net/amneziawg-kmod, net/amneziawg-kmod: new ports

AmneziaWG is a contemporary version of the popular VPN protocol,
WireGuard. It offers protection against detection
by Deep Packet Inspection (DPI) systems. At the same time,
it retains the simplified architecture and high performance
of the original.

Differential Revision:  https://reviews.freebsd.org/D51265

14 files changed, 558 insertions, 0 deletions

diff --git a/net/Makefile b/net/Makefile
index 1d7962c2c074..07dde2dad8f7 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -17,6 +17,8 @@
     SUBDIR += akonadi-search
     SUBDIR += alligator
     SUBDIR += aluminum
+    SUBDIR += amneziawg-kmod
+    SUBDIR += amneziawg-tools
     SUBDIR += amqpcat
     SUBDIR += aoe
     SUBDIR += apache-commons-net
diff --git a/net/amneziawg-kmod/Makefile b/net/amneziawg-kmod/Makefile
new file mode 100644
index 000000000000..c09d7aba58b0
--- /dev/null
+++ b/net/amneziawg-kmod/Makefile
@@ -0,0 +1,23 @@
+PORTNAME=	amneziawg
+PORTVERSION=	1.0.6
+DISTVERSIONPREFIX=	v
+CATEGORIES=	net net-vpn
+PKGNAMESUFFIX=	-kmod
+
+MAINTAINER=	vova@zote.me
+COMMENT=	AmneziaWG FreeBSD kernel module implementation
+WWW=		https://github.com/vgrebenschikov/wireguard-amnezia-kmod
+
+LICENSE=	MIT
+LICENSE_FILE=	${WRKSRC}/COPYING
+
+BROKEN_FreeBSD_13=	Depends on kernel sources of recent FreeBSD 14 or newer
+
+USES=		kmod uidfix
+USE_GITHUB=	yes
+GH_ACCOUNT=	vgrebenschikov
+GH_PROJECT=	wireguard-amnezia-kmod
+
+PLIST_FILES=	${KMODDIR}/if_awg.ko
+
+.include <bsd.port.mk>
diff --git a/net/amneziawg-kmod/distinfo b/net/amneziawg-kmod/distinfo
new file mode 100644
index 000000000000..56fc58cc48dc
--- /dev/null
+++ b/net/amneziawg-kmod/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1753385001
+SHA256 (vgrebenschikov-wireguard-amnezia-kmod-v1.0.6_GH0.tar.gz) = 916438447143bff815d0c6617796ff12c98c25dd5439413d67faab19c4dd65fd
+SIZE (vgrebenschikov-wireguard-amnezia-kmod-v1.0.6_GH0.tar.gz) = 52053
diff --git a/net/amneziawg-kmod/files/patch-Makefile b/net/amneziawg-kmod/files/patch-Makefile
new file mode 100644
index 000000000000..90abd540b7f1
--- /dev/null
+++ b/net/amneziawg-kmod/files/patch-Makefile
@@ -0,0 +1,9 @@
+--- Makefile.orig	2025-07-22 17:42:41 UTC
++++ Makefile
+@@ -1,5 +1,5 @@
+ 
+-KMOD= if_wg
++KMOD= if_awg
+ 
+ SRCS= if_wg.c wg_cookie.c wg_crypto.c wg_noise.c
+ SRCS+= opt_inet.h opt_inet6.h device_if.h bus_if.h
diff --git a/net/amneziawg-kmod/files/patch-if__wg.c b/net/amneziawg-kmod/files/patch-if__wg.c
new file mode 100644
index 000000000000..88733e895b1e
--- /dev/null
+++ b/net/amneziawg-kmod/files/patch-if__wg.c
@@ -0,0 +1,173 @@
+--- if_wg.c.orig	2025-07-22 17:38:01 UTC
++++ if_wg.c
+@@ -278,21 +278,21 @@ static volatile unsigned long peer_counter = 0;
+ static int clone_count;
+ static uma_zone_t wg_packet_zone;
+ static volatile unsigned long peer_counter = 0;
+-static const char wgname[] = "wg";
++static const char wgname[] = "awg";
+ static unsigned wg_osd_jail_slot;
+ 
