From be08af94a76135df209bbbb93492a6bc1e1f769f Mon Sep 17 00:00:00 2001 From: Zach Walton Date: Fri, 17 Feb 2023 17:53:28 -0800 Subject: [PATCH] Clarify that CAP_NET_ADMIN is required (#328) --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 01821cf6..4c4195c1 100644 --- a/README.md +++ b/README.md @@ -74,7 +74,9 @@ arm-linux-androideabi | | ✓ | `x86-64`, `aarch64` and `armv7` architectures are supported. The behaviour should be identical to that of [wireguard-go](https://git.zx2c4.com/wireguard-go/about/), with the following difference: -`boringtun` will drop privileges when started. When privileges are dropped it is not possible to set `fwmark`. If `fwmark` is required, such as when using `wg-quick`, instead running with `sudo`, give the executable the `CAP_NET_ADMIN` capability using: `sudo setcap cap_net_admin+epi boringtun`. Alternatively run with `--disable-drop-privileges` or set the environment variable `WG_SUDO=1`. +`boringtun` will drop privileges when started. When privileges are dropped it is not possible to set `fwmark`. If `fwmark` is required, such as when using `wg-quick`, run with `--disable-drop-privileges` or set the environment variable `WG_SUDO=1`. + +You will need to give the executable the `CAP_NET_ADMIN` capability using: `sudo setcap cap_net_admin+epi boringtun`. sudo is not needed. #### macOS
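Review bot: In the paragraph added at the end of the hunk, "sudo is not needed." directly follows a command that begins with `sudo setcap`, so it reads as a contradiction. Say what it refers to, for example: "Once the capability is set, `boringtun` itself does not need to be run with `sudo`." The new wording also leaves it unclear whether `CAP_NET_ADMIN` is required in every case or only when `fwmark` is used, and whether it is needed in addition to `--disable-drop-privileges` / `WG_SUDO=1` or as an alternative to them, which is how the removed line presented it. Because `setcap` attaches the capability to the file, it would also help to state that any user who can execute that binary runs it with `CAP_NET_ADMIN`, and to say why the inheritable flag (the `i` in `+epi`) is included.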