OPNsense Forum

English Forums => General Discussion => Topic started by: cdavis on January 22, 2024, 01:52:54 PM

Title: What is correct way to shutdown wireguard via cli?
Post by: cdavis on January 22, 2024, 01:52:54 PM
I am trying to get wireguard to honor the CARP status of my interfaces. See https://forum.opnsense.org/index.php?topic=38103.0 for a description of my issues.

I am now trying to use a custom script in syshook.d/carp but pluginctl isn't working as I would expect. Wireguard is not stopping even though it is being requested. What is the proper way to shut down wireguard from the cli?

Below is an example of what I am experiencing where I submit the command to shut down wireguard but its status remains "running".

root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/sbin/pluginctl -s wireguard status
wireguard[846d1fe6-cb46-4f32-8ca8-dcc31f9ff267] is running.

root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/sbin/pluginctl -s wireguard stop
Service `wireguard[846d1fe6-cb46-4f32-8ca8-dcc31f9ff267]' has been stopped.

root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/sbin/pluginctl -s wireguard status
wireguard[846d1fe6-cb46-4f32-8ca8-dcc31f9ff267] is running.

Title: Re: What is correct way to shutdown wireguard via cli?
Post by: Monviech (Cedrik) on January 22, 2024, 03:39:44 PM
Maybe you can use the actions:
https://github.com/opnsense/core/blob/master/src/opnsense/service/conf/actions.d/actions_wireguard.conf

They can be called with configctl, e.g.:

configctl wireguard stop

The configctl Actions call this script:
https://github.com/opnsense/core/blob/98878a9eb90c1150b232bfbc7e9a012a3e3462a0/src/opnsense/scripts/Wireguard/wg-service-control.php

Title: Re: What is correct way to shutdown wireguard via cli?
Post by: cdavis on January 22, 2024, 04:35:47 PM
Thanks for the suggestion. I am not sure if I am doing something wrong or have a major misconfiguration. Even with the wg-service-control.php script wg remains running:

root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/opnsense/scripts/Wireguard/wg-service-control.php -a stop
root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/sbin/pluginctl -s wireguard status
wireguard[846d1fe6-cb46-4f32-8ca8-dcc31f9ff267] is running.

Title: Re: What is correct way to shutdown wireguard via cli?
Post by: Monviech (Cedrik) on January 22, 2024, 05:38:15 PM
Well, it expects an input parameter, as you see with "%s" in the actions.

So you have to pass it the UUID after the stop; it's the number you see next to your wireguard instance.

Also, it's better if you use configctl directly and not call the script manually.

Title: Re: What is correct way to shutdown wireguard via cli?
Post by: cdavis on January 22, 2024, 05:58:08 PM
Thanks, I will make a call to configctl in my script. wg-service-control.php allows for -a for all instances.

The wg-service-control.php script downs the wg interface, which I believe means that the following is not indicative of a specific instance being available for wg peers.

/usr/local/sbin/pluginctl -s wireguard status

Using the below code to see if wg is listening on the configured UDP port indicates my script is now working as expected.

sockstat -l -4

Thanks for your help!
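
The check described in the post above (looking for the WireGuard UDP port in `sockstat -l -4` output instead of relying on `pluginctl -s wireguard status`), written out as an added example that is not part of any forum post or of OPNsense itself. The function names, port 51820 and the sample sockstat output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `sockstat -l -4` output whether a UDP port is
# still bound. Function names, port and sample data are constructed.

# udp_port_bound PORT   (reads sockstat output on stdin)
# Exit 0 if a udp socket has PORT as local port, 1 if none, 2 on a bad PORT.
udp_port_bound() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;              # accept a plain number only
    esac
    awk -v port="$1" '
        $1 == "USER" { next }                 # skip the header row
        $5 ~ /^udp/ {                         # PROTO column, e.g. udp4
            n = split($6, part, ":")          # LOCAL ADDRESS is addr:port
            if (part[n] == port) found = 1    # whole-port match, no substrings
        }
        END { exit(found ? 0 : 1) }
    '
}

# wg_port_state PORT -> prints listening, closed or invalid (for a hook or log)
wg_port_state() {
    if udp_port_bound "$1"; then
        echo listening
    elif [ $? -eq 1 ]; then
        echo closed
    else
        echo invalid
        return 2
    fi
}

# Constructed sample, tunnel up. The "?" row stands for a socket that has no
# owning process, so the match must not depend on the COMMAND column.
SAMPLE_UP='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1021  4  tcp4   *:22                  *:*
unbound  unbound    733   5  udp4   *:53                  *:*
?        ?          ?     ?  udp4   *:51820               *:*'

# Constructed sample, tunnel down: tcp4 *:51820 and udp4 *:5182 must not count.
SAMPLE_DOWN='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      900   6  tcp4   *:51820               *:*
root     demo       901   3  udp4   *:5182                *:*'

# On the firewall:  sockstat -l -4 | wg_port_state 51820
```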

Title: Re: What is correct way to shutdown wireguard via cli?
Post by: ashlevoyed on January 23, 2024, 10:16:54 PM
Quote from: Monviech on January 22, 2024, 03:39:44 PM
Maybe you can use the actions:
https://github.com/opnsense/core/blob/master/src/opnsense/service/conf/actions.d/actions_wireguard.conf

They can be called with configctl, e.g.:

configctl wireguard stop

The configctl Actions call this script:
https://github.com/opnsense/core/blob/98878a9eb90c1150b232bfbc7e9a012a3e3462a0/src/opnsense/scripts/Wireguard/wg-service-control.php

This is exactly what you need. Thank you.