Netgate Discussion Forum

Enable/Disable WireGuard peer by CLI

8 Posts 3 Posters 3.0k Views
  • S
    simmarn
    last edited by simmarn Aug 15, 2021, 8:09 AM Aug 15, 2021, 8:09 AM

    What is the CLI command to enable and disable a WireGuard peer?

    S 1 Reply Last reply Jul 23, 2023, 2:31 PM Reply Quote 0
    • S
      swinster @simmarn
      last edited by Jul 23, 2023, 2:31 PM

      @simmarn , did you find an answer for this?

      1 Reply Last reply Reply Quote 0
      • S
        simmarn
        last edited by Jul 23, 2023, 3:35 PM

        No.

        S 1 Reply Last reply Jul 24, 2023, 12:02 AM Reply Quote 0
        • S
          swinster @simmarn
          last edited by swinster Jul 24, 2023, 12:03 AM Jul 24, 2023, 12:02 AM

          @simmarn OK. I asked as I am looking for a similar answer, as is another user. I have got a little way but not there yet. Check out https://forum.netgate.com/post/1116944.

          J 1 Reply Last reply Jul 30, 2023, 6:03 AM Reply Quote 1
          • J
            JustAnotherUser @swinster
            last edited by JustAnotherUser Jul 30, 2023, 6:04 AM Jul 30, 2023, 6:03 AM

            @swinster

            SSH >> 8. Shell

            wg show (find the peer, note the interface and peer key)
            wg set <interface> peer <key> remove

            NOTE: you are bypassing pfSense's control so weird things may happen and you may hate life afterwards.

            S 1 Reply Last reply Jul 30, 2023, 11:12 AM Reply Quote 0
            • S
              swinster @JustAnotherUser
              last edited by Jul 30, 2023, 11:12 AM

              @JustAnotherUser Thanks. We carried on this conversation in the other post (https://forum.netgate.com/topic/181689/wireguard-config-over-ssh). Indeed, you can use the wg command to set some config, but this is ephemeral and does not persist across service or system restarts. You need to change the config.xml file to get stuff to persist.

              FWIW, the pfSense instance(s) I use are for labs. They are automatically deployed from an image and destroyed after the lab session. Whilst pfSense is not designed for this type of automated configuration, for me, if it is possible to do, then it would be ideal. pfSense is an excellent tool for these situations, so automating some configuration tasks would be fantastic and enable our labs to be taken to a new level.

              However, I think that WireGuard is simply not suitable for me as there is no way to automatically hand out peer tunnel IP addresses, which is a shame. It is just another configuration item that needs to be thought about, and this feels too much of a compromise.

              1 Reply Last reply Reply Quote 0
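
The runtime "disable" and "enable" pair discussed in the two posts above, as an added example that is not code from any poster or from pfSense: it only prints the `wg` commands, building the re-add command from a copy of `wg show <interface> dump` saved before the removal. The dump text and all keys are constructed placeholders, `disable_cmd` and `enable_cmd` are hypothetical helper names, and, as the posts say, nothing here touches config.xml, so the change does not persist.

```shell
#!/bin/sh
# Added example (dry run): prints wg(8) commands, never executes them.
# SAMPLE_DUMP is constructed text in the layout of `wg show <interface> dump`:
# line 1 = interface; each later line = one peer with tab-separated fields
#   1 public-key  2 preshared-key  3 endpoint  4 allowed-ips
#   5 latest-handshake  6 transfer-rx  7 transfer-tx  8 persistent-keepalive
# All keys below are placeholders, not real WireGuard keys.
TAB=$(printf '\t')
SAMPLE_DUMP=$(printf '%s\n' \
  "IF_PRIVKEY${TAB}IF_PUBKEY${TAB}51820${TAB}off" \
  "PEER_A_PUBKEY${TAB}(none)${TAB}198.51.100.7:51820${TAB}10.6.0.2/32${TAB}1690700000${TAB}1024${TAB}2048${TAB}25" \
  "PEER_B_PUBKEY${TAB}(none)${TAB}(none)${TAB}10.6.0.3/32,fd00::3/128${TAB}0${TAB}0${TAB}0${TAB}off" \
  "PEER_C_PUBKEY${TAB}PSK_PLACEHOLDER${TAB}(none)${TAB}10.6.0.4/32${TAB}0${TAB}0${TAB}0${TAB}off")

# "Disable": the runtime removal quoted in the thread.
disable_cmd() {  # usage: disable_cmd <interface> <peer-key>
  printf 'wg set %s peer %s remove\n' "$1" "$2"
}

# "Enable": rebuild the peer from a dump saved BEFORE the removal.
# Exit 1 = peer not in the dump; exit 2 = peer has a preshared key, which
# wg set only accepts from a file, so it cannot be rebuilt from the dump alone.
enable_cmd() {  # usage: enable_cmd <interface> <peer-key> <saved-dump>
  printf '%s\n' "$3" | awk -F '\t' -v ifc="$1" -v key="$2" '
    NR > 1 && $1 == key {
      found = 1
      if ($2 != "(none)") exit 2
      cmd = "wg set " ifc " peer " key
      if ($4 != "(none)") cmd = cmd " allowed-ips " $4
      if ($3 != "(none)") cmd = cmd " endpoint " $3
      if ($8 != "off")    cmd = cmd " persistent-keepalive " $8
      print cmd
    }
    END { if (!found) exit 1 }'
}

# Demo: on a live system the dump would come from `wg show tun_wg0 dump`.
disable_cmd tun_wg0 PEER_A_PUBKEY
enable_cmd  tun_wg0 PEER_A_PUBKEY "$SAMPLE_DUMP"
```

The real dump output includes the interface private key and any preshared keys, so a saved copy should be readable by root only and deleted once the peer is restored.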
              • J
                JustAnotherUser
                last edited by Jul 30, 2023, 12:09 PM

                If you are trying to automate WireGuard from the CLI, look at OpenWrt. It has WireGuard and is CLI-configured.

                Automatically creating WG config files should be pretty easy.

                1 Reply Last reply Reply Quote 0
                • S
                  simmarn
                  last edited by Jul 30, 2023, 12:54 PM

                  Thanks guys,

                  I have a WireGuard client set up like https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html with a gateway group that prefers routing over WireGuard (tun_wg0) and fails over to the normal WAN GW in case of WireGuard failure.

                  I have found that the best way of disabling WireGuard from the GUI is to disable the tun_wg0 interface. That way, traffic fails over to the WAN GW.

                  If I do the same in the CLI using ifconfig tun_wg0 down, the interface goes down, but traffic never fails over to the WAN GW. What is the CLI equivalent of disabling tun_wg0 in the GUI?

                  1 Reply Last reply Reply Quote 1
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.