doas -n ifconfig wg51  inet 10.188.44.2/24 alias
doas -n ifconfig wg51  inet6 fdd7:e83e:66bc:46::2/64 alias
# local DST, foreign SRC, tunnel 6
doas -n ifconfig wg53  inet 10.188.64.2/24 alias
doas -n ifconfig wg53  inet6 fdd7:e83e:66bc:66::2/64 alias
sleep 1  # Wait until DAD for inet6 tunnel addresses has finished.

==== run-route-tunnel4-addr4-src-dst ====
# Get route to local address.
/sbin/route -n -T 50 get 10.188.44.1 |  grep 'interface: wg50$'
  interface: wg50
/sbin/route -n -T 50 get 10.188.44.1 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 50 get 10.188.44.2 |  grep 'interface: wg50$'
  interface: wg50
/sbin/route -n -T 50 get 10.188.44.2 |  grep 'flags: .*,CLON'
      flags: <UP,DONE,CLONING,CONNECTED>

==== run-ping-tunnel4-addr4-src-dst ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 50 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=3.703 ms

--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.703/3.703/3.703/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip and udp port 250 or 251 or 252 or 253 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 50 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=8.247 ms

--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 8.247/8.247/8.247/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

5 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:07:20.437411 127.0.0.1.250 > 127.0.0.1.251: [wg] data length 96 to 0x7318a21a nonce 0
03:07:20.439173 127.0.0.1.251 > 127.0.0.1.250: [wg] data length 96 to 0x8077a86d nonce 1

==== run-badkey-tunnel4-addr4-src-dst ====
openssl rand -base64 32 -out bad.key
# Ping foreign address with bad key.
doas -n ifconfig wg50  wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 50 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes

--- 10.188.44.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg50  wgkey "`cat 50.key`"
/sbin/ping -n -w 1 -c 1 -V 50 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=11.929 ms

--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 11.929/11.929/11.929/0.000 ms

==== run-route-tunnel4-addr4-dst-src ====
# Get route to local address.
/sbin/route -n -T 51 get 10.188.44.2 |  grep 'interface: wg51$'
  interface: wg51
/sbin/route -n -T 51 get 10.188.44.2 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 51 get 10.188.44.1 |  grep 'interface: wg51$'
  interface: wg51
/sbin/route -n -T 51 get 10.188.44.1 |  grep 'flags: .*,CLON'
      flags: <UP,HOST,DONE,CLONED>

==== run-ping-tunnel4-addr4-dst-src ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 51 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=1.080 ms

--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.080/1.080/1.080/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip and udp port 250 or 251 or 252 or 253 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 51 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=0.899 ms

--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.899/0.899/0.899/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:07:24.920221 127.0.0.1.251 > 127.0.0.1.250: [wg] data length 96 to 0xdf358041 nonce 3
03:07:24.920472 127.0.0.1.250 > 127.0.0.1.251: [wg] data length 96 to 0xdf39e45e nonce 2

==== run-badkey-tunnel4-addr4-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg51  wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 51 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes

--- 10.188.44.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg51  wgkey "`cat 51.key`"
/sbin/ping -n -w 1 -c 1 -V 51 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=8.999 ms

--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 8.999/8.999/8.999/0.000 ms

==== run-route-tunnel4-addr6-src-dst ====
# Get route to local address.
/sbin/route -n -T 50 get fdd7:e83e:66bc:46::1 |  grep 'interface: wg50$'
  interface: wg50
/sbin/route -n -T 50 get fdd7:e83e:66bc:46::1 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 50 get fdd7:e83e:66bc:46::2 |  grep 'interface: wg50$'
  interface: wg50
/sbin/route -n -T 50 get fdd7:e83e:66bc:46::2 |  grep 'flags: .*,CLON'
      flags: <UP,DONE,CLONING,CONNECTED>

==== run-ping-tunnel4-addr6-src-dst ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 50 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=0.771 ms

--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.771/0.771/0.771/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip and udp port 250 or 251 or 252 or 253 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 50 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=5.546 ms

