Skip to content

krant/wg-proxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

wg-proxy

wg-proxy is a WireGuard-based tool to securely execute local programs on server networks.

wg-proxy isolates program traffic inside a network namespace, routing it entirely through a WireGuard tunnel to a server. On program exit, the namespace and the underlying WireGuard connection are instantly destroyed.

Features

  • Proxies all L3 traffic of any program.
  • Supports all browsers - full HTTP/3 proxying, prevents WebRTC leaks.
  • Simple yet secure - a single secret is hashed to WireGuard 256-bit keys.
  • Ephemeral - on program exit the tunnel, keys, network namespace and interface - are instantly destroyed.
  • Correct DNS - client program uses the server's resolv.conf.
  • No dependencies - no need for wireguard-tools, iptables or nftables. Only a WireGuard-enabled kernel and wg-proxy binary.

Installation

wg-proxy needs to be installed on both hosts - client and server.

  curl -L https://github.com/krant/wg-proxy/releases/download/0.1.0/wg-proxy-0.1.0-x86_64-linux.tar.gz | tar xz
  ./wg-proxy --help

Usage

On server (SECRET could be anything including SECRET):

# Expose 51820 port to any client with the same secret
wg-proxy serve -s SECRET

On client (ADDRESS is the domain or IP of the server):

# Establish WireGuard tunnel to server and execute curl on its network
wg-proxy SECRET@ADDRESS -- curl httpbin.org/ip
{
  "origin": "IP.OF.THE.SERVER"
}
# Do the same with firefox or literally any other program
wg-proxy SECRET@ADDRESS -- firefox
# Advanced
TZ="Europe/Amsterdam" wg-proxy SECRET@ADDRESS -p 9222:9222 -- chromium --remote-debugging-port=9222

CLI Reference

Usage (client): wg-proxy <SECRET>@<SERVER>[:<PORT>] [OPTIONS] -- COMMAND...
  Arguments:
    <SECRET>                Secret
    <SERVER>                Server IP address or domain name
    <PORT>                  Server port to connect to [default: 51820]
    <COMMAND>...            Program and its arguments to execute

  Options:
    -m, --mtu MTU           Set MTU [default: 1420]

Usage (server): wg-proxy serve -s <SECRET> [OPTIONS]
  Options:
    -s, --secret <SECRET>   Secret
    -p, --port <PORT>       UDP port to accept clients to [default: 51820]
    -m, --mtu <MTU>         Set MTU [default: 1420]

TODO

  • port passthrough
  • Better error handling and diagnostics
  • IPv6
  • Server behind NAT
  • Multiple servers per host
  • Multiple clients per server
  • Non-Linux platforms?

About

Per-program WireGuard tunnel

Topics

vpn wireguard

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

0.1.0 Latest
Apr 24, 2026

Contributors

Languages