Enable/Disable WireGuard peer by CLI
-
What is the CLI command to enable and disable a WireGuard peer?
-
@simmarn , did you find an answer for this?
-
No.
-
@simmarn OK. I asked as I am looking for a similar answer, as is another user. I have got a little way, but I am not there yet. Check out https://forum.netgate.com/post/1116944.
-
SSH >> 8. Shell
wg show (find the peer, note the interface and peer key)
wg set <interface> peer <key> remove
NOTE: you are bypassing pfSense's control, so weird things may happen and you may hate life afterwards.
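The three steps above as a script, added here as an example and not code posted in the thread. It wraps the wg(8) calls from that post: locate the peer in the output of wg show <iface> dump, keep the fields that wg set <iface> peer <key> remove throws away (there is no "disable" in wg, only remove), and print the remove command plus the command that puts the peer back. The interface name tun_wg0, the keys, the endpoint and the addresses are placeholders; with WG_DRY_RUN=1 (the default) it reads a constructed dump instead of calling wg, so it runs without WireGuard installed.

```shell
#!/bin/sh
# Added example (not from the thread). Finds a peer in "wg show <iface> dump",
# saves the fields "wg set <iface> peer <key> remove" discards, and prints the
# remove and restore commands. WG_DRY_RUN=1 uses a constructed dump below.
WG_DRY_RUN="${WG_DRY_RUN:-1}"

# Constructed stand-in for `wg show tun_wg0 dump`. Line 1 is the interface
# (private key, public key, listen port, fwmark); each later line is a peer
# (public key, preshared key, endpoint, allowed-ips, latest-handshake,
# rx bytes, tx bytes, persistent-keepalive). Fields are tab separated and
# the keys are placeholders, not real WireGuard keys.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' '(hidden)' 'IFACEPUBKEYplaceholder=' 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PEER1PUBKEYplaceholder=' '(none)' \
        '203.0.113.10:51820' '10.6.0.2/32' 1700000000 1024 2048 25
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PEER2PUBKEYplaceholder=' '(none)' \
        '(none)' '10.6.0.3/32,192.0.2.0/24' 0 0 0 off
}

# Real or constructed dump for interface $1.
wg_dump() {
    if [ "$WG_DRY_RUN" = 1 ]; then sample_dump; else wg show "$1" dump; fi
}

# Peer public keys on interface $1, one per line.
list_peers() {
    wg_dump "$1" | awk -F '\t' 'NR > 1 { print $1 }'
}

# The tab-separated line for peer $2 on interface $1; fails if absent.
peer_line() {
    line=$(wg_dump "$1" | awk -F '\t' -v k="$2" 'NR > 1 && $1 == k { print; exit }')
    [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# "wg set" command that re-adds the peer with the same allowed-ips, endpoint
# and keepalive. wg never prints preshared keys, so one that was set must be
# restored from the pfSense configuration, not from this output.
peer_restore_cmd() {
    iface=$1; key=$2
    line=$(peer_line "$iface" "$key") || return 1
    endpoint=$(printf '%s\n' "$line" | cut -f3)
    allowed=$(printf '%s\n' "$line" | cut -f4)
    keepalive=$(printf '%s\n' "$line" | cut -f8)
    cmd="wg set $iface peer $key allowed-ips $allowed"
    [ "$endpoint" != "(none)" ] && cmd="$cmd endpoint $endpoint"
    [ "$keepalive" != "off" ] && cmd="$cmd persistent-keepalive $keepalive"
    printf '%s\n' "$cmd"
}

# The remove command; fails if the peer is not on the interface.
peer_remove_cmd() {
    peer_line "$1" "$2" >/dev/null || return 1
    printf 'wg set %s peer %s remove\n' "$1" "$2"
}

# Disable peer $2 on $1: append the restore command to $3 first, then remove.
# In dry-run mode the remove command is printed instead of executed.
disable_peer() {
    iface=$1; key=$2; restore_file=${3:-/tmp/wg-restore-$iface.sh}
    peer_restore_cmd "$iface" "$key" >> "$restore_file" || return 1
    if [ "$WG_DRY_RUN" = 1 ]; then
        peer_remove_cmd "$iface" "$key"
    else
        wg set "$iface" peer "$key" remove
    fi
}

# Usage when run directly: sh wg-peer.sh tun_wg0 <peer-public-key>
if [ $# -ge 2 ]; then disable_peer "$1" "$2"; fi
```

Running the restore file afterwards (sh /tmp/wg-restore-tun_wg0.sh) re-adds the peer in the running kernel state only; as the next post notes, anything done with wg is gone after a service or system restart, and the saved configuration is what pfSense reapplies.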
-
@JustAnotherUser Thanks. We carried on this conversation in the other post (https://forum.netgate.com/topic/181689/wireguard-config-over-ssh). Indeed, you can use the wg command to set some config, but this is ephemeral and does not persist across service or system restarts. You need to change the config.xml file to get stuff to persist.
FWIW, the pfSense instance(s) I use are for labs. They are automatically deployed from an image and destroyed after the lab session. Whilst pfSense is not designed for this type of automated configuration, for me, if it is possible to do, then it would be ideal. pfSense is an excellent tool for these situations, so automating some configuration tasks would be fantastic and enable our labs to be taken to a new level.
However, I think that WireGuard is simply not suitable for me as there is no way to automatically hand out peer tunnel IP addresses, which is a shame. It is just another configuration item that needs to be thought about, and this feels too much of a compromise.
-
If you are trying to automate WireGuard from the CLI, look at OpenWrt. It has WireGuard and is CLI configured.
Automatically creating WG config files should be pretty easy.
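A generator for the config files the previous two posts talk about, added here as an example and not code posted by either author. It hands out peer tunnel addresses itself from a sequential pool, which is the step the earlier post found missing, and writes the server-side [Peer] blocks and a complete client file in the standard wg-quick format that OpenWrt, pfSense and wg-quick all accept. Keys are taken as input rather than generated (normally wg genkey | tee client.key | wg pubkey), and the pool 10.6.0.0/24, the endpoint and all keys below are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Allocates tunnel addresses from a
# sequential pool and emits WireGuard config in [Interface]/[Peer] format.
# POOL_PREFIX and the keys used when running this are placeholders.

POOL_PREFIX="10.6.0"          # assumed tunnel network 10.6.0.0/24
SERVER_ADDR="$POOL_PREFIX.1"  # .1 is reserved for the server

# Peer number $1 (1-based) gets .2, .3, ...; fails past .254 instead of
# wrapping into the broadcast address or the next network.
alloc_ip() {
    host=$(($1 + 1))
    [ "$host" -ge 2 ] && [ "$host" -le 254 ] || return 1
    printf '%s.%s\n' "$POOL_PREFIX" "$host"
}

# Server-side [Peer] block: $1 = client public key, $2 = allocated address.
# AllowedIPs is a /32 so a client can only source its own tunnel address.
server_peer_block() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n\n' "$1" "$2"
}

# Complete client file: $1 = client private key, $2 = allocated address,
# $3 = server public key, $4 = server endpoint host:port.
client_config() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s/24\nPersistentKeepalive = 25\n' \
        "$3" "$4" "$POOL_PREFIX.0"
}

# Read "name pubkey" pairs on stdin, allocate addresses in order, print the
# server's [Peer] blocks, and record "name pubkey ip" lines in table $1 so
# the same client keeps the same address on the next run of the lab.
build_server_peers() {
    table=$1
    : > "$table"
    i=1
    while read -r name pubkey; do
        [ -n "$pubkey" ] || continue
        ip=$(alloc_ip "$i") || { echo "pool exhausted at $name" >&2; return 1; }
        printf '%s %s %s\n' "$name" "$pubkey" "$ip" >> "$table"
        printf '# %s\n' "$name"
        server_peer_block "$pubkey" "$ip"
        i=$((i + 1))
    done
}

# Usage when run directly: sh wg-gen.sh peers.txt alloc.txt > server-peers.conf
if [ $# -ge 2 ]; then build_server_peers "$2" < "$1"; fi
```

The server's own [Interface] section (PrivateKey, Address = 10.6.0.1/24, ListenPort) is static and can be kept in a template that the generated peer blocks are appended to; the allocation table is the piece that makes the address assignment repeatable across rebuilds.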
-
Thanks guys,
I have a WireGuard client set up like https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html with a gateway group that prefers routing over WireGuard (tun_wg0) and fails over to the normal WAN GW in case of WireGuard failure.
I have found that the best way of disabling WireGuard from the GUI is to disable the tun_wg0 interface. In that way traffic fails over to the WAN GW.
If I do the same in the CLI using ifconfig tun_wg0 down, the interface goes down, but traffic never fails over to the WAN GW. What is the CLI equivalent of disabling tun_wg0 in the GUI?