• Added cluster mode support. It is now possible to run multiple instances with a shared database. Synchronization is handled by the fanout module, which can be configured in the core fanout section

core:
 ...
 manage_dns: false
 ignore_main_default_route: true
 delete_expired_peers: true
 default_user_ttl: 2 # days

  fanout:
    enabled: true
    self_url: "{{ external_url }}"
    peers:
      - ...
      - ...
    auth_header: "Authorization"
    auth_value: "Basic ..."
    timeout: 2s
    debounce: 300ms
    origin: ""
    kick_on_start: true
    topics: ["peers.updated", "peer.save", "peer.delete", "interface.save", "interface.updated"]

Tested with MySQL.

• Added the manage_dns option. When set to true, this option disables the management of resolv.conf on the host and within the WireGuard container.

• Added the ignore_main_default_route option. This option disables the management of the main route table.

• Added the delete_expired_peers option. This enables the automatic deletion of peers once their status changes to expired.

• Added the default_user_ttl option. This sets a default Time-To-Live (TTL) in days for peers that are provisioned via the v1 API.

WireGuard Portal is a simple, web-based configuration portal for WireGuard server management. The portal uses the WireGuard wgctrl library to manage existing VPN interfaces. This allows for the seamless activation or deactivation of new users without disturbing existing VPN connections.

The configuration portal supports using a database (SQLite, MySQL, MsSQL, or Postgres), OAuth or LDAP (Active Directory or OpenLDAP) as a user source for authentication and profile data.

• Self-hosted - the whole application is a single binary
• Responsive multi-language web UI written in Vue.js
• Automatically selects IP from the network pool assigned to the client
• QR-Code for convenient mobile client configuration
• Sends email to the client with QR-code and client config
• Enable / Disable clients seamlessly
• Generation of wg-quick configuration file (wgX.conf) if required
• User authentication (database, OAuth, or LDAP), Passkey support
• IPv6 ready
• Docker ready
• Can be used with existing WireGuard setups
• Support for multiple WireGuard interfaces
• Supports multiple WireGuard backends (wgctrl or MikroTik [BETA])
• Peer Expiry Feature
• Handles route and DNS settings like wg-quick does
• Exposes Prometheus metrics for monitoring and alerting
• REST API for management and client deployment
• Webhook for custom actions on peer, interface, or user updates

For the complete documentation visit wgportal.org.

• Automatic generation or application of any iptables or nftables rules.
• Support for operating systems other than linux.
• Automatic import of private keys of an existing WireGuard setup.

• wgctrl-go and netlink for interface handling
• Bootstrap, for the HTML templates
• Vue.js, for the frontend

• MIT License. MIT or https://opensource.org/licenses/MIT