WireGuard Management
WireBuddy provides a comprehensive web interface for managing WireGuard VPN servers and clients.
Interface Management
Creating Interfaces
WireGuard interfaces represent individual VPN servers running on your host.
Navigate to: Settings → Interfaces → Add Interface
| Setting | Description | Example |
|---|---|---|
| Name | Unique interface identifier (alphanumeric, hyphens, underscores) | wg0, wg-vpn, wg_office |
| Listen Port | UDP port for incoming connections | 51820 (default) |
| Address | VPN server IP address in CIDR notation | 10.8.0.1/24 |
| IPv6 Address | Optional IPv6 address | fd42::1/64 |
| DNS Servers | DNS servers for clients | 1.1.1.1, 1.0.0.1 |
Advanced Interface Settings
Advanced Options
MTU (Maximum Transmission Unit)
- Default: 1420 (recommended for most networks)
- Lower values may be needed for constrained networks
- Formula: Interface MTU - 80 bytes (for WireGuard overhead)
Table
- Routing table number (default: auto)
- Set to off to disable automatic route management
Pre/Post Up/Down Commands
- Execute custom commands during interface lifecycle
- Examples:
SaveConfig
- Save runtime configuration to config file on shutdown
- Useful for dynamic peer additions
Starting/Stopping Interfaces
Interfaces can be managed from the Dashboard or Settings → Interfaces:
- 🟢 Start: Activate the interface
- 🔴 Stop: Deactivate the interface
- 🔄 Restart: Stop then start
- ⚙️ Reload: Reload configuration without disrupting connections
Interface Status
The Dashboard shows real-time interface status:
- ✅ Active: Interface is running
- ⏸️ Inactive: Interface is stopped
- ⚠️ Error: Configuration issue (check logs)
Peer Management
Adding Peers
Peers represent individual clients (laptops, phones, etc.) connecting to your VPN.
Navigate to: Peers → Add Peer
| Setting | Required | Description |
|---|---|---|
| Name | Yes | Descriptive name for the peer |
| Interface | Yes | Which WireGuard interface to use |
| IP Address | Yes | Static IP within interface subnet |
| IPv6 Address | No | Optional IPv6 address |
| Public Key | No | Auto-generated if not provided |
| Preshared Key | No | Additional encryption layer |
| Persistent Keepalive | No | Seconds between keepalive packets (25 recommended for NAT) |
| Use WireBuddy DNS | No | Route DNS through WireBuddy's resolver for ad-blocking. When disabled, uses Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) |
| Client Isolation | No | Prevent peer from communicating with other VPN peers |
Routing Modes
WireBuddy offers three routing presets:
Routes all traffic through VPN
- Allowed IPs: 0.0.0.0/0, ::/0
- DNS: Required (set to VPN server or public DNS)
- Use case: Maximum privacy, bypass geo-restrictions
Only VPN internal traffic
- Allowed IPs: VPN subnet only (e.g., 10.8.0.0/24)
- DNS: Optional
- Use case: Simple peer-to-peer VPN access
Client Configuration
After creating a peer, WireBuddy provides multiple options:
QR Code
Click Show QR Code and scan with the WireGuard mobile app.
Best for: iOS, Android devices
Download Config
Click Download Config to get a .conf file.
Best for: Windows, macOS, Linux desktop
Example Client Config
Copy Config
Click Copy Config to copy configuration text to clipboard.
Best for: Quick sharing via secure channels
Peer Status
Monitor peer status in the Peers page:
| Status | Indicator | Description |
|---|---|---|
| Connected | 🟢 Green | Recent handshake (< 3 minutes) |
| Idle | 🟡 Yellow | No recent handshake but configured |
| Disabled | ⚪ Gray | Peer manually disabled |
| Error | 🔴 Red | Configuration issue |
Handshake Information:
- Last Seen: Time since last WireGuard handshake
- Transfer: Total sent/received bytes
- Endpoint: Client's public IP and port
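The Connected/Idle split in the table can be reproduced on the VPN host from `wg show wg0 dump`. This is an added example, not WireBuddy code: the 180-second limit comes from the table, the sample dump and its key placeholders are constructed, and the Disabled and Error states are WireBuddy-level flags that the dump does not carry.

```bash
# Added example, not WireBuddy code: derive Connected/Idle from `wg show wg0 dump`.
# Peer lines are tab-separated: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), transfer-rx, transfer-tx, keepalive.

HANDSHAKE_LIMIT=180   # "recent handshake (< 3 minutes)" from the status table

# classify_peers NOW: reads dump text on stdin, prints pubkey, state, age (tab-separated)
classify_peers() {
  awk -F'\t' -v now="$1" -v limit="$HANDSHAKE_LIMIT" '
    NF == 4 { next }    # interface line: it holds the private key, never print it
    NF == 8 {
      hs = $5 + 0
      if (hs == 0)               { state = "idle";      age = "never" }
      else if (now - hs < limit) { state = "connected"; age = now - hs }
      else                       { state = "idle";      age = now - hs }
      printf "%s\t%s\t%s\n", $1, state, age
    }'
}

# Constructed sample dump: keys are placeholders, endpoints are documentation ranges.
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' \
    'SERVER-PRIVATE-KEY-placeholder' 'SERVER-PUBLIC-KEY-placeholder' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'LAPTOP-KEY-placeholder' '(none)' '203.0.113.7:51000' '10.8.0.2/32' 1699999940 1048576 524288 25 \
    'PHONE-KEY-placeholder'  '(none)' '198.51.100.9:40000' '10.8.0.3/32' 1699990000 2048 4096 25 \
    'TABLET-KEY-placeholder' '(none)' '(none)' '10.8.0.4/32' 0 0 0 off
}

# Live use on the VPN host (as root): wg show wg0 dump | classify_peers "$(date +%s)"
sample_dump | classify_peers 1700000000
```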
Peer Actions
Available actions for each peer:
- Edit: Modify peer configuration
- Disable/Enable: Temporarily disable without deleting
- Show QR: Display QR code for mobile setup
- Download Config: Get configuration file
- Delete: Permanently remove peer
Bulk Operations
WireBuddy supports bulk peer management:
- Select multiple peers using checkboxes
- Choose action from dropdown:
  - Enable selected
  - Disable selected
  - Delete selected
- Confirm action
Traffic Statistics
Real-Time Monitoring
The Dashboard shows real-time traffic for all peers:
- Total sent/received per peer
- Current transfer rate
- Last handshake time
- Connection uptime
Historical Data
Navigate to Traffic for historical analytics:
- Time Range: Select custom date range
- Per-Peer Charts: Individual traffic graphs
- Total Throughput: Combined traffic across all peers
- Export Data: Download CSV for external analysis
Advanced Features
Peer-to-Peer Communication
Enable peers to communicate with each other:
- Navigate to Settings → Interfaces
- Edit your interface
- Set Allowed IPs to include VPN subnet
- Configure firewall rules:
NAT and Port Forwarding
Configure NAT for full tunnel mode:
```bash
# Enable NAT for VPN traffic
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Allow forwarding
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
```
WireBuddy can auto-configure these rules via PostUp commands.
Endpoint Detection
WireBuddy automatically detects your public IP for peer endpoint configuration.
To override:
- Settings → General
- Set Public Endpoint
- This will be used in generated client configs
Preshared Keys
Add a preshared key as an additional, post-quantum-resistant layer on top of the Curve25519 handshake:
- Edit peer
- Click Generate Preshared Key
- The key is automatically added to both client and server configs
When to Use PSK
Preshared keys provide defense-in-depth against theoretical quantum computer attacks on Curve25519. Recommended for highly sensitive deployments.
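IPv6 Support
WireBuddy fully supports IPv6:
Interface Configuration
Peer Configuration
Dual-Stack (IPv4 + IPv6)
```ini
# --- server config: one IPv4 and one IPv6 address on the interface ---
[Interface]
Address = 10.8.0.1/24, fd42::1/64

# --- client config: Address is an [Interface] key, AllowedIPs goes under [Peer] ---
[Interface]
Address = 10.8.0.2/32, fd42::2/128
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
```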
Command-Line Integration
WireBuddy provides a REST API for automation:
```bash
# List interfaces
curl -H "Authorization: Bearer <token>" \
  https://vpn.example.com/api/wireguard/interfaces
# Create peer
curl -X POST \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name":"new-peer","interface":"wg0","ip":"10.8.0.10"}' \
  https://vpn.example.com/api/wireguard/peers
```
See API Documentation for details.
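The curl calls above put the bearer token on the command line, where it can show up in shell history and the process list. An added example (not from the WireBuddy project) that keeps the token in an owner-only file and hands it to curl through `--config -`; the token file location and the `WB_URL` variable are assumptions.

```bash
# Added example, not WireBuddy code. Assumptions: the API token is stored in a
# file readable only by its owner; WB_URL is the base URL used in the examples above.
WB_URL="${WB_URL:-https://vpn.example.com}"

# Succeed only for a regular file with no group/other permission bits set.
token_file_is_private() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c5-10)     # the group and other "rwx" triplets
  [ "$mode" = "------" ]
}

# curl_config TOKEN_FILE API_PATH: print a curl config carrying the header.
curl_config() {
  token_file_is_private "$1" || {
    echo "refusing to use $1: group/other can access it" >&2
    return 1
  }
  token=$(tr -d '\r\n' < "$1")
  printf 'url = "%s%s"\n' "$WB_URL" "$2"
  printf 'header = "Authorization: Bearer %s"\n' "$token"
  printf 'fail\nsilent\nshow-error\n'
}

# list_interfaces TOKEN_FILE: same request as "List interfaces" above.
# printf is a shell builtin, so the token never appears in any process's argv.
list_interfaces() {
  cfg=$(curl_config "$1" /api/wireguard/interfaces) || return 1
  printf '%s\n' "$cfg" | curl --config -
}
```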
Best Practices
IP Address Management
- Reserve .1 for the server
- Assign static IPs to peers starting from .2
- Document IP assignments (use peer names)
- Leave room for growth (use /24 or larger subnets)
Port Selection
- Use non-standard ports if under attack (not just 51820)
- Ensure UDP port is open in firewall
- Consider using the same port for multiple interfaces with different IPs
Key Management
- Never share private keys
- Rotate keys annually for high-security deployments
- Back up configurations securely
- Use preshared keys for sensitive connections
Performance Tuning
```bash
# Increase UDP buffer sizes
sysctl -w net.core.rmem_max=2500000
sysctl -w net.core.wmem_max=2500000
# Optimize conntrack table size
sysctl -w net.netfilter.nf_conntrack_max=262144
```
Troubleshooting
Peer Can't Connect
- Verify interface is running
- Check firewall allows UDP on WireGuard port
- Verify endpoint domain/IP resolves correctly
- Check client config matches server
- Review WireBuddy logs for errors
No Internet Access (Full Tunnel)
- Verify IP forwarding is enabled:
- Check NAT is configured:
- Verify DNS is set correctly in client config
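The forwarding and NAT checks above, as an added example rather than WireBuddy's own commands. It assumes the 10.8.0.0/24 subnet and eth0 uplink from the NAT section, and the parsing functions take command output as text so they can be exercised without root.

```bash
# Added example, not WireBuddy code: full-tunnel checks for the values used on
# this page (VPN subnet 10.8.0.0/24, outbound interface eth0).

# forwarding_enabled VALUE: VALUE is the output of `sysctl -n net.ipv4.ip_forward`
forwarding_enabled() {
  [ "$1" = "1" ]
}

# nat_rule_present SUBNET OUT_IF: stdin is `iptables -t nat -S POSTROUTING` output.
# Succeeds if a rule masquerades traffic from SUBNET leaving through OUT_IF.
nat_rule_present() {
  awk -v src="$1" -v out="$2" '
    $1 == "-A" && $2 == "POSTROUTING" {
      s = ""; o = ""; j = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") s = $(i + 1)
        if ($i == "-o") o = $(i + 1)
        if ($i == "-j") j = $(i + 1)
      }
      if (s == src && o == out && j == "MASQUERADE") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Run as root on the VPN host; prints one line per failed check.
check_full_tunnel() {
  forwarding_enabled "$(sysctl -n net.ipv4.ip_forward)" \
    || echo "IPv4 forwarding is disabled (net.ipv4.ip_forward is not 1)"
  iptables -t nat -S POSTROUTING | nat_rule_present 10.8.0.0/24 eth0 \
    || echo "no MASQUERADE rule for 10.8.0.0/24 leaving via eth0"
}
```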
Slow Performance
- Check MTU settings (lower if needed)
- Verify CPU isn't maxed (WireGuard is efficient but not unlimited)
- Check network bandwidth at both ends
- Consider hardware acceleration (some CPUs have Curve25519 instructions)
Handshake Fails
- Check time sync (both client and server must have accurate clocks)
- Verify public keys match
- Check for firewall blocking UDP
- Review endpoint configuration
Next Steps
- DNS Ad-Blocking - Integrate DNS filtering
- Monitoring - Traffic analytics and GeoIP
- Configuration - Advanced settings