A curated list of WireGuard tools, projects, and resources.
WireGuard® - fast, modern, secure VPN tunnel.
You can see the updates on Twitter (coming soon)
Please, help organize these resources so that they are easy to find and understand for newcomers. See how to Contribute for tips!
If you see a link here that is not (any longer) a good fit, you can fix it by submitting a pull request to improve this file. Thank you!
Status Badges
We use emoji to determine repository status.
🟢 active repos (last commit date is less than 3 months)
🟡 stale repos (last commit date is more than 6 months)
🔴 inactive repos (last commit date is more than 1 year)
⚫ repos that were superseded
🟦 repos that were code completed
❔ repos that weren't found (broken link)
Contents
- What is WireGuard
- Official Resources
- Where to Start
- Projects
- Tools
- Mesh Network
- Deployment
- Monitoring
- Security
- Protocol
- Encryption
- Runtime
- User Interface
- Development
- Development Environment
- Testing
- Boilerplate
- Homeserver
- Services based on WireGuard
- Extensions / Plugins
- Optimization
- Language Bindings
- Alternative Implementations
- Useful Resources
- Uncategorized
- Communities and Meetups
- English
- Chinese
What is WireGuard
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
Source: Official WireGuard project website
Official Resources
- Next Generation Kernel Network Tunnel [PDF] - Whitepaper.
- WireGuard Docs - Unofficial WireGuard documentation.
Where to Start
- Quick Start - Official quick start.
Projects
Tools
Mesh Network
Deployment
- WireHole - A combination of WireGuard, Pi-hole, and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities thanks to Pi-hole, and DNS caching, additional privacy options, and upstream providers via Unbound.
🔴
- Autowire - Automatically configures WireGuard interfaces in a distributed system. It supports Consul as a backend.
🔴
- Cloudblock - Deploys WireGuard VPN, Pi-Hole DNS Ad-blocking, and DNS over HTTPS in a cloud provider - or locally - using Terraform and Ansible.
🟢
- ansible-role-wireguard - Ansible role for installing WireGuard VPN. Supports Ubuntu, Debian, Archlinux, Fedora and CentOS.
🟢
- terraform-aws-wireguard - Terraform module to deploy WireGuard on AWS.
🔴
- Firezone - An open-source WireGuard-based VPN server alternative to OpenVPN Access Server. You can self-host this.
🟢
- Algo VPN - Set up a DIY/personal VPN in the cloud. It is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN, open-sourced by Trail of Bits.
🟢
- freifunkMUC/wg-access-server - An all-in-one WireGuard VPN solution with a Web UI for connecting devices. This project aims to deliver a simple VPN solution for developers, homelab enthusiasts and anyone else feeling adventurous.
🟢
- WirtBot - Think of it as a component that will allow you to extend your LAN over the Internet. WirtBot simplifies the process of creating your own private network into 3 steps. No registration, no accounts - Just a network that belongs to you. And it will always be completely free (except for the server/VPS you run it on).
🔴
- seashell/drago - A self-hosted and flexible configuration manager designed to make it simple to configure secure network overlays spanning heterogeneous nodes via a Web UI.
🔴
Container
Monitoring
- MindFlavor/prometheus_wireguard_exporter - A Prometheus exporter for WireGuard, very light on your server resources.
🔴
Security
Protocol
Encryption
Runtime
User Interface
Terminal / CLI
Web
Desktop
Dashboards
- Wireguard Dashboard - A simple and easy to use WireGuard dashboard written in Python and Flask.
🟢
Development
Development Environment
Testing
Boilerplate
Homeserver
Services based on WireGuard
Cloud Service
- Warp - A free WireGuard VPN from Cloudflare that's trying to fix mobile Internet performance and security.
- wgcf - Cross-platform, unofficial CLI for Cloudflare Warp.
🟢
VPN
Extensions / Plugins
- wgsd - A CoreDNS plugin that serves WireGuard peer information via DNS-SD (RFC6763) semantics. This enables use cases such as mesh networking, NAT-to-NAT connectivity, and dynamic discovery of WireGuard endpoints.
🟡
Optimization
- nr-wg-mtu-finder - A Python project to help you find the optimal MTU values for the WG server and WG peer that maximize the upload or download speeds between a peer and server.
🟡
Language Bindings
Alternative Implementations
Beside Jason Donenfeld's implementation of the WireGuard protocol, written in C and Go, other implementations include:
Useful Resources
Blog Posts
- WireGuard: great protocol, but skip the Mac app
- WireGuard on Kubernetes with Adblocking
- SSH and User-mode IP WireGuard
- Setup and Adblocking VPN Using WireGuard and NextDNS
- WireGuard Endpoint Discovery and NAT Traversal using DNS-SD
- Taildrop was kind of easy, actually - Taildrop was the main new feature launched in Tailscale v1.8.
