WG-Easy: Self-Hosted WireGuard VPN with Web UI for Easy Client Management

Why WG-Easy?

Setting up WireGuard manually means editing config files, generating key pairs, and managing peer lists by hand. WG-Easy wraps it all in a clean web UI:

One-click client creation — No SSH needed.
QR codes — Scan with your phone to connect instantly.
Enable/disable clients — Toggle access without deleting configs.
Traffic stats — See data transferred per client.
Docker deployment — One container, done.

Prerequisites

A server with a public IP (VPS, cloud, or home with port forwarding).
Docker installed.
UDP port 51820 open on your firewall/router.

Step 1: Deploy with Docker

docker run -d \
  --name wg-easy \
  --restart=always \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e WG_HOST=vpn.example.com \
  -e PASSWORD=your-admin-password \
  -e WG_DEFAULT_DNS=1.1.1.1,8.8.8.8 \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  ghcr.io/wg-easy/wg-easy

Admin panel: http://your-server:51821

Step 2: Key Environment Variables

Variable	Purpose
`WG_HOST`	Your server’s public IP or domain
`PASSWORD`	Admin panel password
`WG_DEFAULT_DNS`	DNS servers for VPN clients
`WG_ALLOWED_IPS`	Networks clients can access (default: `0.0.0.0/0` = all traffic)
`WG_DEFAULT_ADDRESS`	VPN subnet (default: `10.8.0.x`)
`WG_PERSISTENT_KEEPALIVE`	Keep-alive interval for NAT traversal (default: 25s)

Step 3: Create Clients

Open http://your-server:51821.
Click “New Client”.
Name it (e.g., “iPhone”, “Laptop”, “Office”).
Download the .conf file or scan the QR code.
Import into the WireGuard app on your device.

WireGuard vs OpenVPN vs Tailscale

Feature	WireGuard (WG-Easy)	OpenVPN	Tailscale
Speed	Very Fast (kernel-level)	Fast (user-space)	Fast (WireGuard-based)
Setup	Simple (Docker + UI)	Complex (PKI, configs)	Easiest (zero-config)
Self-hosted	Yes	Yes	Partial (coordination server)
Protocol	UDP only	UDP + TCP	WireGuard
Codebase	4,000 lines	100,000+ lines	Proprietary
Cost	Free	Free	Free tier / paid
Best for	Full control	Legacy/strict firewalls	Zero-config mesh

Troubleshooting

Problem	Solution
Client connects but no internet	Set `WG_ALLOWED_IPS=0.0.0.0/0`; verify server has IP forwarding: `sysctl net.ipv4.ip_forward=1`
Connection timeout	Verify UDP 51820 is forwarded; check `WG_HOST` matches your public IP
Can’t access LAN devices	Add your LAN subnet to `WG_ALLOWED_IPS` (e.g., `192.168.1.0/24,0.0.0.0/0`)
Admin panel not loading	Verify TCP port 51821 is accessible; check container logs
QR code not scanning	Ensure your phone camera can focus; try downloading the .conf file instead

Summary

WireGuard VPN with a web UI — no config files needed.
One-click clients with QR codes for mobile.
Docker container — deploys in 2 minutes.
Enable/disable clients and view traffic stats from the browser.

Frequently Asked Questions

What is WG-Easy and why use it?

WG-Easy is a Docker container that bundles WireGuard VPN with a beautiful web interface. WireGuard itself is a fast, modern VPN protocol built into the Linux kernel, but its configuration is manual (editing text files, generating keys). WG-Easy adds a web UI where you create clients with one click, download QR codes for mobile, and enable/disable tunnels without SSH.

How does WireGuard compare to OpenVPN?

WireGuard is significantly faster (uses kernel-level networking), has a smaller codebase (4,000 lines vs 100,000+), establishes connections in milliseconds, uses modern cryptography (ChaCha20, Curve25519), and is easier to audit. OpenVPN is more mature and supports TCP (useful behind restrictive firewalls).

Can I access my home network remotely with WG-Easy?

Yes. Configure WG-Easy on your home server, forward the WireGuard UDP port (default 51820) on your router, and connect from anywhere. You can access all devices on your home LAN as if you were physically there.

How many clients can I connect?

WireGuard has no built-in limit. WG-Easy manages clients via the web UI. Practically, a small VPS can handle 50+ concurrent clients. Performance depends on server bandwidth and CPU.