I’m looking to automate/script my pfsense wireguard tunnels so that each wireguard tunnel only goes up if there are one or more clients connected to the subnet associated with that tunnel and goes down once all clients have disconnected. I was wondering if there is already a plugin that accomplishes this or can be adapted, otherwise what is best practice for running scripts on the pfsense box?

My initial thought was to have a cronjob monitor the various DHCP servers for each subnet, then initiate a script to connect the associated wireguard tunnel if it detects any active DHCP leases on that subnet.

I have multiple subnets on this box, each with its own wireguard gateway. I like the idea of only making the VPN connection if there is a client calling for it.

  • brownmustardminion@lemmy.ml (OP) · 2 days ago

    That’s a really good point. Thank you.

    ISC DHCP is still used though it may be phased out in a future update. I’m going to take your approach and see how it goes.

    • Also, if you’re using anything with a static IP, monitoring the DHCP obviously won’t work.
      If you got any of those, I’d recommend doing a static DHCP reservation, where the host is still using DHCP, but always gets the same IP.
      I’m not sure how these are handled with regard to the commits hook though.
      Maybe monitoring the ARP table can be useful to you depending on your use case, but then that’s back to a “polling” scenario instead of being event based.
      Actually you could have multiple triggers:

      • Event based hook from the DHCP
      • Polling the ARP table or even pinging a specific static host that isn’t DHCP compatible
      • microphone based detection: When someone in your household yells that it doesn’t work again, bring it up.

      Anyway, calling it from the hook or cronjob kinda becomes an “or” condition for bringing it up: Any one host brings it up, regardless of how you detect them.

      But then you likely still need an “and” condition when bringing it down: All conditions/hosts must be down for a period of time to bring it down.

      Also consider future troubleshooting. Maybe having some sort of toggle to force it up (and disable the wgdown scripts) if only for confirming a hypothesis during a future problem.

      Have fun
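As an added example (not code from either poster, and not part of any pfSense package), here is one shape the OP's cron-driven script could take that also covers the points raised in the reply: an "or" condition on the way up (any active lease, any resolved ARP entry for a static host, or a force-up flag file), an "and" condition on the way down (no client seen for a grace period), and a per-tunnel toggle for troubleshooting. The lease-file path, the `tun_wgN` interface names and the use of `ifconfig` to raise or lower the tunnel are assumptions for a FreeBSD-based pfSense box; the sample lease and ARP data are constructed so the parsing can be exercised without a firewall.

```shell
#!/bin/sh
# wg-ondemand.sh: bring a WireGuard tunnel up when any client is seen on its subnet,
# and down only after every client has been absent for GRACE seconds.
# Example written for this thread; paths and tunnel commands are assumptions.
LEASES=${LEASES:-/var/dhcpd/var/db/dhcpd.leases}   # assumed ISC dhcpd lease DB location
STATE_DIR=${STATE_DIR:-/var/run/wg-ondemand}        # last-seen timestamps and force-up flags
GRACE=${GRACE:-600}                                 # idle seconds before a tunnel is taken down

# Count IPs under prefix $2 (e.g. "10.10.1.") whose *latest* lease record in $1 is active.
# dhcpd.leases is append-only, so the last record for an IP is the one that counts.
count_active_leases() {
    awk -v prefix="$2" '
        $1 == "lease" { ip = $2 }
        $1 == "binding" && $2 == "state" { sub(/;$/, "", $3); state[ip] = $3 }
        END { n = 0; for (ip in state) if (index(ip, prefix) == 1 && state[ip] == "active") n++; print n }
    ' "$1"
}

# Count resolved (non-incomplete) ARP entries under prefix $2 in saved `arp -an` output $1.
# This is what catches static-IP hosts that never talk to the DHCP server.
count_arp_hosts() {
    grep -F "($2" "$1" | grep -vc incomplete || true
}

# decide_action CUR_STATE CLIENTS_NOW FORCED IDLE_SECS GRACE -> up | down | keep
# "or" on the way up (any client, or the force flag); "and" on the way down (nobody for GRACE).
decide_action() {
    if [ "$3" = "1" ] || [ "$2" -gt 0 ]; then
        if [ "$1" = "up" ]; then echo keep; else echo up; fi
    elif [ "$4" -ge "$5" ]; then
        if [ "$1" = "down" ]; then echo keep; else echo down; fi
    else
        echo keep
    fi
}

# Tunnel control: toggling the tun_wgN interface with ifconfig is an assumption; swap in
# whatever your pfSense WireGuard package actually expects.
tunnel_is_up() { ifconfig "$1" 2>/dev/null | grep -q 'flags=.*UP'; }
tunnel_up()    { logger -t wg-ondemand "$1: client seen, bringing tunnel up"; ifconfig "$1" up; }
tunnel_down()  { logger -t wg-ondemand "$1: idle ${GRACE}s, bringing tunnel down"; ifconfig "$1" down; }

# check_subnet PREFIX WG_INTERFACE: one evaluation, callable from cron or a DHCP commit hook.
check_subnet() {
    mkdir -p "$STATE_DIR"
    arpfile=$(mktemp); arp -an > "$arpfile"
    seen=$(( $(count_active_leases "$LEASES" "$1") + $(count_arp_hosts "$arpfile" "$1") ))
    rm -f "$arpfile"
    now=$(date +%s)
    if [ "$seen" -gt 0 ]; then echo "$now" > "$STATE_DIR/$2.last_seen"; fi
    last=$(cat "$STATE_DIR/$2.last_seen" 2>/dev/null || echo "$now")
    forced=0
    if [ -e "$STATE_DIR/$2.force_up" ]; then forced=1; fi   # touch this file to pin the tunnel up
    if tunnel_is_up "$2"; then cur=up; else cur=down; fi
    case $(decide_action "$cur" "$seen" "$forced" $((now - last)) "$GRACE") in
        up)   tunnel_up "$2" ;;
        down) tunnel_down "$2" ;;
    esac
}

# Constructed sample data (not real leases): 10.10.1.50 was active and then released, so only
# 10.10.1.51 counts on 10.10.1.x; 10.10.1.60 is an unresolved ARP entry and must be ignored.
write_sample_leases() {
    cat > "$1" <<'EOF'
lease 10.10.1.50 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.10.1.51 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.10.1.50 {
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.10.2.20 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
EOF
}
write_sample_arp() {
    cat > "$1" <<'EOF'
? (10.10.1.51) at 00:11:22:33:44:66 on igc1 expires in 1180 seconds [ethernet]
? (10.10.1.60) at (incomplete) on igc1 expired [ethernet]
? (10.10.2.20) at 00:11:22:33:44:77 on igc2 expires in 900 seconds [ethernet]
EOF
}

# Usage: one check_subnet line per subnet/tunnel pair; run "wg-ondemand.sh run" every minute from cron.
case "${1:-}" in
    run) check_subnet 10.10.1. tun_wg0; check_subnet 10.10.2. tun_wg1 ;;
esac
```

The grace period is what turns the "and" condition into something usable: a laptop that renews its lease or drops off ARP for a minute should not bounce the tunnel, so the tunnel only comes down once `now - last_seen` exceeds `GRACE`. Touching `$STATE_DIR/tun_wg0.force_up` pins that tunnel up regardless of what the lease and ARP checks see, which is the troubleshooting toggle suggested above.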