Diffstat (limited to 'docs/configuration/interfaces')
-rw-r--r-- docs/configuration/interfaces/bonding.rst 7
-rw-r--r-- docs/configuration/interfaces/dummy.rst 4
-rw-r--r-- docs/configuration/interfaces/ethernet.rst 33
-rw-r--r-- docs/configuration/interfaces/geneve.rst 2
-rw-r--r-- docs/configuration/interfaces/l2tpv3.rst 2
-rw-r--r-- docs/configuration/interfaces/loopback.rst 4
-rw-r--r-- docs/configuration/interfaces/macsec.rst 14
-rw-r--r-- docs/configuration/interfaces/pseudo-ethernet.rst 2
-rw-r--r-- docs/configuration/interfaces/tunnel.rst 33
-rw-r--r-- docs/configuration/interfaces/vxlan.rst 2
-rw-r--r-- docs/configuration/interfaces/wireguard.rst 149
-rw-r--r-- docs/configuration/interfaces/wireless.rst 4
-rw-r--r-- docs/configuration/interfaces/wwan.rst 2
13 files changed, 102 insertions, 156 deletions
diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst
index 1e89e5f0..6db8e53b 100644
--- a/docs/configuration/interfaces/bonding.rst
+++ b/docs/configuration/interfaces/bonding.rst
@@ -271,13 +271,6 @@ Bond options
The maximum number of targets that can be specified is 16. The default value
is no IP address.
-Offloading
-----------
-
-.. cmdinclude:: /_include/interface-xdp.txt
- :var0: bonding
- :var1: bond0
-
VLAN
====
diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst
index e521f40d..945361c2 100644
--- a/docs/configuration/interfaces/dummy.rst
+++ b/docs/configuration/interfaces/dummy.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-20
.. _dummy-interface:
@@ -68,7 +68,7 @@ Operation
.. code-block:: none
- vyos@vyos:~$ show interfaces ethernet eth0
+ vyos@vyos:~$ show interfaces dummy dum0
dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff
inet 172.18.254.201/32 scope global dum0
diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst
index 6ed59bc0..071044f5 100644
--- a/docs/configuration/interfaces/ethernet.rst
+++ b/docs/configuration/interfaces/ethernet.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-20
.. _ethernet-interface:
@@ -107,11 +107,6 @@ Offloading
- it does not increase hardware device interrupt rate (although it does
introduce inter-processor interrupts (IPIs)).
-
-.. cmdinclude:: /_include/interface-xdp.txt
- :var0: ethernet
- :var1: eth0
-
Authentication (EAPoL)
----------------------
@@ -288,29 +283,3 @@ Operation
BR margin, min : 0%
Vendor SN : FNS092xxxxx
Date code : 0506xx
-
-.. stop_vyoslinter
-
-.. opcmd:: show interfaces ethernet <interface> xdp
-
- Display XDP forwarding statistics
-
- .. code-block:: none
-
- vyos@vyos:~$ show interfaces ethernet eth1 xdp
-
- Collecting stats from BPF map
- - BPF map (bpf_map_type:6) id:176 name:xdp_stats_map key_size:4 value_size:16 max_entries:5
- XDP-action
- XDP_ABORTED 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250340
- XDP_DROP 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250317
- XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250314
- XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250313
- XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250313
-
- XDP-action
- XDP_ABORTED 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000410
- XDP_DROP 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414
- XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414
- XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414
- XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414
diff --git a/docs/configuration/interfaces/geneve.rst b/docs/configuration/interfaces/geneve.rst
index f81c6ba6..bf8b0920 100644
--- a/docs/configuration/interfaces/geneve.rst
+++ b/docs/configuration/interfaces/geneve.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-20
.. _geneve-interface:
diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst
index b40d7027..b8959816 100644
--- a/docs/configuration/interfaces/l2tpv3.rst
+++ b/docs/configuration/interfaces/l2tpv3.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-30
.. include:: /_include/need_improvement.txt
diff --git a/docs/configuration/interfaces/loopback.rst b/docs/configuration/interfaces/loopback.rst
index 92edeb56..08be0c8a 100644
--- a/docs/configuration/interfaces/loopback.rst
+++ b/docs/configuration/interfaces/loopback.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-20
.. _loopback-interface:
@@ -59,7 +59,7 @@ Operation
.. code-block:: none
- vyos@vyos:~$ show interfaces ethernet eth0
+ vyos@vyos:~$ show interfaces loopback lo
lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 6ee8f1fe..c56241c6 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-30
.. _macsec-interface:
@@ -29,14 +29,11 @@ Common interface configuration
MACsec options
==============
-.. cfgcmd:: set interfaces macsec <interface> security cipher [gcm-aes-128]
+.. cfgcmd:: set interfaces macsec <interface> security cipher <gcm-aes-128|gcm-aes-256>
Select cipher suite used for cryptographic operations. This setting is
mandatory.
- .. note:: gcm-aes-256 support planned once iproute2 package is updated to
- version >=5.2.
-
.. cfgcmd:: set interfaces macsec <interface> security encrypt
MACsec only provides authentication by default, encryption is optional. This
@@ -56,11 +53,12 @@ individual peers.
.. cfgcmd:: set interfaces macsec <interface> security mka cak <key>
IEEE 802.1X/MACsec pre-shared key mode. This allows configuring MACsec with
- a pre-shared key using a (CAK,CKN) pair.
+ a pre-shared key using a :abbr:`CAK (MACsec connectivity association key)` and
+ :abbr:`CKN (MACsec connectivity association name)` pair.
.. cfgcmd:: set interfaces macsec <interface> security mka ckn <key>
- CAK Name
+ :abbr:`CKN (MACsec connectivity association name)` key
.. cfgcmd:: set interfaces macsec <interface> security mka priority <priority>
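Review bot: the new description under "security mka ckn" reads "CKN (MACsec connectivity association name) key", but the abbreviation expanded on the same line says the CKN is a name, not a key. Drop the trailing "key" (or write "CKN value") so it is not confused with the CAK described just above, which is the actual pre-shared key.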
@@ -104,7 +102,7 @@ Operation
.. opcmd:: show interfaces macsec
- List all MACsec interfaces
+ List all MACsec interfaces.
.. code-block:: none
diff --git a/docs/configuration/interfaces/pseudo-ethernet.rst b/docs/configuration/interfaces/pseudo-ethernet.rst
index 2a67c297..59b3581c 100644
--- a/docs/configuration/interfaces/pseudo-ethernet.rst
+++ b/docs/configuration/interfaces/pseudo-ethernet.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-26
.. _pseudo-ethernet-interface:
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst
index 9ea825ac..bd7a8460 100644
--- a/docs/configuration/interfaces/tunnel.rst
+++ b/docs/configuration/interfaces/tunnel.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-26
.. _tunnel-interface:
@@ -18,7 +18,7 @@ a closer look at the protocols and options currently supported by VyOS.
Common interface configuration
------------------------------
-.. cmdinclude:: /_include/interface-common-without-dhcp.txt
+.. cmdinclude:: /_include/interface-common-without-dhcp1.txt
:var0: tunnel
:var1: tun0
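Review bot: the include target becomes "/_include/interface-common-without-dhcp1.txt", and that file is not part of this diff, which is limited to docs/configuration/interfaces. Please confirm it is added in the same commit, and consider a name that says how it differs from "interface-common-without-dhcp.txt" instead of a trailing "1".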
@@ -114,12 +114,12 @@ over either IPv4 (gre) or IPv6 (ip6gre).
Configuration
^^^^^^^^^^^^^
-A basic configuration requires a tunnel source (source-address), a tunnel destination
-(remote), an encapsulation type (gre), and an address (ipv4/ipv6). Below is a
-basic IPv4 only configuration example taken from a VyOS router and a Cisco IOS
-router. The main difference between these two configurations is that VyOS
-requires you explicitly configure the encapsulation type. The Cisco router
-defaults to GRE IP otherwise it would have to be configured as well.
+A basic configuration requires a tunnel source (source-address), a tunnel
+destination (remote), an encapsulation type (gre), and an address (ipv4/ipv6).
+Below is a basic IPv4 only configuration example taken from a VyOS router and
+a Cisco IOS router. The main difference between these two configurations is
+that VyOS requires you explicitly configure the encapsulation type. The Cisco
+router defaults to GRE IP otherwise it would have to be configured as well.
**VyOS Router:**
@@ -203,22 +203,21 @@ An example:
set interfaces tunnel tun0 address 172.16.17.18/24
set interfaces tunnel tun0 parameters ip key 20
-GRE-Bridge
-^^^^^^^^^^
+GRETAP
+^^^^^^^
-While normal GRE is for layer 3, GRE-Bridge is for layer 2. GRE-Bridge can
-encapsulate Ethernet frames, thus it can be bridged with other interfaces to
-create datalink layer segments that span multiple remote sites.
-
-Layer 2 GRE example:
+While normal GRE is for layer 3, GRETAP is for layer 2. GRETAP can encapsulate
+Ethernet frames, thus it can be bridged with other interfaces to create
+datalink layer segments that span multiple remote sites.
.. code-block:: none
set interfaces bridge br0 member interface eth0
set interfaces bridge br0 member interface tun0
set interfaces tunnel tun0 encapsulation gretap
- set interfaces tunnel tun0 source-address 192.0.2.100
- set interfaces tunnel tun0 remote 192.0.2.1
+ set interfaces tunnel tun0 source-address 198.51.100.2
+ set interfaces tunnel tun0 remote 203.0.113.10
+
Troubleshooting
^^^^^^^^^^^^^^^
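Review bot: the new "GRETAP" title is six characters but its underline has seven carets, while "Troubleshooting" in the same hunk matches its underline exactly; trim one caret for consistency. Removing "Layer 2 GRE example:" also leaves the code block without an introducing sentence, and the added empty "+" line before "Troubleshooting" looks unintended.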
diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst
index 08916309..cb638736 100644
--- a/docs/configuration/interfaces/vxlan.rst
+++ b/docs/configuration/interfaces/vxlan.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-26
.. _vxlan-interface:
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index bd7b4899..036a9063 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2023-01-26
+
.. _wireguard:
#########
@@ -16,19 +18,12 @@ This diagram corresponds with the example site to site configuration below.
.. figure:: /_static/images/wireguard_site2site_diagram.jpg
-*************
-Configuration
-*************
-
-
-
********
Keypairs
********
-WireGuard requires the generation of a keypair, which includes a private
-key to decrypt incoming traffic, and a public key for peer(s) to encrypt
-traffic.
+WireGuard requires the generation of a keypair, which includes a private key to
+decrypt incoming traffic, and a public key for peer(s) to encrypt traffic.
Generate Keypair
================
@@ -71,52 +66,48 @@ own keypairs.
Interface configuration
***********************
-The next step is to configure your local side as well as the policy
-based trusted destination addresses. If you only initiate a connection,
-the listen port and address/port is optional; however, if you act as a
-server and endpoints initiate the connections to your system, you need to
-define a port your clients can connect to, otherwise the port is randomly
-chosen and may make connection difficult with firewall rules, since the port
-may be different each time the system is rebooted.
+The next step is to configure your local side as well as the policy based
+trusted destination addresses. If you only initiate a connection, the listen
+port and address/port is optional; however, if you act like a server and
+endpoints initiate the connections to your system, you need to define a port
+your clients can connect to, otherwise the port is randomly chosen and may
+make connection difficult with firewall rules, since the port may be different
+each time the system is rebooted.
-You will also need the public key of your peer as well as the network(s)
-you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The
-public key below is always the public key from your peer, not your local
-one.
+You will also need the public key of your peer as well as the network(s) you
+want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key
+below is always the public key from your peer, not your local one.
**local side - commands**
+- WireGuard interface itself uses address 10.1.0.1/30
+- We only allow the 192.168.2.0/24 subnet to travel over the tunnel
+- Our remote end of the tunnel for peer `to-wg02` is reachable at 192.0.2.1
+ port 51820
+- The remote peer `to-wg02` uses XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=
+ as its public key portion
+- We listen on port 51820
+- We route all traffic for the 192.168.2.0/24 network to interface `wg01`
+
.. code-block:: none
set interfaces wireguard wg01 address '10.1.0.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'
- set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'
+ set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
set interfaces wireguard wg01 port '51820'
- set protocols static interface-route 192.168.2.0/24 next-hop-interface wg01
-**local side - annotated commands**
+ set protocols static interface-route 192.168.2.0/24 next-hop-interface wg01
-.. code-block:: none
+The last step is to define an interface route for 192.168.2.0/24 to get through
+the WireGuard interface `wg01`. Multiple IPs or networks can be defined and
+routed. The last check is allowed-ips which either prevents or allows the
+traffic.
- set interfaces wireguard wg01 address '10.1.0.1/30' # Address of the wg01 tunnel interface.
- set interfaces wireguard wg01 description 'VPN-to-wg02'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24' # Subnets that are allowed to travel over the tunnel
- set interfaces wireguard wg01 peer to-wg02 address '<Site2 Pub IP>' # Public IP of the peer
- set interfaces wireguard wg01 peer to-wg02 port '58120' # Port of the Peer
- set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>' # Public Key of the Peer
- set interfaces wireguard wg01 port '51820' # Port of own server
- set protocols static interface-route 192.168.2.0/24 next-hop-interface wg01 # Static route to remote subnet
-
-The last step is to define an interface route for 192.168.2.0/24 to get
-through the WireGuard interface `wg01`. Multiple IPs or networks can be
-defined and routed. The last check is allowed-ips which either prevents
-or allows the traffic.
-
-.. note:: You can not assign the same allowed-ips statement to multiple
- WireGuard peers. This a a design decision. For more information please
+.. warning:: You can not assign the same allowed-ips statement to multiple
+ WireGuard peers. This a design decision. For more information please
check the `WireGuard mailing list`_.
.. cfgcmd:: set interfaces wireguard <interface> private-key <name>
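Review bot: the rewritten warning reads "This a design decision."; the old "This a a" typo was fixed by deleting a word instead of supplying the verb, so it should be "This is a design decision." In the first paragraph "act as a server" became "act like a server", which is a step back from the original wording. The local-side block also still sets the peer key with "pubkey"; check that this is the keyword you want, given the remote-side example in this file.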
@@ -131,38 +122,26 @@ or allows the traffic.
The command :opcmd:`show wireguard keypairs pubkey KP01` will then show the
public key, which needs to be shared with the peer.
-
**remote side - commands**
.. code-block:: none
set interfaces wireguard wg01 address '10.1.0.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg01'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24'
- set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'
- set interfaces wireguard wg01 peer to-wg02 port '51820'
- set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
+ set interfaces wireguard wg01 peer to-wg01 allowed-ips '192.168.1.0/24'
+ set interfaces wireguard wg01 peer to-wg01 address '192.0.2.2'
+ set interfaces wireguard wg01 peer to-wg01 port '51820'
+ set interfaces wireguard wg01 peer to-wg01 public-key 'EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw='
set interfaces wireguard wg01 port '51820'
- set protocols static route 192.168.1.0/24 interface wg01
-
-**remote side - annotated commands**
-.. code-block:: none
-
- set interfaces wireguard wg01 address '10.1.0.2/30' # Address of the wg01 tunnel interface.
- set interfaces wireguard wg01 description 'VPN-to-wg01'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24' # Subnets that are allowed to travel over the tunnel
- set interfaces wireguard wg01 peer to-wg02 address 'Site1 Pub IP' # Public IP address of the Peer
- set interfaces wireguard wg01 peer to-wg02 port '51820' # Port of the Peer
- set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>' # Public key of the Peer
- set interfaces wireguard wg01 port '51820' # Port of own server
- set protocols static route 192.168.1.0/24 interface wg01 # Static route to remote subnet
+ set protocols static route 192.168.1.0/24 interface wg01
*******************
Firewall Exceptions
*******************
-For the WireGuard traffic to pass through the WAN interface, you must create a firewall exception.
+For the WireGuard traffic to pass through the WAN interface, you must create a
+firewall exception.
.. code-block:: none
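Review bot: the remote-side block now sets the peer key with "public-key" while the local-side block in the previous hunk keeps "pubkey", and the route here is "set protocols static route 192.168.1.0/24 interface wg01" against "interface-route ... next-hop-interface wg01" on the local side. Readers will paste both blocks, so pick the syntax valid for the documented release and use it on both sides.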
@@ -177,13 +156,15 @@ For the WireGuard traffic to pass through the WAN interface, you must create a f
set firewall name OUTSIDE_LOCAL rule 20 protocol udp
set firewall name OUTSIDE_LOCAL rule 20 source
-You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local).
+You should also ensure that the OUTISDE_LOCAL firewall group is applied to the
+WAN interface and a direction (local).
.. code-block:: none
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
-Assure that your firewall rules allow the traffic, in which case you have a working VPN using WireGuard.
+Assure that your firewall rules allow the traffic, in which case you have a
+working VPN using WireGuard.
.. code-block:: none
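Review bot: the re-wrapped sentence keeps the misspelling "OUTISDE_LOCAL", and the ruleset name differs between the rules ("OUTSIDE_LOCAL", underscore) and the interface binding in the context line ("OUTSIDE-LOCAL", hyphen). A reader copying both blocks would bind a name to eth0 that is not the ruleset holding rule 20, so use one spelling throughout.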
@@ -223,23 +204,28 @@ With WireGuard, a Road Warrior VPN config is similar to a site-to-site
VPN. It just lacks the ``address`` and ``port`` statements.
In the following example, the IPs for the remote clients are defined in
-the peers. This allows the peers to interact with one another.
+the peers. This allows the peers to interact with one another. In
+comparison to the site-to-site example the ``persistent-keepalive``
+flag is set to 15 seconds to assure the connection is kept alive.
+This is mainly relevant if one of the peers is behind NAT and can't
+be connected to if the connection is lost. To be effective this
+value needs to be lower than the UDP timeout.
.. code-block:: none
- wireguard wg0 {
+ wireguard wg01 {
address 10.172.24.1/24
- address 2001:DB8:470:22::1/64
+ address 2001:db8:470:22::1/64
description RoadWarrior
peer MacBook {
allowed-ips 10.172.24.30/32
- allowed-ips 2001:DB8:470:22::30/128
+ allowed-ips 2001:db8:470:22::30/128
persistent-keepalive 15
pubkey F5MbW7ye7DsoxdOaixjdrudshjjxN5UdNV+pGFHqehc=
}
peer iPhone {
allowed-ips 10.172.24.20/32
- allowed-ips 2001:DB8:470:22::20/128
+ allowed-ips 2001:db8:470:22::20/128
persistent-keepalive 15
pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00=
}
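Review bot: "lower than the UDP timeout" in the added paragraph does not say whose timeout is meant; name it as the UDP session timeout of the NAT device or stateful firewall in front of the peer. The paragraph also states 15 seconds while the client-side examples further down this file keep "PersistentKeepalive = 25", so either align the values or say that each side chooses its own.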
@@ -254,7 +240,7 @@ through the connection.
[Interface]
PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=
- Address = 10.172.24.20/24, 2001:DB8:470:22::20/64
+ Address = 10.172.24.20/24, 2001:db8:470:22::20/64
DNS = 10.0.0.53, 10.0.0.54
[Peer]
@@ -263,19 +249,19 @@ through the connection.
Endpoint = 192.0.2.1:2224
PersistentKeepalive = 25
-However, split-tunneling can be achieved by specifing the remote subnets.
-This ensures that only traffic destined for the remote site is sent over the tunnel.
-All other traffic is unaffected.
+However, split-tunneling can be achieved by specifying the remote subnets.
+This ensures that only traffic destined for the remote site is sent over the
+tunnel. All other traffic is unaffected.
.. code-block:: none
[Interface]
PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=
- Address = 10.172.24.30/24, 2001:DB8:470:22::30/64
+ Address = 10.172.24.30/24, 2001:db8:470:22::30/64
[Peer]
PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
- AllowedIPs = 10.172.24.30/24, 2001:DB8:470:22::/64
+ AllowedIPs = 10.172.24.30/24, 2001:db8:470:22::/64
Endpoint = 192.0.2.1:2224
PersistentKeepalive = 25
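Review bot: the changed line "AllowedIPs = 10.172.24.30/24, 2001:db8:470:22::/64" lowercases the IPv6 prefix but keeps host bits set in the IPv4 entry. The paragraph above says to specify the remote subnets, so write "10.172.24.0/24" to match the IPv6 entry, which is already given as a network.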
@@ -296,7 +282,7 @@ Status
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
- wg0 10.0.0.1/24 u/u
+ wg01 10.0.0.1/24 u/u
.. opcmd:: show interfaces wireguard <interface>
@@ -306,7 +292,7 @@ Status
.. code-block:: none
vyos@vyos:~$ show interfaces wireguard wg01
- interface: wg0
+ interface: wg01
address: 10.0.0.1/24
public key: h1HkYlSuHdJN6Qv4Hz4bBzjGg5WUty+U1L7DJsZy1iE=
private key: (hidden)
@@ -358,14 +344,15 @@ Some users tend to connect their mobile devices using WireGuard to their VyOS
router. To ease deployment one can generate a "per mobile" configuration from
the VyOS CLI.
-.. warning:: From a security perspective it is not recommended to let a third
- party create and share the private key for a secured connection. You should create the
- private portion on your own and only hand out the public key. Please keep this
- in mind when using this convenience feature.
+.. warning:: From a security perspective, it is not recommended to let a third
+ party create and share the private key for a secured connection.
+ You should create the private portion on your own and only hand out the
+ public key. Please keep this in mind when using this convenience feature.
-.. opcmd:: generate wireguard client-config <name> interface <interface> server <ip|fqdn> address <client-ip>
+.. opcmd:: generate wireguard client-config <name> interface <interface> server
+ <ip|fqdn> address <client-ip>
- Using this command you will create a new client configuration which can
+ Using this command, you will create a new client configuration which can
connect to ``interface`` on this router. The public key from the specified
interface is automatically extracted and embedded into the configuration.
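Review bot: the ".. opcmd::" argument is now wrapped onto a second line ("<ip|fqdn> address <client-ip>"). Check the rendered page and the command index to confirm the directive still treats this as one command; if it does not, keep the command on a single line and exempt it from the line-length check.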
@@ -375,7 +362,7 @@ the VyOS CLI.
In addition you will specifiy the IP address or FQDN for the client where it
will connect to. The address parameter can be used up to two times and is used
- to assign the client its specific IPv4 (/32) or IPv6 (/128) address.
+ to assign the clients specific IPv4 (/32) or IPv6 (/128) address.
.. figure:: /_static/images/wireguard_qrcode.jpg
:alt: WireGuard Client QR code
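Review bot: "to assign the clients specific IPv4 (/32) or IPv6 (/128) address" drops the possessive and reads worse than the line it replaces; keep "the client its specific" or write "the client's specific". The context line above still has "specifiy", which could be fixed in the same pass.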
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index eeb54401..f45101b5 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-26
.. _wireless-interface:
@@ -305,7 +305,7 @@ default physical device (``phy0``) is used.
set interfaces wireless wlan0 type station
set interfaces wireless wlan0 address dhcp
set interfaces wireless wlan0 ssid Test
- set interfaces wireless wlan0 security wpa
+ set interfaces wireless wlan0 security wpa passphrase '12345678'
Resulting in
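Review bot: the added "security wpa passphrase '12345678'" completes the command but puts a trivially guessable passphrase into an example that readers copy. Use an obvious placeholder such as '<passphrase>' or a visibly dummy long value instead.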
diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst
index 457445e3..45b18387 100644
--- a/docs/configuration/interfaces/wwan.rst
+++ b/docs/configuration/interfaces/wwan.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2022-08-26
+:lastproofread: 2023-01-27
.. _wwan-interface: