Differences

This shows you the differences between two versions of the page.

--- documentation:examples:gre_ipsec_and_openvpn [2020/06/29 16:48] – [VM2: OpenVPN server] olivier
+++ documentation:examples:gre_ipsec_and_openvpn [2023/07/10 12:40] (current) – [Router 4] olivier
@@ Line 1: / Line 1: @@
 ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ======
-This lab shows some VPN examples with BSDRP 1.97.
+This lab shows some VPN examples with BSDRP 1.991.
 ===== Presentation =====
@@ Line 238: / Line 238: @@
 If you have previous gre configuration from the gre example: remove them.
-Here is the line to ADD to /etc/rc.conf file:
 <code>
@@ Line 252: / Line 250: @@
 service routing restart
 config save
+</code>
+Take care of avoiding fragmentation, TCP-MSS should be reduced on a gif using inet6, like with this pf.conf example:
+<code>
+set skip on lo0
+scrub on gif1 inet all max-mss 1200
+scrub on gif1 inet6 all max-mss 1180
+pass
 </code>
 ==== Router 4 ====
@@ Line 257: / Line 263: @@
 Configure the 2 gif tunnel using VM2 addresses as end-point.
-Here are the changes to apply to rc file:
 <code>
 sysrc cloned_interfaces="gif0 gif1"
@@ Line 679: / Line 684: @@
 Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan.
-Strongswan use Left (for Local) and Right (for Remote).
 === Router 2 ===
 Configure strongswan on VM2 with:
-  * IKEv2
+  * IKEv2 (version = 2)
-  * Preshared-key
+  * Preshared-key (psk)
-  * Disabling Mobile IP
+  * Disabling Mobile IP (mobike = no)
-  * forcing the tunnel going UP (auto=start)
+  * forcing the tunnel going UP (start_action = trap)
   * configuring Dead-Peer-Detection at 5 seconds
 <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF'
+cat > /usr/local/etc/swanctl/conf.d/vm4.conf <<EOF
-config setup
+connections {
+  net-net {
+    local_addrs = 10.0.23.2
+    remote_addrs = 10.0.34.4
+    local {
+      auth = psk
+      id = vm2
+    }
+    remote {
+      auth = psk
+      id = vm4
+    }
+    children {
+      net-net {
+        local_ts  = 10.0.12.0/24
+        remote_ts = 10.0.45.0/24
+        start_action = trap
+      }
+    }
+    version = 2
+    mobike = no
+    dpd_delay = 5s
+  }
+}
-conn %default
+secrets {
-     authby=secret
+  ike-1 {
-     keyexchange=ikev2
+    id-1 = vm4
-     mobike=no
+    secret = "This is a strong password"
-     dpdaction=restart
+  }
-     dpddelay=5
+}
+EOF
-conn VM4
-    left=10.0.23.2
-    leftsubnet=10.0.12.0/24
-    leftid=VM2
-    right=10.0.34.4
-    rightsubnet=10.0.45.0/24
-    rightid=VM4
-    auto=start
-'EOF'
 </code>
-Then define the password to use for the remote site:
+Enable strongswan:
 <code>
-cat > /usr/local/etc/ipsec.secrets <<'EOF'
+service strongswan enable
-VM4 VM2 : PSK "This is a strong password"
+service strongswan restart
-'EOF'
 </code>
-Enable strongswan:
+And check if it correctly loaded its configuration:
 <code>
-sysrc strongswan_enable=YES
+root@VM2:~ # swanctl --list-conns
-service strongswan restart
+net-net: IKEv2, no reauthentication, rekeying every 14400s
+  local:  10.0.23.2
+  remote: 10.0.34.4
+  local pre-shared key authentication:
+    id: vm2
+  remote pre-shared key authentication:
+    id: vm4
+  net-net: TUNNEL, rekeying every 3600s
+    local:  10.0.12.0/24
+    remote: 10.0.45.0/24
 </code>
