Overview
This runbook outlines the steps for immediate revocation of VPN access upon an employee’s or contractor’s departure, with the goal of achieving complete termination within 15 minutes of the offboarding trigger.
It assumes a standard WireGuard or Defguard deployment—adjust timing expectations based on your specific environment. For Defguard-specific procedures (such as disabling user accounts, revoking devices/sessions, or managing group/location access), refer to the official documentation at docs.defguard.net.
Trigger Events
Lists common scenarios that start the offboarding process, with expected response timing and who initiates:
| Event | Response Time | Initiated By |
|---|---|---|
| Voluntary resignation | Same day (before EOD) | HR + IT |
| Involuntary termination | Immediate (before employee notified) | HR + IT |
| Contractor end date | Scheduled (midnight before last day) | IT |
| Security incident | Immediate | Security team |
| Device loss/theft | Immediate | User report + IT |
Pre-Offboarding Checklist
Quick preparation steps before revoking access:
- Confirm identity: Verify correct user account(s) to disable
- Identify all devices: List all registered VPN devices for this user
- Notify stakeholders: Inform manager of access removal timing
- Document reason: Record offboarding type for audit trail
Standalone WireGuard Revocation
For environments without centralized management like Defguard:
Step 1: Identify the peer’s public key(s)
Search the config file or inspect the live interface:
```bash
# List all peers (match by comment or AllowedIPs)
grep -A5 "# username" /etc/wireguard/wg0.conf
# Or inspect the live interface (each "peer:" line is followed by its endpoint and allowed ips)
wg show wg0 | grep -A2 "peer:"
# Or map public key -> AllowedIPs directly
wg show wg0 allowed-ips
```
Step 2: Remove Peer(s) from Server
```bash
# Remove peer immediately (takes effect instantly for new handshakes)
wg set wg0 peer <PUBLIC_KEY> remove
# Verify removal
wg show wg0 peers | grep -F <PUBLIC_KEY>   # Should return nothing
```
Step 3: Update the persistent configuration file
```bash
# Remove the peer from the config file so a restart does not restore it.
# wg-quick save rewrites wg0.conf from the live interface (keeping wg-quick-only
# options such as Address and PostUp), so the peer removed in Step 2 drops out of the file.
wg-quick save wg0
# Confirm the key is gone from the file
grep -Fc <PUBLIC_KEY> /etc/wireguard/wg0.conf   # Should print 0
```
Step 4: Verify Disconnection
```bash
# Confirm no active handshake
wg show wg0 latest-handshakes | grep -F <PUBLIC_KEY>   # Should be empty
```
Check the listening socket:
```bash
# WireGuard is UDP and keeps per-peer state inside the kernel, so ss only shows the
# gateway's own listening socket; it cannot list peers. Use wg show for that.
ss -unap | grep 51820
```
Timing: Revocation is instant for new connections. Existing tunnels expire naturally within ~2–3 minutes due to WireGuard’s rekey timers (REKEY-AFTER-TIME = 2 min, REJECT-AFTER-TIME = 3 min).
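Steps 1 through 4 above as one script for the standalone case. This is an added example, not part of the original runbook: it assumes the page's convention that each [Peer] block in wg0.conf is tagged with a "# username" comment (on the line right before "[Peer]" or anywhere inside the block), and WG_CONF, WG_IFACE, WG_BIN and WG_QUICK_BIN are the script's own knobs so it can be dry-run. The parser is generalised beyond the page's single grep: it handles several devices per user and does not match "# alice2" when revoking alice.

```bash
#!/usr/bin/env bash
# Added example (not from the original runbook): revoke every WireGuard peer
# tagged "# <username>" in wg0.conf, persist the change and verify it.
# Assumes the tagging convention from Step 1 above. WG_CONF, WG_IFACE, WG_BIN
# and WG_QUICK_BIN are this script's own knobs, overridable for dry runs.
set -eu

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
WG_IFACE="${WG_IFACE:-wg0}"
WG_BIN="${WG_BIN:-wg}"
WG_QUICK_BIN="${WG_QUICK_BIN:-wg-quick}"

ts() { date -u +%Y-%m-%dT%H:%M:%SZ; }   # UTC timestamps for the audit record

# peer_keys_for_user USERNAME CONF -> one PublicKey per line
# A peer is tagged when a comment "# USERNAME" (optionally followed by more text,
# e.g. "# alice (laptop)") is on the line right before its "[Peer]" header or
# anywhere inside the block. Exact name only: "# alice2" does not tag alice.
peer_keys_for_user() {
  awk -v user="$1" '
    BEGIN { re = "^#[[:space:]]*" user "([[:space:]]|$)" }
    # End the current block. A tag on the line just before "[Peer]" belongs to
    # the next block, so it is carried over instead of counted here.
    function flush(carry) {
      if (tags - carry > 0 && key != "") print key
      tags = carry; key = ""
    }
    /^\[Peer\]/ { flush(prev); prev = 0; next }
    /^\[/       { flush(0); next }
    { prev = 0 }
    $0 ~ re     { tags++; prev = 1 }
    /^PublicKey[[:space:]]*=/ {
      key = $0
      sub(/^PublicKey[[:space:]]*=[[:space:]]*/, "", key)
      sub(/[[:space:]]+$/, "", key)
    }
    END { flush(0) }
  ' "$2"
}

# verify_revoked USERNAME KEY... -> 0 only if no key is live or still in the file
verify_revoked() {
  local user="$1" key; shift
  for key in "$@"; do
    if "$WG_BIN" show "$WG_IFACE" peers | grep -Fxq -- "$key"; then
      echo "$(ts) VERIFY FAILED: $key still active on $WG_IFACE" >&2; return 1
    fi
    if grep -Fq -- "$key" "$WG_CONF"; then
      echo "$(ts) VERIFY FAILED: $key still in $WG_CONF (a restart would restore it)" >&2; return 1
    fi
  done
  echo "$(ts) verified: $user has no peers on $WG_IFACE"
}

# revoke_user USERNAME
# Step 2: remove each tagged peer from the live interface (new handshakes fail at once).
# Step 3: wg-quick save rewrites the config from the live interface so a restart
#         cannot restore the peer.
# Step 4: verify against both the live peer list and the file.
revoke_user() {
  local user="$1" keys key
  keys="$(peer_keys_for_user "$user" "$WG_CONF")"
  if [ -z "$keys" ]; then
    echo "$(ts) no [Peer] block tagged '# $user' in $WG_CONF" >&2
    return 1
  fi
  for key in $keys; do                      # keys are base64: no spaces, no glob characters
    "$WG_BIN" set "$WG_IFACE" peer "$key" remove
    echo "$(ts) removed peer $key (user=$user) from $WG_IFACE"
  done
  "$WG_QUICK_BIN" save "$WG_IFACE"
  echo "$(ts) persisted $WG_CONF"
  verify_revoked "$user" $keys
}

# Usage: revoke_user.sh USERNAME
if [ "$#" -gt 0 ]; then revoke_user "$1"; fi
```

Run it as root on each gateway with the departing user's name; every action is echoed with a UTC timestamp so the output can be pasted straight into the audit record. With WG_BIN=: and WG_QUICK_BIN=: the command sequence runs without touching the interface; the file check will then correctly report the key as still present, because nothing was saved.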
Defguard-Managed Revocation
Step 1: Disable User Account
- Navigate to Users in Defguard admin panel
- Find user by name or email
- Click Disable User (disable rather than delete, so the audit trail is preserved)
Effect: All devices for this user immediately lose VPN access. No handshakes will succeed.
Step 2: Revoke Individual Devices (Optional)
To revoke specific devices while keeping the user account active:
- Navigate to Users → [User] → Devices
- Click Revoke on target device(s)
- Confirm revocation
Step 3: Verify in Audit Log
- Navigate to Settings → Audit Logs
- Filter by user or action type
- Confirm “User Disabled” or “Device Revoked” entry
Check docs.defguard.net for the exact time-to-effect of a user disable.
Revocation Timing Benchmarks
| Method | Time to Effect | Verification Method |
|---|---|---|
| WireGuard wg set peer remove | Instant | wg show (no peer listed) |
| Defguard user disable | < 30 seconds | Audit log + device status |
| Config file edit + restart | 1-5 seconds (during restart) | Service status |
Important: WireGuard has no traditional “session” concept. Removing a peer prevents future handshakes but does not terminate an existing tunnel immediately. However, WireGuard sessions expire and require rekeying after 2 minutes (REKEY-AFTER-TIME), with a hard rejection after 3 minutes (REJECT-AFTER-TIME), so maximum effective delay is approximately 3 minutes.
Post-Revocation Verification
- Peer removed from all gateways: Check each WireGuard server
- No active handshakes: Verify with wg show
- Audit log entry: Confirm revocation is logged with timestamp
- User notified (if appropriate): Confirm access has been removed
- Manager notified: Confirm IT has completed revocation
Multi-Gateway Environments
If the user had access to multiple VPN locations, remove the peer from every gateway and persist the change on each:
```bash
# Remove the peer from all gateways, persist on each, and verify it is gone
set -e
for gateway in gateway1 gateway2 gateway3; do
  ssh "admin@$gateway" "wg set wg0 peer '<PUBLIC_KEY>' remove && wg-quick save wg0 \
    && ! wg show wg0 peers | grep -Fxq '<PUBLIC_KEY>'"
  echo "Removed from $gateway"
done
```
Defguard advantage: Single user disable revokes access across all locations automatically.
Rollback Procedure
If revocation was made in error:
Standalone WireGuard
```bash
# Re-add the peer with its original configuration (take allowed-ips from the old [Peer] block;
# if that block also carried a PresharedKey, restore it with preshared-key <FILE>)
wg set wg0 peer <PUBLIC_KEY> allowed-ips <IP>/32 endpoint <ENDPOINT>
# Update persistent config
wg-quick save wg0
```
Defguard
- Navigate to Users → [User]
- Click Enable User
- User’s devices will reconnect automatically
Escalation Matrix
| Issue | Escalate To |
|---|---|
| Cannot access gateway | Infrastructure team |
| Defguard admin access issue | Identity team |
| User claims they still have access | Security team |
| Compliance/legal question | Legal/HR |
Audit Requirements
For compliance, record:
- Timestamp of revocation request
- Timestamp of revocation completion
- User/device identifier(s)
- Operator who performed revocation
- Reason (offboarding type)
- Verification method used
- Any anomalies or delays
Common Issues
| Problem | Cause | Resolution |
|---|---|---|
| User still shows “connected” in monitoring | Stale data, session will expire | Wait 2-3 min, refresh |
| Cannot find user’s public key | Multiple devices, different naming | Check all device entries |
| Revocation didn’t persist after restart | Config file not updated | Run wg-quick save |
| User re-added themselves | Compromised admin credentials | Investigate, rotate admin creds |
Security Considerations
- Least privilege: Offboarding operators should only have revoke permissions, not create
- Separation of duties: HR triggers, IT executes, Security verifies
- Audit trail: All revocations must be logged with timestamp and operator
- No exceptions: VPN access is revoked regardless of “special circumstances”
Core takeaway
This runbook emphasizes speed, verification, and auditability. In Defguard environments, disabling a single user account is usually the fastest and safest method (often 30 seconds across all devices/locations). For raw WireGuard, manual peer removal + config update is effective but requires careful verification to avoid persistence or multi-gateway oversights. Always document and verify every step for compliance and security.