START sys/net/wg 2025-03-08T05:40:01Z
==== ifconfig ====
openssl rand -base64 32 -out 11.key
rm -f 11.pub.tmp
ifconfig wg11 create || true
ifconfig wg11 wgkey "`cat 11.key`"
ifconfig wg11 | awk '/wgpubkey/{print $2}' >11.pub.tmp
mv 11.pub.tmp 11.pub
openssl rand -base64 32 -out 12.key
rm -f 12.pub.tmp
ifconfig wg12 create || true
ifconfig wg12 wgkey "`cat 12.key`"
ifconfig wg12 | awk '/wgpubkey/{print $2}' >12.pub.tmp
mv 12.pub.tmp 12.pub
openssl rand -base64 32 -out 13.key
rm -f 13.pub.tmp
ifconfig wg13 create || true
ifconfig wg13 wgkey "`cat 13.key`"
ifconfig wg13 | awk '/wgpubkey/{print $2}' >13.pub.tmp
mv 13.pub.tmp 13.pub
openssl rand -base64 32 -out 14.key
rm -f 14.pub.tmp
ifconfig wg14 create || true
ifconfig wg14 wgkey "`cat 14.key`"
ifconfig wg14 | awk '/wgpubkey/{print $2}' >14.pub.tmp
mv 14.pub.tmp 14.pub
# destroy WireGuard and routing domain loopback interfaces
ifconfig wg11 destroy
ifconfig lo11 destroy
ifconfig: lo11: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
ifconfig wg12 destroy
ifconfig lo12 destroy
ifconfig: lo12: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
ifconfig wg13 destroy
ifconfig lo13 destroy
ifconfig: lo13: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
ifconfig wg14 destroy
ifconfig lo14 destroy
ifconfig: lo14: SIOCIFDESTROY: Device not configured
*** Error 1 in target 'unconfig' (ignored)
# create and configure WireGuard interfaces
ifconfig wg11 create wgport 211 wgkey "`cat 11.key`" rdomain 11
ifconfig wg12 create wgport 212 wgkey "`cat 12.key`" rdomain 12
ifconfig wg13 create wgport 213 wgkey "`cat 13.key`" rdomain 13
ifconfig wg14 create wgport 214 wgkey "`cat 14.key`" rdomain 14
# local SRC, foreign DST, tunnel 4
ifconfig wg11 wgpeer "`cat 12.pub`" wgendpoint 127.0.0.1 212 wgaip 10.188.44.2/32 wgaip fdd7:e83e:66bc:46::2/128
# local SRC, foreign DST, tunnel 6
ifconfig wg13 wgpeer "`cat 14.pub`" wgendpoint ::1 214 wgaip 10.188.64.2/32 wgaip fdd7:e83e:66bc:66::2/128
# local SRC, foreign DST, tunnel 4
ifconfig wg11 inet 10.188.44.1/24 alias
ifconfig wg11 inet6 fdd7:e83e:66bc:46::1/64 alias
# local SRC, foreign DST, tunnel 6
ifconfig wg13 inet 10.188.64.1/24 alias
ifconfig wg13 inet6 fdd7:e83e:66bc:66::1/64 alias
# local DST, foreign SRC, tunnel 4
ifconfig wg12 wgpeer "`cat 11.pub`" wgendpoint 127.0.0.1 211 wgaip 10.188.44.1/32 wgaip fdd7:e83e:66bc:46::1/128
# local DST, foreign SRC, tunnel 6
ifconfig wg14 wgpeer "`cat 13.pub`" wgendpoint ::1 213 wgaip 10.188.64.1/32 wgaip fdd7:e83e:66bc:66::1/128
# local DST, foreign SRC, tunnel 4
ifconfig wg12 inet 10.188.44.2/24 alias
ifconfig wg12 inet6 fdd7:e83e:66bc:46::2/64 alias
# local DST, foreign SRC, tunnel 6
ifconfig wg14 inet 10.188.64.2/24 alias
ifconfig wg14 inet6 fdd7:e83e:66bc:66::2/64 alias
sleep 1 # Wait until DAD for inet6 tunnel addresses has finished.