@@ Line 734: / Line 758: @@
   * Preshared-key
   * Disabling Mobile IP
-  * automatic traffic detection (auto=route)
+  * automatic traffic detection
   * configuring Dead-Peer-Detection at 5 seconds
 <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF'
+cat > /usr/local/etc/swanctl/conf.d/vm2.conf <<EOF
-config setup
+connections {
+  net-net {
+    remote_addrs = 10.0.23.2
+    local_addrs = 10.0.34.4
+    remote {
+      auth = psk
+      id = vm2
+    }
+    local {
+      auth = psk
+      id = vm4
+    }
+    children {
+      net-net {
+        remote_ts  = 10.0.12.0/24
+        local_ts = 10.0.45.0/24
+        start_action = trap
+      }
+    }
+    version = 2
+    mobike = no
+    dpd_delay = 5s
+  }
+}
-conn %default
+secrets {
-    authby=secret
+  ike-1 {
-    keyexchange=ikev2
+    id-1 = vm2
-    mobike=no
+    secret = "This is a strong password"
-    dpdaction=restart
+  }
-    dpddelay=5
+}
-conn VM2
+EOF
-    left=10.0.34.4
-    leftsubnet=10.0.45.0/24
-    leftid=VM4
-    right=10.0.23.2
-    rightsubnet=10.0.12.0/24
-    rightid=VM2
-    auto=route
-'EOF'
-</code>
-Then define the password to use for the remote site:
-<code>
-cat > /usr/local/etc/ipsec.secrets <<'EOF'
-VM4 VM2 : PSK "This is a strong password"
-'EOF'
 </code>
@@ Line 769: / Line 801: @@
 <code>
-sysrc strongswan_enable=YES
+service strongswan enable
 service strongswan restart
+</code>
+And check the status:
+<code>
+root@VM4: # swanctl --list-conns
+net-net: IKEv2, no reauthentication, rekeying every 14400s
+  local:  10.0.34.4
+  remote: 10.0.23.2
+  local pre-shared key authentication:
+    id: vm4
+  remote pre-shared key authentication:
+    id: vm2
+  net-net: TUNNEL, rekeying every 3600s
+    local:  10.0.45.0/24
+    remote: 10.0.12.0/24
+root@VM4: # grep charon /var/log/daemon.log
+Jul  8 12:39:44 router charon[79963]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, FreeBSD 14.0-CURRENT, amd64)
+Jul  8 12:39:44 router charon[79963]: 00[KNL] unable to set UDP_ENCAP: Invalid argument
+Jul  8 12:39:44 router charon[79963]: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
+Jul  8 12:39:44 router charon[79963]: 00[CFG]   loaded IKE secret for VM4 VM2
+Jul  8 12:39:44 router charon[79963]: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation co
+nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf
+key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit
+elist addrblock counters
+Jul  8 12:39:44 router charon[79963]: 00[JOB] spawning 16 worker threads
+Jul  8 12:39:45 router charon[79963]: 13[CFG] loaded IKE shared key with id 'ike-1' for: 'vm2'
+Jul  8 12:39:45 router charon[79963]: 12[CFG] added vici connection: net-net
+Jul  8 12:39:45 router charon[79963]: 12[CFG] installing 'net-net'
 </code>
@@ Line 799: / Line 866: @@
 :46:56.918092 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: child_sa  inf2[I]
 :46:56.919263 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: child_sa  inf2[R]
-</code>
-Log file on VM2:
-<code>
-[root@VM2]~# tail -f /var/log/auth.log
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no netkey IPsec stack detected
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no KLIPS IPsec stack detected
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no known IPsec stack detected, ignoring!
