Properties for device type
Tunnels allow traffic to pass as if it was between systems on the same local
network, although systems may be far from each other but reachable via the
Internet. They may be used to support IPv6 traffic on a network where the ISP
does not provide the service, or to extend and “connect” separate local
networks. Please see https://en.wikipedia.org/wiki/Tunneling_protocol for
more general information about tunnels.
Defines the tunnel mode. Valid options are
networkd backend also supports
In addition, the
NetworkManager backend supports
Defines the address of the local endpoint of the tunnel.
Defines the address of the remote endpoint of the tunnel.
ttl (scalar) – since 0.103
Defines the TTL of the tunnel.
key (scalar or mapping)
Define keys to use for the tunnel. The key can be a number or a dotted
quad (an IPv4 address). For
wireguard it can be a base64-encoded
private key or (as of
networkd v242+) an absolute path to a file,
containing the private key (since 0.100).
It is used for identification of IP transforms. This is only required
vti6 when using the networkd backend, and for
ip6gre tunnels when using the NetworkManager backend.
This field may be used as a scalar (meaning that a single key is
specified and to be used for input, output and private key), or as a
mapping, where you can further specify
The input key for the tunnel
The output key for the tunnel
private (scalar) – since 0.100
A base64-encoded private key required for WireGuard tunnels. When the
systemd-networkd backend (v242+) is used, this can also be an
absolute path to a file containing the private key.
keys (scalar or mapping)
Alternate name for the
key field. See above.
tunnels: tun0: mode: gre local: ... remote: ... keys: input: 1234 output: 5678 tunnels: tun0: mode: vti6 local: ... remote: ... key: 59568549 tunnels: wg0: mode: wireguard addresses: [...] peers: - keys: public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc= shared: /path/to/shared.key ... key: mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ= tunnels: wg0: mode: wireguard addresses: [...] peers: - keys: public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc= ... keys: private: /path/to/priv.key
WireGuard specific keys:
mark (scalar) – since 0.100
Firewall mark for outgoing WireGuard packets from this interface,
port (scalar) – since 0.100
UDP port to listen at or
auto. Optional, defaults to
peers (sequence of mappings) – since 0.100
A list of peers, each having keys documented below.
tunnels: wg0: mode: wireguard key: /path/to/private.key mark: 42 port: 5182 peers: - keys: public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc= allowed-ips: [0.0.0.0/0, "2001:fe:ad:de:ad:be:ef:1/24"] keepalive: 23 endpoint: 22.214.171.124:5 - keys: public: M9nt4YujIOmNrRmpIRTmYSfMdrpvE7u6WkG8FY8WjG4= shared: /some/shared.key allowed-ips: [10.10.10.20/24] keepalive: 22 endpoint: 126.96.36.199:1
endpoint (scalar) – since 0.100
Remote endpoint IPv4/IPv6 address or a hostname, followed by a colon
and a port number.
allowed-ips (sequence of scalars) – since 0.100
A list of IP (v4 or v6) addresses with CIDR masks from which this peer
is allowed to send incoming traffic and to which outgoing traffic for
this peer is directed. The catch-all 0.0.0.0/0 may be specified for
matching all IPv4 addresses, and ::/0 may be specified for matching
all IPv6 addresses.
keepalive (scalar) – since 0.100
An interval in seconds, between 1 and 65535 inclusive, of how often to
send an authenticated empty packet to the peer for the purpose of
keeping a stateful firewall or NAT mapping valid persistently. Optional.
keys (mapping) – since 0.100
Define keys to use for the WireGuard peers.
This field can be used as a mapping, where you can further specify the
public (scalar) – since 0.100
A base64-encoded public key, required for WireGuard peers.
shared (scalar) – since 0.100
A base64-encoded preshared key. Optional for WireGuard peers.
systemd-networkd backend (v242+) is used, this can
also be an absolute path to a file containing the preshared key.