Skip to main content

Wireguard

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography

Initial Setup

First, you must connect to your slot via ssh. If you need help connecting to the server, please read the help article here.

Installing WireGuard is easy. Simply issue the following command:

box install wireguard

New Interactive Installer

The installer will guide you through a brief setup process:

  1. Client Count: First, you'll be asked how many client connections you want to generate (1-5). You can just press Enter to accept the default of 1.
  2. Port Forwarding: Next, for each client connection, the script will ask: Assign a random forwarded TCP port for client [number]? (y/n).
    • This is highly recommended if you plan to run any services that need to be accessed from the internet, such as a game server, a media server (like Plex or Jellyfin), or a web UI (like qBittorrent).
    • If you answer y (yes), the script will automatically assign a unique, random TCP port between 40000-42000 and configure it to forward to that specific client.
    • If you answer n (no), that client will just have a standard VPN connection with no port forwarding.

Once finished, the installer will not output the config to the screen. Instead, it will create your new configuration files in the ~/.wireguard/ directory.

The files will be named using your username and the client number, like this:

  • myuser_1.conf
  • myuser_2.conf
  • ...and so on.

A summary of your port assignments is saved in ~/.wireguard/port_forwarding_info.txt.

Understanding Port Forwarding

This feature makes your services running on your client device (e.g., your home PC) accessible to the internet through your server's IP.

How It Works

When you enable port forwarding, the script assigns you a random external port (e.g., 40123). It then creates a rule on the server to forward all traffic from [Your_Server_IP]:40123 to your WireGuard client's internal IP.

Crucially, the external and internal ports are the same.

  • External Port (Public): 40123
  • Internal Port (Client): 40123

This means the application on your device (qBittorrent, Plex, etc.) must be configured to listen on that exact port (e.g., 40123) for the forwarding to work.

How to Find Your Assigned Ports

If you forget which ports were assigned, you can find them at any time. SSH into your server and run this command:

cat ~/.wireguard/port_forwarding_info.txt

You will see an output similar to this:

--- WireGuard Port Forwarding ---
This file lists the ports assigned to your clients.

Client 1 (myuser_1.conf) -> 40123 (tcp)
Client 2 (myuser_2.conf) -> 41567 (tcp)
Client 3 (myuser_3.conf) -> No port forwarded

How to Access

Client Install

In order to use the WireGuard tunnel, you'll need to install the client on your local computer or mobile phone. In order to get started, please check the WireGuard site for help on installing WireGuard on the operating system of your choice.

note

If you prefer, an alternate client called TunSafe exists and is already a bit more mature than the official WireGuard client for Windows. While the client itself is open-source and developed by a community member with prior credibility, it bears mentioning that using this client is 100% at your own risk as it is not developed or maintained by the Wireguard team. You have been warned.

Client Setup

WireGuard is available on many platforms. Setting it up should be fairly straight-forward.

Linux / OS X

  1. First, you need to get the contents of your client configuration file. For your first client, run:

    cat ~/.wireguard/$(whoami)_1.conf

  2. Copy the output, and then create a new config file on your local machine. You can name it anything, but wg-client-1.conf is a good choice.

    sudo nano /etc/wireguard/wg-client-1.conf

  3. Paste the configuration into the file, save, and exit.

  4. Set the correct permissions and bring the tunnel up:

    sudo chmod 600 /etc/wireguard/wg-client-1.conf
    sudo wg-quick up wg-client-1

  5. WireGuard should now be up and tunnelling all your traffic.

  6. Check your IP Address. It should now reflect your shared or dedicated IP for your slot.

  7. On Linux systems, you can configure a systemd service to automatically run this on boot:

    sudo systemctl enable wg-quick@wg-client-1

Windows

  1. First, connect via SSH and get the contents of your client configuration file. For your first client, run:

    cat ~/.wireguard/$(whoami)_1.conf

  2. Copy-paste the output from your terminal into a new file on your local desktop, (e.g., client_1.conf).

  3. Open the WireGuard (or TunSafe) client, and click "Import tunnel(s) from file". Select the client_1.conf file you just created.

  4. Activate the tunnel.

  5. Check your IP Address. It should now reflect your shared or dedicated IP for your slot.

Android & iOS (QR Code)

Configuration is easiest using the QR Code option.

  1. Connect to your server from a computer and issue the following command to generate a QR code for client 1:

    u=$(whoami)
    qrencode -t ansiutf8 < ~/.wireguard/${u}_1.conf
    tip

    To generate a code for your second client, just change _1.conf to _2.conf.

  2. In your client app on your phone, add a new tunnel and choose the "Create from QR code" option.

  3. Scan the QR code that was generated in your terminal.

  4. Give the tunnel a name and enable it by tapping the switch.

  5. Check your IP Address.

Service Management

Like all box configured applications, you can manage Wireguard via SSH with box with start, stop, restart, enable and disable commands.

box start wireguard