-Jun  8 00:24:28 VM2 ipsec_starter[984]: charon (986) started after 20 ms
-Jun  8 00:25:26 VM2 login: login on ttyu0 as root
-Jun  8 00:25:26 VM2 login: ROOT LOGIN (root) ON ttyu0
-Jun  8 00:34:53 VM2 charon: 12[IKE] initiating IKE_SA VM4[1] to 10.0.34.4
-Jun  8 00:34:53 VM2 charon: 12[IKE] establishing CHILD_SA VM4
-Jun  8 00:34:53 VM2 charon: 12[IKE] IKE_SA VM4[1] established between 10.0.23.2[VM2]...10.0.34.4[VM4]
-Jun  8 00:34:53 VM2 charon: 12[IKE] CHILD_SA VM4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24
 </code>
@@ Line 1010: / Line 1062: @@
 </code>
-==== VM2: OpenVPN server ====
+==== Standard userland mode (slow) ====
+=== VM2: OpenVPN server ===
 Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf:
@@ Line 1058: / Line 1112: @@
 <code>
-cat > /usr/local/etc/openvpn/VM4-openvpn.conf <<'EOF'
+cat > /usr/local/etc/openvpn/VM4-openvpn.conf <<EOF
 client
 dev tun
 remote 10.0.23.2
 <ca>
-'EOF'
+EOF
 cat /usr/local/etc/easy-rsa/pki/ca.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf
 echo '</ca>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
@@ Line 1073: / Line 1127: @@
 echo '</key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 </code>
-==== VM4: OpenVPN client ====
+=== VM4: OpenVPN client ===
 As OpenVPN client, VM4 should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in /usr/local/etc/openvpn.
@@ Line 1080: / Line 1135: @@
 <code>
 mkdir /usr/local/etc/openvpn
-scp 10.0.23.2:/usr/local/etc/openvpn/vm4-openvpn.conf /usr/local/etc/openvpn/openvpn.conf
+scp 10.0.23.2:/usr/local/etc/openvpn/VM4-openvpn.conf /usr/local/etc/openvpn/openvpn.conf
 </code>
 Enable and start openvpn:
@@ Line 1089: / Line 1143: @@
 service openvpn start
 </code>
-==== Testing ====
+=== Testing ===
 Pinging VM5 from VM1:
@@ Line 1162: / Line 1217: @@
 :52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114
 :52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
+</code>
+==== Data Channel Offload (DCO), kernel mode (fast) ====
+Start with a working userland configuration, then modify existing configuration files like that:
+  * Need to load if_ovpn module on both side
+  * Need to enable subnet topology on the server side
+=== VM2: OpenVPN server ===
+<code>
+service openvpn stop
+sysrc kld_list="if_ovpn"
+kldload if_ovpn
+echo "topology subnet" >> /usr/local/etc/openvpn/openvpn.conf
+service openvpn start
+</code>
+=== VM4: OpenVPN client ===
+<code>
+service openvpn stop
+sysrc kld_list="if_ovpn"
+kldload if_ovpn
+service openvpn start
+</code>
+=== Testing ===
+Pinging VM5 from VM1:
+<code>
+root@VM1:~ # ping -c 2 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=1.700 ms
+bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.629 ms
+--- 10.0.45.5 ping statistics ---
+packets transmitted, 2 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 1.629/1.665/1.700/0.035 ms
+root@VM1:~ # ping -c 2 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=2.699 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=1.618 ms
+--- 2001:db8:45::5 ping6 statistics ---
+packets transmitted, 2 packets received, 0.0% packet loss
+round-trip min/avg/max/std-dev = 1.618/2.158/2.699/0.541 ms
+</code>
+OpenVPN log file on VM2 (error installing route are due to DCO restriction):
+<code>
+Oct  4 18:29:40 VM2 openvpn[89399]: OpenVPN 2.6_git [git:734de8f9aa2df56bcb45ebab7cfa799a23f36403] amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Oct  4 2022
+Oct  4 18:29:40 VM2 openvpn[89399]: library versions: OpenSSL 1.1.1q-freebsd  5 Jul 2022, LZO 2.10
+Oct  4 18:29:40 VM2 openvpn[89399]: WARNING: --keepalive option is missing from server config
+Oct  4 18:29:40 VM2 openvpn[89399]: DCO device tun0 opened
+Oct  4 18:29:40 VM2 openvpn[89399]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.0 up
