What is correct way to shutdown wireguard via cli?

cdavis · January 22, 2024, 01:52:54 PM

I am trying to get wireguard to honor the CARP status of my interfaces. See https://forum.opnsense.org/index.php?topic=38103.0 for a description of my issues.

I am now trying to use a custom script in syshook.d/carp but pluginctl isn't working as I would expect. Wireguard is not stopping even though it is being requested. What is the proper way to shutdown wireguard from the cli?

Below is an example of what I am experiencing where I submit the command to shutdown wireguard but its status remains "running".

Code Select

root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/sbin/pluginctl -s wireguard status
wireguard[846d1fe6-cb46-4f32-8ca8-dcc31f9ff267] is running.

root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/sbin/pluginctl -s wireguard stop
Service `wireguard[846d1fe6-cb46-4f32-8ca8-dcc31f9ff267]' has been stopped.

root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/sbin/pluginctl -s wireguard status
wireguard[846d1fe6-cb46-4f32-8ca8-dcc31f9ff267] is running.

Monviech (Cedrik) · January 22, 2024, 03:39:44 PM

Maybe you can use the actions:
https://github.com/opnsense/core/blob/master/src/opnsense/service/conf/actions.d/actions_wireguard.conf

They can be called with configctl, e.g.:

configctl wireguard stop

The configctl Actions call this script:
https://github.com/opnsense/core/blob/98878a9eb90c1150b232bfbc7e9a012a3e3462a0/src/opnsense/scripts/Wireguard/wg-service-control.php

cdavis · January 22, 2024, 04:35:47 PM

Thanks for the suggestion. I am not sure if I am doing something wrong or have a major misconfiguration. Even with the wg-service-control.php script wg remains running:

Code Select

root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/opnsense/scripts/Wireguard/wg-service-control.php -a stop
root@OPNsenseMaster:/usr/local/etc/rc.syshook.d/carp # /usr/local/sbin/pluginctl -s wireguard status
wireguard[846d1fe6-cb46-4f32-8ca8-dcc31f9ff267] is running.

Monviech (Cedrik) · January 22, 2024, 05:38:15 PM

Well it expects an input parameter as you see with "%s" in the actions.

So you have to pass it the UUID after the stop, its the number you see next to your wireguard instance.

Also its better if you use configctl directly and not call the script manually.

cdavis · January 22, 2024, 05:58:08 PM

Thanks, I will make a call to configctl in my script. wg-service-control.php allows for -a for all instances.

The wg-sevice-control.php script downs the wg interface, which I believe means that the following is not indicative of a specific instance being available for wg peers.

Code Select

/usr/local/sbin/pluginctl -s wireguard status

Using the below code to see if wg is listening on the configured UDP port indicates my script is now working as expected.

Code Select

sockstat -l -4

Thanks for your help!

ashlevoyed · January 23, 2024, 10:16:54 PM

Quote from: Monviech on January 22, 2024, 03:39:44 PM
Maybe you can use the actions:
https://github.com/opnsense/core/blob/master/src/opnsense/service/conf/actions.d/actions_wireguard.conf

They can be called with configctl, e.g.:

configctl wireguard stop

The configctl Actions call this script:
https://github.com/opnsense/core/blob/98878a9eb90c1150b232bfbc7e9a012a3e3462a0/src/opnsense/scripts/Wireguard/wg-service-control.php

This is exactly what you need. Thank you

What is correct way to shutdown wireguard via cli?

cdavis

January 22, 2024, 01:52:54 PM Last Edit: January 22, 2024, 04:36:06 PM by cdavis

Monviech (Cedrik)

January 22, 2024, 03:39:44 PM #1

cdavis

January 22, 2024, 04:35:47 PM #2

Monviech (Cedrik)

January 22, 2024, 05:38:15 PM #3

cdavis

January 22, 2024, 05:58:08 PM #4

ashlevoyed

January 23, 2024, 10:16:54 PM #5