A self-hosted WireGuard mesh with a browser admin portal, all in one container.
The overlay-VPN space is crowded — Tailscale, Headscale, NetBird, wg-easy. They all stop at "your devices can reach each other." Wantastic keeps going.
1. You actually work on the devices from the browser. No other self-hosted overlay ships:
- Winbox proxy with credential re-encryption — manage MikroTik routers in your browser. The real device password never leaves the server (ECSRP-5 bridge in the middle), so handing out access doesn't mean handing out the keys.
- WebSSH over the overlay — terminal in a tab, traffic routed through the WireGuard tunnel. No SSH client to install per laptop.
- WebProxy to any peer's HTTP/HTTPS — open a printer's admin page, a NAS dashboard, or a router LAN-only UI from the portal, without port-forwards or split DNS.
2. One container, zero glue work. Postgres, Redis, nginx, certbot, iptables, and the app all run together under s6-overlay. Tailscale needs its SaaS; Headscale needs you to wire up the UI, certs, and database yourself. Here, `docker run` and you're done.
3. A web wizard that finishes the deploy. Other tools give you a binary. Wantastic gives you a form: domain, admin, Let's Encrypt email, submit. It issues the cert, writes the nginx config, applies the firewall, and prints the DNS records. First-run takes about a minute.
4. An in-portal AI assistant that can act. Copilot (Claude-backed, your API key) has scoped tool calls — "create a tenant", "ping the office router", "show me last hour's traffic" — gated by role. It's not a chatbot bolted on; it touches the same in-process services the UI does.
Multi-tenant subnet isolation, TOTP/WhatsApp 2FA, OAuth2 device flow, admin-managed accounts (no public sign-up) round it out.
```
docker run -d --name wantastic \
  --cap-add NET_ADMIN --restart unless-stopped \
  -p 80:80 -p 443:443 -p 8291:8291 -p 51820:51820/udp \
  -v wantastic-data:/var/lib/wantastic \
  ghcr.io/wantastic-app/wantastic:latest
```
Then open https://<host>/ — the setup wizard takes you through domain, admin account, and optional Let's Encrypt in about a minute.
Add a peer with the native WireGuard client
https://github.com/WantasticApp/WantasticCore/raw/main/docs/guide/add-with-native-wg-client.mp4
WUSP in action — live device push, port scan, browser SSH
https://github.com/WantasticApp/WantasticCore/raw/main/docs/guide/wusp.mp4
```
make build && ./bin/wantastic-core
```
Docs in docker/README.md for container internals, docs/ for protocol notes.
Issues and PRs welcome. For anything bigger than a typo, open an issue first so we can talk through the approach.
MIT — see LICENSE.
If Wantastic solves a problem for you, leave a star ⭐ — it's how we decide what to build next.