+Oct  4 18:29:40 VM2 openvpn[89399]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64 mtu 1500 up
+Oct  4 18:29:41 VM2 openvpn[89399]: /sbin/ifconfig tun0 inet6 -ifdisabled
+Oct  4 18:29:41 VM2 openvpn[89399]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric 200) dev tun0
+Oct  4 18:29:41 VM2 openvpn[89399]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
+Oct  4 18:29:41 VM2 openvpn[89399]: setsockopt(IPV6_V6ONLY=0)
+Oct  4 18:29:41 VM2 openvpn[89399]: UDPv6 link local (bound): [AF_INET6][undef]:1194
+Oct  4 18:29:41 VM2 openvpn[89399]: UDPv6 link remote: [AF_UNSPEC]
+Oct  4 18:29:41 VM2 openvpn[89399]: NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
+Oct  4 18:29:41 VM2 openvpn[89399]: ifconfig_pool_read(), in='VM4,10.0.24.4,2001:db8:24::1002'
+Oct  4 18:29:41 VM2 openvpn[89399]: succeeded -> ifconfig_pool_set(hand=2)
+Oct  4 18:29:41 VM2 openvpn[89399]: Initialization Sequence Completed
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_VER=2.6_git
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_PLAT=freebsd
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_TCPNL=1
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_NCP=2
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_PROTO=94
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_LZO_STUB=1
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_COMP_STUB=1
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_COMP_STUBv2=1
+Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 [VM4] Peer Connection Initiated with [AF_INET6]::ffff:10.0.34.4:10468
+Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 MULTI_sva: pool returned IPv4=10.0.24.4, IPv6=2001:db8:24::1002
+Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 /sbin/route add -net 10.0.45.0/24 10.0.24.4 -fib 0
+Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 ERROR: FreeBSD route add command failed: external program exited with error status: 1
+Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 /sbin/route -6 add -net 2001:db8:45::/64 2001:db8:24::1002 -fib 0
+Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 ERROR: FreeBSD route add command failed: external program exited with error status: 1
+</code>
+OpenVPN log file on VM4:
+<code>
+Oct  4 18:30:11 VM4 openvpn[86737]: OpenVPN 2.6_git [git:734de8f9aa2df56bcb45ebab7cfa799a23f36403] amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Oct  4 2022
+Oct  4 18:30:11 VM4 openvpn[86737]: library versions: OpenSSL 1.1.1q-freebsd  5 Jul 2022, LZO 2.10
+Oct  4 18:30:11 VM4 openvpn[86737]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
+Oct  4 18:30:11 VM4 openvpn[86737]: TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.23.2:1194
+Oct  4 18:30:11 VM4 openvpn[86737]: UDPv4 link local: (not bound)
+Oct  4 18:30:11 VM4 openvpn[86737]: UDPv4 link remote: [AF_INET]10.0.23.2:1194
+Oct  4 18:30:11 VM4 openvpn[86737]: [VM2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194
+Oct  4 18:30:11 VM4 openvpn[86737]: DCO device tun0 opened
+Oct  4 18:30:11 VM4 openvpn[86737]: /sbin/ifconfig tun0 10.0.24.4 10.0.24.1 mtu 1500 netmask 255.255.255.0 up
+Oct  4 18:30:11 VM4 openvpn[86737]: /sbin/ifconfig tun0 inet6 2001:db8:24::1002/64 mtu 1500 up
+Oct  4 18:30:12 VM4 openvpn[86737]: /sbin/ifconfig tun0 inet6 -ifdisabled
+Oct  4 18:30:12 VM4 openvpn[86737]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric 200) dev tun0
+Oct  4 18:30:12 VM4 openvpn[86737]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
+Oct  4 18:30:12 VM4 openvpn[86737]: Initialization Sequence Completed
 </code>
 ===== Wireguard =====
-==== Key pairs generation ====
+On current (14.0) needs only wireguard-tools (kernel module included), on older (12 or 13) needs wireguard-kmod.
