Skip to content

krant/wg-proxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

wg-proxy

wg-proxy is a WireGuard-based tool to securely execute local programs on server networks.

wg-proxy isolates program traffic inside a network namespace, routing it entirely through a WireGuard tunnel to a server. On program exit, the namespace and the underlying WireGuard connection are instantly destroyed.

Features

  • Proxies all L3 traffic of any program.
  • Supports any browser - full HTTP/3 proxying, prevents WebRTC leaks.
  • Simple yet secure - a single secret is hashed to ephemeral WireGuard 256-bit keys.
  • Correct DNS - local program uses the server's resolv.conf.
  • Requires only WireGuard-enabled kernel. Does not depend on wireguard-tools, iptables or nftables.

Installation

wg-proxy needs to be installed on both hosts - client and server.

  curl -L https://github.com/krant/wg-proxy/releases/download/0.1.0/wg-proxy-0.1.0-x86_64-linux.tar.gz | tar xz
  ./wg-proxy --help

Usage

To create a tunnel, you need to provide a secret. This can be any ASCII string, though 8-12 characters are recommended for public endpoints.

On server (SECRET could be anything):

# Expose 51820 port to any host with the same secret
wg-proxy serve -s SECRET

On client (ADDRESS is the domain or IP of the server):

# Establish WireGuard tunnel to server and execute curl on its network
wg-proxy SECRET@ADDRESS -- curl httpbin.org/ip
{
  "origin": "IP.OF.THE.SERVER"
}
# Proxy whole firefox
wg-proxy SECRET@ADDRESS -- firefox
# Proxy chromium with CDP port 9222 available on host
wg-proxy SECRET@ADDRESS -p 9222 -- chromium --remote-debugging-port=9222

CLI Reference

Client usage: wg-proxy <SECRET>@<SERVER>[:<PORT>] [OPTIONS] -- COMMAND...
  Arguments:
    <SECRET>                Secret
    <SERVER>                Server IP address or domain name
    <PORT>                  Server port to connect to [default: 51820]
    <COMMAND>...            Program and its arguments to execute

  Options:
    -m, --mtu <MTU>         Set MTU [default: 1420]
    -p, --publish <PORT>    Publish program's port to the host

Server usage: wg-proxy serve -s <SECRET> [OPTIONS]
  Options:
    -s, --secret <SECRET>   Secret
    -p, --port <PORT>       UDP port to accept clients to [default: 51820]
    -m, --mtu <MTU>         Set MTU [default: 1420]

TODO

  • NAT traversal
  • Better error handling and diagnostics
  • IPv6
  • Multiple instances on a single host
  • More than 1-to-1 topologies
  • Non-Linux platforms?

About

Per-program WireGuard tunnel

Topics

vpn wireguard

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

0.1.0 Latest
Apr 24, 2026

Contributors

Languages