@@ -162,6 +162,14 @@ under `/lib/modules/` where the target kernel's modules are installed.
162162The ` genkey ` and ` pubkey ` ops in the final line are basic functionality tests.
163163If all is well, it will succeed, and print a random public key.
164164
165+ ** Note:** When the ` wolfguard.ko ` kernel module is loaded, ` wg genkey ` (and
166+ ` wg-fips genkey ` ) offloads key generation to the kernel module via netlink and
167+ therefore requires ` CAP_NET_ADMIN ` . Non-root users will receive a permission
168+ error. To resolve this, either run as root or via ` sudo ` , or build ` wg-fips `
169+ with ` NO_IPC_LLCRYPTO=1 ` (which selects the userspace key generation path), or
170+ grant the ` wg-fips ` binary the ` cap_net_admin ` file capability
171+ (` setcap cap_net_admin+ep wg-fips ` ).
172+
165173As for the ` wg-fips ` build above, compressed public key support can be enabled
166174by adding ` EXTRA_CFLAGS=-DWG_USE_PUBLIC_KEY_COMPRESSION ` to the above ` make `
167175recipe. The ` WG_USE_PUBLIC_KEY_COMPRESSION ` setting must be matched throughout
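Review bot: The third remedy in the added Note, `setcap cap_net_admin+ep wg-fips`, grants `CAP_NET_ADMIN` to every invocation of the binary rather than just to key generation, so it is the broadest of the three options listed; consider ordering the remedies by privilege, with `NO_IPC_LLCRYPTO=1` (pure userspace key generation, no added capability) first, and stating explicitly that the file capability also lets any unprivileged user who can run `wg-fips` perform netlink operations beyond `genkey`. Two smaller points on the same lines: `setcap` operates on the path given, so the relative `wg-fips` should be the installed binary's path, and the capability is an extended attribute on that file, so it is silently lost whenever the binary is rebuilt or reinstalled; a sentence saying "re-run after every install" would save readers a confusing regression. It would also help to quote the exact error text users see, since "a permission error" is hard to search for.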
@@ -296,6 +304,14 @@ $ ../user-src/wg-fips genkey | ../user-src/wg-fips pubkey
296304The ` genkey ` and ` pubkey ` ops in the final line are basic functionality tests.
297305If all is well, it will succeed, and print a random public key.
298306
307+ ** Note:** When the ` wolfguard.ko ` kernel module is loaded, ` wg genkey ` (and
308+ ` wg-fips genkey ` ) offloads key generation to the kernel module via netlink and
309+ therefore requires ` CAP_NET_ADMIN ` . Non-root users will receive a permission
310+ error. To resolve this, either run as root or via ` sudo ` , or build ` wg-fips `
311+ with ` NO_IPC_LLCRYPTO=1 ` (which selects the userspace key generation path), or
312+ grant the ` wg-fips ` binary the ` cap_net_admin ` file capability
313+ (` setcap cap_net_admin+ep wg-fips ` ).
314+
299315As with the non-FIPS-certified procedure, if all of the above succeeds, then you
300316are now ready to bring up WolfGuard tunnels. Existing playbooks and scripting
301317for WireGuard can be used directly, provided you substitute ` /etc/wolfguard ` for
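Review bot: This Note is a verbatim copy of the one added to the non-FIPS section above, including the `setcap cap_net_admin+ep wg-fips` remedy and its caveats; keeping two identical copies invites drift the next time one is edited. Consider moving the Note to a single shared subsection (for example alongside the `NO_IPC_LLCRYPTO=1` build option it references) and replacing both occurrences with a one-line cross-reference. If it must stay inline here, the FIPS section's build uses `../user-src/wg-fips` per the hunk's own context line, so the `setcap` example should name that path rather than the bare `wg-fips`.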