Home Blog WireGuard Dashboard
Networking · 9 min read

WireGuard Dashboard:
A Professional Web UI for Your VPN Server

Managing WireGuard by hand means editing config files, running wg commands, and manually generating QR codes for every new peer. WireGuard Dashboard changes that - it wraps your WireGuard server in a polished, feature-rich web interface that makes peer management, traffic monitoring, and client provisioning genuinely pleasant. Here's what it offers and how to get it running with Docker Compose.

The Problem with Raw WireGuard Management

WireGuard itself is intentionally minimal. The kernel module handles the cryptography and packet routing; everything else is up to you. Adding a new peer means manually editing /etc/wireguard/wg0.conf, generating a key pair, computing an AllowedIPs range, reloading the interface with wg syncconf, and then generating a client config file or QR code by hand. Revoking a peer is another round of manual edits.

On a personal server with two or three peers this is manageable. Once you're provisioning VPN access for a team, distributing configs to mobile devices, or running multiple WireGuard interfaces, the manual approach becomes painful and error-prone.

WireGuard Dashboard solves this without introducing complexity. It sits alongside your WireGuard installation, reads and writes the standard .conf files, and exposes everything through a clean browser-based UI. No proprietary formats, no lock-in.

What WireGuard Dashboard Offers

Multi-Interface Management

Manage multiple WireGuard interfaces from a single UI. Switch between wg0, wg1, and more without leaving the dashboard.

Peer Management

Add, edit, delete, and disable peers through a form-based interface. No config file editing required.

Traffic Statistics

Per-peer bandwidth graphs - sent, received, and latest handshake time - updated in real time.

QR Code Provisioning

Generate a scannable QR code for any peer with one click, ready to import into the WireGuard mobile app.

Config File Download

Download the .conf file for any peer directly from the dashboard - no need to SSH into the server.

AmneziaWG Support

Supports AmneziaWG alongside standard WireGuard - useful for bypassing deep packet inspection in restrictive networks.

Prerequisites

You need a Linux server with:

  • Docker and Docker Compose installed
  • The WireGuard kernel module available - on modern Linux kernels (5.6+) it's built in. On older systems: apt install wireguard-dkms
  • UDP ports open in your firewall for the WireGuard interfaces (default: 51820)
  • Root or sudo access (required for NET_ADMIN capability)
ℹ️
Kernel module check. Verify WireGuard is available before starting: modinfo wireguard. If it returns module info, you're good. If not, install wireguard-dkms for your distribution.

Installation with Docker Compose

Step 1 - Create the Directory Structure

Create a working directory for the stack and the three volume directories WireGuard Dashboard expects:

mkdir -p /opt/wgdashboard/{conf,aconf,data}
cd /opt/wgdashboard
  • conf/ - standard WireGuard interface configs (wg0.conf, etc.)
  • aconf/ - AmneziaWG interface configs (leave empty if you don't use AmneziaWG)
  • data/ - WireGuard Dashboard application data (SQLite database, settings)

Step 2 - docker-compose.yml

Create /opt/wgdashboard/docker-compose.yml:

services:
  wgdashboard:
    image: ghcr.io/wgdashboard/wgdashboard
    restart: unless-stopped
    container_name: wgdashboard
    ports:
      - 10086:10086/tcp      # Web dashboard
      - 51820-51830:51820-51830/udp  # WireGuard interfaces
    volumes:
      - ./aconf:/etc/amnezia/amneziawg  # AmneziaWG configs
      - ./conf:/etc/wireguard           # WireGuard configs
      - ./data:/data                    # Dashboard data
    cap_add:
      - NET_ADMIN

A few things worth noting about this configuration:

  • Port 10086 is the web dashboard. You can change the host-side port (left of the colon) to anything you like.
  • Ports 51820–51830 maps a range of UDP ports, allowing you to run up to eleven WireGuard interfaces simultaneously. If you only need one, you can narrow this to 51820:51820/udp.
  • NET_ADMIN is required so the container can create and configure WireGuard network interfaces inside its namespace.
  • The volumes map to standard WireGuard config paths inside the container, so existing .conf files are picked up automatically.

Step 3 - Start the Stack

sudo docker compose up -d

# Watch startup logs
sudo docker compose logs -f wgdashboard

The container typically starts in a few seconds. Once the logs show the dashboard is listening, navigate to http://your-server-ip:10086 in your browser.

Step 4 - First Login

On first launch, WireGuard Dashboard prompts you to set an admin password. Choose a strong one - the dashboard has direct control over your VPN server. After setting the password you're dropped into the main interface.

⚠️
Don't expose port 10086 publicly. The dashboard has no rate limiting or brute-force protection out of the box. Put it behind a firewall rule and access it via SSH tunnel, or proxy it through Nginx with authentication. See the security section below.

Creating Your First WireGuard Interface

If you don't have an existing wg0.conf, WireGuard Dashboard can create one for you. From the dashboard home screen, click New Interface and fill in:

  • Interface name - e.g. wg0
  • Listen port - 51820 (or any port in the mapped range)
  • IP address - the server's VPN IP in CIDR notation, e.g. 10.0.0.1/24
  • DNS - optional, pushed to clients (e.g. 1.1.1.1 or your internal resolver)

WireGuard Dashboard generates the server key pair, writes wg0.conf to the conf/ volume, and brings the interface up automatically.

