Configuration ¶
You can configure wg-access-server using environment variables, cli flags or a config file taking precedence over one another in that order.
The default configuration should work out of the box if you're just looking to try it out.
The only required configuration is a wireguard private key. You can generate a wireguard private key by following the official docs.
TLDR:
wg genkey
The config file format is yaml
and an example is provided below.
The format for specifying multiple values for options that allow it is:
* as commandline flags:
* repeat the flag (e.g. --dns-upstream 2001:db8::1 --dns-upstream 192.0.2.1
)
* separate the values with a comma (e.g. --dns-upstream 2001:db8::1,192.0.2.1
)
* as environment variables:
* separate with a comma (e.g. WG_DNS_UPSTREAM="2001:db8::1,192.0.2.1"
)
* separate with a new line char (e.g. WG_DNS_UPSTREAM=$'2001:db8::1\n192.0.2.1'
)
* in the config file as YAML list.
Here's what you can configure:
Environment Variable | CLI Flag | Config File Path | Required | Default (docker) | Description |
---|---|---|---|---|---|
WG_CONFIG |
--config |
The path to a wg-access-server config.yaml file | |||
WG_LOG_LEVEL |
--log-level |
loglevel |
info |
The global log level | |
WG_ADMIN_USERNAME |
--admin-username |
adminUsername |
admin |
The admin account username | |
WG_ADMIN_PASSWORD |
--admin-password |
adminPassword |
Yes | The admin account password | |
WG_PORT |
--port |
port |
8000 |
The port the web ui will listen on (http) | |
WG_EXTERNAL_HOST |
--external-host |
externalHost |
The external domain for the server (e.g. www.mydomain.com) | ||
WG_STORAGE |
--storage |
storage |
sqlite3:///data/db.sqlite3 |
A storage backend connection string. See storage docs | |
WG_DISABLE_METADATA |
--disable-metadata |
disableMetadata |
false |
Turn off collection of device metadata logging. Includes last handshake time and RX/TX bytes only. | |
WG_ENABLE_INACTIVE_DEVICE_DELETION |
--enable-inactive-device-deletion |
enableInactiveDeviceDeletion |
false |
Enable/Disable the automatic deletion of inactive devices. | |
WG_INACTIVE_DEVICE_GRACE_PERIOD |
--inactive-device-grace-period |
inactiveDeviceGracePeriod |
8760h (1 Year) |
The duration after which inactive devices are automatically deleted, if automatic deletion is enabled. A device is inactive if it has not been connected to the server for longer than the inactive device grace period. The duration format is the go duration string format | |
WG_FILENAME |
--filename |
filename |
WireGuard |
Change the name of the configuration file the user can download (Do not include the '.conf' extension ) | |
WG_WIREGUARD_ENABLED |
--[no-]wireguard-enabled |
wireguard.enabled |
true |
Enable/disable the wireguard server. Useful for development on non-linux machines. | |
WG_WIREGUARD_INTERFACE |
--wireguard-interface |
wireguard.interface |
wg0 |
The wireguard network interface name | |
WG_WIREGUARD_PRIVATE_KEY |
--wireguard-private-key |
wireguard.privateKey |
Yes | The wireguard private key. This value is required and must be stable. If this value changes all devices must re-register. | |
WG_WIREGUARD_PORT |
--wireguard-port |
wireguard.port |
51820 |
The wireguard server port (udp) | |
WG_WIREGUARD_MTU |
--wireguard-mtu |
wireguard.mtu |
1420 |
The maximum transmission unit (MTU) to be used on the server-side interface. | |
WG_VPN_CIDR |
--vpn-cidr |
vpn.cidr |
10.44.0.0/24 |
The VPN IPv4 network range. VPN clients will be assigned IP addresses in this range. Set to 0 to disable IPv4. |
|
WG_IPV4_NAT_ENABLED |
--vpn-nat44-enabled |
vpn.nat44 |
true |
Disables NAT for IPv4 | |
WG_IPV6_NAT_ENABLED |
--vpn-nat66-enabled |
vpn.nat66 |
true |
Disables NAT for IPv6 | |
WG_VPN_CLIENT_ISOLATION |
--vpn-client-isolation |
vpn.clientIsolation |
false |
BLock or allow traffic between client devices (client isolation) | |
WG_VPN_CIDRV6 |
--vpn-cidrv6 |
vpn.cidrv6 |
fd48:4c4:7aa9::/64 |
The VPN IPv6 network range. VPN clients will be assigned IP addresses in this range. Set to 0 to disable IPv6. |
|
WG_VPN_GATEWAY_INTERFACE |
--vpn-gateway-interface |
vpn.gatewayInterface |
default gateway interface (e.g. eth0) | The VPN gateway interface. VPN client traffic will be forwarded to this interface. | |
WG_VPN_ALLOWED_IPS |
--vpn-allowed-ips |
vpn.allowedIPs |
0.0.0.0/0, ::/0 |
Allowed IPs that clients may route through this VPN. This will be set in the client's WireGuard connection file and routing is also enforced by the server using iptables. | |
WG_DNS_ENABLED |
--[no-]dns-enabled |
dns.enabled |
true |
Enable/disable the embedded DNS proxy server. This is enabled by default and allows VPN clients to avoid DNS leaks by sending all DNS requests to wg-access-server itself. | |
WG_DNS_UPSTREAM |
--dns-upstream |
dns.upstream |
resolvconf autodetection or Cloudflare DNS | The upstream DNS servers to proxy DNS requests to. By default the host machine's resolveconf configuration is used to find its upstream DNS server, with a fallback to Cloudflare. | |
WG_DNS_DOMAIN |
--dns-domain |
dns.domain |
A domain to serve configured devices authoritatively. Queries for names in the format |
||
WG_CLIENTCONFIG_DNS_SERVERS |
--clientconfig-dns-servers |
clientConfig.dnsServers |
DNS servers (one or more IP addresses) to write into the client configuration file. Are used instead of the servers DNS settings, if set. | ||
WG_CLIENTCONFIG_DNS_SEARCH_DOMAIN |
--clientconfig-dns-search-domain |
clientConfig.dnsSearchDomain |
DNS search domain to write into the client configuration file. | ||
WG_CLIENTCONFIG_MTU |
--clientconfig-mtu |
clientConfig.mtu |
The maximum transmission unit (MTU) to write into the client configuration file. If left empty, a sensible default is used. |
The Config File (config.yaml) ¶
Here's an example config file to get started with.
loglevel: info
storage: sqlite3:///data/db.sqlite3
wireguard:
privateKey: "<some-key>"
dns:
upstream:
- "2001:4860:4860::8888"
- "8.8.8.8"