WireGuard Exporter Tool

Started by NEOSA, October 29, 2025, 02:25:14 PM

Hi all@Community,

I'm quite a newbie with WireGuard + OPNsense, but my first setups are working fine (for the moment, only in Roadwarrior Tunnel Mode). I can reach the Endpoint, use all devices allowed from the tunnel to the destination LAN, etc.

My question is about the Peer Generator: I've been able to generate some peers and copy/paste the configuration on the Roadwarrior side to use the VPN.

But OPNsense + WireGuard does not have any Export function, like we have with OpenVPN.

I consulted an AI a little to get opinions; the recommended solution is using the API + a shell script. My customers are relatively small companies, and my intent is not to use the API.

For sure, I can copy/paste each generated Peer configuration manually into some .conf files (not so time-consuming), but an Export function would be a nice feature ;-)

Any feedback will be appreciated.

I mean you could use OpenVPN instead; in the business edition it's even integrated into a user portal, and you can optionally use LDAP authentication and 2FA.

https://docs.opnsense.org/vendor/deciso/userportal.html

Compared to WireGuard, OpenVPN just fits more for business-oriented roadwarrior setups.
Hardware:
DEC740

I don't understand why there isn't an export button for the conf files. If you don't copy/paste during peer creation, you're out of luck.
You can't even build the conf file from the information in the peer details. No access to the Private Key.

Quote from: JMini on December 11, 2025, 05:12:46 AM
You can't even build the conf file from the information in the peer details. No access to the Private Key

The private key should be created on the peer and never leave the peer. That's why it's called "private". The instance on OPNsense only needs the public key of every peer so that's what is saved in the configuration.

There are no clients and servers in WireGuard. It's all peers.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Wireguard - the simple alternative to IPsec and OpenVPN, until it isn't TM
Hardware:
DEC740

Quote from: Monviech (Cedrik) on December 11, 2025, 09:39:16 AM
Wireguard - the simple alternative to IPsec and OpenVPN

Oh, it absolutely is for gateway to gateway setups. I love it.

Quote from: Monviech (Cedrik) on December 11, 2025, 09:39:16 AM
until it isn't TM

It does not scale well for road warrior use. That's why we keep OpenVPN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yeah, the slab is at the use case. If you just need a tunnel it's awesome; if you need a roadwarrior setup for even 10+ users that is also not a security risk when the WG profile is extracted, OpenVPN or IPsec are the way. It's also a management nightmare at anything more than a few users.
Hardware:
DEC740

It's only a few (6 max) remote users.

The Private key appears in the conf file on peer creation. Once you leave that screen, it's found nowhere else. So it's not just on the server (instance).

You should create the private/public key pair on the "client" and the private key should never leave the client. That's how WireGuard is intended to be set up. I don't understand why OPNsense provides a "peer generator" at all.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)