==== run-route-tunnel4-addr4-src-dst ====
# Get route to local address.
/sbin/route -n -T 11 get 10.188.44.1 | grep 'interface: wg11$'
interface: wg11
/sbin/route -n -T 11 get 10.188.44.1 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 11 get 10.188.44.2 | grep 'interface: wg11$'
interface: wg11
/sbin/route -n -T 11 get 10.188.44.2 | grep 'flags: .*,CLON'
flags: <UP,DONE,CLONING,CONNECTED>
==== run-ping-tunnel4-addr4-src-dst ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 11 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=0.033 ms
--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.033/0.033/0.033/0.000 ms
# Ping foreign address.
tcpdump -ni lo0 -w wg.pcap ip and udp port 211 or 212 or 213 or 214 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 11 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=3.045 ms
--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.045/3.045/3.045/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
5 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
06:40:04.378762 127.0.0.1.211 > 127.0.0.1.212: [wg] data length 96 to 0x0a66b62b nonce 0
06:40:04.378877 127.0.0.1.212 > 127.0.0.1.211: [wg] data length 96 to 0x9b2b488b nonce 1
==== run-badkey-tunnel4-addr4-src-dst ====
openssl rand -base64 32 -out bad.key
# Ping foreign address with bad key.
ifconfig wg11 wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 11 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
--- 10.188.44.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
ifconfig wg11 wgkey "`cat 11.key`"
/sbin/ping -n -w 1 -c 1 -V 11 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=2.933 ms
--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.933/2.933/2.933/0.000 ms
==== run-route-tunnel4-addr4-dst-src ====
# Get route to local address.
/sbin/route -n -T 12 get 10.188.44.2 | grep 'interface: wg12$'
interface: wg12
/sbin/route -n -T 12 get 10.188.44.2 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 12 get 10.188.44.1 | grep 'interface: wg12$'
interface: wg12
/sbin/route -n -T 12 get 10.188.44.1 | grep 'flags: .*,CLON'
flags: <UP,HOST,DONE,CLONED>
==== run-ping-tunnel4-addr4-dst-src ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 12 10.188.44.2
PING 10.188.44.2 (10.188.44.2): 56 data bytes
64 bytes from 10.188.44.2: icmp_seq=0 ttl=255 time=0.031 ms
--- 10.188.44.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.031/0.031/0.031/0.000 ms
# Ping foreign address.
tcpdump -ni lo0 -w wg.pcap ip and udp port 211 or 212 or 213 or 214 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 12 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=0.103 ms
--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.103/0.103/0.103/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
06:40:08.605931 127.0.0.1.212 > 127.0.0.1.211: [wg] data length 96 to 0xa2bb3752 nonce 3
06:40:08.605972 127.0.0.1.211 > 127.0.0.1.212: [wg] data length 96 to 0x9a8cdc39 nonce 2
==== run-badkey-tunnel4-addr4-dst-src ====
# Ping foreign address with bad key.
ifconfig wg12 wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 12 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
--- 10.188.44.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
ifconfig wg12 wgkey "`cat 12.key`"
/sbin/ping -n -w 1 -c 1 -V 12 10.188.44.1
PING 10.188.44.1 (10.188.44.1): 56 data bytes
64 bytes from 10.188.44.1: icmp_seq=0 ttl=255 time=2.981 ms
--- 10.188.44.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.981/2.981/2.981/0.000 ms
==== run-route-tunnel4-addr6-src-dst ====
# Get route to local address.
/sbin/route -n -T 11 get fdd7:e83e:66bc:46::1 | grep 'interface: wg11$'
interface: wg11
/sbin/route -n -T 11 get fdd7:e83e:66bc:46::1 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 11 get fdd7:e83e:66bc:46::2 | grep 'interface: wg11$'
interface: wg11
/sbin/route -n -T 11 get fdd7:e83e:66bc:46::2 | grep 'flags: .*,CLON'
flags: <UP,DONE,CLONING,CONNECTED>
==== run-ping-tunnel4-addr6-src-dst ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 11 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=0.041 ms
--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.041/0.041/0.041/0.000 ms
# Ping foreign address.
tcpdump -ni lo0 -w wg.pcap ip and udp port 211 or 212 or 213 or 214 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 11 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=0.199 ms
--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.199/0.199/0.199/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
06:40:12.828167 127.0.0.1.211 > 127.0.0.1.212: [wg] data length 112 to 0x5f8f9b2c nonce 3
06:40:12.828242 127.0.0.1.212 > 127.0.0.1.211: [wg] data length 112 to 0xf60c7543 nonce 2
==== run-badkey-tunnel4-addr6-src-dst ====
# Ping foreign address with bad key.
ifconfig wg11 wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 11 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
ifconfig wg11 wgkey "`cat 11.key`"
/sbin/ping6 -n -w 1 -c 1 -V 11 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=2.985 ms
