diff --git a/actions/lib.sh b/actions/lib.sh
index 1f3f7c15fc5884a2b359ea2f4290174b4c606c43..12bd3c8e75c284fbdc5ef29eb821d2e7e2f7b610 100644
--- a/actions/lib.sh
+++ b/actions/lib.sh
@@ -75,12 +75,10 @@ function load_conf_vars() {
 fi
 wg_usage=${wg_usage:-"$(yq '. | if has("wg_enabled") then .wg_enabled else true end' "$group_vars_dir/gateways/wireguard.yaml")"}
- if [ "${wg_usage:-true}" == "true" ]; then
- wg_conf="${wg_conf:-$cluster_repository/${wg_conf_name}.conf}"
- wg_interface="$(basename "$wg_conf" | cut -d'.' -f1)"
- wg_endpoint="${wg_endpoint:-0}"
- ansible_wg_template="$etc_directory/wireguard/wg${wg_endpoint}/wg${wg_endpoint}_${wg_user}.conf"
- fi
+ wg_conf="${wg_conf:-$cluster_repository/${wg_conf_name}.conf}"
+ wg_interface="$(basename "$wg_conf" | cut -d'.' -f1)"
+ wg_endpoint="${wg_endpoint:-0}"
+ ansible_wg_template="$etc_directory/wireguard/wg${wg_endpoint}/wg${wg_endpoint}_${wg_user}.conf"
 }
 function check_conf_sanity() {
diff --git a/actions/wg-down.sh b/actions/wg-down.sh
new file mode 100755
index 0000000000000000000000000000000000000000..2d861c7aa8d49ca4a194e837851dfc1f8fe74e66
--- /dev/null
+++ b/actions/wg-down.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+actions_dir="$(dirname "$0")"
+# shellcheck source=actions/lib.sh
+. "$actions_dir/lib.sh"
+load_conf_vars
+
+validate_wireguard
+
+if ip link show "$wg_interface" 2>/dev/null >/dev/null; then
+ if [ "$(id -u)" = '0' ]; then
+ run ip link delete "$wg_interface" || true
+ else
+ run sudo ip link delete "$wg_interface" || true
+ fi
+else
+ hintf "Interface ${wg_interface} not found."
+fi
diff --git a/actions/wg-up.sh b/actions/wg-up.sh
index 13b231d453392d869bf8d534eeadfb3391053d4c..fb5d90dfb7f47654385460406386e29f977d0200 100755
--- a/actions/wg-up.sh
+++ b/actions/wg-up.sh
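Review bot: With the `wg_usage` guard gone, `ansible_wg_template` on the last added line expands `${wg_user}` unconditionally, so under `set -u` (which the new `wg-down.sh` in this same commit enables before sourcing `lib.sh`) any action script that calls `load_conf_vars` without `wg_user` exported aborts with an unbound-variable error, even on clusters where WireGuard is disabled via `wg_enabled`. Unless `wg_user` is defaulted earlier in `load_conf_vars` (not visible here), consider `ansible_wg_template="$etc_directory/wireguard/wg${wg_endpoint}/wg${wg_endpoint}_${wg_user:-}.conf"` and let `validate_wireguard` be the place that insists on `wg_user` being set. Separately, `wg_interface="$(basename "$wg_conf" | cut -d'.' -f1)"` truncates at the first dot, so a `wg_conf_name` containing a dot yields an interface name different from the one obtained by stripping only the suffix; `wg_interface="$(basename "$wg_conf" .conf)"` avoids that. `load_conf_vars` starts before this hunk.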
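Review bot: The `|| true` on both `run ip link delete "$wg_interface"` lines swallows the one failure this script exists to report, so a permission error or a busy device leaves the tunnel up while the script exits 0 and the caller believes it was torn down. Dropping `|| true` lets `set -e` surface the error; if best-effort deletion is wanted, re-check afterwards with `ip link show "$wg_interface" >/dev/null 2>&1 && { warningf 'failed to delete %s' "$wg_interface" >&2; exit 1; }`. The script also deletes whatever link carries the name `$wg_interface` without confirming it is a WireGuard device; using `ip -d link show "$wg_interface" 2>/dev/null | grep -q wireguard` as the outer condition would refuse to remove an unrelated interface should `wg_conf_name` ever collide with one. `run`, `hintf` and `validate_wireguard` come from `lib.sh` and are not visible here.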
@@ -11,7 +11,7 @@ actions_dir="$(dirname "$0")"
 load_conf_vars
-if [ "${wg_usage:-true}" == "true" ]; then
+if [ -f "${ansible_wg_template}" ]; then
 validate_wireguard
 wg_subnet="$(jq -r .subnet_cidr "$terraform_state_dir/config.tfvars.json")"
@@ -35,7 +35,7 @@ if [ "${wg_usage:-true}" == "true" ]; then
 fi
 ipam_path="$cluster_repository/state/wireguard/ipam.toml"
- if ! tomlq '(.wg_users[] | select(.ident=="'"${wg_user}"'")) // error("not-found")' "$ipam_path" &>/dev/null ; then
+ if [ "${tf_usage:-true}" == "true" ] && ! tomlq '(.wg_users[] | select(.ident=="'"${wg_user}"'")) // error("not-found")' "$ipam_path" &>/dev/null ; then
 warningf 'failed to find wireguard user %s in trampoline configuration' "$wg_user" >&2
 fi
@@ -45,6 +45,7 @@ if [ "${wg_usage:-true}" == "true" ]; then
 fi
 # Creating the conf file with a dummy key. The actual private key is going to be injected via `wg set`
 sed "s#REPLACEME#$(wg genkey | sed 's/^.\{10\}/dummy+key+/')#" "$ansible_wg_template" > "$wg_conf"
+ chmod 600 "$wg_conf"
 if ip link show "$wg_interface" 2>/dev/null >/dev/null; then
 if [ "$(id -u)" = '0' ]; then
 run ip link delete "$wg_interface" || true
diff --git a/docs/_releasenotes/1590.change.enable-wg-up-usage-for-bare-metal-deployments b/docs/_releasenotes/1590.change.enable-wg-up-usage-for-bare-metal-deployments
new file mode 100644
index 0000000000000000000000000000000000000000..71be14b25f409e03fe1ee5a3cef661f3d7e8ef02
--- /dev/null
+++ b/docs/_releasenotes/1590.change.enable-wg-up-usage-for-bare-metal-deployments
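Review bot: The new `if [ -f "${ansible_wg_template}" ]; then` no longer honours the `wg_enabled` setting from `gateways/wireguard.yaml` (still read into `wg_usage` by `load_conf_vars`, as the lib.sh hunk shows), so a cluster with WireGuard explicitly disabled but a template left over from an earlier run would still have its tunnel brought up. The template test is about availability of the peer config, not about whether WireGuard is wanted, so the two compose naturally: `if [ "${wg_usage:-true}" == "true" ] && [ -f "${ansible_wg_template}" ]; then`. The `else` branch of this `if`, and with it whatever the user sees when the template is missing on bare metal, lies outside the hunk; the release note says such templates must be generated externally, and a hint to that effect there would help. The enclosing `if` closes outside the hunk.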
@@ -0,0 +1,11 @@
+Enable usage of the action script ``actions/wg-up.sh`` for bare metal
+deployments, i.e. if Terraform isn't used. The script does not longer
+depend on ``[terraform]/enabled = true`` in the cluster configuration.
+The script now checks if the WireGuard peer configuration template file
+``$etc_directory/wireguard/wg${wg_endpoint}/wg${wg_endpoint}_${wg_user}.conf``
+exists. Those files are auto generated if using Terraform and need to be
+generated by means of external tooling or manually otherwise.
+
+Also the new action script ``actions/wg-down.sh`` has been introduces
+which does the opposite of what ``actions/wg-up.sh`` does, i.e. it tears
+down the WireGuard VPN tunnel to the deployment.
diff --git a/templates/yaook-k8s-env.template.sh b/templates/yaook-k8s-env.template.sh
index af9ec8d2521916049808818e2a783d91cd9c6388..0a40abefa531a8ad6b706ebba2390fd434c0701c 100644
--- a/templates/yaook-k8s-env.template.sh
+++ b/templates/yaook-k8s-env.template.sh
@@ -13,10 +13,14 @@
 # Note that this can instead be set in ".envrc.local" for specific clusters.
 #export MINIMAL_ACCESS_VENV=true
-# Wireguard: Absolute path to your private wireguard key.
+# Wireguard: There are multiple ways to specify a wireguard private key,
+# that apply in the following order:
+# 1. Specify a command to retrieve the wireguard private key from a safe place
+#export wg_private_key_command="pass path/to/your/private/key"
+# 2. Set absolute path to a file containing the wireguard private key
 export wg_private_key_file="path/to/your/private/key"
-# Alternatively you can directly export your wireguard key
-#export wg_private_key="$(pass PASS_PATH_TO_YOUR_WIREGUARD_KEY)"
+# 3. Directly export your wireguard private key (**NOT** recommended)
+#export wg_private_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 # Wireguard: Your username in the wg-user repository
 export wg_user='firstnamelastname'
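Review bot: Option 3 is marked not recommended without saying why, and the reason is exactly what a reader needs to weigh it: an exported `wg_private_key` is inherited by every process started from that shell and is readable from `/proc/<pid>/environ` or `ps e` by the same user, whereas options 1 and 2 keep the key out of the environment. Suggest `# 3. Directly export your wireguard private key (**NOT** recommended: an exported value is inherited by every child process and visible in /proc/<pid>/environ)`. The precedence stated on the second added line depends on how `lib.sh` consumes these three variables, which this diff does not show, so it is worth confirming it matches; and since `wg_private_key_command` is presumably executed as a shell command, the comment could add that it must only ever come from the operator's own env file, never from cluster-supplied configuration.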