Found an amazing tool for exporting WireGuard peers! (No more struggling)
-
@3um3le3ee
Thanks for the detailed post.
Since you are at it, a big missing feature is configuration replication in active standby nodes in an HA CARP setup.
WireGuard has its (by design) issues on HA, however keeping the config in sync is a big pain. pfSense is excluding WG from config replication (and for good reasons), however a more granular replication, at the app level, would be beneficial.
pfBlockerNG (which also has many "knobs to push") also has its own replication settings, just to get some ideas too.
-
@3um3le3ee Really cool, now we just need it included in the official packaging system, so one does not have to side install it. Any chance you will apply for that?
-
Thanks for the great suggestion!
Adding granular HA configuration replication (similar to how pfBlockerNG handles it) is a fantastic idea. It makes perfect sense to handle it at the app level, and it is definitely something I will be implementing within the next few updates.
I really appreciate the input! Keep an eye on my GitHub repo and this forum thread.
Thanks again!
-
Getting this into the official pfSense package repository is definitely the ultimate goal.
However, I'm still in the very early stages of building this tool and have a lot of features I'm looking to add before I'd apply for official inclusion.
Right now, the biggest thing that will speed up that process is testing and input from the community. Having users like you run it through its paces, report bugs, and suggest features will really help me iron out the edge cases. Once the feature set is complete and I feel 100% comfortable with the stability of the code, I'll definitely be putting in the request to make it an official package.
Thanks again for the support!
-
@3um3le3ee wrong architecture: FreeBSD:14:amd64 instead of FreeBSD:15:amd64
Are you gonna make this available for 2.8.x?
-
Thanks for the interest in my project! I'm working on a huge update ATM which is adding multiple new features alongside the ability to be installed on the latest version of pfSense/FreeBSD. Keep an eye on my GitHub repo and this forum thread.
-
I've just released v1.0.6 on GitHub. It is fully optimized and verified for pfSense CE 2.8.1 and FreeBSD 15.
What it does:
Instead of bouncing between 5 different screens, this package integrates directly into your native pfSense WireGuard UI and automates the heavy lifting.
Major Features in this Release:
1-Click Peer Provisioning: Enter a name, click save, and it instantly registers the peer in pfSense while handing you a ready-to-use .conf file and a 100% offline QR code.
Simplified Auto-Tunnel Wizard: Deploy entirely new tunnels in seconds. It automatically generates the required inbound/outbound firewall rules and dynamically injects Outbound NAT mappings.
HA Sync Wizard: Running a primary/backup cluster? The new wizard automatically punches the necessary firewall holes and pushes newly provisioned peers to your secondary node over XMLRPC.
Smart Endpoint Auto-Discovery: It automatically detects if your pfSense router is behind a Double NAT and fetches your true public IP, so cellular/5G clients don't drop.
Advanced Routing Control: Easy dropdowns for Full Tunnel vs. Split Tunnel (LAN-only) routing and custom DNS per peer.
-
@3um3le3ee This is really interesting work you are doing here :-)
REALLY hoping this gets vetted and included as an official package
-
@keyser said in Found an amazing tool for exporting WireGuard peers! (No more struggling):
@3um3le3ee This is really interesting work you are doing here :-)
REALLY hoping this gets vetted and included as an official package
Thanks so much for your continued support and encouragement! It really means a lot to hear that the community is finding value in the project.

-
@3um3le3ee are you going to release the source code for it, too?
-
@patient0 said in Found an amazing tool for exporting WireGuard peers! (No more struggling):
@3um3le3ee are you going to release the source code for it, too?
Yes, absolutely! All code will be available on my GitHub as soon as possible. Since this is being deployed on a firewall, I agree that people should be able to see exactly what they are installing. In the meantime, you can simply extract the .pkg file and have a look at the scripts yourself!
-
I just saw the latest update and was actually about to post about it myself, but you beat me to it. This really is a game changer. You’ve made WireGuard on pfSense a total joy to use, the automated firewall and NAT creation has made this a complete tool in my book. I’m definitely up for testing, reporting bugs, and hopefully throwing some ideas your way for future versions. Thank you for all the hard work and for making this accessible to everyone.
-
What's New in v1.0.7
This release further expands the tool into a comprehensive WireGuard management suite, introducing identity synchronization, live telemetry, and advanced peer management features.
Expiration & Identity Sync Daemon: A dedicated background daemon automatically disables peers when they reach a configured expiration date and syncs with LDAP/Local User accounts to revoke VPN access if the system account is disabled or missing.
Live Telemetry & Monitoring: The main dashboard now displays live Receive (Rx) and Transmit (Tx) data usage metrics in megabytes for each connected peer.
Advanced Peer Management: Easily perform a "Key Rotation" to instantly revoke access and generate fresh keys, "Kill Connection" to drop a peer from the kernel, or "Delete Peer" to permanently erase them.
Configuration Delivery: Directly email .conf configuration files to end-users utilizing the native pfSense SMTP engine.
Bulk CSV Import: Rapidly mass-provision peers by pasting a list of names and IP addresses into the new Bulk CSV modal.
Global Security Policies: Administrators can enforce mandatory Pre-Shared Keys (PSK) for all new peers and configure fallback subnets for split tunneling.
Resilient HA Sync Wizard: Securely push peers to a backup node over XMLRPC with a new Strict TLS validation toggle. Failed sync attempts are automatically queued and retried by the background daemon.
Setup Wizard & Widget Upgrades: The Auto-Tunnel setup wizard now features an interface dropdown for explicit Outbound NAT mapping, and the dashboard widget has been upgraded to display total tunnels/peers alongside quick-action links.
https://github.com/3um3le3ee/pfSense-wireguard-peer-export
-
New version 1.0.8 released.
Visual Telemetry & NOC Dashboard: A brand-new, dedicated Network Operations Center view.
Includes live bandwidth charts (Rx/Tx).
IP subnet exhaustion pie charts.
24-hour usage trend charts and a "top talkers" data table.
Dual-Stack IPv4/IPv6 Support: The Auto-Setup Wizard now handles IPv6-only or dual-stack tunnel configurations, including primary and secondary IP addressing.
Smart IP Allocation & Conflict Prevention: A new free-list allocator that intelligently fills IP gaps from deleted peers and proactively blocks provisioning if a conflict is detected.
Import .conf Files: Ability to upload existing WireGuard configuration files to automatically parse and pre-fill provisioning modals.
Auto-Update Checker: A configurable background service (Daily/Weekly/Never) that provides a "One-Click Download & Install" banner for new releases.
Self-Healing & Persistence:
Auto-Bootstrap: Ensures the tool survives pfSense firmware upgrades.
Pre-install Backups: Protects configurations during the update process.
UI Tab Healing: Aggressively maintains native menu integrity.
100% Offline Assets: Transitioned to locally hosted JavaScript libraries for QR codes and charts (no external CDN dependencies).
Enhancements to Existing Features
Identity Sync Daemon: While v1.0.7 introduced the daemon, v1.0.8 specifically adds the ad_sync: prefix logic for LDAP/Local User syncing and introduces bandwidth telemetry archiving.
HA Sync Wizard: Improvements to the background queue, moving from "automatically queued" to "automatically saved to a background queue" for more resilient retries.
Auto-Tunnel Setup Wizard: Explicitly labeled as a core new deployment feature in this version, expanding on the interface mapping introduced in the previous release to now include full key generation and firewall rule automation.
https://github.com/3um3le3ee/pfSense-wireguard-peer-export
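
Added example, not part of the thread and not the tool's own code: one simple way to get the gap-filling and conflict-blocking behaviour described under "Smart IP Allocation & Conflict Prevention", using a lowest-free-address scan over the tunnel subnet. The tunnel address, peer list and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: tunnel interface address and each peer's AllowedIPs.
TUNNEL = "10.6.210.1/24"
PEERS = [
    "10.6.210.2/32",
    "10.6.210.3/32, fd00:6:210::3/128",   # dual-stack peer
    "10.6.210.5/32, 192.168.50.0/24",     # site-to-site peer with a routed LAN
]

def parse_allowed(entries):
    """Flatten comma-separated AllowedIPs strings into network objects."""
    nets = []
    for entry in entries:
        for part in entry.split(","):
            part = part.strip()
            if part:
                nets.append(ipaddress.ip_network(part, strict=False))
    return nets

def find_conflict(candidate, tunnel_address, used):
    """Return a reason string if candidate must not be provisioned, else None."""
    iface = ipaddress.ip_interface(tunnel_address)
    cand = ipaddress.ip_network(candidate, strict=False)
    # Version check first: subnet_of() raises on mixed IPv4/IPv6 operands.
    if cand.version != iface.version or not cand.subnet_of(iface.network):
        return "outside tunnel subnet"
    if iface.ip in cand:
        return "collides with tunnel interface address"
    for net in used:
        if net.version == cand.version and net.overlaps(cand):
            return f"overlaps existing peer {net}"
    return None

def next_free(tunnel_address, used):
    """Lowest unused host address in the tunnel subnet, so gaps left by
    deleted peers are reused before the range grows."""
    iface = ipaddress.ip_interface(tunnel_address)
    for host in iface.network.hosts():
        if find_conflict(str(host), tunnel_address, used) is None:
            return host
    raise RuntimeError("tunnel subnet exhausted")

if __name__ == "__main__":
    used = parse_allowed(PEERS)
    print("next free:", next_free(TUNNEL, used))
    print("10.6.210.3:", find_conflict("10.6.210.3", TUNNEL, used))
```

Running the overlap check against every existing AllowedIPs entry, not only the /32 tunnel addresses, also catches a new peer address that falls inside a range already routed to another peer.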
-
Just upgraded on pfSense v2.8.1 without any issue (WG with 4 tunnels and 17 peers).
Very nice dashboard.
Thank you for your work.
-
Thank you so much for using the tool and for the kind words! It really means a lot to me that you took the time out of your day to reach out and share your feedback. Hearing that your upgrade went smoothly is incredibly rewarding.
I'm thrilled to hear that you are liking the new dashboard, and I truly hope you continue to enjoy using the tool.
Cheers!
-
Hi, just to share some info, installing on pfSense+ 26.03-RELEASE clean:
- pkg add runs ok.
- "Export" tab crashes with "PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /usr/local/www/wg/vpn_wg_export.php:1375"
- pkg delete does not properly remove the package.
WG Suite v1.0.8 seems not to be compatible with pfSense+ v26.03.
-
What's New in Version 1.0.9
Namespace Isolation (Bulletproof Uninstalls): A massive under-the-hood architectural upgrade. All custom UI files and tools are now securely sandboxed in a dedicated /wgx/ directory rather than injecting directly into the native WireGuard folders. This ensures that uninstalling the tool is 100% safe and will never conflict with or break your native pfSense WireGuard GUI.
Zero-Touch Site-to-Site (S2S) Deployment: A powerful new wizard allows you to instantly deploy a mesh/bridge tunnel between two pfSense firewalls. Simply enter the remote firewall's credentials, and the suite handles key generation, interface mapping, firewall rules, and routing on both sides simultaneously via XMLRPC.
Automated Bandwidth Throttling (QoS Alias): The background telemetry daemon now actively monitors total data usage (Rx+Tx) per peer. If a peer exceeds your configured soft cap limit, they are automatically placed into a dynamic WGX_THROTTLED pfSense Alias, allowing you to easily apply pfSense traffic shapers or block rules.
Time-Based Access Scheduling: Restrict peer access based on dynamic time schedules during provisioning. You can now easily limit specific peers to "Business Hours" (Mon-Fri, 09:00-17:00) or "Weekends Only," which is actively enforced by the expiration daemon.
FRR OSPF Dynamic Routing Injection: Advanced users deploying new tunnels via the Setup Wizard can now check a box to automatically inject the new interface into the pfSense FRR OSPF package, broadcasting the new routes across your mesh network instantly.
Dedicated System Audit Trail: A brand-new Audit tab has been added to the top menu. This page filters your native pfSense system logs to provide a clean, searchable history of all WireGuard Suite actions, including peer creations, deletions, key rotations, and S2S deployments.
Hall of Fame / Credits Page: A dedicated credits page accessed directly from the footer, recognizing the community testers and supporters who helped refine the suite.
-
@3um3le3ee What about pfSense+ v26.03?