Found an amazing tool for exporting WireGuard peers! (No more struggling)

pfSense_fireball

Hey everyone,

I wanted to share a fantastic resource I recently came across that has completely streamlined my setup. If you run WireGuard on pfSense, you probably know the headache that can come with trying to export peer configurations.

I stumbled onto this GitHub repo: https://github.com/3um3le3ee/pfSense-wireguard-peer-export

The WireGuard export feature it provides is absolutely amazing. It completely removes the struggle of exporting peers manually. When getting it set up.

It's been a massive time-saver for me, so I thought I'd drop the link here for anyone else who might be tired of doing it the hard way. Let me know if any of you have tried it out!

Cheers

keyser

@pfSense_fireball This is a really NICE addon that has been missing in pfSense for a long time.

@netgate Any chance you could ask the creator if the package could be included as part of either the package system itself or even as part of the initial install (like the IPsec and OpenVPN export utils are)?

Bob.Dig

@pfSense_fireball said in Found an amazing tool for exporting WireGuard peers! (No more struggling):

I recently came across

Must be very recently, your forum account is as old as this repo, a few days. It looks more like you are the creator.

pfSense_fireball

@Bob.Dig

@Bob.Dig said in Found an amazing tool for exporting WireGuard peers! (No more struggling):

Must be very recently, your forum account is as old as this repo, a few days. It looks more like you are the creator.

I really appreciate the compliment! Just to be clear up front though: I didn't make this! I recently had to rebuild my pfSense setup and happened to stumble on this absolute gem. After years of struggling with manual WireGuard configurations and wasting time troubleshooting peers, this tool is exactly what I’d been looking for. I actually made an account just to post it here. All credit goes to the original dev—I'm just passing along a massive time-saver!

Bob.Dig

@pfSense_fireball said in Found an amazing tool for exporting WireGuard peers! (No more struggling):

I actually made an account just to post it here.

There is no doubt about that.

3um3le3ee

Hi @pfSense_fireball,

Thanks for coming across my pfSense-wireguard-peer-export package and taking the time to post about it on here!

I’m jumping in to let you and the rest of the community know that based on some recent feedback, I have vastly simplified the installation process and hardened the feature set. The days of dealing with hacky shell scripts and Windows/Unix line-break errors are gone.

The tool is now distributed as a native FreeBSD .pkg. You can install it securely with a single command, and it can be cleanly uninstalled just like any standard package.

What the Package Does
For those who haven't seen it, this package bridges the gap between pfSense's powerful WireGuard backend and the ease-of-use you'd expect from a commercial VPN appliance. It gives you a dedicated dashboard to instantly provision peers and export their configurations.

Key Features:

Deep UI Integration: It seamlessly injects a "Peer Export" tab directly into the native pfSense WireGuard menus.

Auto-IP Discovery: No more checking which IPs are taken. The tool scans your tunnel's subnet and automatically calculates the next available IP address.

Client-Side Key Generation: Generates secure X25519 keypairs and Pre-Shared Keys (PSKs) instantly inside your browser using the WebCrypto API.

Multiple Export Options: Outputs configurations as a scannable QR code for mobile devices, a downloadable .conf file for desktops, or bulk ZIP downloads if you need to export an entire office's worth of peers at once.

PHP 8.x Ready: Fully patched for modern pfSense releases to prevent strict type/offset fatal errors.

Air-Gapped Security: The QR code generation library is bundled directly inside the package, meaning your firewall does not need active outbound internet access to render them.

How Simple it is to Use
The entire workflow is designed to take just a few seconds per device:

Navigate to VPN > WireGuard > Peer Export.

Click Add New Peer. The tool instantly auto-generates the crypto keys and fills in the next available IP address.

Give the peer a description (e.g., "John's iPhone").

Open the WireGuard app on your phone and scan the QR code right off your monitor.

Click Provision & Save to pfSense. The tool securely pushes the peer into the pfSense XML config and syncs the WireGuard service.

You're done! The peer is online.

You can grab the latest pre-compiled release and view the one-line install command over on the GitHub repo: https://github.com/3um3le3ee/pfSense-wireguard-peer-export

Thanks again to pfSense_fireball and everyone else providing feedback. Let me know if you run into any issues or have feature requests!

netblues

@3um3le3ee
Thanks for the detailed post.
Since you are at it, a big missing feature is confguration replication in active standby nodes in ha carp setup.
Wireguard has its (by design) issues on ha, however keeping the config in sync is a big pain.

pfsense is excluding wg from config replication (and for good reasons) however a more granular replication, at the app level would be beneficial.

pfblockerng (which also has many "knobs to push", also has its own replication settings, just to get some ideas too.

keyser

@3um3le3ee Really cool, now we just need it included in the official packaging system, so one does not have to side install it. Any chance you will apply for that?

3um3le3ee

@netblues

Thanks for the great suggestion!

Adding granular HA configuration replication (similar to how pfBlockerNG handles it) is a fantastic idea. It makes perfect sense to handle it at the app level, and it is definitely something I will be implementing within the next few updates.