+ static struct sx wg_sx;
+-SX_SYSINIT(wg_sx, &wg_sx, "wg_sx");
++SX_SYSINIT(wg_sx, &wg_sx, "awg_sx");
+ 
+ static LIST_HEAD(, wg_softc) wg_list = LIST_HEAD_INITIALIZER(wg_list);
+ 
+ static TASKQGROUP_DEFINE(wg_tqg, mp_ncpus, 1);
+ 
+-MALLOC_DEFINE(M_WG, "WG", "wireguard");
++MALLOC_DEFINE(M_WG, "AWG", "amneziawg");
+ 
+-VNET_DEFINE_STATIC(struct if_clone *, wg_cloner);
++VNET_DEFINE_STATIC(struct if_clone *, awg_cloner);
+ 
+-#define	V_wg_cloner	VNET(wg_cloner)
++#define	V_awg_cloner	VNET(awg_cloner)
+ #define	WG_CAPS		IFCAP_LINKSTATE
+ 
+ struct wg_timespec64 {
+@@ -386,10 +386,10 @@ static int wg_ioctl(if_t, u_long, caddr_t);
+ static void wg_reassign(if_t, struct vnet *, char *unused);
+ static void wg_init(void *);
+ static int wg_ioctl(if_t, u_long, caddr_t);
+-static void vnet_wg_init(const void *);
+-static void vnet_wg_uninit(const void *);
+-static int wg_module_init(void);
+-static void wg_module_deinit(void);
++static void vnet_awg_init(const void *);
++static void vnet_awg_uninit(const void *);
++static int awg_module_init(void);
++static void awg_module_deinit(void);
+ 
+ /* TODO Peer */
+ static struct wg_peer *
+@@ -408,7 +408,7 @@ wg_peer_alloc(struct wg_softc *sc, const uint8_t pub_k
+ 
+ 	cookie_maker_init(&peer->p_cookie, pub_key);
+ 
+-	rw_init(&peer->p_endpoint_lock, "wg_peer_endpoint");
++	rw_init(&peer->p_endpoint_lock, "awg_peer_endpoint");
+ 
+ 	wg_queue_init(&peer->p_stage_queue, "stageq");
+ 	wg_queue_init(&peer->p_encrypt_serial, "txq");
+@@ -428,9 +428,9 @@ wg_peer_alloc(struct wg_softc *sc, const uint8_t pub_k
+ 	peer->p_handshake_retries = 0;
+ 
+ 	GROUPTASK_INIT(&peer->p_send, 0, (gtask_fn_t *)wg_deliver_out, peer);
+-	taskqgroup_attach(qgroup_wg_tqg, &peer->p_send, peer, NULL, NULL, "wg send");
++	taskqgroup_attach(qgroup_wg_tqg, &peer->p_send, peer, NULL, NULL, "awg send");
+ 	GROUPTASK_INIT(&peer->p_recv, 0, (gtask_fn_t *)wg_deliver_in, peer);
+-	taskqgroup_attach(qgroup_wg_tqg, &peer->p_recv, peer, NULL, NULL, "wg recv");
++	taskqgroup_attach(qgroup_wg_tqg, &peer->p_recv, peer, NULL, NULL, "awg recv");
+ 
+ 	LIST_INIT(&peer->p_aips);
+ 	peer->p_aips_num = 0;
+@@ -3286,26 +3286,26 @@ static void
+ }
+ 
+ static void
+-vnet_wg_init(const void *unused __unused)
++vnet_awg_init(const void *unused __unused)
+ {
+ 	struct if_clone_addreq req = {
+ 		.create_f = wg_clone_create,
+ 		.destroy_f = wg_clone_destroy,
+ 		.flags = IFC_F_AUTOUNIT,
+ 	};
+-	V_wg_cloner = ifc_attach_cloner(wgname, &req);
++	V_awg_cloner = ifc_attach_cloner(wgname, &req);
+ }
+-VNET_SYSINIT(vnet_wg_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
+-	     vnet_wg_init, NULL);
++VNET_SYSINIT(vnet_awg_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
++	     vnet_awg_init, NULL);
+ 
+ static void
+-vnet_wg_uninit(const void *unused __unused)
++vnet_awg_uninit(const void *unused __unused)
+ {
+-	if (V_wg_cloner)
+-		ifc_detach_cloner(V_wg_cloner);
++	if (V_awg_cloner)
++		ifc_detach_cloner(V_awg_cloner);
