| WG(4) | Device Drivers Manual | WG(4) | 
wg —
pseudo-device wg
The wg interface implements a roaming-capable virtual private network tunnel, configured with ifconfig(8) and wgconfig(8).

WARNING: wg is experimental.
Packets exchanged on a wg interface are authenticated and encrypted with a secret key negotiated with the peer, and the encapsulation is exchanged over IP or IPv6 using UDP.
Every wg interface can be configured with an IP address using ifconfig(8), a private key generated with wg-keygen(8), an optional listen port, and a collection of peers.
Each peer configured on a wg interface has a public key and a range of IP addresses the peer is allowed to use for its wg interface inside the tunnel. Each peer may also optionally have a preshared secret key and a fixed endpoint IP address outside the tunnel.
wm0 = 192.0.2.123                     bge0 = 198.51.100.45
Stationary server:                         Roaming client:
+---------+                                    +---------+
|    A    |                                    |    B    |
|---------|                                    |---------|
|        [wm0]-------------internet--------[bge0]        |
|    [wg0] port 1234 - - - (tunnel) - - - - - - [wg0]    |
|   10.0.1.0                  |               10.0.1.1   |
|         |                   |                |         |
+--[wm1]--+          +-----------------+       +---------+
     |               | VPN 10.0.1.0/24 |
     |               +-----------------+
+-----------------+
| LAN 10.0.0.0/24 |
+-----------------+
Generate key pairs on A and B:
A# (umask 0077; wg-keygen > /etc/wg/wg0)
A# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
A# cat /etc/wg/wg0.pub
N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y=
B# (umask 0077; wg-keygen > /etc/wg/wg0)
B# wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
B# cat /etc/wg/wg0.pub
X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=
Generate a pre-shared key on A and copy it to B to defend against potential future quantum cryptanalysis (not necessary for functionality):
A# (umask 0077; wg-keygen > /etc/wg/wg0.A-B)
Configure A to listen on port 1234 and allow connections from B to appear in the 10.0.1.0/24 subnet:
A# ifconfig wg0 create 10.0.1.0/24
A# wgconfig wg0 set private-key /etc/wg/wg0
A# wgconfig wg0 set listen-port 1234
A# wgconfig wg0 add peer B \
    X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \
    --preshared-key=/etc/wg/wg0.A-B \
    --allowed-ips=10.0.1.1/32
A# ifconfig wg0 up
A# ifconfig wg0
wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
        inet 10.0.1.0/24 flags 0
        inet6 fe80::22f7:d6ff:fe3a:1e60%wg0/64 flags 0 scopeid 0x3
Configure B to connect to A at 192.0.2.123 on port 1234 and the packets can begin to flow:
B# ifconfig wg0 create 10.0.1.1/24
B# wgconfig wg0 set private-key /etc/wg/wg0
B# wgconfig wg0 add peer A \
    N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \
    --preshared-key=/etc/wg/wg0.A-B \
    --allowed-ips=10.0.1.0/32 \
    --endpoint=192.0.2.123:1234
B# ifconfig wg0 up
B# ifconfig wg0
wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
        inet 10.0.1.1/24 flags 0
        inet6 fe80::56eb:59ff:fe3d:d413%wg0/64 flags 0 scopeid 0x3
B# ping -n 10.0.1.0
PING 10.0.1.0 (10.0.1.0): 56 data bytes
64 bytes from 10.0.1.0: icmp_seq=0 ttl=255 time=2.721110 ms
...
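As an added pre-flight check for the procedure above (example script, not part of wg(4), wgconfig(8) or NetBSD), the following validates a peer's public key string and the private key file's permissions before they are handed to wgconfig. The function names are assumptions; the two keys are the sample keys from the example above.

```shell
#!/bin/sh
# Added example: sanity checks to run before "wgconfig wg0 set private-key"
# and "wgconfig wg0 add peer". Not part of the wg(4) manual or wgconfig(8).

# Sample input: the public keys of A and B from the example above.
KEY_A='N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y='
KEY_B='X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU='

# wg_key_ok KEY: succeed iff KEY is the canonical base64 form of a 32-byte
# key: 44 characters, 43 base64 digits plus one '=', where the 43rd digit
# has its two unused low bits zero (only [AEIMQUYcgkosw048] qualify).
wg_key_ok() {
    [ ${#1} -eq 44 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# wg_privkey_file_ok FILE: succeed iff FILE is a readable regular file with
# no group or other permission bits (what "umask 0077" around wg-keygen in
# the example produces) and its first line is a well-formed key.
wg_privkey_file_ok() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    # ls -l columns 5-10 hold the group and other bits on BSD and GNU ls,
    # so an owner-only key file shows "------" there.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
    wg_key_ok "$(head -n 1 "$1")"
}

# wg_check_peer NAME PUBKEY: report whether PUBKEY is usable in
# "wgconfig wg0 add peer NAME PUBKEY"; returns 0 when it is.
wg_check_peer() {
    if wg_key_ok "$2"; then
        echo "peer $1: public key well-formed"
    else
        echo "peer $1: REJECT malformed public key '$2'" >&2
        return 1
    fi
}

wg_check_peer A "$KEY_A" && wg_check_peer B "$KEY_B"
```

Run it on the configuring host before the wgconfig commands; a failing private key check means the key file was created without the umask 0077 wrapper shown above and should be regenerated.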
The wg interface aims to be compatible with the WireGuard protocol, as described in:
Jason A. Donenfeld, WireGuard: Next Generation Kernel Network Tunnel, https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf, 2018-06-30, Document ID: 4846ada1492f5d92198df154f48c3d54205657bc.
The wg interface first appeared in NetBSD 10.0.

The wg interface was implemented by Ryota Ozaki <ozaki.ryota@gmail.com>.
| August 20, 2020 | NetBSD 10.0 |