--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.546/5.546/5.546/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:07:29.396195 127.0.0.1.250 > 127.0.0.1.251: [wg] data length 112 to 0x59e67209 nonce 3
03:07:29.400974 127.0.0.1.251 > 127.0.0.1.250: [wg] data length 112 to 0xfc0d33d1 nonce 2

==== run-badkey-tunnel4-addr6-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg50  wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 50 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes

--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg50  wgkey "`cat 50.key`"
/sbin/ping6 -n -w 1 -c 1 -V 50 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=5.802 ms

--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.802/5.802/5.802/0.000 ms

==== run-route-tunnel4-addr6-dst-src ====
# Get route to local address.
/sbin/route -n -T 51 get fdd7:e83e:66bc:46::2 |  grep 'interface: wg51$'
  interface: wg51
/sbin/route -n -T 51 get fdd7:e83e:66bc:46::2 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 51 get fdd7:e83e:66bc:46::1 |  grep 'interface: wg51$'
  interface: wg51
/sbin/route -n -T 51 get fdd7:e83e:66bc:46::1 |  grep 'flags: .*,CLON'
      flags: <UP,HOST,DONE,CLONED>

==== run-ping-tunnel4-addr6-dst-src ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 51 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=0.560 ms

--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.560/0.560/0.560/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip and udp port 250 or 251 or 252 or 253 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 51 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=0.965 ms

--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.965/0.965/0.965/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:07:33.906008 127.0.0.1.251 > 127.0.0.1.250: [wg] data length 112 to 0xb95f29f9 nonce 3
03:07:33.906427 127.0.0.1.250 > 127.0.0.1.251: [wg] data length 112 to 0xb1fde422 nonce 2

==== run-badkey-tunnel4-addr6-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg51  wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 51 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes

--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg51  wgkey "`cat 51.key`"
/sbin/ping6 -n -w 1 -c 1 -V 51 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=6.609 ms

--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.609/6.609/6.609/0.000 ms

==== run-route-tunnel6-addr4-src-dst ====
# Get route to local address.
/sbin/route -n -T 52 get 10.188.64.1 |  grep 'interface: wg52$'
  interface: wg52
/sbin/route -n -T 52 get 10.188.64.1 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 52 get 10.188.64.2 |  grep 'interface: wg52$'
  interface: wg52
/sbin/route -n -T 52 get 10.188.64.2 |  grep 'flags: .*,CLON'
      flags: <UP,DONE,CLONING,CONNECTED>

==== run-ping-tunnel6-addr4-src-dst ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 52 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=0.227 ms

--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.227/0.227/0.227/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip6 and udp port 250 or 251 or 252 or 253 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 52 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=6.445 ms

--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.445/6.445/6.445/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

5 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:07:38.387350 ::1.252 > ::1.253: [wg] data length 96 to 0x980721f7 nonce 0
03:07:38.387801 ::1.253 > ::1.252: [wg] data length 96 to 0xf2f6435a nonce 1

==== run-badkey-tunnel6-addr4-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg52  wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 52 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes

--- 10.188.64.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg52  wgkey "`cat 52.key`"
/sbin/ping -n -w 1 -c 1 -V 52 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=15.691 ms

--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 15.691/15.691/15.691/0.000 ms

==== run-route-tunnel6-addr4-dst-src ====
# Get route to local address.
/sbin/route -n -T 53 get 10.188.64.2 |  grep 'interface: wg53$'
  interface: wg53
/sbin/route -n -T 53 get 10.188.64.2 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 53 get 10.188.64.1 |  grep 'interface: wg53$'
  interface: wg53
/sbin/route -n -T 53 get 10.188.64.1 |  grep 'flags: .*,CLON'
      flags: <UP,HOST,DONE,CLONED>

==== run-ping-tunnel6-addr4-dst-src ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 53 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=6.125 ms

--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.125/6.125/6.125/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip6 and udp port 250 or 251 or 252 or 253 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 53 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=4.154 ms

