github.com/ngoduykhanh/wireguard-ui
A web user interface to manage your WireGuard setup.
⚠️The default username and password are
admin. Please change it to secure your setup.
Download the binary file from the release page and run it directly on the host machine
./wireguard-ui
The examples/docker-compose folder contains example docker-compose files. Choose the example which fits you the most, adjust the configuration for your needs, then run it like below:
docker-compose up
| Variable | Description | Default |
|---|---|---|
BASE_PATH | Set this variable if you run wireguard-ui under a subpath of your reverse proxy virtual host (e.g. /wireguard) | N/A |
BIND_ADDRESS | The addresses that can access to the web interface and the port, use unix:///abspath/to/file.socket for unix domain socket. | 0.0.0.0:80 |
SESSION_SECRET | The secret key used to encrypt the session cookies. Set this to a random value | N/A |
SESSION_SECRET_FILE | Optional filepath for the secret key used to encrypt the session cookies. Leave SESSION_SECRET blank to take effect | N/A |
SESSION_MAX_DURATION | Max time in days a remembered session is refreshed and valid. Non-refreshed session is valid for 7 days max, regardless of this setting. | 90 |
SUBNET_RANGES | The list of address subdivision ranges. Format: SR Name:10.0.1.0/24; SR2:10.0.2.0/24,10.0.3.0/24 Each CIDR must be inside one of the server interfaces. | N/A |
WGUI_USERNAME | The username for the login page. Used for db initialization only | admin |
WGUI_PASSWORD | The password for the user on the login page. Will be hashed automatically. Used for db initialization only | admin |
WGUI_PASSWORD_FILE | Optional filepath for the user login password. Will be hashed automatically. Used for db initialization only. Leave WGUI_PASSWORD blank to take effect | N/A |
WGUI_PASSWORD_HASH | The password hash for the user on the login page. (alternative to WGUI_PASSWORD). Used for db initialization only | N/A |
WGUI_PASSWORD_HASH_FILE | Optional filepath for the user login password hash. (alternative to WGUI_PASSWORD_FILE). Used for db initialization only. Leave WGUI_PASSWORD_HASH blank to take effect | N/A |
WGUI_ENDPOINT_ADDRESS | The default endpoint address used in global settings where clients should connect to. The endpoint can contain a port as well, useful when you are listening internally on the WGUI_SERVER_LISTEN_PORT port, but you forward on another port (ex 9000). Ex: myvpn.dyndns.com:9000 | Resolved to your public ip address |
WGUI_FAVICON_FILE_PATH | The file path used as website favicon | Embedded WireGuard logo |
WGUI_DNS | The default DNS servers (comma-separated-list) used in the global settings | 1.1.1.1 |
WGUI_MTU | The default MTU used in global settings | 1450 |
WGUI_PERSISTENT_KEEPALIVE | The default persistent keepalive for WireGuard in global settings | 15 |
WGUI_FIREWALL_MARK | The default WireGuard firewall mark | 0xca6c (51820) |
WGUI_TABLE | The default WireGuard table value settings | auto |
WGUI_CONFIG_FILE_PATH | The default WireGuard config file path used in global settings | /etc/wireguard/wg0.conf |
WGUI_LOG_LEVEL | The default log level. Possible values: DEBUG, INFO, WARN, ERROR, OFF | INFO |
WG_CONF_TEMPLATE | The custom wg.conf config file template. Please refer to our default template | N/A |
EMAIL_FROM_ADDRESS | The sender email address | N/A |
EMAIL_FROM_NAME | The sender name | WireGuard UI |
SENDGRID_API_KEY | The SendGrid api key | N/A |
SENDGRID_API_KEY_FILE | Optional filepath for the SendGrid api key. Leave SENDGRID_API_KEY blank to take effect | N/A |
SMTP_HOSTNAME | The SMTP IP address or hostname | 127.0.0.1 |
SMTP_PORT | The SMTP port | 25 |
SMTP_USERNAME | The SMTP username | N/A |
SMTP_PASSWORD | The SMTP user password | N/A |
SMTP_PASSWORD_FILE | Optional filepath for the SMTP user password. Leave SMTP_PASSWORD blank to take effect | N/A |
SMTP_AUTH_TYPE | The SMTP authentication type. Possible values: PLAIN, LOGIN, NONE | NONE |
SMTP_ENCRYPTION | The encryption method. Possible values: NONE, SSL, SSLTLS, TLS, STARTTLS | STARTTLS |
SMTP_HELO | Hostname to use for the HELO message. smtp-relay.gmail.com needs this set to anything but localhost | localhost |
TELEGRAM_TOKEN | Telegram bot token for distributing configs to clients | N/A |
TELEGRAM_ALLOW_CONF_REQUEST | Allow users to get configs from the bot by sending a message | false |
TELEGRAM_FLOOD_WAIT | Time in minutes before the next conf request is processed | 60 |
These environment variables are used to control the default server settings used when initializing the database.
