You have found the easiest way to install & manage WireGuard on any Linux host!
- All-in-one: WireGuard + Web UI.
- Easy installation, simple to use.
- List, create, edit, delete, enable & disable clients.
- Show a client's QR code.
- Download a client's configuration file.
- Statistics for which clients are connected.
- Tx/Rx charts for each connected client.
- Gravatar support.
- Metrics in Prometheus format.
- A host with a kernel that supports WireGuard (all modern kernels).
- A host with Docker installed.
If you haven't installed Docker yet, install it by running:
$ curl -sSL https://get.docker.com | sh
$ sudo usermod -aG docker $(whoami)
$ exitAnd log in again.
To automatically install & run wg-easy, simply run:
$ docker run -d \ --name=wg-easy \ -e WG_HOST=🚨YOUR_SERVER_IP \ -e PASSWORD=🚨YOUR_ADMIN_PASSWORD \ -v ~/.wg-easy:/etc/wireguard \ -p 51820:51820/udp \ -p 51821:51821/tcp \ --cap-add=NET_ADMIN \ --cap-add=SYS_MODULE \ --sysctl="net.ipv4.conf.all.src_valid_mark=1" \ --sysctl="net.ipv4.ip_forward=1" \ --restart unless-stopped \ weejewel/wg-easy
💡 Replace
YOUR_SERVER_IPwith your WAN IP, or a Dynamic DNS hostname.💡 Replace
YOUR_ADMIN_PASSWORDwith a password to log in on the Web UI.
The Web UI will now be available on http://0.0.0.0:51821.
💡 Your configuration files will be saved in
~/.wg-easy
Are you enjoying this project? Buy me a beer! 🍻
These options can be configured by setting environment variables using -e KEY="VALUE" in the docker run command.
| Env | Default | Example | Description |
|---|---|---|---|
PASSWORD |
- | foobar123 |
When set, requires a password when logging in to the Web UI. |
WG_HOST |
- | vpn.myserver.com |
The public hostname of your VPN server. |
WG_PORT |
51820 |
12345 |
The public UDP port of your VPN server. WireGuard will always listen on 51820 inside the Docker container. |
WG_MTU |
null |
1420 |
The MTU the clients will use. Server uses default WG MTU. |
WG_PERSISTENT_KEEPALIVE |
0 |
25 |
Value in seconds to keep the "connection" open. If this value is 0, then connections won't be kept alive. |
WG_DEFAULT_ADDRESS |
10.8.0.x |
10.6.0.x |
Clients IP address range. |
WG_DEFAULT_ADDRESS6 |
fdcc:ad94:bacf:61a4::cafe:x |
fdcc:ad94:bacf:61a4::42:x |
Clients IPv6 address range. Has to be a valid IPv6 ULA address. |
WG_DEFAULT_DNS |
1.1.1.1 |
8.8.8.8, 8.8.4.4 |
DNS server clients will use. |
WG_DEFAULT_DNS6 |
2606:4700:4700::1111 |
2606:4700:4700::1001, 2606:4700:4700::1111 |
DNSv6 server clients will use. |
WG_ALLOWED_IPS |
0.0.0.0/0, ::/0 |
192.168.15.0/24, 10.0.1.0/24 |
Allowed IPs clients will use. |
WG_PRE_UP |
... |
- | See config.js for the default value. |
WG_POST_UP |
... |
iptables ... |
See config.js for the default value. |
WG_PRE_DOWN |
... |
- | See config.js for the default value. |
WG_POST_DOWN |
... |
iptables ... |
See config.js for the default value. |
METRICS_ENABLED |
false |
true |
When set, metrics in Prometheus format will be exposed. |
METRICS_USER |
- | prometheus |
When set, HTTP Basic authorization with this user will be required when accessing metrics. |
METRICS_PASSWORD |
- | password |
When set, HTTP Basic authorization will with this password be required when accessing metrics. |
If you change
WG_PORT, make sure to also change the exposed port.
To update to the latest version, simply run:
docker stop wg-easy
docker rm wg-easy
docker pull weejewel/wg-easyAnd then run the docker run -d \ ... command above again.
When metrics are enabled wg-easy will expose metrics in Prometheus format under /metrics path. HTTP Basic autorization is supported for metrics endpoint.
Node process metrics specific to wg-easy are exported with wg_easy_ prefix. WireGuard metrics are exported with wireguard_ prefix.
WireGuard metrics are inspired and compatible with metrics collected by prometheus_wireguard_exporter. Grafana dashboards created for prometheus_wireguard_exporter works with metrics exposed by wg-easy.
# HELP wireguard_sent_bytes_total Bytes sent to the peer
# TYPE wireguard_sent_bytes_total counter
wireguard_sent_bytes_total{interface="wg0",public_key="QpPNe62/SuCUSEkBTu3r2U0ihe2UrDspxUUgk195zmc=",allowed_ips="10.112.112.2/32",friendly_name="Test User 1",enabled="true"} 0
wireguard_sent_bytes_total{interface="wg0",public_key="2AyHc7bRYJUJdx9UG87QmZDolj8xh6CORgP0PA28JT4=",allowed_ips="10.112.112.3/32",friendly_name="Test User 2",enabled="true"} 95788240
# HELP wireguard_received_bytes_total Bytes received from the peer
# TYPE wireguard_received_bytes_total counter
wireguard_received_bytes_total{interface="wg0",public_key="QpPNe62/SuCUSEkBTu3r2U0ihe2UrDspxUUgk195zmc=",allowed_ips="10.112.112.2/32",friendly_name="Test User 1",enabled="true"} 0
wireguard_received_bytes_total{interface="wg0",public_key="2AyHc7bRYJUJdx9UG87QmZDolj8xh6CORgP0PA28JT4=",allowed_ips="10.112.112.3/32",friendly_name="Test User 2",enabled="true"} 54389700
# HELP wireguard_latest_handshake_seconds Seconds from the last handshake
# TYPE wireguard_latest_handshake_seconds gauge
wireguard_latest_handshake_seconds{interface="wg0",public_key="QpPNe62/SuCUSEkBTu3r2U0ihe2UrDspxUUgk195zmc=",allowed_ips="10.112.112.2/32",friendly_name="Test User 1",enabled="true"} 0
wireguard_latest_handshake_seconds{interface="wg0",public_key="2AyHc7bRYJUJdx9UG87QmZDolj8xh6CORgP0PA28JT4=",allowed_ips="10.112.112.3/32",friendly_name="Test User 2",enabled="true"} 1633967910
# HELP wireguard_persistent_keepalive_seconds Seconds between each persistent keepalive packet
# TYPE wireguard_persistent_keepalive_seconds gauge
wireguard_persistent_keepalive_seconds{interface="wg0",public_key="QpPNe62/SuCUSEkBTu3r2U0ihe2UrDspxUUgk195zmc=",allowed_ips="10.112.112.2/32",friendly_name="Test User 1",enabled="true"} 0
wireguard_persistent_keepalive_seconds{interface="wg0",public_key="2AyHc7bRYJUJdx9UG87QmZDolj8xh6CORgP0PA28JT4=",allowed_ips="10.112.112.3/32",friendly_name="Test User 2",enabled="true"} 0