ssh establish and ssh issue actually don’t interact with WireGuard at all — they’re API-only commands. establish is a one-time command that sets up an SSH certificate for your organization — we should get rid of it and just manage that for you, but when SSH was introduced we thought it might be opt-in. issue just creates time-limited SSH user certificates to log in with.
Using establish and issue, you can use standard OpenSSH to log in directly to instances when you have a WireGuard tunnel established with your OS.
ssh console does something much more ambitious: it sets up a WireGuard tunnel on its own, using an agent process in flyctl. That tunnel is entirely in userland — your OS doesn’t know anything about it. Under the hood, it’s relying on the same certificates that establish and issue set up.