+ }
+-VNET_SYSUNINIT(vnet_wg_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
+-	       vnet_wg_uninit, NULL);
++VNET_SYSUNINIT(vnet_awg_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
++    vnet_awg_uninit, NULL);
+ 
+ static int
+ wg_prison_remove(void *obj, void *data __unused)
+@@ -3352,14 +3352,14 @@ static int
+ #endif
+ 
+ static int
+-wg_module_init(void)
++awg_module_init(void)
+ {
+ 	int ret;
+ 	osd_method_t methods[PR_MAXMETHOD] = {
+ 		[PR_METHOD_REMOVE] = wg_prison_remove,
+ 	};
+ 
+-	wg_packet_zone = uma_zcreate("wg packet", sizeof(struct wg_packet),
++	wg_packet_zone = uma_zcreate("awg packet", sizeof(struct wg_packet),
+ 	     NULL, NULL, NULL, NULL, 0, 0);
+ 
+ 	ret = crypto_init();
+@@ -3378,15 +3378,15 @@ static void
+ }
+ 
+ static void
+-wg_module_deinit(void)
++awg_module_deinit(void)
+ {
+ 	VNET_ITERATOR_DECL(vnet_iter);
+ 	VNET_LIST_RLOCK();
+ 	VNET_FOREACH(vnet_iter) {
+-		struct if_clone *clone = VNET_VNET(vnet_iter, wg_cloner);
++		struct if_clone *clone = VNET_VNET(vnet_iter, awg_cloner);
+ 		if (clone) {
+ 			ifc_detach_cloner(clone);
+-			VNET_VNET(vnet_iter, wg_cloner) = NULL;
++			VNET_VNET(vnet_iter, awg_cloner) = NULL;
+ 		}
+ 	}
+ 	VNET_LIST_RUNLOCK();
+@@ -3401,13 +3401,13 @@ static int
+ }
+ 
+ static int
+-wg_module_event_handler(module_t mod, int what, void *arg)
++awg_module_event_handler(module_t mod, int what, void *arg)
+ {
+ 	switch (what) {
+ 		case MOD_LOAD:
+-			return wg_module_init();
++			return awg_module_init();
+ 		case MOD_UNLOAD:
+-			wg_module_deinit();
++			awg_module_deinit();
+ 			break;
+ 		default:
+ 			return (EOPNOTSUPP);
+@@ -3415,12 +3415,12 @@ wg_module_event_handler(module_t mod, int what, void *
+ 	return (0);
+ }
+ 
+-static moduledata_t wg_moduledata = {
+-	"if_wg",
+-	wg_module_event_handler,
++static moduledata_t awg_moduledata = {
++	"if_awg",
++	awg_module_event_handler,
+ 	NULL
+ };
+ 
+-DECLARE_MODULE(if_wg, wg_moduledata, SI_SUB_PSEUDO, SI_ORDER_ANY);
+-MODULE_VERSION(if_wg, WIREGUARD_VERSION);
+-MODULE_DEPEND(if_wg, crypto, 1, 1, 1);
++DECLARE_MODULE(if_awg, awg_moduledata, SI_SUB_PSEUDO, SI_ORDER_ANY);
++MODULE_VERSION(if_awg, WIREGUARD_VERSION);
++MODULE_DEPEND(if_awg, crypto, 1, 1, 1);
diff --git a/net/amneziawg-kmod/pkg-descr b/net/amneziawg-kmod/pkg-descr
new file mode 100644
index 000000000000..d493982cbd6e
--- /dev/null
+++ b/net/amneziawg-kmod/pkg-descr
@@ -0,0 +1,12 @@
+AmneziaWG is a contemporary version of the popular VPN protocol, WireGuard.
+It offers protection against detection by Deep Packet Inspection (DPI) systems.
+At the same time, it retains the simplified architecture and high performance
+of the original.
+
+The progenitor of AmneziaWG, WireGuard, is known for its efficiency, but
+it does have issues with detection due to distinctive packet signatures.
+AmneziaWG addresses this problem by employing advanced obfuscation methods,
+allowing its traffic to blend seamlessly with regular internet traffic.
