Revoke/delete Wireguard peer?

I’m currently evaluating if I’m going to use the linuxserver/wireguard Docker image to replace an OpenVPN server setup. I read the documentation on Docker Hub, but that documentation isn’t clear about how to revoke or delete a peer in server mode.

What should I do in case an existing client or peer needs to be revoked without the need to regenerate new keys for other clients? I’m thinking of scenarios such as a stolen device, or a person who should no longer have VPN access (e.g. quit the project/job).

Every time you change the PEERS var, confs will be regenerated. It will use existing keys for the peers.

Which means:

  1. If you used a list of names in the PEERS var, simply delete the name from the list and recreate the container.
  2. If you used a number for the PEERS var, delete the folder for the peer you’d like removed, change the number for the PEERS var to force regeneration and recreate the container. It will generate a new conf with new keys for that peer, so the old keys will no longer be valid.
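As an added example (not from this thread or the linuxserver project): a small POSIX shell helper that shortens a name-based PEERS value and then confirms, from the regenerated server-side wg0.conf, that the revoked peer's public key is really gone. The config text is constructed sample data; the `# peer_<name>` comment lines and the `/config/wg0.conf` path mentioned in the note are assumptions about the image's layout.

```shell
#!/bin/sh
# Added example, not code from the thread or the linuxserver image.
# Constructed wg0.conf in the shape the image generates (peer comments are assumed).
SAMPLE_CONF='[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# peer_laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.13.13.2/32

[Peer]
# peer_phone
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.13.13.3/32
'

# Drop one name from a comma-separated PEERS value, e.g. "laptop,phone,tablet".
# The result is what PEERS should be set to before recreating the container.
remove_from_peers() {
  printf '%s' "$1" | tr ',' '\n' | grep -vx "$2" | paste -sd, -
}

# Print the PublicKey of every [Peer] section of a wg0.conf read from stdin.
peer_keys() {
  awk '/^\[Peer\]/ {inpeer=1; next}
       /^\[/       {inpeer=0}
       inpeer && $1=="PublicKey" {print $3}'
}

# Exit 0 if the key is still configured on the server, 1 if it has been removed.
# Check this on the server: the client UI shows "active" even when the server
# silently drops its handshakes, so the client side proves nothing.
key_still_present() {
  printf '%s' "$1" | peer_keys | grep -qx "$2"
}
```

Against a real container, feed `docker exec <container> cat /config/wg0.conf` (path assumed) to `key_still_present`, and cross-check with `wg show` inside the container. Note that the removed peer's folder, and so its key pair, stays on disk; if the keys are considered compromised, delete that folder as well so that re-adding the name later does not silently restore access with the old keys.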

Thank you for your reply. Ok, makes sense.

I have finally managed to install a supported kernel so that I could actually test it myself.

At first glance it was a bit confusing that the deleted peer’s folder still existed, and also that the credentials in the Wireguard client seemed to be working (marked the connection as active). But the peer no longer existed in the wg0.conf file, and I was unable to use the tunnel connection in any shape or form, other than that I was still able to connect to the server.

Anyhow, thank you for clearing things up!

Yeah, wireguard is weird like that. You can set up your client with a bogus key and a bogus server address, it will still attempt to send the packets just the same. They’ll just go into the ether. And the server doesn’t even respond unless the key is recognized/accepted.