| Variable | Description | Default |
|---|---|---|
WGUI_SERVER_INTERFACE_ADDRESSES | The default interface addresses (comma-separated-list) for the WireGuard server configuration | 10.252.1.0/24 |
WGUI_SERVER_LISTEN_PORT | The default server listen port | 51820 |
WGUI_SERVER_POST_UP_SCRIPT | The default server post-up script | N/A |
WGUI_SERVER_POST_DOWN_SCRIPT | The default server post-down script | N/A |
These environment variables are used to set the defaults used in New Client dialog.
| Variable | Description | Default |
|---|---|---|
WGUI_DEFAULT_CLIENT_ALLOWED_IPS | Comma-separated-list of CIDRs for the Allowed IPs field. (default ) | 0.0.0.0/0 |
WGUI_DEFAULT_CLIENT_EXTRA_ALLOWED_IPS | Comma-separated-list of CIDRs for the Extra Allowed IPs field. (default empty) | N/A |
WGUI_DEFAULT_CLIENT_USE_SERVER_DNS | Boolean value [0, f, F, false, False, FALSE, 1, t, T, true, True, TRUE] | true |
WGUI_DEFAULT_CLIENT_ENABLE_AFTER_CREATION | Boolean value [0, f, F, false, False, FALSE, 1, t, T, true, True, TRUE] | true |
These environment variables only apply to the docker container.
| Variable | Description | Default |
|---|---|---|
WGUI_MANAGE_START | Start/stop WireGuard when the container is started/stopped | false |
WGUI_MANAGE_RESTART | Auto restart WireGuard when we Apply Config changes in the UI | false |
WireGuard-UI only takes care of configuration generation. You can use systemd to watch for the changes and restart the service. Following is an example:
Create /etc/systemd/system/wgui.service
cd /etc/systemd/system/
cat << EOF > wgui.service
[Unit]
Description=Restart WireGuard
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service
[Install]
RequiredBy=wgui.path
EOF
Create /etc/systemd/system/wgui.path
cd /etc/systemd/system/
cat << EOF > wgui.path
[Unit]
Description=Watch /etc/wireguard/wg0.conf for changes
[Path]
PathModified=/etc/wireguard/wg0.conf
[Install]
WantedBy=multi-user.target
EOF
Apply it
systemctl enable wgui.{path,service}
systemctl start wgui.{path,service}
Create /usr/local/bin/wgui file and make it executable
cd /usr/local/bin/
cat << EOF > wgui
#!/bin/sh
wg-quick down wg0
wg-quick up wg0
EOF
chmod +x wgui
Create /etc/init.d/wgui file and make it executable
cd /etc/init.d/
cat << EOF > wgui
#!/sbin/openrc-run
command=/sbin/inotifyd
command_args="/usr/local/bin/wgui /etc/wireguard/wg0.conf:w"
pidfile=/run/${RC_SVCNAME}.pid
command_background=yes
EOF
chmod +x wgui
Apply it
rc-service wgui start
rc-update add wgui default
Set WGUI_MANAGE_RESTART=true to manage Wireguard interface restarts.
Using WGUI_MANAGE_START=true can also replace the function of wg-quick@wg0 service, to start Wireguard at boot, by
running the container with restart: unless-stopped. These settings can also pick up changes to Wireguard Config File
Path, after restarting the container. Please make sure you have --cap-add=NET_ADMIN in your container config to make
this feature work.
Go to the project root directory and run the following command:
docker build --build-arg=GIT_COMMIT=$(git rev-parse --short HEAD) -t wireguard-ui .
or
docker compose build --build-arg=GIT_COMMIT=$(git rev-parse --short HEAD)
:information_source: A container image is available on Docker Hub which you can pull and use
docker pull ngoduykhanh/wireguard-ui
Prepare the assets directory
./prepare_assets.sh
Then build your executable
go build -o wireguard-ui
MIT. See LICENSE.
If you like the project and want to support it, you can buy me a coffee ☕
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
ECMAScript 2025 introduces Iterator Helpers, Set methods, JSON modules, and more in its latest spec update approved by Ecma in June 2025.
Security News
A new Node.js homepage button linking to paid support for EOL versions has sparked a heated discussion among contributors and the wider community.
Research
North Korean threat actors linked to the Contagious Interview campaign return with 35 new malicious npm packages using a stealthy multi-stage malware loader.