Ideally, private keys never leave the host they're generated on - like
SSH. Setting generatePrivateKeyFile to true causes the PK to be
generate automatically.
Wireguard is now split into two pretty much independent packages:
`wireguard` (Linux-specific kernel module) and `wireguard-tools`,
which is cross-platform.
This is more in line with what other services do; also looks cleaner.
It changes configuration entries for pre-and post-hooks type to lines from
lists of strings which are more logical for them; coersion is provided for
backwards compatibility.
Finally, add several steps to improve robustness:
1. Load kernel module on start if not loaded;
2. Don't remove wireguard interface on start; it is removed on service stop. If
it's not something is wrong.
Sometimes (especially in the default route case) it is required to NOT
add routes for all allowed IP ranges. One might run it's own custom
routing on-top of wireguard and only use the wireguard addresses to
exchange prefixes with the remote host.
Do the right thing, and use multiple interfaces for policy routing. For example, WireGuard interfaces do not allow multiple routes for the same CIDR range.
This adds a convenient per-peer option to set the routing table that associated routes are added to. This functionality is very useful for isolating interfaces from the kernel's global routing and forcing all traffic of a virtual interface (or a group of processes, via e.g. "ip rule add uidrange 10000-10009 lookup 42") through Wireguard.
It was deprecated and removed from all modules in the tree by #18319.
The wireguard module PR (#17933) was still in the review at the time and
the deprecated usage managed to slip inside.