+As a result, AmneziaWG maintains high performance while adding an extra layer
+of stealth, making it a superb choice for those seeking a fast and discreet
+VPN connection.
diff --git a/net/amneziawg-tools/Makefile b/net/amneziawg-tools/Makefile
new file mode 100644
index 000000000000..99af37f70786
--- /dev/null
+++ b/net/amneziawg-tools/Makefile
@@ -0,0 +1,36 @@
+PORTNAME=	amneziawg-tools
+PORTVERSION=	1.0.20241018
+CATEGORIES=	net net-vpn
+MASTER_SITES=	https://github.com/amnezia-vpn/amneziawg-tools/
+
+MAINTAINER=	vova@zote.me
+COMMENT=	Fast, modern and secure VPN Tunnel with AmneziaVPN anti-detection
+WWW=		https://github.com/amnezia-vpn/amneziawg-tools/
+
+LICENSE=	GPLv2
+
+RUN_DEPENDS=	bash:shells/bash
+
+USES=		gmake
+USE_GITHUB=	yes
+GH_ACCOUNT=	amnezia-vpn
+GH_TAGNAME=	v${PORTVERSION}
+
+WRKSRC_SUBDIR=	src
+MAKE_ARGS+=	DEBUG=no WITH_BASHCOMPLETION=yes WITH_SYSTEMDUNITS=no
+MAKE_ENV+=	MANDIR="${PREFIX}/share/man" \
+		SYSCONFDIR="${PREFIX}/etc"
+
+USE_RC_SUBR=	amneziawg
+
+.include <bsd.port.options.mk>
+
+post-patch:
+	@${REINPLACE_CMD} -e 's|wg s|awg s|g' \
+		${WRKSRC}/completion/wg-quick.bash-completion
+
+post-install:
+	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/amnezia/amneziawg
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/awg
+
+.include <bsd.port.mk>
diff --git a/net/amneziawg-tools/distinfo b/net/amneziawg-tools/distinfo
new file mode 100644
index 000000000000..3703c8bf36a2
--- /dev/null
+++ b/net/amneziawg-tools/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1744661306
+SHA256 (amnezia-vpn-amneziawg-tools-1.0.20241018-v1.0.20241018_GH0.tar.gz) = 60f1cec1774fb871a2d8dc24e4f731625516d90f663d6e0d2c77d9247222f2f9
+SIZE (amnezia-vpn-amneziawg-tools-1.0.20241018-v1.0.20241018_GH0.tar.gz) = 156259
diff --git a/net/amneziawg-tools/files/amneziawg.in b/net/amneziawg-tools/files/amneziawg.in
new file mode 100644
index 000000000000..beb12e026827
--- /dev/null
+++ b/net/amneziawg-tools/files/amneziawg.in
@@ -0,0 +1,74 @@
+#!/bin/sh
+
+# PROVIDE: amneziawg
+# REQUIRE: NETWORKING
+# KEYWORD: shutdown
+#
+# amneziawg_enable (bool):    Set to "YES" to enable amneziawg.
+#                             (default: "NO")
+#
+# amneziawg_interfaces (str): List of interfaces to bring up/down
+#                             on start/stop. (eg: "awg0 awg1")
+#                             (default: "")
+# amneziawg_env (str):        Environment variables for the userspace
+#                             implementation. (eg: "LOG_LEVEL=debug")
+
+. /etc/rc.subr
+
+name=amneziawg
+rcvar=amneziawg_enable
+extra_commands="reload status"
+
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+reload_cmd="${name}_reload"
+status_cmd="${name}_status"
+
+amneziawg_start()
+{
+	${amneziawg_env:+eval export $amneziawg_env}
+    kldload -n if_awg
+
+	for interface in ${amneziawg_interfaces}; do
+		%%PREFIX%%/bin/awg-quick up ${interface}
+	done
+}
+
+amneziawg_stop()
+{
+	for interface in ${amneziawg_interfaces}; do
+		%%PREFIX%%/bin/awg-quick down ${interface}
+	done
+}
+
+amneziawg_reload()
+{
+	${amneziawg_env:+eval export $amneziawg_env}
+
+	for interface in ${amneziawg_interfaces}; do
+		tmpfile="`mktemp`"
+		%%PREFIX%%/bin/awg-quick strip ${interface} > ${tmpfile}
+		%%PREFIX%%/bin/awg syncconf ${interface} ${tmpfile}
+		rm -f ${tmpfile}
+	done
+}
+
+amneziawg_status()
+{
+	${amneziawg_env:+eval export $amneziawg_env}
+	amneziawg_status="0"
+
+	for interface in ${amneziawg_interfaces}; do
+		%%PREFIX%%/bin/awg show ${interface} || amneziawg_status="1"
+	done
+
+	return ${amneziawg_status}
+}
+
+load_rc_config $name
+
+: ${amneziawg_enable="NO"}
+: ${amneziawg_interfaces=""}
+: ${amneziawg_env=""}
+
+run_rc_command "$1"
diff --git a/net/amneziawg-tools/files/patch-config.c b/net/amneziawg-tools/files/patch-config.c
new file mode 100644
index 000000000000..6e00e1f19d4d
--- /dev/null
+++ b/net/amneziawg-tools/files/patch-config.c
@@ -0,0 +1,11 @@
+--- config.c.orig	2025-06-13 09:33:11 UTC
++++ config.c
+@@ -252,7 +252,7 @@ static inline bool parse_endpoint(struct sockaddr *end
+ 		 *
+ 		 * So this is what we do, except FreeBSD removed EAI_NODATA some time ago, so that's conditional.