--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 4.154/4.154/4.154/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:07:42.847348 ::1.253 > ::1.252: [wg] data length 96 to 0x51adff6d nonce 3
03:07:42.849292 ::1.252 > ::1.253: [wg] data length 96 to 0xa7a48cf3 nonce 2

==== run-badkey-tunnel6-addr4-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg53  wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 53 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes

--- 10.188.64.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg53  wgkey "`cat 53.key`"
/sbin/ping -n -w 1 -c 1 -V 53 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=18.730 ms

--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 18.730/18.730/18.730/0.000 ms

==== run-route-tunnel6-addr6-src-dst ====
# Get route to local address.
/sbin/route -n -T 52 get fdd7:e83e:66bc:66::1 |  grep 'interface: wg52$'
  interface: wg52
/sbin/route -n -T 52 get fdd7:e83e:66bc:66::1 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 52 get fdd7:e83e:66bc:66::2 |  grep 'interface: wg52$'
  interface: wg52
/sbin/route -n -T 52 get fdd7:e83e:66bc:66::2 |  grep 'flags: .*,CLON'
      flags: <UP,DONE,CLONING,CONNECTED>

==== run-ping-tunnel6-addr6-src-dst ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 52 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=3.204 ms

--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.204/3.204/3.204/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip6 and udp port 250 or 251 or 252 or 253 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 52 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=11.708 ms

--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 11.708/11.708/11.708/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

3 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:07:47.338182 ::1.252 > ::1.253: [wg] data length 112 to 0x6abfbda4 nonce 3
03:07:47.348893 ::1.253 > ::1.252: [wg] data length 112 to 0xaa13ba82 nonce 2

==== run-badkey-tunnel6-addr6-src-dst ====
# Ping foreign address with bad key.
doas -n ifconfig wg52  wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 52 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes

--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg52  wgkey "`cat 52.key`"
/sbin/ping6 -n -w 1 -c 1 -V 52 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=23.676 ms

--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 23.676/23.676/23.676/0.000 ms

==== run-route-tunnel6-addr6-dst-src ====
# Get route to local address.
/sbin/route -n -T 53 get fdd7:e83e:66bc:66::2 |  grep 'interface: wg53$'
  interface: wg53
/sbin/route -n -T 53 get fdd7:e83e:66bc:66::2 |  grep 'flags: .*,LOCAL'
      flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 53 get fdd7:e83e:66bc:66::1 |  grep 'interface: wg53$'
  interface: wg53
/sbin/route -n -T 53 get fdd7:e83e:66bc:66::1 |  grep 'flags: .*,CLON'
      flags: <UP,HOST,DONE,CLONED>

==== run-ping-tunnel6-addr6-dst-src ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 53 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=5.245 ms

--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.245/5.245/5.245/0.000 ms
# Ping foreign address.
doas -n tcpdump -ni lo0 -w wg.pcap  ip6 and udp port 250 or 251 or 252 or 253 or 0 &
sleep 1  # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 53 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=0.662 ms

--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.662/0.662/0.662/0.000 ms
sleep 1  # Wait until tcpdump has captured traffic.
doas -n pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'

2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap |  fgrep ': [wg] data '
03:07:51.888055 ::1.253 > ::1.252: [wg] data length 112 to 0xe80d9924 nonce 3
03:07:51.888340 ::1.252 > ::1.253: [wg] data length 112 to 0xb920caaa nonce 2

==== run-badkey-tunnel6-addr6-dst-src ====
# Ping foreign address with bad key.
doas -n ifconfig wg53  wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 53 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes

--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
doas -n ifconfig wg53  wgkey "`cat 53.key`"
/sbin/ping6 -n -w 1 -c 1 -V 53 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=5.815 ms

--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.815/5.815/5.815/0.000 ms

==== unconfig ====
# destroy WireGuard and routing domain loopback interfaces
doas -n ifconfig wg50 destroy
doas -n ifconfig lo50 destroy
doas -n ifconfig wg51 destroy
doas -n ifconfig lo51 destroy
doas -n ifconfig wg52 destroy
doas -n ifconfig lo52 destroy
doas -n ifconfig wg53 destroy
doas -n ifconfig lo53 destroy