--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.985/2.985/2.985/0.000 ms
==== run-route-tunnel4-addr6-dst-src ====
# Get route to local address.
/sbin/route -n -T 12 get fdd7:e83e:66bc:46::2 | grep 'interface: wg12$'
interface: wg12
/sbin/route -n -T 12 get fdd7:e83e:66bc:46::2 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 12 get fdd7:e83e:66bc:46::1 | grep 'interface: wg12$'
interface: wg12
/sbin/route -n -T 12 get fdd7:e83e:66bc:46::1 | grep 'flags: .*,CLON'
flags: <UP,HOST,DONE,CLONED>
==== run-ping-tunnel4-addr6-dst-src ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 12 fdd7:e83e:66bc:46::2
PING fdd7:e83e:66bc:46::2 (fdd7:e83e:66bc:46::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::2: icmp_seq=0 hlim=64 time=0.038 ms
--- fdd7:e83e:66bc:46::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.038/0.038/0.038/0.000 ms
# Ping foreign address.
tcpdump -ni lo0 -w wg.pcap ip and udp port 211 or 212 or 213 or 214 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 12 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=0.142 ms
--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.142/0.142/0.142/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
06:40:17.058197 127.0.0.1.212 > 127.0.0.1.211: [wg] data length 112 to 0x35dfe3c3 nonce 3
06:40:17.058248 127.0.0.1.211 > 127.0.0.1.212: [wg] data length 112 to 0x054d3316 nonce 2
==== run-badkey-tunnel4-addr6-dst-src ====
# Ping foreign address with bad key.
ifconfig wg12 wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 12 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
ifconfig wg12 wgkey "`cat 12.key`"
/sbin/ping6 -n -w 1 -c 1 -V 12 fdd7:e83e:66bc:46::1
PING fdd7:e83e:66bc:46::1 (fdd7:e83e:66bc:46::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:46::1: icmp_seq=0 hlim=64 time=2.951 ms
--- fdd7:e83e:66bc:46::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.951/2.951/2.951/0.000 ms
==== run-route-tunnel6-addr4-src-dst ====
# Get route to local address.
/sbin/route -n -T 13 get 10.188.64.1 | grep 'interface: wg13$'
interface: wg13
/sbin/route -n -T 13 get 10.188.64.1 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 13 get 10.188.64.2 | grep 'interface: wg13$'
interface: wg13
/sbin/route -n -T 13 get 10.188.64.2 | grep 'flags: .*,CLON'
flags: <UP,DONE,CLONING,CONNECTED>
==== run-ping-tunnel6-addr4-src-dst ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 13 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=0.042 ms
--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.042/0.042/0.042/0.000 ms
# Ping foreign address.
tcpdump -ni lo0 -w wg.pcap ip6 and udp port 211 or 212 or 213 or 214 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 13 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=2.971 ms
--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.971/2.971/2.971/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
5 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
06:40:21.288592 ::1.213 > ::1.214: [wg] data length 96 to 0xd5b6dbd2 nonce 0
06:40:21.288691 ::1.214 > ::1.213: [wg] data length 96 to 0x42b1d5cb nonce 1
==== run-badkey-tunnel6-addr4-src-dst ====
# Ping foreign address with bad key.
ifconfig wg13 wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 13 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
--- 10.188.64.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
ifconfig wg13 wgkey "`cat 13.key`"
/sbin/ping -n -w 1 -c 1 -V 13 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=2.972 ms
--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.972/2.972/2.972/0.000 ms
==== run-route-tunnel6-addr4-dst-src ====
# Get route to local address.
/sbin/route -n -T 14 get 10.188.64.2 | grep 'interface: wg14$'
interface: wg14
/sbin/route -n -T 14 get 10.188.64.2 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 14 get 10.188.64.1 | grep 'interface: wg14$'
interface: wg14
/sbin/route -n -T 14 get 10.188.64.1 | grep 'flags: .*,CLON'
flags: <UP,HOST,DONE,CLONED>
==== run-ping-tunnel6-addr4-dst-src ====
# Ping local address.
/sbin/ping -n -w 1 -c 1 -V 14 10.188.64.2
PING 10.188.64.2 (10.188.64.2): 56 data bytes
64 bytes from 10.188.64.2: icmp_seq=0 ttl=255 time=0.031 ms
--- 10.188.64.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.031/0.031/0.031/0.000 ms
# Ping foreign address.
tcpdump -ni lo0 -w wg.pcap ip6 and udp port 211 or 212 or 213 or 214 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping -n -w 1 -c 1 -V 14 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=0.138 ms
--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.138/0.138/0.138/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
06:40:25.515923 ::1.214 > ::1.213: [wg] data length 96 to 0x23142fe2 nonce 3
06:40:25.515969 ::1.213 > ::1.214: [wg] data length 96 to 0x89d10e94 nonce 2
==== run-badkey-tunnel6-addr4-dst-src ====
# Ping foreign address with bad key.
ifconfig wg14 wgkey "`cat bad.key`"
! /sbin/ping -n -w 1 -c 1 -V 14 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
--- 10.188.64.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
ifconfig wg14 wgkey "`cat 14.key`"
/sbin/ping -n -w 1 -c 1 -V 14 10.188.64.1
PING 10.188.64.1 (10.188.64.1): 56 data bytes
64 bytes from 10.188.64.1: icmp_seq=0 ttl=255 time=2.982 ms
--- 10.188.64.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.982/2.982/2.982/0.000 ms
