Installation Guide
Comprehensive installation instructions for WireBuddy on various platforms.
Installation Methods
WireBuddy can be installed in several ways:
| Method | Difficulty | Best For |
|---|---|---|
| Docker Compose | ⭐ Easy | Production, most users |
| Docker Run | ⭐⭐ Moderate | Custom setups |
| Local Development | ⭐⭐⭐ Advanced | Development, testing |
Docker Compose (Recommended)
The easiest and most reliable way to run WireBuddy.
1. Install Docker
2. System Configuration
Enable IP forwarding (required for WireGuard):
Make it persistent:
```bash
cat <<EOF | sudo tee /etc/sysctl.d/99-wireguard.conf
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
EOF
```
Enable conntrack accounting for traffic analytics:
```bash
sudo sysctl -w net.netfilter.nf_conntrack_acct=1
echo "net.netfilter.nf_conntrack_acct = 1" | sudo tee -a /etc/sysctl.d/99-wireguard.conf
```
3. Download WireBuddy
4. Configure Environment
Generate a secure secret key:
Edit settings.env and set:
5. Review Docker Compose Configuration
The included docker-compose.yml:
```yaml
services:
  wirebuddy:
    image: giiibates/wirebuddy:latest
    container_name: wirebuddy
    restart: unless-stopped
    network_mode: host  # Required for WireGuard
    cap_add:
      - NET_ADMIN  # Required for network configuration
    env_file:
      - settings.env
    volumes:
      - ./data:/app/data
    security_opt:
      - no-new-privileges:true
```
Network Mode Host
WireBuddy requires network_mode: host to manage WireGuard interfaces and access conntrack statistics. This is a Linux-specific feature.
6. Start WireBuddy
View logs:
7. Access Web Interface
Open your browser to:
Default credentials:
- Username: admin
- Password: admin
Change Default Password
Immediately change the default password after first login via Settings → Users!
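The checks below are an added example, not part of WireBuddy or its documentation. They verify the persisted sysctl file from step 2 and the secret key from step 4 before the container is started. The function names and the 32-character minimum are assumptions, and the example assumes settings.env carries the same WIREBUDDY_SECRET_KEY variable shown in the Docker Run command.

```shell
# Added example: pre-start check for the settings this guide configures.
# MIN_KEY_LEN is an assumption, not a documented WireBuddy requirement.
MIN_KEY_LEN=32

# Print the last value assigned to KEY in a sysctl.d-style file ("key = value").
conf_value() {  # usage: conf_value FILE KEY
  awk -F= -v key="$2" '
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    { k = $1; gsub(/[ \t]/, "", k) }
    k == key { v = $2; gsub(/[ \t]/, "", v); val = v }
    END { print val }' "$1"
}

# Succeed only if IPv4/IPv6 forwarding and conntrack accounting are persisted as 1.
check_sysctl_conf() {  # usage: check_sysctl_conf FILE
  local key rc=0
  for key in net.ipv4.conf.all.forwarding net.ipv6.conf.all.forwarding \
             net.netfilter.nf_conntrack_acct; do
    if [ "$(conf_value "$1" "$key")" != "1" ]; then
      echo "MISSING: $key = 1 in $1" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Succeed only if WIREBUDDY_SECRET_KEY is set, is not the placeholder from the
# docker run command, and is at least MIN_KEY_LEN characters long.
check_secret_key() {  # usage: check_secret_key ENV_FILE
  local line key
  line=$(grep -E '^[[:space:]]*WIREBUDDY_SECRET_KEY=' "$1" | tail -n 1)
  key=${line#*=}
  key=${key%\"}; key=${key#\"}                  # strip optional surrounding quotes
  if [ -z "$key" ] || [ "$key" = "your_secret_key_here" ]; then
    echo "WEAK: WIREBUDDY_SECRET_KEY is unset or still the placeholder" >&2; return 1
  fi
  if [ "${#key}" -lt "$MIN_KEY_LEN" ]; then
    echo "WEAK: WIREBUDDY_SECRET_KEY is shorter than $MIN_KEY_LEN characters" >&2; return 1
  fi
}

# Run both checks when called as: script /etc/sysctl.d/99-wireguard.conf settings.env
if [ "$#" -eq 2 ]; then
  check_sysctl_conf "$1" && check_secret_key "$2" && echo "preflight OK"
fi
```

The script reads only the two files it is given, so it shows what will apply after a reboot rather than the live kernel values.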
Docker Run
For manual Docker container management:
```bash
# Quote the bind-mount source so a working directory containing spaces still works
docker run -d \
  --name wirebuddy \
  --network host \
  --cap-add NET_ADMIN \
  --security-opt no-new-privileges:true \
  -e WIREBUDDY_SECRET_KEY="your_secret_key_here" \
  -e LOG_LEVEL=INFO \
  -v "$(pwd)/data:/app/data" \
  --restart unless-stopped \
  giiibates/wirebuddy:latest
```
Local Development
For development or non-Docker deployments.
Prerequisites
- Python 3.13+ (recommended) or 3.11+
- pip and venv
- System dependencies:
  - WireGuard tools (wg, wg-quick)
  - Unbound DNS resolver
  - conntrack-tools (optional, for traffic analytics)
1. Install System Dependencies
2. Clone Repository
3. Create Virtual Environment
4. Install Python Dependencies
5. Configure Environment
Edit .env and set your WIREBUDDY_SECRET_KEY:
6. System Configuration
Apply the same sysctl settings as in the Docker installation:
```bash
sudo sysctl -w net.ipv4.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.netfilter.nf_conntrack_acct=1
```
7. Run WireBuddy
Or use uvicorn directly:
For production with multiple workers:
Post-Installation
After installation, proceed with:
- First Steps - Initial configuration
- Security Best Practices - Harden your installation
- Configuration - Advanced settings
Updating WireBuddy
To update to the latest version:
Data Persistence
Your configuration and data are stored in the data/ directory and persist across updates.
Reverse Proxy
For production use, place WireBuddy behind a reverse proxy with HTTPS.
```nginx
server {
    listen 443 ssl http2;
    server_name wirebuddy.example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Firewall Configuration
If you're running a firewall, you need to allow:
- Port 8000/tcp - Web interface (or your custom port)
- Port 51820/udp - WireGuard (default, adjust per interface)
- Port 53/udp - DNS (if using WireBuddy as DNS server)