Netgate Discussion Forum

    Enable/Disable WireGuard peer by CLI

      simmarn

      What is the CLI command to enable and disable a WireGuard peer?

        swinster @simmarn

        @simmarn, did you find an answer for this?

          simmarn

          No.

            swinster @simmarn

            @simmarn OK. I asked as I am looking for a similar answer, as is another user. I have got a little way but not there yet. Check out https://forum.netgate.com/post/1116944.

              JustAnotherUser @swinster

              @swinster

              SSH >> 8. Shell

              wg show (find the peer, note the interface and peer key)
              wg set <interface> peer <key> remove

              NOTE: you are bypassing pfSense's control so weird things may happen and you may hate life afterwards.

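The wg commands from the post above, wrapped so that a peer removed at runtime can be put back later (an added example, not part of the original post). The function names, the WG override variable and the state file are assumptions made for this sketch; it only changes the running interface, so nothing here survives a service or system restart.

```shell
#!/bin/sh
# Added example, not from the thread. Runtime-only: it does not touch
# pfSense's config.xml, so the change is lost on a service or system restart.
WG=${WG:-wg}   # set WG=echo for a dry run that prints the wg arguments

# peer_disable IFACE PUBKEY STATEFILE
# Save the peer's line from `wg show IFACE dump`, then remove the peer.
peer_disable() {
    line=$("$WG" show "$1" dump | awk -F'\t' -v k="$2" 'NR > 1 && $1 == k') || return 1
    [ -n "$line" ] || return 1   # unknown peer: nothing to save or remove
    # The dump line can contain a preshared key, so keep the file private.
    ( umask 077; printf '%s\n' "$line" > "$3" ) || return 1
    "$WG" set "$1" peer "$2" remove
}

# peer_enable IFACE DUMP_LINE
# Re-add a peer from a saved dump line. Peer fields are tab-separated:
# public-key preshared-key endpoint allowed-ips handshake rx tx keepalive
# Returns 1 on a malformed line, 2 if the peer had a preshared key.
peer_enable() {
    iface=$1
    IFS=$(printf '\t') read -r pub psk endpoint allowed _hs _rx _tx keepalive <<EOF
$2
EOF
    # A public key is 32 bytes in base64: 44 characters.
    case $pub in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ "${#pub}" -eq 44 ] && [ -n "$keepalive" ] || return 1
    # wg set reads a preshared key from a file only; refuse instead of
    # silently re-adding the peer without it.
    [ "$psk" = "(none)" ] || return 2
    set -- set "$iface" peer "$pub"
    [ "$allowed" = "(none)" ] || set -- "$@" allowed-ips "$allowed"
    [ "$endpoint" = "(none)" ] || set -- "$@" endpoint "$endpoint"
    [ "$keepalive" = "off" ] || set -- "$@" persistent-keepalive "$keepalive"
    "$WG" "$@"
}

# Constructed sample: placeholder key (43 x "A" + "="), documentation addresses.
a=AAAAAAAAAA
SAMPLE_KEY="$a$a$a${a}AAA="
SAMPLE_LINE=$(printf '%s\t(none)\t198.51.100.7:51820\t10.6.0.2/32\t0\t0\t0\t25' "$SAMPLE_KEY")
# Dry run: WG=echo; peer_enable tun_wg0 "$SAMPLE_LINE"
```
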
                swinster @JustAnotherUser

                @JustAnotherUser Thanks. We carried on this conversation in the other post (https://forum.netgate.com/topic/181689/wireguard-config-over-ssh). Indeed, you can use the wg command to set some config, but this is ephemeral and does not persist across service or system restarts. You need to change the config.xml file to get stuff to persist.

                FWIW, the pfSense instance(s) I use are for labs. They are automatically deployed from an image and destroyed after the lab session. Whilst pfSense is not designed for this type of automated configuration, for me, if it is possible to do, then it would be ideal. pfSense is an excellent tool for these situations, so automating some configuration tasks would be fantastic and enable our labs to be taken to a new level.

                However, I think that WireGuard is simply not suitable for me as there is no way to automatically hand out peer tunnel IP addresses, which is a shame. It is just another configuration item that needs to be thought about, and this feels too much of a compromise.

                  JustAnotherUser

                  If you are trying to automate WireGuard from the CLI, look at OpenWRT. It has WireGuard and is CLI-configured.

                  Automatically creating WG config files should be pretty easy.

                    simmarn

                    Thanks guys,

                    I have a WireGuard client set up like https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html with a gateway group that prefers routing over WireGuard (tun_wg0) and fails over to normal WAN GW in case of WireGuard failure.

                    I have found that the best way of disabling WireGuard from GUI is to disable the tun_wg0 interface. In that way traffic fails over to WAN GW.

                    If I do the same in CLI using ifconfig tun_wg0 down, the interface goes down, but traffic never fails over to WAN GW. What is the CLI equivalent of disabling tun_wg0 in GUI?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.