==== run-route-tunnel6-addr6-src-dst ====
# Get route to local address.
/sbin/route -n -T 13 get fdd7:e83e:66bc:66::1 | grep 'interface: wg13$'
interface: wg13
/sbin/route -n -T 13 get fdd7:e83e:66bc:66::1 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 13 get fdd7:e83e:66bc:66::2 | grep 'interface: wg13$'
interface: wg13
/sbin/route -n -T 13 get fdd7:e83e:66bc:66::2 | grep 'flags: .*,CLON'
flags: <UP,DONE,CLONING,CONNECTED>
==== run-ping-tunnel6-addr6-src-dst ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 13 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=0.039 ms
--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.039/0.039/0.039/0.000 ms
# Ping foreign address.
tcpdump -ni lo0 -w wg.pcap ip6 and udp port 211 or 212 or 213 or 214 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 13 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=0.178 ms
--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.178/0.178/0.178/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
3 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
06:40:29.738027 ::1.213 > ::1.214: [wg] data length 112 to 0x225c6428 nonce 3
06:40:29.738097 ::1.214 > ::1.213: [wg] data length 112 to 0x4dd8fbfe nonce 2
==== run-badkey-tunnel6-addr6-src-dst ====
# Ping foreign address with bad key.
ifconfig wg13 wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 13 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
ifconfig wg13 wgkey "`cat 13.key`"
/sbin/ping6 -n -w 1 -c 1 -V 13 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=2.979 ms
--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.979/2.979/2.979/0.000 ms
==== run-route-tunnel6-addr6-dst-src ====
# Get route to local address.
/sbin/route -n -T 14 get fdd7:e83e:66bc:66::2 | grep 'interface: wg14$'
interface: wg14
/sbin/route -n -T 14 get fdd7:e83e:66bc:66::2 | grep 'flags: .*,LOCAL'
flags: <UP,HOST,DONE,LLINFO,LOCAL>
# Get route to foreign address.
/sbin/route -n -T 14 get fdd7:e83e:66bc:66::1 | grep 'interface: wg14$'
interface: wg14
/sbin/route -n -T 14 get fdd7:e83e:66bc:66::1 | grep 'flags: .*,CLON'
flags: <UP,HOST,DONE,CLONED>
==== run-ping-tunnel6-addr6-dst-src ====
# Ping local address.
/sbin/ping6 -n -w 1 -c 1 -V 14 fdd7:e83e:66bc:66::2
PING fdd7:e83e:66bc:66::2 (fdd7:e83e:66bc:66::2): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::2: icmp_seq=0 hlim=64 time=0.049 ms
--- fdd7:e83e:66bc:66::2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.049/0.049/0.049/0.000 ms
# Ping foreign address.
tcpdump -ni lo0 -w wg.pcap ip6 and udp port 211 or 212 or 213 or 214 or 0 &
sleep 1 # Wait until tcpdump is up.
tcpdump: listening on lo0, link-type LOOP
/sbin/ping6 -n -w 1 -c 1 -V 14 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=0.134 ms
--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.134/0.134/0.134/0.000 ms
sleep 1 # Wait until tcpdump has captured traffic.
pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
2 packets received by filter
0 packets dropped by kernel
# Check WireGuard encrypted traffic
/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '
06:40:33.967862 ::1.214 > ::1.213: [wg] data length 112 to 0xe241be26 nonce 3
06:40:33.967924 ::1.213 > ::1.214: [wg] data length 112 to 0x6959d7b1 nonce 2
==== run-badkey-tunnel6-addr6-dst-src ====
# Ping foreign address with bad key.
ifconfig wg14 wgkey "`cat bad.key`"
! /sbin/ping6 -n -w 1 -c 1 -V 14 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# Restore key and test it.
ifconfig wg14 wgkey "`cat 14.key`"
/sbin/ping6 -n -w 1 -c 1 -V 14 fdd7:e83e:66bc:66::1
PING fdd7:e83e:66bc:66::1 (fdd7:e83e:66bc:66::1): 56 data bytes
64 bytes from fdd7:e83e:66bc:66::1: icmp_seq=0 hlim=64 time=2.971 ms
--- fdd7:e83e:66bc:66::1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.971/2.971/2.971/0.000 ms
==== unconfig ====
# destroy WireGuard and routing domain loopback interfaces
ifconfig wg11 destroy
ifconfig lo11 destroy
ifconfig wg12 destroy
ifconfig lo12 destroy
ifconfig wg13 destroy
ifconfig lo13 destroy
ifconfig wg14 destroy
ifconfig lo14 destroy
PASS sys/net/wg Duration 0m36.33s