Tunnels allow traffic to pass as if it was between systems on the same local
network, although systems may be far from each other but reachable via the
Internet. They may be used to support IPv6 traffic on a network where the ISP
does not provide the service, or to extend and “connect” separate local
networks. Please see https://en.wikipedia.org/wiki/Tunneling_protocol for
more general information about tunnels.
Defines the tunnel mode. Valid options are
networkdbackend also supports
In addition, the
Defines the address of the local endpoint of the tunnel.
Defines the address of the remote endpoint of the tunnel.
key(scalar or mapping)
Define keys to use for the tunnel. The key can be a number or a dotted
quad (an IPv4 address). For
wireguardit can be a base64-encoded
private key or (as of
networkdv242+) an absolute path to a file,
containing the private key (since 0.100).
It is used for identification of IP transforms. This is only required
vti6when using the networkd backend, and for
ip6gretunnels when using the NetworkManager backend.
This field may be used as a scalar (meaning that a single key is
specified and to be used for input, output and private key), or as a
mapping, where you can further specify
- The input key for the tunnel
- The output key for the tunnel
private(scalar) – since 0.100
- A base64-encoded private key required for Wireguard tunnels. When the
systemd-networkdbackend (v242+) is used, this can also be an
absolute path to a file containing the private key.
keys(scalar or mapping)
Alternate name for the
keyfield. See above.
tunnels: tun0: mode: gre local: ... remote: ... keys: input: 1234 output: 5678 tunnels: tun0: mode: vti6 local: ... remote: ... key: 59568549 tunnels: wg0: mode: wireguard addresses: [...] peers: - keys: public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc= shared: /path/to/shared.key ... key: mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ= tunnels: wg0: mode: wireguard addresses: [...] peers: - keys: public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc= ... keys: private: /path/to/priv.key
Wireguard specific keys:
``mark`` (scalar) – since **0.100** : Firewall mark for outgoing WireGuard packets from this interface, optional. ``port`` (scalar) – since **0.100** : UDP port to listen at or ``auto``. Optional, defaults to ``auto``. ``peers`` (sequence of mappings) – since **0.100** : A list of peers, each having keys documented below. Example: tunnels: wg0: mode: wireguard key: /path/to/private.key mark: 42 port: 5182 peers: - keys: public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc= allowed-ips: [0.0.0.0/0, "2001:fe:ad:de:ad:be:ef:1/24"] keepalive: 23 endpoint: 126.96.36.199:5 - keys: public: M9nt4YujIOmNrRmpIRTmYSfMdrpvE7u6WkG8FY8WjG4= shared: /some/shared.key allowed-ips: [10.10.10.20/24] keepalive: 22 endpoint: 188.8.131.52:1 ``endpoint`` (scalar) – since **0.100** : Remote endpoint IPv4/IPv6 address or a hostname, followed by a colon and a port number. ``allowed-ips`` (sequence of scalars) – since **0.100** : A list of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses. ``keepalive`` (scalar) – since **0.100** : An interval in seconds, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently. Optional. ``keys`` (mapping) – since **0.100** : Define keys to use for the Wireguard peers. This field can be used as a mapping, where you can further specify the ``public`` and ``shared`` keys. ``public`` (scalar) – since **0.100** : A base64-encoded public key, requried for Wireguard peers. ``shared`` (scalar) – since **0.100** : A base64-encoded preshared key. Optional for Wireguard peers. When the ``systemd-networkd`` backend (v242+) is used, this can also be an absolute path to a file containing the preshared key.