FreeBSD port of amneziawg-tools
Installation
Download and build the port:
# git clone https://github.com/vgrebenschikov/amneziawg-tools
# cd amneziawg-tools
# make install
It will install:
$ pkg list amneziawg-tools
/usr/local/bin/awg
/usr/local/bin/awg-quick
/usr/local/etc/rc.d/wireguard-amnezia
/usr/local/share/bash-completion/completions/awg
/usr/local/share/bash-completion/completions/awg-quick
/usr/local/share/licenses/amneziawg-tools-1.0.20241018_2/GPLv2
/usr/local/share/licenses/amneziawg-tools-1.0.20241018_2/LICENSE
/usr/local/share/licenses/amneziawg-tools-1.0.20241018_2/catalog.mk
/usr/local/share/man/man8/awg-quick.8.gz
/usr/local/share/man/man8/awg.8.gz
Using Kernel AmneziaWG module
Install net/wireguard-amnezia-kmod
Unload the original if_wg and load the updated module from /boot/modules/if_wg.ko:
# kldunload if_wg
# kldload /boot/modules/if_wg.ko
To load it automatically from /boot/modules at boot, add to /boot/loader.conf:
if_wg_name="/boot/modules/if_wg.ko"
if_wg_load="YES"
Configuration
Generally, configure it the same way as the normal net/wireguard-tools:
# cd /usr/local/etc/wireguard
# cat > wg0.conf
[Interface]
PrivateKey = ...our.private.key.here...
ListenPort = 12345
Address = 192.168.1.1/24
Description = Test Wireguard
Jc = 7
Jmin = 150
Jmax = 1000
S1 = 117
S2 = 321
H1 = 2008066467
H2 = 2351746464
H3 = 3053333659
H4 = 1789444460
[Peer]
PublicKey = ...peer.public.key.here...
AllowedIPs = 192.168.1.2/32
^D
Then start:
# awg-quick up wg0
[#] ifconfig wg create name wg0 description Test Wireguard
[#] awg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 192.168.1.1/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 192.168.11.0/24 -interface wg0
[+] Backgrounding route monitor
# awg show
interface: wg0
  public key: CI...
  private key: (hidden)
  listening port: 12345
  jc: 7
  jmin: 150
  jmax: 1000
  s1: 117
  s2: 321
  h1: 2008066467
  h2: 2351746464
  h3: 3053333659
  h4: 1789444460

peer: kue...
  allowed ips: 192.168.1.2/32
To set up autostart (the wireguard-amnezia rc.d script will load the module):
# sysrc wireguard_amnezia_enable=YES wireguard_amnezia_interfaces="wg0"
Amnezia Wireguard config options
Jc
Number of junk packets before handshake.
1–128 (recommended 3–10)
Jmin
Minimum size of junk packets.
Jmin: < Jmax (recommended ~ 50)
Jmax
Maximum size of junk packets.
Jmax: ≤ 1280 (recommended ~ 1000)
S1
Size of the junk prepended to the handshake initiation packet. Should be the same on both ends.
0–1280 (recommended 15–150), S1 != S2
S2
Size of the junk prepended to the handshake response packet. Should be the same on both ends.
0–1280 (recommended 15–150), S1 != S2
H1-H4
Custom identifiers for initiation/response/cookie/data packets. Should be the same on both ends.
Each is a unique value in the range 5 - 4,294,967,295 (0x5 - 0xFFFFFFFF), H1 != H2 != H3 != H4
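A pre-flight check of these constraints can catch a mismatched or out-of-range value before the interface is brought up. The following is an added example, not part of the port: the function name awg_check_conf is hypothetical, and the lower bound of 0 for Jmin and Jmax is an assumption because the list above gives none.

```sh
#!/bin/sh
# awg_check_conf FILE: check the AmneziaWG [Interface] parameters in FILE
# against the ranges listed above; prints each problem, returns non-zero if any.
awg_check_conf() {
    awk -F= '
    function bad(msg) { print FILENAME ": " msg; errs++ }
    function num(k, lo, hi) {              # present, integer, within lo..hi
        if (!(k in v)) { bad(k " is missing"); return 0 }
        if (v[k] ~ /^[0-9]+$/ && v[k] + 0 >= lo && v[k] + 0 <= hi) return 1
        bad(sprintf("%s = %s is outside %.0f-%.0f", k, v[k], lo, hi)); return 0
    }
    { sub(/#.*/, "") }                     # drop comments
    /^[ \t]*\[/ { insec = (tolower($0) ~ /\[interface\]/); next }
    insec && NF >= 2 {                     # key = value inside [Interface]
        key = tolower($1); gsub(/[ \t]/, "", key)
        val = $2; gsub(/[ \t\r]/, "", val)
        v[key] = val
    }
    END {
        num("jc", 1, 128)
        # Lower bound 0 for Jmin/Jmax is an assumption; the list gives none.
        a = num("jmin", 0, 1280); b = num("jmax", 0, 1280)
        if (a && b && v["jmin"] + 0 >= v["jmax"] + 0) bad("jmin must be < jmax")
        a = num("s1", 0, 1280); b = num("s2", 0, 1280)
        if (a && b && v["s1"] + 0 == v["s2"] + 0) bad("s1 must differ from s2")
        for (i = 1; i <= 4; i++) {
            h = "h" i
            if (!num(h, 5, 4294967295)) continue
            if (v[h] in seen) bad(h " repeats " seen[v[h]])
            seen[v[h]] = h
        }
        exit (errs > 0)
    }' "$1"
}

# Constructed sample: the parameters from wg0.conf above, except S2 set equal to S1.
sample=$(mktemp)
printf '%s\n' '[Interface]' 'ListenPort = 12345' 'Jc = 7' 'Jmin = 150' \
    'Jmax = 1000' 'S1 = 117' 'S2 = 117' 'H1 = 2008066467' 'H2 = 2351746464' \
    'H3 = 3053333659' 'H4 = 1789444460' > "$sample"
awg_check_conf "$sample" || echo "fix the parameters before awg-quick up"
rm -f "$sample"
```

Running the same check on the peer's file and comparing S1, S2 and H1-H4 by eye covers the "same on both ends" requirement, which a single-file check cannot see.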
Additional config options
Description
[Interface]
...
Description = Some Text
Sets the interface description, which is visible in ifconfig and SNMP.
UserLand
Forces the use of amnezia-go instead of the kernel driver. You can install it from the port net/amnezia-wireguard-go.
[Interface]
...
UserLand = true
...
Routes
List of routes for the peer to be installed into the FIB. This option provides a way to have an AllowedIPs list wider than the routes installed. An empty list is allowed.
That is useful if a routing protocol will run over the link. But remember that internal WireGuard routing will still happen according to AllowedIPs.
...
[Peer]
PublicKey = ...peer.public.key.here...
AllowedIPs = 0.0.0.0/0
Routes = 192.168.1.2/32