🔒 Setup WireGuard Easy — VPN with Web UI
Deploy WireGuard VPN on Ubuntu with a clean web interface for managing clients, generating QR codes, and monitoring connections — fully automated.
📦 Resources & Setup Scripts
Grab the automated bash script from GitHub to follow along.
Quick Install:
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/wireguard-easy/wireguard-easy-ubuntu.sh
chmod +x wireguard-easy-ubuntu.sh
sudo bash wireguard-easy-ubuntu.sh
Tutorial Steps
1 Download & Run the Script
The script installs Docker, prompts for your server's public IP or domain, generates a random admin password, and starts WireGuard Easy. Because it runs as root, read through the downloaded file before executing it.
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/wireguard-easy/wireguard-easy-ubuntu.sh
chmod +x wireguard-easy-ubuntu.sh
sudo bash wireguard-easy-ubuntu.sh
2 Access the Admin Panel
Open your browser and navigate to the WireGuard Easy web panel:
http://YOUR-SERVER-IP:51821
3 Add VPN Clients
Click '+ New Client', enter a name for the client, and click Create. A QR code and downloadable config file will be generated automatically.
4 Connect Your Devices
Install the WireGuard app on your phone, laptop, or router. Scan the QR code or import the .conf file to establish your VPN connection.
Ports Used
| Port | Protocol | Purpose |
|---|---|---|
| 51821 | TCP | Web UI (Admin Panel) |
| 51820 | UDP | WireGuard VPN Tunnel |
Files Location
/root/docker/wireguard-easy/docker-compose.yml
Overview
WireGuard Easy (wg-easy) is a simple, web-based GUI for managing WireGuard VPN. WireGuard is a modern, high-performance VPN protocol built directly into the Linux kernel. wg-easy adds a visual interface for creating and revoking client configurations, scanning QR codes, and monitoring connected peers — without needing to touch config files.
Why Use It
WireGuard Easy gives you the speed and simplicity of WireGuard — one of the fastest, most modern VPN protocols available — wrapped in a clean web interface that removes the complexity of manual configuration. Instead of managing keys, config files, and routing rules by hand, you get a dashboard where you can create clients, generate QR codes, and monitor connections in seconds. For businesses that need a private, secure network without the overhead of enterprise VPN appliances, it is one of the most cost-effective and practical solutions available.
When You Need It
Who Should Use It
Real Use Cases
Main Features
How to Use After Installation
Security Best Practices
Ports and Firewall Notes
WireGuard Easy uses two ports with opposite firewall strategies. Port 51821 TCP hosts the web admin panel — restrict it through your firewall to trusted IP addresses only; never leave it openly accessible. Port 51820 UDP carries the VPN tunnel traffic — this must remain publicly accessible for clients to establish WireGuard connections. Allow UDP 51820 from all sources while limiting TCP 51821 to specific IPs or localhost when using a reverse proxy.
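The check below is an added example, not part of the original page or the install script. Docker publishes container ports with its own iptables rules, so host firewall front ends such as ufw do not filter them by default, and the bind address in docker-compose.yml decides who can reach TCP 51821. The compose contents are constructed samples, the function names are hypothetical, and the parser assumes short-syntax ports entries.

```shell
#!/bin/sh
# Added example: report how a compose file publishes the two wg-easy ports.
# Function bodies use ( ) so their variables stay local in plain POSIX sh.

# port_exposure FILE PORT PROTO -> public | loopback | bound:<ip> | unpublished
port_exposure() (
  port=$2 proto=$3 result=unpublished
  while IFS= read -r line; do
    # Normalise a short-syntax item such as:  - "127.0.0.1:51821:51821/tcp"
    spec=$(printf '%s' "$line" | tr -d " \t\"'")
    case $spec in -*:*) spec=${spec#-} ;; *) continue ;; esac
    p=tcp                                   # Compose defaults to TCP
    case $spec in */*) p=${spec##*/}; spec=${spec%/*} ;; esac
    [ "$p" = "$proto" ] || continue
    rest=${spec%:*}                         # drop the container port
    [ "${rest##*:}" = "$port" ] || continue # host port must match
    case $rest in *:*) ip=${rest%:*} ;; *) ip= ;; esac
    case $ip in
      ''|0.0.0.0|'[::]') result=public; break ;;  # wildcard bind wins
      127.*|'[::1]')     result=loopback ;;
      *)                 result="bound:$ip" ;;
    esac
  done < "$1"
  echo "$result"
)

# audit_wg_easy FILE -> status 0 when the layout matches the firewall advice
audit_wg_easy() (
  vpn=$(port_exposure "$1" 51820 udp)
  ui=$(port_exposure "$1" 51821 tcp)
  echo "51820/udp tunnel: $vpn"; echo "51821/tcp web UI: $ui"
  rc=0
  case $vpn in unpublished|loopback) echo "WARN: tunnel unreachable"; rc=1 ;; esac
  [ "$ui" != public ] || { echo "FAIL: admin panel on every interface"; rc=1; }
  exit "$rc"                                # exits only this subshell
)

# Constructed sample files, not the install script's real output.
write_samples() {
  printf '%s\n' 'services:' '  wg-easy:' '    image: ghcr.io/wg-easy/wg-easy' \
    '    ports:' '      - "51820:51820/udp"' '      - "51821:51821/tcp"' > "$1/weak.yml"
  sed 's/"51821:/"127.0.0.1:51821:/' "$1/weak.yml" > "$1/hardened.yml"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_wg_easy "$tmp/weak.yml" || echo "-> bind 51821 to 127.0.0.1 or a trusted address"
audit_wg_easy "$tmp/hardened.yml"
rm -rf "$tmp"
```

To check a real deployment, call audit_wg_easy on /root/docker/wireguard-easy/docker-compose.yml. A 127.0.0.1 bind on 51821 pairs with the reverse proxy option described above.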
Backup and Maintenance
Common Mistakes
Troubleshooting
Alternatives
Tailscale offers a zero-config mesh VPN built on WireGuard with SSO integration and automatic NAT traversal — ideal for teams wanting the fastest path without managing infrastructure. Headscale is the self-hosted equivalent of Tailscale's control server. OpenVPN Access Server provides enterprise-grade VPN with LDAP integration and granular access control — suitable for compliance requirements. ZeroTier creates virtual Layer-2 networks spanning multiple locations without opening ports. Choose WireGuard Easy for simplicity and control, Tailscale/Headscale for zero-config team deployments, OpenVPN AS for enterprise features, and ZeroTier for advanced layer-2 networking across NAT.
When Not to Use It
WireGuard Easy may not be the best fit when you need enterprise-grade access control with LDAP or Active Directory integration, compliance-specific audit logging, or built-in SSO and MFA — in these cases OpenVPN Access Server or a commercial VPN appliance is more appropriate. If you require mesh topology where every node connects to every other node without a central server, Tailscale or ZeroTier handle this automatically. If your team cannot manage a self-hosted server including updates and backups, a managed VPN service will reduce operational burden.
PrismaTechWork Professional Help
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Frequently Asked Questions
Is WireGuard Easy free to use?
Yes. WireGuard Easy is open-source under the MIT license. There are no licensing fees, user limits, or feature restrictions. You only pay for the server infrastructure you run it on.
How many clients can WireGuard Easy support simultaneously?
WireGuard is extremely lightweight and can handle hundreds of concurrent connections on modest hardware. A basic VPS with 1 vCPU and 1 GB RAM comfortably supports 20-50 active clients for typical business use.
Can I use WireGuard Easy behind NAT or on a home network?
Yes, but you need proper port forwarding. Forward UDP 51820 to the server's internal IP. For the admin panel, also forward TCP 51821 (restricted to trusted source IPs, as described under Ports and Firewall Notes) or access it locally. Dynamic DNS services help if your public IP changes periodically.
Does WireGuard Easy work on mobile devices?
Yes. It generates standard WireGuard configuration files and QR codes that work with the official WireGuard apps on both iOS and Android. Scan the QR code and the profile is ready to connect.
What happens if the server restarts — do clients reconnect automatically?
If you set the container to restart automatically (--restart unless-stopped), WireGuard Easy comes back online when the server boots. Clients reconnect within seconds since WireGuard uses stateless UDP.
Can I route all internet traffic through WireGuard Easy (full tunnel)?
Yes. Set the client AllowedIPs to 0.0.0.0/0, ::/0 to route all traffic through the VPN. Make sure the server has NAT/masquerading configured so client traffic can reach the internet.
How do I update WireGuard Easy to the latest version?
Pull the latest image (docker pull ghcr.io/wg-easy/wg-easy), stop and remove the current container, and recreate it with the same Docker run command. Data is preserved as long as the volume mapping stays the same. Always back up before updating.
Is WireGuard Easy suitable for production business use?
Suitable for small to medium business use where simplicity and performance are priorities. For strict compliance requirements or enterprise access control, consider additional security layers or OpenVPN Access Server.
