No-brainer, dumb simple HTTP(S) REST API for WireGuard.

• 0 (zero) external code dependencies
• requires wg tools and (unless ephemeral enable) wg-quick
• Focuses on linux
• Single binary
• TLS (optional) and access key (optional) protection

Note: currently it doesn't create a new WireGuard interface if it doesn't exist.

• Linux system with WireGuard support
• wg command-line tools installed
• wg-quick (unless running in ephemeral mode)
• Go 1.21+ (for building from source)

• Download the latest release from Releases
• Unpack the archive
• Move the binary to your $PATH

git clone <repository-url>
cd wg-hub
go build -o wg-hub main.go

Make sure your WireGuard interface is up and configured:

# Create and configure your WireGuard interface
sudo wg-quick up wg0

# Run wg-hub
sudo ./wg-hub -interface wg0

Note: Root privileges are typically required to modify WireGuard configurations.

Supports command flags and environment variables.

wg-hub [options]

• -bind - Binding address (default: :8080) [$WG_HUB_HTTP_BIND]
• -access-token - Protect HTTP requests with Authorization header [$WG_HUB_TTP_ACCESS_TOKEN]
• -interface - WireGuard interface name (default: wg0) [$WG_HUB_INTERFACE]
• -tls-enabled - Enable HTTPS (default: false) [$WG_HUB_TLS_ENABLED]
• -tls-cert - TLS certificate file path [$WG_HUB_TLS_CERT]
• -tls-key - TLS private key file path [$WG_HUB_TLS_KEY]
• -ephemeral - Do not save config on changes, eliminates wg-quick dependency (default: false) [$WG_HUB_EPHEMERAL]

# Basic usage
wg-hub

# With custom port and interface
wg-hub -bind :9090 -interface wg1

# With TLS enabled
wg-hub -tls-enabled -tls-cert /path/to/cert.pem -tls-key /path/to/key.pem

# With access token protection
wg-hub -access-token "your-secret-token"

# Ephemeral mode (no config persistence)
wg-hub -ephemeral

# Using environment variables
WG_HUB_HTTP_BIND=:9090 WG_HUB_INTERFACE=wg1 wg-hub

It's literally just few endpoints.

Get current WireGuard network information including all peers.

Response:

{
  "interface": "wg0",
  "listen_port": 51831,
  "public_key": "base64-encoded-public-key",
  "fw_mark": "off",
  "peers": [
    {
      "public_key": "base64-encoded-public-key",
      "endpoint": "ip:port",
      "allowed_ips": [
        "10.0.0.2/32"
      ],
      "latest_handshake": "2023-01-01T12:00:00Z",
      "transfer_rx": 1024,
      "transfer_tx": 2048
    }
  ]
}

Create a new WireGuard peer.

Request body:

{
  "allowed_ips": [
    "10.0.0.2/32"
  ],
  "endpoint": "192.168.1.100:51820",
  "keepalive": 25,
  "keys": {
    "private_key": "base64-encoded-private-key",
    "public_key": "base64-encoded-public-key"
  }
}

Required fields:

• allowed_ips - Array of CIDR blocks this peer is allowed to use

Optional fields:

• endpoint - Peer's endpoint address
• keepalive - Keep-alive interval in seconds
• keys - Key pair (if not provided, will be auto-generated)

Response: Returns the created peer configuration including generated keys (if any).

Update an existing peer configuration.

URL Parameters:

• peer - Base64-encoded public key of the peer

Request body:

{
  "allowed_ips": [
    "10.0.0.2/32"
  ],
  "endpoint": "192.168.1.100:51820",
  "keepalive": 25
}

Response: 204 No Content

Remove a peer from the WireGuard configuration.

URL Parameters:

• peer - Base64-encoded public key of the peer

Response: 204 No Content

If an access token is configured, include it in the Authorization header:

Authorization: your-access-token

# Get network info
curl http://localhost:8080/

# Create a new peer
curl -X POST http://localhost:8080/peers \
  -H "Content-Type: application/json" \
  -d '{"allowed_ips": ["10.0.0.2/32"]}'

# Update a peer
curl -X POST http://localhost:8080/peers/C8F+FKk3hgR0z0lWOjbPcJ9skNNmEqjukAOqekiHmkM= \
  -H "Content-Type: application/json" \
  -d '{"allowed_ips": ["10.0.0.2/32"], "endpoint": "192.168.1.100:51820"}'

# Delete a peer
curl -X DELETE http://localhost:8080/peers/C8F+FKk3hgR0z0lWOjbPcJ9skNNmEqjukAOqekiHmkM=