+==== Key pairs generation on VM2 and VM4 ====
 The first step is to generate a couple of private and public keys on each wireguard endpoint.
-On VM2 and on VM4, generate the keys:
+The standard way of generating keys is using this command:
 <code>
@@ Line 1179: / Line 1336: @@
 </code>
+But on this example, we will use static keys as example.
 ==== Router 2 ====
-Display router 2 private key, and router 4 public key.
+Write example-only static and public key, on real-life, used the one generated by wg.
 <code>
+echo "oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38=" > /usr/local/etc/wireguard/private
+echo "z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=" > /usr/local/etc/wireguard/public
 cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 [Interface]
-PrivateKey = 8Og1cCmvirK+zcGus/EyaA8aiFdzjjtS9GbuBa/bqFQ=
+PrivateKey = oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38=
 ListenPort = 51820
 [Peer]
-PublicKey = FSvVqj2s1FZqsSIvPLrE1RRTgbaPLbfG87P36F21M1g=
+PublicKey = o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=
-AllowedIPs = 10.0.45.0/24,2001:db8:45::2/64
+AllowedIPs = 10.0.45.0/24,2001:db8:45::/64
 Endpoint = 10.0.34.4:51820
 EOF
@@ Line 1202: / Line 1362: @@
 ==== Router 4 ====
-Display router 4 private key, and router 2 public key.
+Generate example-only router 4 wg keys, and declare 2 public key.
 <code>
+echo "4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE=" > /usr/local/etc/wireguard/private
+echo "o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=" > /usr/local/etc/wireguard/public
 cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 [Interface]
-PrivateKey = ADfm6+sXZnoyDAkG/MXXy062pjSgh2GgfAIKwX+ewGg=
+PrivateKey = 4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE=
 ListenPort = 51820
 [Peer]
-PublicKey = gaQij176wrz3g+2RTJ/S1oEnc7rx2reU1Z0Thrv4oXc=
+PublicKey = z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=
-AllowedIPs = 10.0.12.0/24,2001:db8:12::2/64
+AllowedIPs = 10.0.12.0/24,2001:db8:12::/64
 Endpoint = 10.0.23.2:51820
 EOF
@@ Line 1243: / Line 1405: @@
 packets transmitted, 2 packets received, 0.0% packet loss
 round-trip min/avg/max/std-dev = 0.764/1.272/1.779/0.507 ms
+</code>
+Are we using the kernel module?
+<code>
+root@VM2:~ # kldstat -v -n if_wg.ko
+Id Refs Address                Size Name
+    1 0xffffffff82b17000    2e550 if_wg.ko (/boot/kernel/if_wg.ko)
+        Contains modules:
+                 Id Name
+wg
+</code>
+Displaying wg status on VM2:
+<code>
+root@VM2:~ # ifconfig wg0
+wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
+        options=80000<LINKSTATE>
+        groups: wg
+        nd6 options=101<PERFORMNUD,NO_DAD>
+root@VM2:~ # netstat -rn | grep "Dest\|wg0"
+Destination        Gateway            Flags     Netif Expire
+.0.45.0/24       link#7             US          wg0
+Destination                       Gateway                       Flags     Netif Expire
+:db8:45::/64                  link#7                        US          wg0
+root@VM2:~ # wg show
+interface: wg0
+  public key: z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=
+  private key: (hidden)
+  listening port: 51820
+peer: o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=
+  endpoint: 10.0.34.4:51820
+  allowed ips: 2001:db8:45::/64, 10.0.45.0/24
+  latest handshake: 32 seconds ago
+  transfer: 356 B received, 436 B sent
 </code>