+ 		 */
+-		if (ret == EAI_NONAME || ret == EAI_FAIL ||
++		if (/* ret == EAI_NONAME || */ ret == EAI_FAIL ||
+ 			#ifdef EAI_NODATA
+ 				ret == EAI_NODATA ||
+ 			#endif
diff --git a/net/amneziawg-tools/files/patch-ipc-freebsd.h b/net/amneziawg-tools/files/patch-ipc-freebsd.h
new file mode 100644
index 000000000000..9660fa0126ed
--- /dev/null
+++ b/net/amneziawg-tools/files/patch-ipc-freebsd.h
@@ -0,0 +1,11 @@
+--- ipc-freebsd.h.orig	2025-07-22 19:01:39 UTC
++++ ipc-freebsd.h
+@@ -21,7 +21,7 @@ static int kernel_get_wireguard_interfaces(struct stri
+ 
+ static int kernel_get_wireguard_interfaces(struct string_list *list)
+ {
+-	struct ifgroupreq ifgr = { .ifgr_name = "wg" };
++	struct ifgroupreq ifgr = { .ifgr_name = "awg" };
+ 	struct ifg_req *ifg;
+ 	int s = get_dgram_socket(), ret = 0;
+ 
diff --git a/net/amneziawg-tools/files/patch-wg-quick_freebsd.bash b/net/amneziawg-tools/files/patch-wg-quick_freebsd.bash
new file mode 100644
index 000000000000..c259697256a7
--- /dev/null
+++ b/net/amneziawg-tools/files/patch-wg-quick_freebsd.bash
@@ -0,0 +1,192 @@
+--- wg-quick/freebsd.bash.orig	2024-10-01 13:02:42 UTC
++++ wg-quick/freebsd.bash
+@@ -25,11 +25,17 @@ CONFIG_FILE=""
+ POST_DOWN=( )
+ SAVE_CONFIG=0
+ CONFIG_FILE=""
++DESCRIPTION=""
++USERLAND=0
+ PROGRAM="${0##*/}"
+ ARGS=( "$@" )
+ 
+ IS_ASESCURITY_ON=0
+ 
++
++declare -A ROUTES
++
++
+ cmd() {
+ 	echo "[#] $*" >&3
+ 	"$@"
+@@ -40,7 +46,7 @@ die() {
+ 	exit 1
+ }
+ 
+-CONFIG_SEARCH_PATHS=( /etc/amnezia/amneziawg /usr/local/etc/amnezia/amneziawg )
++CONFIG_SEARCH_PATHS=( /usr/local/etc/amnezia/amneziawg  /usr/local/etc/wireguard )
+ 
+ unset ORIGINAL_TMPDIR
+ make_temp() {
+@@ -64,7 +70,7 @@ parse_options() {
+ }
+ 
+ parse_options() {
+-	local interface_section=0 line key value stripped path v
++	local interface_section=0 line key value stripped path v last_public_key 
+ 	CONFIG_FILE="$1"
+ 	if [[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]]; then
+ 		for path in "${CONFIG_SEARCH_PATHS[@]}"; do
+@@ -82,7 +88,7 @@ parse_options() {
+ 		stripped="${line%%\#*}"
+ 		key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
+ 		value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
+-		[[ $key == "["* ]] && interface_section=0
++		[[ $key == "["* ]] && interface_section=0 && last_public_key=""
+ 		[[ $key == "[Interface]" ]] && interface_section=1
+ 		if [[ $interface_section -eq 1 ]]; then
+ 			case "$key" in
+@@ -96,9 +102,12 @@ parse_options() {
+ 			PreDown) PRE_DOWN+=( "$value" ); continue ;;
+ 			PostUp) POST_UP+=( "$value" ); continue ;;
