Linux Manual Guide




systemd.netdev(5)

Virtual Network Device configuration


[WIREGUARDPEER] SECTION OPTIONS

The [WireGuardPeer] section accepts the following keys:

PublicKey= Sets a Base64 encoded public key calculated by wg pubkey (see wg(8)) from a private key, and usually transmitted out of band to the author of the configuration file. This option is mandatory for this section.

PresharedKey= Optional preshared key for the interface. It can be generated by the wg genpsk command. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. Note that because this information is secret, you may want to set the permissions of the .netdev file to be owned by "root:systemd-network" with a "0640" file mode.

PresharedKeyFile= Takes an absolute path to a file which contains the Base64 encoded preshared key for the peer. When this option is specified, then PresharedKey= is ignored. Note that the file must be readable by the user "systemd-network", so it should be, e.g., owned by "root:systemd-network" with a "0640" file mode. If the path refers to an AF_UNIX stream socket in the file system a connection is made to it and the key read from it.

AllowedIPs= Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed.

The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.

Note that this only affects routing inside the network interface itself, i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in the first place, an appropriate route needs to be added as well — either in the "[Routes]" section on the ".network" matching the wireguard interface, or externally to systemd-networkd.

Endpoint= Sets an endpoint IP address or hostname, followed by a colon, and then a port number. This endpoint will be updated automatically once to the most recent source IP address and port of correctly authenticated packets from the peer at configuration time.

PersistentKeepalive= Sets an interval in seconds, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at any time receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds. If set to 0 or "off", this option is disabled. By default or when unspecified, this option is off. Most users will not need this.
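The constraints listed above (a mandatory 32-byte Base64 PublicKey=, a PresharedKey= that is either valid or superseded by PresharedKeyFile=, CIDR entries in AllowedIPs=, a host:port Endpoint=, and a PersistentKeepalive= of 0, "off" or 1..65535) are easy to get wrong in a hand-written .netdev file, and systemd-networkd's own error messages are not always obvious. The checker below is an added example written for this page, not part of systemd; it embeds a constructed sample .netdev with two [WireGuardPeer] sections (one valid, one deliberately broken) and reports every violation, plus a helper that checks whether a file mode is no looser than the 0640 the man page recommends for files holding a preshared key. All keys, hostnames and addresses in the sample are dummy placeholders, and the parser is a minimal one for this example, not systemd's unit-file parser.

```python
import base64
import ipaddress
import stat

# Constructed sample .netdev for this example. The keys are dummy 32-byte
# values, NOT real WireGuard keys; hostnames and addresses are placeholders.
DUMMY_PUBLIC_KEY = base64.b64encode(bytes(range(32))).decode()
DUMMY_PSK = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_NETDEV = f"""\
[NetDev]
Name=wg0
Kind=wireguard
[WireGuardPeer]
PublicKey={DUMMY_PUBLIC_KEY}
PresharedKey={DUMMY_PSK}
AllowedIPs=10.0.0.2/32, fd00::2/128
Endpoint=vpn.example.net:51820
PersistentKeepalive=25
[WireGuardPeer]
PublicKey=not-a-key
AllowedIPs=0.0.0.0/0
Endpoint=[2001:db8::1]:70000
PersistentKeepalive=99999
"""

def parse_netdev(text):
    """Parse unit-style text into [(section, [(key, value), ...]), ...].
    Sections and keys may repeat, so a plain dict would lose information."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif sections and "=" in line:
            key, _, value = line.partition("=")
            sections[-1][1].append((key.strip(), value.strip()))
        else:
            raise ValueError(f"malformed line: {raw!r}")
    return sections

def is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, Base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def endpoint_ok(value):
    """Endpoint= is host-or-IP, a colon, then a port; IPv6 literals in brackets."""
    host, sep, port = value.rpartition(":")
    if not (sep and host and port.isdigit() and 1 <= int(port) <= 65535):
        return False
    if host.startswith("[") and host.endswith("]"):
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            return False
    return True

def keepalive_ok(value):
    """0 or "off" disables the keepalive; otherwise 1..65535 seconds."""
    return value == "off" or (value.isdigit() and int(value) <= 65535)

def secret_mode_ok(st_mode):
    """No looser than 0640: no group write/exec and nothing for others."""
    return stat.S_IMODE(st_mode) & 0o037 == 0

def check_peers(text):
    """Return (peer_index, message) findings for every [WireGuardPeer] section."""
    findings = []
    peers = [kv for name, kv in parse_netdev(text) if name == "WireGuardPeer"]
    for idx, kv in enumerate(peers):
        v = dict(kv)  # last value wins; fine for the single-valued keys below
        if "PublicKey" not in v:
            findings.append((idx, "PublicKey= is mandatory"))
        elif not is_wg_key(v["PublicKey"]):
            findings.append((idx, "PublicKey= is not a Base64 32-byte key"))
        if "PresharedKey" in v:
            if not is_wg_key(v["PresharedKey"]):
                findings.append((idx, "PresharedKey= is not a Base64 32-byte key"))
            if "PresharedKeyFile" in v:
                findings.append((idx, "PresharedKey= is ignored when PresharedKeyFile= is set"))
            else:
                findings.append((idx, "inline PresharedKey=: keep the .netdev root:systemd-network 0640"))
        for key, value in kv:  # AllowedIPs= may be given several times
            if key == "AllowedIPs":
                for item in (s.strip() for s in value.split(",") if s.strip()):
                    try:
                        ipaddress.ip_network(item, strict=False)
                    except ValueError:
                        findings.append((idx, f"AllowedIPs= entry {item!r} is not an address/CIDR"))
        if "Endpoint" in v and not endpoint_ok(v["Endpoint"]):
            findings.append((idx, "Endpoint= must be host:port with port 1..65535"))
        if "PersistentKeepalive" in v and not keepalive_ok(v["PersistentKeepalive"]):
            findings.append((idx, "PersistentKeepalive= must be 0, off, or 1..65535"))
    return findings
```

Running `check_peers(SAMPLE_NETDEV)` yields one advisory for the first peer (an inline PresharedKey= means the .netdev itself is secret material and should carry the 0640 root:systemd-network permissions the man page describes) and three errors for the second (bad PublicKey=, port out of range, keepalive out of range). To check a real file's permissions, pass `os.stat(path).st_mode` to `secret_mode_ok`. Note that the checker only sees the .netdev: as the AllowedIPs= text explains, whether traffic actually enters the tunnel also depends on a route in the matching .network file, which this example does not inspect.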