- Using Tailscale for Authentication of Internal Tools
- IPv6 WireGuard Peering at Fly.io
- Our User-Mode WireGuard Year
- Tunnel WireGuard via WebSockets - Setting up WireGuard to work in restricted networks that block UDP traffic.
- Tailscale's human-scale networks are still controlled by Google and Microsoft
- How to access a peer's local network - A simple solution that needs no extra configuration to set up split tunneling. The example shows how Peer B can route to Peer A through a WG server, so that Peer B can reach a specific network (subnet) behind Peer A.
- Routing Specific Docker Containers Through WireGuard VPN with systemd-networkd - A simple solution for routing specific docker containers through a WireGuard VPN using only two simple systemd-networkd files, no cumbersome wg or ip calls.
- Decoding WireGuard with Wireshark - A simple guide on how to inspect WireGuard packets in Wireshark.
Articles
- In-kernel WireGuard is on its way to FreeBSD and the pfSense router
- It's Looking Like Android Could Be Embracing WireGuard - "A Sane VPN"
- Tailscale Raises $100 Million Series B to Fix the Internet with its Zero Trust VPN for Modern DevOps Teams
- Identity management for WireGuard
Demos and Examples
Good Tips
- WireGuard Gotchas with Multiple Tunnels - WG has a bit of a trap/gotcha when running multiple independent tunnels, one of which has a default route associated with it.
Tutorials
- How to easily configure WireGuard
- Getting Started with WireGuard
- What They Don’t Tell You About Setting Up A WireGuard VPN
- Building a simple VPN with WireGuard with a Raspberry Pi as Server
- Setting up a home VPN server with Wireguard (macOS)
- Creating a VPN Gateway with a Unikernel running WireGuard
- Directions for setting up a WireGuard bounce server
I find plenty of tutorials online for setting up the most basic Wireguard apparatus. Like most peoples', my machines are stuck behind NATs. To connect between NATted hosts, you need control of a host that is not, to keep up on what external addresses the NATs are presenting. The docs for WireGuard mention bounce servers, but say nothing about how to set one up.
- WireGuard VPN Road Warrior Setup - The important feature of this setup is split tunnelling.
Either all traffic (default route) or only the traffic desired for the internal network can be routed through the VPN (split tunneling). This can be configured on the client.
- Routing Docker Host And Container Traffic Through WireGuard using WireGuard Docker image by linuxserver.io
- WireGuard setup with Ansible - A basic Ansible playbook for deploying a WireGuard server and (local) client.
- Fly-Tailscale-Exit - Run your own VPN with global exit nodes with Fly.io, Tailscale and Github.
Videos
- WireGuard: Next Generation Abuse-Resistant Kernel Network Tunnel - A good talk from the WireGuard developer and security researcher, Jason Donenfeld, explaining what WireGuard can do and how it works. The talk examines both the cryptography and kernel implementation particulars of WireGuard and explores an offensive attack perspective on network tunnels.
- How To Build Your Own Wireguard VPN Server in The Cloud - A good tutorial from Lawrence Systems regarding WireGuard.
Books
Podcasts and Interviews
Presentations
- Presentations by Jason A. Donenfeld - A list of all Jason's presentations.
Newsletters
Uncategorized
- WebVM: Linux Virtualization in WebAssembly with Full Networking via Tailscale - Run WireGuard and Tailscale in the browser. wireguard-go code compiled to Wasm. WebVM is proprietary WebAssembly-powered x86 virtualization tech. I'm genuinely curious how it compares to v86/Fabrice Bellard's JSLinux (like WebVM but free and open-source).
Communities and Meetups
English
- /r/WireGuard - Official Reddit WireGuard.
- #wireguard on Libera - Official IRC on Libera Chat.
Chinese
Contribute
Contributions welcome! If you would like to contribute, please read the contribution guidelines first. It contains a lot of tips and guidelines to help keep things organized.
Future: Implement GitHub Actions to monitor and verify all the links with a simple Node.js script
Copyright
"WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.
License
This repository contains a variety of content; some developed by Cedric Chee, and some from third-parties. The third-party content is distributed under the license provided by those parties.
I am providing code and resources in this repository to you under an open source license. Because this is my personal repository, the license you receive to my code and resources is from me and not my employer.
The content developed by Cedric Chee is distributed under the following license:
Text
The text content is released under the CC-BY-NC-ND license. Read more at Creative Commons.
Code
The code in this repository is released under the MIT license.