+ 			PostDown) POST_DOWN+=( "$value" ); continue ;;
++			Description) DESCRIPTION="$value"; continue ;;
+ 			SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;;
++			UserLand) read_bool USERLAND "$value"; continue ;;
+ 			esac
+ 			case "$key" in
++			
+ 			Jc);&
+ 			Jmin);&
+ 			Jmax);&
+@@ -109,6 +118,12 @@ parse_options() {
+ 			H3);&
+ 			H4) IS_ASESCURITY_ON=1;;
+ 			esac
++		else
++			case "$key" in
++			PublicKey) last_public_key="$value" ;;
++			Routes) ROUTES["$last_public_key"]="$value"; continue ;;
++			DynamicRoutes) continue ;;
++			esac
+ 		fi
+ 		WG_CONFIG+="$line"$'\n'
+ 	done < "$CONFIG_FILE"
+@@ -130,11 +145,14 @@ add_if() {
+ add_if() {
+ 	local ret rc
+-	local cmd="ifconfig wg create name "$INTERFACE""
+-	if [[ $IS_ASESCURITY_ON == 1 ]]; then
++	local cmd="ifconfig awg create name "$INTERFACE""
++	if [[ $USERLAND == 1 ]]; then
+ 		cmd="amneziawg-go "$INTERFACE"";
+ 	fi
+-	if ret="$(cmd $cmd 2>&1 >/dev/null)"; then
+-		return 0
++	if [ -n "$DESCRIPTION" ]; then
++		ret="$(cmd $cmd description "$DESCRIPTION" 2>&1 >/dev/null)" && return 0
++	else
++
++		ret="$(cmd $cmd 2>&1 >/dev/null)" && return 0
+ 	fi
+ 	rc=$?
+ 	if [[ $ret == *"ifconfig: ioctl SIOCSIFNAME (set name): File exists"* ]]; then
+@@ -209,7 +227,7 @@ set_mtu() {
+ 		[[ ${BASH_REMATCH[1]} == *:* ]] && family=inet6
+ 		output="$(route -n get "-$family" "${BASH_REMATCH[1]}" || true)"
+ 		[[ $output =~ interface:\ ([^ ]+)$'\n' && $(ifconfig "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}"
+-	done < <(wg show "$INTERFACE" endpoints)
++	done < <(awg show "$INTERFACE" endpoints)
+ 	if [[ $mtu -eq 0 ]]; then
+ 		read -r output < <(route -n get default || true) || true
+ 		[[ $output =~ interface:\ ([^ ]+)$'\n' && $(ifconfig "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}"
+@@ -242,7 +260,7 @@ collect_endpoints() {
+ 	while read -r _ endpoint; do
+ 		[[ $endpoint =~ ^\[?([a-z0-9:.]+)\]?:[0-9]+$ ]] || continue
+ 		ENDPOINTS+=( "${BASH_REMATCH[1]}" )
+-	done < <(wg show "$INTERFACE" endpoints)
++	done < <(awg show "$INTERFACE" endpoints)
+ }
+ 
+ set_endpoint_direct_route() {
+@@ -301,14 +319,13 @@ monitor_daemon() {
+ 	(make_temp
+ 	trap 'del_routes; clean_temp; exit 0' INT TERM EXIT
+ 	exec >/dev/null 2>&1
+-	exec 19< <(exec route -n monitor)
++	exec 19< <(exec stdbuf -oL route -n monitor)
+ 	local event pid=$!
+ 	# TODO: this should also check to see if the endpoint actually changes
+ 	# in response to incoming packets, and then call set_endpoint_direct_route
+ 	# then too. That function should be able to gracefully cleanup if the
+ 	# endpoints change.