I really appreciate the input! Keep an eye on my GitHub repo and this forum thread.

Thanks again!

3um3le3ee

@keyser

Getting this into the official pfSense package repository is definitely the ultimate goal.

However, I'm still in the very early stages of building this tool and have a lot of features I'm looking to add before I'd apply for official inclusion.

Right now, the biggest thing that will speed up that process is testing and input from the community. Having users like you run it through its paces, report bugs, and suggest features will really help me iron out the edge cases. Once the feature set is complete and I feel 100% comfortable with the stability of the code, I'll definitely be putting in the request to make it an official package.

Thanks again for the support!

Jarhead

@3um3le3ee wrong architecture: FreeBSD:14:amd64 instead of FreeBSD:15:amd64

Are you gonna make this available for 2.8.x?

3um3le3ee

@Jarhead

Thanks for the interest in my project! I'm working on a huge update ATM which is adding multiple new features alongside the ability to be installed on the latest version of pfSense/FreeBSD. Keep an eye on my GitHub repo and this forum thread.

3um3le3ee

This post is deleted!

3um3le3ee

I've just released v1.0.6 on GitHub. It is fully optimized and verified for pfSense CE 2.8.1 and FreeBSD 15.

What it does:
Instead of bouncing between 5 different screens, this package integrates directly into your native pfSense WireGuard UI and automates the heavy lifting.

Major Features in this Release:

1-Click Peer Provisioning: Enter a name, click save, and it instantly registers the peer in pfSense while handing you a ready-to-use .conf file and a 100% offline QR code.

Simplified Auto-Tunnel Wizard: Deploy entirely new tunnels in seconds. It automatically generates the required inbound/outbound firewall rules and dynamically injects Outbound NAT mappings.

HA Sync Wizard: Running a primary/backup cluster? The new wizard automatically punches the necessary firewall holes and pushes newly provisioned peers to your secondary node over XMLRPC.

Smart Endpoint Auto-Discovery: It automatically detects if your pfSense router is behind a Double NAT and fetches your true public IP, so cellular/5G clients don't drop.

Advanced Routing Control: Easy dropdowns for Full Tunnel vs. Split Tunnel (LAN-only) routing and custom DNS per peer.

keyser

@3um3le3ee This is really interesting work you are doing here :-)

REALLY hoping this get's vetted and included as an official package

3um3le3ee

@keyser said in Found an amazing tool for exporting WireGuard peers! (No more struggling):

@3um3le3ee This is really interesting work you are doing here :-)

REALLY hoping this get's vetted and included as an official package

Thanks so much for your continued support, and encouragement! It really means a lot to hear that the community is finding value in the project.

patient0

@3um3le3ee are you going to release the source code for it, too?

3um3le3ee

@patient0 said in Found an amazing tool for exporting WireGuard peers! (No more struggling):

@3um3le3ee are you going to release the source code for it, too?

Yes, absolutely! All code will be available on my GitHub as soon as possible. Since this is being deployed on a firewall, I agree that people should be able to see exactly what they are installing. In the meantime, you can simply extract the .pkg file and have a look at the scripts yourself!

pfSense_fireball

@3um3le3ee

I just saw the latest update and was actually about to post about it myself, but you beat me to it. This really is a game changer. You’ve made WireGuard on pfSense a total joy to use, the automated firewall and NAT creation has made this a complete tool in my book. I’m definitely up for testing, reporting bugs, and hopefully throwing some ideas your way for future versions. Thank you for all the hard work and for making this accessible to everyone.

3um3le3ee

What's New in v1.0.7

This release further expands the tool into a comprehensive WireGuard management suite, introducing identity synchronization, live telemetry, and advanced peer management features.

Expiration & Identity Sync Daemon: A dedicated background daemon automatically disables peers when they reach a configured expiration date and syncs with LDAP/Local User accounts to revoke VPN access if the system account is disabled or missing.

Live Telemetry & Monitoring: The main dashboard now displays live Receive (Rx) and Transmit (Tx) data usage metrics in megabytes for each connected peer.

Advanced Peer Management: Easily perform a "Key Rotation" to instantly revoke access and generate fresh keys, "Kill Connection" to drop a peer from the kernel, or "Delete Peer" to permanently erase them.

Configuration Delivery: Directly email .conf configuration files to end-users utilizing the native pfSense SMTP engine.

Bulk CSV Import: Rapidly mass-provision peers by pasting a list of names and IP addresses into the new Bulk CSV modal.

Global Security Policies: Administrators can enforce mandatory Pre-Shared Keys (PSK) for all new peers and configure fallback subnets for split tunneling.

Resilient HA Sync Wizard: Securely push peers to a backup node over XMLRPC with a new Strict TLS validation toggle. Failed sync attempts are automatically queued and retried by the background daemon.

Setup Wizard & Widget Upgrades: The Auto-Tunnel setup wizard now features an interface dropdown for explicit Outbound NAT mapping, and the dashboard widget has been upgraded to display total tunnels/peers alongside quick-action links.

https://github.com/3um3le3ee/pfSense-wireguard-peer-export