Adding and Managing Peers

Select your interface from the sidebar, then click Add Peer. The form lets you set:

  • Peer name - a friendly label (stored in the dashboard, not the WireGuard config)
  • Allowed IPs - the VPN IP assigned to this peer, e.g. 10.0.0.2/32
  • Endpoint - optional, only needed for site-to-site configurations
  • DNS - optional override for this specific peer
  • Persistent keepalive - set to 25 for peers behind NAT

The dashboard generates the peer key pair server-side and immediately shows a QR code and a downloadable .conf file. On a mobile device, open the WireGuard app, tap the + button, and scan the QR code - the tunnel is configured in seconds.

# You can also inspect the generated config directly on the server
cat /opt/wgdashboard/conf/wg0.conf

All standard WireGuard [Peer] blocks are written to the interface config, so the setup is fully compatible with the wg CLI and any other WireGuard tooling.

Traffic Monitoring

The peer list shows live transfer statistics - bytes sent and received per peer - pulled directly from wg show output. The Latest Handshake column tells you at a glance whether a peer is actively connected: WireGuard initiates a new handshake every 3 minutes when traffic is flowing, so a recent timestamp means the peer is online.

You can also temporarily disable a peer without deleting it - useful for suspending access without losing the peer's configuration. Disabled peers are removed from the active WireGuard interface but kept in the dashboard database, ready to be re-enabled with one click.

AmneziaWG Support

The Docker image ships with support for AmneziaWG - a WireGuard fork developed to defeat deep packet inspection. Standard WireGuard has a recognisable handshake pattern that some censorship systems can fingerprint and block. AmneziaWG obscures this by randomising packet sizes and adding junk data to the handshake, making it indistinguishable from random encrypted traffic.

If you're operating in a restrictive network environment, the aconf/ volume stores AmneziaWG interface configs separately from standard WireGuard configs. The dashboard manages both from the same UI - select the interface type when creating a new interface.

ℹ️
AmneziaWG clients. Peers connecting to an AmneziaWG interface need the AmneziaWG client app, not the standard WireGuard app. The dashboard generates the appropriate QR codes and config files automatically.

Securing the Dashboard

Port 10086 should never be directly exposed to the internet. Two practical approaches:

Option A - SSH Port Forwarding

Access the dashboard exclusively over SSH. Add this to your ~/.ssh/config on your local machine:

Host myvpnserver
  HostName your-server-ip
  User youruser
  LocalForward 10086 127.0.0.1:10086

Connect with ssh myvpnserver, then open http://localhost:10086 in your browser. The dashboard is never reachable without an active SSH session.

Option B - Nginx Reverse Proxy with Basic Auth

If you want browser access without an SSH tunnel, proxy the dashboard through Nginx with HTTP Basic Authentication and restrict access by IP:

server {
    listen 443 ssl;
    server_name wgdash.example.com;

    # ... SSL config ...

    location / {
        allow 203.0.113.0/24;   # Your office/home IP range
        deny all;

        auth_basic "WireGuard Dashboard";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://127.0.0.1:10086;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Keeping the Dashboard Updated

WireGuard Dashboard is actively developed. To update to the latest image:

cd /opt/wgdashboard
sudo docker compose pull
sudo docker compose up -d

The conf/, aconf/, and data/ directories are persisted in volumes, so your interfaces, peers, and settings survive the update.

WireGuard Dashboard vs the Alternatives

Several other projects offer web UIs for WireGuard - Wg-Easy, Wireguard-UI, and Netbird are the most commonly mentioned. WireGuard Dashboard stands out for a few reasons:

  • Multi-interface support - most alternatives manage a single interface. WireGuard Dashboard handles up to eleven simultaneously.
  • AmneziaWG integration - unique to this project among the popular open-source options.
  • Standard config files - reads and writes plain .conf files, so you're never locked into the dashboard. Drop it and your WireGuard setup continues working normally.
  • Active development - the project has seen consistent maintenance and feature additions, unlike some alternatives that have gone quiet.
Pair it with Pangolin. If you need to expose services through WireGuard tunnels without opening inbound ports, WireGuard Dashboard manages the VPN server while Pangolin handles the tunnelling and reverse proxy layer. The two complement each other well in a self-hosted stack.

Summary

WireGuard Dashboard turns a powerful but administratively bare VPN protocol into something you can actually hand off to a team member or revisit six months later without re-reading the manpage. The Docker Compose setup is minimal, the volume layout is clean, and the interface is genuinely well-designed.

If you're running WireGuard in production and managing more than two or three peers, WireGuard Dashboard is the most practical upgrade you can make to your setup.

Related Articles

Networking

WireGuard VPN on Linux: Server and Client Setup from Scratch

Read article → Networking

Pangolin vs Cloudflare Tunnel: Self-Hosted Tunnelling on Your Own Terms

Read article → Security

Linux Server Hardening: A Practical 20-Step Checklist

Read article →
Services Technologies Process Blog Get in Touch