+ 	while read -u 19 -r event; do
+-		[[ $event == RTM_* ]] || continue
+ 		ifconfig "$INTERFACE" >/dev/null 2>&1 || break
+ 		[[ $AUTO_ROUTE4 -eq 1 || $AUTO_ROUTE6 -eq 1 ]] && set_endpoint_direct_route
+ 		# TODO: set the mtu as well, but only if up
+@@ -354,7 +371,7 @@ set_config() {
+ }
+ 
+ set_config() {
+-	echo "$WG_CONFIG" | cmd wg setconf "$INTERFACE" /dev/stdin
++	echo "$WG_CONFIG" | cmd awg setconf "$INTERFACE" /dev/stdin
+ }
+ 
+ save_config() {
+@@ -386,7 +403,7 @@ save_config() {
+ 	done
+ 	old_umask="$(umask)"
+ 	umask 077
+-	current_config="$(cmd wg showconf "$INTERFACE")"
++	current_config="$(cmd awg showconf "$INTERFACE")"
+ 	trap 'rm -f "$CONFIG_FILE.tmp"; clean_temp; exit' INT TERM EXIT
+ 	echo "${current_config/\[Interface\]$'\n'/$new_config}" > "$CONFIG_FILE.tmp" || die "Could not write configuration file"
+ 	sync "$CONFIG_FILE.tmp"
+@@ -433,6 +450,20 @@ cmd_usage() {
+ 	_EOF
+ }
+ 
++get_routes() {
++	while read -r pub_key i; do
++		if [[ -v "ROUTES[$pub_key]" ]]; then
++			for route in ${ROUTES[$pub_key]//,/ }; do
++				echo "$route"
++			done
++		else
++			for j in $i; do 
++				[[ $j =~ ^[0-9a-z:.]+/[0-9]+$ ]] && echo "$j"
++			done
++		fi
++	done < <(awg show "$INTERFACE" allowed-ips) | sort -nr -k 2 -t /
++}
++
+ cmd_up() {
+ 	local i
+ 	[[ -z $(ifconfig "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists"
+@@ -446,7 +477,7 @@ cmd_up() {
+ 	set_mtu
+ 	up_if
+ 	set_dns
+-	for i in $(while read -r _ i; do for i in $i; do [[ $i =~ ^[0-9a-z:.]+/[0-9]+$ ]] && echo "$i"; done; done < <(wg show "$INTERFACE" allowed-ips) | sort -nr -k 2 -t /); do
++	for i in $(get_routes); do
+ 		add_route "$i"
+ 	done
+ 	[[ $AUTO_ROUTE4 -eq 1 || $AUTO_ROUTE6 -eq 1 ]] && set_endpoint_direct_route
+@@ -456,7 +487,7 @@ cmd_down() {
+ }
+ 
+ cmd_down() {
+-	[[ " $(wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
++	[[ " $(awg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
+ 	execute_hooks "${PRE_DOWN[@]}"
+ 	[[ $SAVE_CONFIG -eq 0 ]] || save_config
+ 	del_if
+@@ -465,7 +496,7 @@ cmd_save() {
+ }
+ 
+ cmd_save() {
+-	[[ " $(wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
++	[[ " $(awg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
+ 	save_config
+ }
+ 
diff --git a/net/amneziawg-tools/pkg-descr b/net/amneziawg-tools/pkg-descr
new file mode 100644
index 000000000000..fdd8572d80a5
--- /dev/null
+++ b/net/amneziawg-tools/pkg-descr
@@ -0,0 +1,2 @@
+This supplies the main userspace tooling for using and configuring
+WireGuard tunnels, including the wg(8) and wg-quick(8) utilities.
diff --git a/net/amneziawg-tools/pkg-plist b/net/amneziawg-tools/pkg-plist
new file mode 100644
index 000000000000..c0a76bc03aa3
--- /dev/null
+++ b/net/amneziawg-tools/pkg-plist
@@ -0,0 +1,7 @@
+bin/awg
+bin/awg-quick
+share/bash-completion/completions/awg
+share/bash-completion/completions/awg-quick
+share/man/man8/awg.8.gz
+share/man/man8/awg-quick.8.gz
+@dir etc/amnezia/amneziawg