Found an amazing tool for exporting WireGuard peers! (No more struggling)
-
@Bob.Dig said in Found an amazing tool for exporting WireGuard peers! (No more struggling):
Must be very recently, your forum account is as old as this repo, a few days. It looks more like you are the creator.
I really appreciate the compliment! Just to be clear up front though: I didn't make this! I recently had to rebuild my pfSense setup and happened to stumble on this absolute gem. After years of struggling with manual WireGuard configurations and wasting time troubleshooting peers, this tool is exactly what I’d been looking for. I actually made an account just to post it here. All credit goes to the original dev—I'm just passing along a massive time-saver!

-
@pfSense_fireball said in Found an amazing tool for exporting WireGuard peers! (No more struggling):
I actually made an account just to post it here.
There is no doubt about that.
-
Thanks for coming across my pfSense-wireguard-peer-export package and taking the time to post about it on here!
I’m jumping in to let you and the rest of the community know that based on some recent feedback, I have vastly simplified the installation process and hardened the feature set. The days of dealing with hacky shell scripts and Windows/Unix line-break errors are gone.
The tool is now distributed as a native FreeBSD .pkg. You can install it securely with a single command, and it can be cleanly uninstalled just like any standard package.
What the Package Does
For those who haven't seen it, this package bridges the gap between pfSense's powerful WireGuard backend and the ease-of-use you'd expect from a commercial VPN appliance. It gives you a dedicated dashboard to instantly provision peers and export their configurations.
Key Features:
Deep UI Integration: It seamlessly injects a "Peer Export" tab directly into the native pfSense WireGuard menus.
Auto-IP Discovery: No more checking which IPs are taken. The tool scans your tunnel's subnet and automatically calculates the next available IP address.
Client-Side Key Generation: Generates secure X25519 keypairs and Pre-Shared Keys (PSKs) instantly inside your browser using the WebCrypto API.
Multiple Export Options: Outputs configurations as a scannable QR code for mobile devices, a downloadable .conf file for desktops, or bulk ZIP downloads if you need to export an entire office's worth of peers at once.
PHP 8.x Ready: Fully patched for modern pfSense releases to prevent strict type/offset fatal errors.
Air-Gapped Security: The QR code generation library is bundled directly inside the package, meaning your firewall does not need active outbound internet access to render them.
How Simple it is to Use
The entire workflow is designed to take just a few seconds per device:
Navigate to VPN > WireGuard > Peer Export.
Click Add New Peer. The tool instantly auto-generates the crypto keys and fills in the next available IP address.
Give the peer a description (e.g., "John's iPhone").
Open the WireGuard app on your phone and scan the QR code right off your monitor.
Click Provision & Save to pfSense. The tool securely pushes the peer into the pfSense XML config and syncs the WireGuard service.
You're done! The peer is online.
You can grab the latest pre-compiled release and view the one-line install command over on the GitHub repo: https://github.com/3um3le3ee/pfSense-wireguard-peer-export
Thanks again to pfSense_fireball and everyone else providing feedback. Let me know if you run into any issues or have feature requests!
-
@3um3le3ee
Thanks for the detailed post.
Since you are at it, a big missing feature is configuration replication in active standby nodes in an HA CARP setup.
WireGuard has its (by design) issues on HA, however keeping the config in sync is a big pain. pfSense is excluding WG from config replication (and for good reasons), however a more granular replication, at the app level, would be beneficial.
pfBlockerNG (which also has many "knobs to push") also has its own replication settings, just to get some ideas too.
-
@3um3le3ee Really cool, now we just need it included in the official packaging system, so one does not have to side install it. Any chance you will apply for that?
-
Thanks for the great suggestion!
Adding granular HA configuration replication (similar to how pfBlockerNG handles it) is a fantastic idea. It makes perfect sense to handle it at the app level, and it is definitely something I will be implementing within the next few updates.
I really appreciate the input! Keep an eye on my GitHub repo and this forum thread.
Thanks again!
-
Getting this into the official pfSense package repository is definitely the ultimate goal.
However, I'm still in the very early stages of building this tool and have a lot of features I'm looking to add before I'd apply for official inclusion.
Right now, the biggest thing that will speed up that process is testing and input from the community. Having users like you run it through its paces, report bugs, and suggest features will really help me iron out the edge cases. Once the feature set is complete and I feel 100% comfortable with the stability of the code, I'll definitely be putting in the request to make it an official package.
Thanks again for the support!
-
@3um3le3ee wrong architecture: FreeBSD:14:amd64 instead of FreeBSD:15:amd64
Are you gonna make this available for 2.8.x?
-
Thanks for the interest in my project! I'm working on a huge update ATM which is adding multiple new features alongside the ability to be installed on the latest version of pfSense/FreeBSD. Keep an eye on my GitHub repo and this forum thread.
-
I've just released v1.0.6 on GitHub. It is fully optimized and verified for pfSense CE 2.8.1 and FreeBSD 15.
What it does:
Instead of bouncing between 5 different screens, this package integrates directly into your native pfSense WireGuard UI and automates the heavy lifting.
Major Features in this Release:
1-Click Peer Provisioning: Enter a name, click save, and it instantly registers the peer in pfSense while handing you a ready-to-use .conf file and a 100% offline QR code.
Simplified Auto-Tunnel Wizard: Deploy entirely new tunnels in seconds. It automatically generates the required inbound/outbound firewall rules and dynamically injects Outbound NAT mappings.
HA Sync Wizard: Running a primary/backup cluster? The new wizard automatically punches the necessary firewall holes and pushes newly provisioned peers to your secondary node over XMLRPC.
Smart Endpoint Auto-Discovery: It automatically detects if your pfSense router is behind a Double NAT and fetches your true public IP, so cellular/5G clients don't drop.
Advanced Routing Control: Easy dropdowns for Full Tunnel vs. Split Tunnel (LAN-only) routing and custom DNS per peer.
-
@3um3le3ee This is really interesting work you are doing here :-)
REALLY hoping this gets vetted and included as an official package
-
@keyser said in Found an amazing tool for exporting WireGuard peers! (No more struggling):
@3um3le3ee This is really interesting work you are doing here :-)
REALLY hoping this gets vetted and included as an official package
Thanks so much for your continued support and encouragement! It really means a lot to hear that the community is finding value in the project.

-
@3um3le3ee are you going to release the source code for it, too?
-
@patient0 said in Found an amazing tool for exporting WireGuard peers! (No more struggling):
@3um3le3ee are you going to release the source code for it, too?
Yes, absolutely! All code will be available on my GitHub as soon as possible. Since this is being deployed on a firewall, I agree that people should be able to see exactly what they are installing. In the meantime, you can simply extract the .pkg file and have a look at the scripts yourself!
-
I just saw the latest update and was actually about to post about it myself, but you beat me to it. This really is a game changer. You’ve made WireGuard on pfSense a total joy to use, the automated firewall and NAT creation has made this a complete tool in my book. I’m definitely up for testing, reporting bugs, and hopefully throwing some ideas your way for future versions. Thank you for all the hard work and for making this accessible to everyone.
-
What's New in v1.0.7
This release further expands the tool into a comprehensive WireGuard management suite, introducing identity synchronization, live telemetry, and advanced peer management features.
Expiration & Identity Sync Daemon: A dedicated background daemon automatically disables peers when they reach a configured expiration date and syncs with LDAP/Local User accounts to revoke VPN access if the system account is disabled or missing.
Live Telemetry & Monitoring: The main dashboard now displays live Receive (Rx) and Transmit (Tx) data usage metrics in megabytes for each connected peer.
Advanced Peer Management: Easily perform a "Key Rotation" to instantly revoke access and generate fresh keys, "Kill Connection" to drop a peer from the kernel, or "Delete Peer" to permanently erase them.
Configuration Delivery: Directly email .conf configuration files to end-users utilizing the native pfSense SMTP engine.
Bulk CSV Import: Rapidly mass-provision peers by pasting a list of names and IP addresses into the new Bulk CSV modal.
Global Security Policies: Administrators can enforce mandatory Pre-Shared Keys (PSK) for all new peers and configure fallback subnets for split tunneling.
Resilient HA Sync Wizard: Securely push peers to a backup node over XMLRPC with a new Strict TLS validation toggle. Failed sync attempts are automatically queued and retried by the background daemon.
Setup Wizard & Widget Upgrades: The Auto-Tunnel setup wizard now features an interface dropdown for explicit Outbound NAT mapping, and the dashboard widget has been upgraded to display total tunnels/peers alongside quick-action links.
https://github.com/3um3le3ee/pfSense-wireguard-peer-export
-
New version 1.0.8 released.
Visual Telemetry & NOC Dashboard: A brand-new, dedicated Network Operations Center view.
Includes live bandwidth charts (Rx/Tx).
IP subnet exhaustion pie charts.
24-hour usage trend charts and a "top talkers" data table.
Dual-Stack IPv4/IPv6 Support: The Auto-Setup Wizard now handles IPv6-only or dual-stack tunnel configurations, including primary and secondary IP addressing.
Smart IP Allocation & Conflict Prevention: A new free-list allocator that intelligently fills IP gaps from deleted peers and proactively blocks provisioning if a conflict is detected.
Import .conf Files: Ability to upload existing WireGuard configuration files to automatically parse and pre-fill provisioning modals.
Auto-Update Checker: A configurable background service (Daily/Weekly/Never) that provides a "One-Click Download & Install" banner for new releases.
Self-Healing & Persistence:
Auto-Bootstrap: Ensures the tool survives pfSense firmware upgrades.
Pre-install Backups: Protects configurations during the update process.
UI Tab Healing: Aggressively maintains native menu integrity.
100% Offline Assets: Transitioned to locally hosted JavaScript libraries for QR codes and charts (no external CDN dependencies).
Enhancements to Existing Features
Identity Sync Daemon: While v1.0.7 introduced the daemon, v1.0.8 specifically adds the ad_sync: prefix logic for LDAP/Local User syncing and introduces bandwidth telemetry archiving.
HA Sync Wizard: Improvements to the background queue, moving from "automatically queued" to "automatically saved to a background queue" for more resilient retries.
Auto-Tunnel Setup Wizard: Explicitly labeled as a core new deployment feature in this version, expanding on the interface mapping introduced in the previous release to now include full key generation and firewall rule automation.
https://github.com/3um3le3ee/pfSense-wireguard-peer-export
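The "Auto-IP Discovery" and "Smart IP Allocation & Conflict Prevention" behaviour described in the release notes in this thread, sketched as an added example that is not part of the original posts and is not the package's code. The function names, peer names and addresses are constructed for illustration. The conflict check matters because WireGuard routes by AllowedIPs, so two peers claiming the same tunnel address cannot both receive traffic for it.

```python
import ipaddress

# Constructed sample data: tunnel interface address and each peer's AllowedIPs
# as they would appear on the server side. 10.6.210.4 is a gap left by a deleted peer.
TUNNEL = ipaddress.ip_interface("10.6.210.1/24")
PEERS = {
    "laptop": "10.6.210.2/32",
    "phone": "10.6.210.3/32",
    "tablet": "10.6.210.5/32, 192.168.50.0/24",  # also routes a LAN prefix
    "branch-office": "10.6.210.8/30",            # claims .8 through .11
}

def claimed_networks(peers, tunnel):
    """Return (peer, network) pairs for AllowedIPs that lie inside the tunnel subnet."""
    claimed = []
    for name, allowed in peers.items():
        for entry in allowed.split(","):
            net = ipaddress.ip_network(entry.strip(), strict=False)
            # Skip other address families and routed prefixes outside the tunnel.
            if net.version == tunnel.network.version and net.subnet_of(tunnel.network):
                claimed.append((name, net))
    return claimed

def conflict(candidate, tunnel, peers):
    """Return the owner of candidate if it is already taken, else None."""
    addr = ipaddress.ip_address(candidate)
    if addr not in tunnel.network:
        raise ValueError(f"{addr} is outside {tunnel.network}")
    if addr == tunnel.ip:
        return "(tunnel interface)"
    for name, net in claimed_networks(peers, tunnel):
        if addr in net:
            return name
    return None

def next_free(tunnel, peers):
    """Lowest unclaimed host address, so gaps from deleted peers are reused first."""
    claimed = claimed_networks(peers, tunnel)
    for host in tunnel.network.hosts():
        if host != tunnel.ip and not any(host in net for _, net in claimed):
            return host
    return None  # subnet exhausted: provisioning should be refused

if __name__ == "__main__":
    print("next free:", next_free(TUNNEL, PEERS))
    print("owner of 10.6.210.9:", conflict("10.6.210.9", TUNNEL, PEERS))
```
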
-
Just upgraded on pfSense v2.8.1 without any issue (WG with 4 tunnels and 17 peers).
Very nice dashboard.
Thank you for your work.
-
Thank you so much for using the tool and for the kind words! It really means a lot to me that you took the time out of your day to reach out and share your feedback. Hearing that your upgrade went smoothly is incredibly rewarding.
I'm thrilled to hear that you are liking the new dashboard, and I truly hope you continue to enjoy using the tool.
Cheers!