A web user interface to manage your WireGuard setup.

⚠️ The default username and password are `admin`. Please change them to secure your setup.

Download the binary file from the release page and run it directly on the host machine:

```
./wireguard-ui
```

The `examples/docker-compose` folder contains example docker-compose files. Choose the example that fits you best, adjust the configuration to your needs, then run it as shown below:

```
docker-compose up
```

| Variable | Description | Default |
|---|---|---|
| `BASE_PATH` | Set this variable if you run wireguard-ui under a subpath of your reverse proxy virtual host (e.g. /wireguard) | N/A |
| `BIND_ADDRESS` | The addresses that can access the web interface, and the port. Use `unix:///abspath/to/file.socket` for a unix domain socket. | 0.0.0.0:80 |
| `SESSION_SECRET` | The secret key used to encrypt the session cookies. Set this to a random value. | N/A |
| `SESSION_SECRET_FILE` | Optional filepath for the secret key used to encrypt the session cookies. Leave `SESSION_SECRET` blank to take effect. | N/A |
| `SESSION_MAX_DURATION` | Max time in days a remembered session is refreshed and valid. A non-refreshed session is valid for 7 days max, regardless of this setting. | 90 |
| `SUBNET_RANGES` | The list of address subdivision ranges. Format: `SR Name:10.0.1.0/24; SR2:10.0.2.0/24,10.0.3.0/24`. Each CIDR must be inside one of the server interfaces. | N/A |
| `WGUI_USERNAME` | The username for the login page. Used for db initialization only. | admin |
| `WGUI_PASSWORD` | The password for the user on the login page. Will be hashed automatically. Used for db initialization only. | admin |
| `WGUI_PASSWORD_FILE` | Optional filepath for the user login password. Will be hashed automatically. Used for db initialization only. Leave `WGUI_PASSWORD` blank to take effect. | N/A |
| `WGUI_PASSWORD_HASH` | The password hash for the user on the login page (alternative to `WGUI_PASSWORD`). Used for db initialization only. | N/A |
| `WGUI_PASSWORD_HASH_FILE` | Optional filepath for the user login password hash (alternative to `WGUI_PASSWORD_FILE`). Used for db initialization only. Leave `WGUI_PASSWORD_HASH` blank to take effect. | N/A |
| `WGUI_ENDPOINT_ADDRESS` | The default endpoint address used in global settings, where clients should connect to. The endpoint can contain a port as well, which is useful when you are listening internally on the `WGUI_SERVER_LISTEN_PORT` port but forward on another port (e.g. 9000). Example: myvpn.dyndns.com:9000 | Resolved to your public IP address |
| `WGUI_FAVICON_FILE_PATH` | The file path used as website favicon | Embedded WireGuard logo |
| `WGUI_DNS` | The default DNS servers (comma-separated list) used in the global settings | 1.1.1.1 |
| `WGUI_MTU` | The default MTU used in global settings | 1450 |
| `WGUI_PERSISTENT_KEEPALIVE` | The default persistent keepalive for WireGuard in global settings | 15 |
| `WGUI_FIREWALL_MARK` | The default WireGuard firewall mark | 0xca6c (51820) |
| `WGUI_TABLE` | The default WireGuard table value settings | auto |
| `WGUI_CONFIG_FILE_PATH` | The default WireGuard config file path used in global settings | /etc/wireguard/wg0.conf |
| `WGUI_LOG_LEVEL` | The default log level. Possible values: DEBUG, INFO, WARN, ERROR, OFF | INFO |
| `WG_CONF_TEMPLATE` | The custom wg.conf config file template. Please refer to our default template. | N/A |
| `EMAIL_FROM_ADDRESS` | The sender email address | N/A |
| `EMAIL_FROM_NAME` | The sender name | WireGuard UI |
| `SENDGRID_API_KEY` | The SendGrid API key | N/A |
| `SENDGRID_API_KEY_FILE` | Optional filepath for the SendGrid API key. Leave `SENDGRID_API_KEY` blank to take effect. | N/A |
| `SMTP_HOSTNAME` | The SMTP IP address or hostname | 127.0.0.1 |
| `SMTP_PORT` | The SMTP port | 25 |
| `SMTP_USERNAME` | The SMTP username | N/A |
| `SMTP_PASSWORD` | The SMTP user password | N/A |
| `SMTP_PASSWORD_FILE` | Optional filepath for the SMTP user password. Leave `SMTP_PASSWORD` blank to take effect. | N/A |
| `SMTP_AUTH_TYPE` | The SMTP authentication type. Possible values: PLAIN, LOGIN, NONE | NONE |
| `SMTP_ENCRYPTION` | The encryption method. Possible values: NONE, SSL, SSLTLS, TLS, STARTTLS | STARTTLS |
| `SMTP_HELO` | Hostname to use for the HELO message. smtp-relay.gmail.com needs this set to anything but localhost. | localhost |
| `TELEGRAM_TOKEN` | Telegram bot token for distributing configs to clients | N/A |
| `TELEGRAM_ALLOW_CONF_REQUEST` | Allow users to get configs from the bot by sending a message | false |
| `TELEGRAM_FLOOD_WAIT` | Time in minutes before the next conf request is processed | |
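
A pre-start check for the settings in the table above, added here as an example and not part of the wireguard-ui project: it flags the default `admin` password, a missing session secret, the wildcard `0.0.0.0` bind, and `*_FILE` secrets that are shadowed by their inline variable, missing, or readable by group/others. The function name `wgui_preflight` and the finding codes are hypothetical; the variable names and defaults are the table's.

```shell
#!/bin/sh
# Added example: audit wireguard-ui environment settings before start-up.
# Variable names and defaults come from the table above; the function name
# and the finding codes are hypothetical.
wgui_preflight() {
    rc=0
    flag() { printf '%s\n' "$1"; rc=1; }

    # No password source at all, or the literal default: the login is admin/admin.
    if [ -z "${WGUI_PASSWORD:-}${WGUI_PASSWORD_FILE:-}${WGUI_PASSWORD_HASH:-}${WGUI_PASSWORD_HASH_FILE:-}" ] ||
       [ "${WGUI_PASSWORD:-}" = "admin" ]; then
        flag "DEFAULT_PASSWORD"
    fi

    # The table asks for a random session secret, given inline or via file.
    if [ -z "${SESSION_SECRET:-}${SESSION_SECRET_FILE:-}" ]; then
        flag "NO_SESSION_SECRET"
    fi

    # The default bind is 0.0.0.0:80, i.e. every IPv4 interface of the host.
    case "${BIND_ADDRESS:-0.0.0.0:80}" in
        0.0.0.0:*) flag "WILDCARD_BIND" ;;
    esac

    for name in SESSION_SECRET WGUI_PASSWORD WGUI_PASSWORD_HASH SENDGRID_API_KEY SMTP_PASSWORD; do
        eval "inline=\${$name:-} file=\${${name}_FILE:-}"
        if [ -z "$file" ]; then continue; fi
        # A *_FILE variable only takes effect while its inline twin is blank.
        if [ -n "$inline" ]; then flag "SHADOWED_FILE:${name}_FILE"; fi
        if [ ! -f "$file" ]; then
            flag "MISSING_FILE:${name}_FILE"
        else
            # The mode string must end in ------ (no group/other access).
            case "$(ls -ldL -- "$file")" in
                ????------*) ;;
                *) flag "LOOSE_PERMS:${name}_FILE" ;;
            esac
        fi
    done
    return "$rc"
}

wgui_preflight || echo "wireguard-ui: resolve the findings above before starting" >&2
```

Because the login variables are used for db initialization only, run the check before the first start rather than after the database already exists.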