Properties for device type tunnels:
Tunnels allow traffic to pass as if it was between systems on the same local
network, although systems may be far from each other but reachable via the
Internet. They may be used to support IPv6 traffic on a network where the ISP
does not provide the service, or to extend and “connect” separate local
networks. Please see https://en.wikipedia.org/wiki/Tunneling_protocol for
more general information about tunnels.
mode (scalar)
Defines the tunnel mode. Valid options are sit, gre, ip6gre,
ipip, ipip6, ip6ip6, vti, vti6 and wireguard.
Additionally, the networkd backend also supports gretap and
ip6gretap modes.
In addition, the NetworkManager backend supports isatap tunnels.
local (scalar)
Defines the address of the local endpoint of the tunnel.
remote (scalar)
Defines the address of the remote endpoint of the tunnel.
ttl (scalar) – since 0.103
Defines the TTL of the tunnel.
key (scalar or mapping)
Define keys to use for the tunnel. The key can be a number or a dotted
quad (an IPv4 address). For wireguard it can be a base64-encoded
private key or (as of networkd v242+) an absolute path to a file,
containing the private key (since 0.100).
It is used for identification of IP transforms. This is only required
for vti and vti6 when using the networkd backend, and for
gre or ip6gre tunnels when using the NetworkManager backend.
This field may be used as a scalar (meaning that a single key is
specified and to be used for input, output and private key), or as a
mapping, where you can further specify input/output/private.
input (scalar)
The input key for the tunnel
output (scalar)
The output key for the tunnel
private (scalar) – since 0.100
A base64-encoded private key required for WireGuard tunnels. When the
systemd-networkd backend (v242+) is used, this can also be an
absolute path to a file containing the private key.
keys (scalar or mapping)
Alternate name for the key field. See above.
Examples:
tunnels:
tun0:
mode: gre
local: ...
remote: ...
keys:
input: 1234
output: 5678
tunnels:
tun0:
mode: vti6
local: ...
remote: ...
key: 59568549
tunnels:
wg0:
mode: wireguard
addresses: [...]
peers:
- keys:
public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
shared: /path/to/shared.key
...
key: mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ=
tunnels:
wg0:
mode: wireguard
addresses: [...]
peers:
- keys:
public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
...
keys:
private: /path/to/priv.key
WireGuard specific keys:
mark (scalar) – since 0.100
Firewall mark for outgoing WireGuard packets from this interface,
optional.
port (scalar) – since 0.100
UDP port to listen at or auto. Optional, defaults to auto.
peers (sequence of mappings) – since 0.100
A list of peers, each having keys documented below.
Example:
tunnels:
wg0:
mode: wireguard
key: /path/to/private.key
mark: 42
port: 5182
peers:
- keys:
public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
allowed-ips: [0.0.0.0/0, "2001:fe:ad:de:ad:be:ef:1/24"]
keepalive: 23
endpoint: 1.2.3.4:5
- keys:
public: M9nt4YujIOmNrRmpIRTmYSfMdrpvE7u6WkG8FY8WjG4=
shared: /some/shared.key
allowed-ips: [10.10.10.20/24]
keepalive: 22
endpoint: 5.4.3.2:1
endpoint (scalar) – since 0.100
Remote endpoint IPv4/IPv6 address or a hostname, followed by a colon
and a port number.
allowed-ips (sequence of scalars) – since 0.100
A list of IP (v4 or v6) addresses with CIDR masks from which this peer
is allowed to send incoming traffic and to which outgoing traffic for
this peer is directed. The catch-all 0.0.0.0/0 may be specified for
matching all IPv4 addresses, and ::/0 may be specified for matching
all IPv6 addresses.
keepalive (scalar) – since 0.100
An interval in seconds, between 1 and 65535 inclusive, of how often to
send an authenticated empty packet to the peer for the purpose of
keeping a stateful firewall or NAT mapping valid persistently. Optional.
keys (mapping) – since 0.100
Define keys to use for the WireGuard peers.
This field can be used as a mapping, where you can further specify the
public and shared keys.
public (scalar) – since 0.100
A base64-encoded public key, required for WireGuard peers.
shared (scalar) – since 0.100
A base64-encoded preshared key. Optional for WireGuard peers.
When the systemd-networkd backend (v242+) is used, this can
also be an absolute path to a file containing the preshared key.