Self-hosted VPN management
and Zero Trust access control.
WireGuard instances, peer management, firewall, DNS, and secure app publishing β all running on your infrastructure.
Free and open source. Nothing leaves your server.
More than a VPN panel.
A complete network management stack β from WireGuard peer control to Zero Trust application gateway.
Manage
- Multiple WireGuard instances
- Peer management with traffic graphs
- Firewall rules & port forwarding
- DNS resolver with blacklists
- VPN invite links with QR code
Protect
- Zero Trust application gateway
- TOTP two-factor authentication
- Altcha proof-of-work anti-brute-force
- IP ACL per application
- OIDC coming soon
Automate
- Scheduled peer enable/disable
- Routing templates
- Invite links with expiry
- API v2 for automation
- Multi-user with role permissions
Publish internal apps securely β without opening them to the world.
The built-in application gateway lets you expose services like Grafana, Proxmox, or any internal web app with proper authentication in front, without punching holes in your firewall or relying on a third-party tunnel.
Every request passes through the gatekeeper: TOTP, local credentials, IP ACL, and browser validation with proof-of-work (Altcha) to stop automated attacks.
Learn more β
Full visibility into every peer.
Each peer gets a dedicated detail view: real-time connection status, cumulative traffic, time-series bandwidth graphs, last handshake, and the QR code for instant re-provisioning.
Traffic history is stored per peer so you can audit usage over time β not just since the last restart.
Time-based peer access control.
Define schedules for each VPN peer. Access is automatically enabled and disabled based on the time window you configure β no manual intervention needed.
Useful for contractors, temporary access, shift-based policies, or anything where access should be bounded in time without relying on humans to remember to revoke it.
Built for how sysadmins actually work.
Every feature is a screen away. No buried menus, no wizard flows.
Per-instance iptables rules, port forwarding, and outbound ACLs β managed from the UI.
Built-in resolver with category-based blacklists: ads, malware, tracking, adult content.
Generate a shareable link with QR code and config file. The user scans or imports it directly into their WireGuard client.
Define allowed IPs and routing policies once, reuse across dozens of peers.
Everything you need. Nothing you don't.
Multi-arch
Native images for amd64 and arm64
Dark mode
Full dark/light interface toggle
Multi-user
Role-based permissions per user
Traffic history
Per-peer bandwidth graphs over time
DNS blacklist
Block categories: ads, malware, tracking
Routing templates
Reusable routing configs across peers
API v2
REST API for external automation
Debug console
Built-in diagnostic and debug tools
Invite links
QR code invites with optional expiry
Firewall
Per-instance firewall rule management
Port forwarding
Forward ports through VPN peers
TOTP / 2FA
Two-factor auth for admin and app gateway
What's coming.
OIDC Authentication
Sign in with your existing identity provider β Keycloak, Authentik, Google Workspace, or any OIDC-compatible IdP.
App Gateway / Gatekeeper v2
A more capable application gateway with granular per-route policies, session management, and improved audit logging.
Peer groups & bulk actions
Group peers by team, project, or access level. Apply firewall rules, routing templates, and schedules to whole groups at once.