Nexapp - WireGuard VPN
WireGuard VPN
WireGuard is a modern VPN (Virtual Private Network) protocol built on state-of-the-art cryptography. It is designed to be faster, simpler, and more secure than older VPN stacks such as IPsec or OpenVPN. Its lean codebase also means a smaller attack surface and easier auditing.
NexappOS includes both WireGuard server and WireGuard client (peer tunnel) features, fully configurable from the web interface.
Key Features
- Multiple server instances supported at the same time
- Each server runs in its own isolated VPN zone
- Static IP per peer (client account)
- Peer configuration export as:
  - text file
  - QR code (ideal for mobile clients)
- Site-to-site (net2net) tunnels supported
- Optional pre-shared keys for extra security
- Ability to import standard WireGuard configs
Server Configuration
You can create multiple WireGuard servers. NexappOS will:
- create a wgX interface automatically
- open the required firewall port(s)
- create a dedicated VPN zone for traffic control
Unlike OpenVPN, WireGuard servers are not tied to the user database.
Peers are created and managed entirely inside WireGuard.
Create a WireGuard Server
- Go to VPN → WireGuard
- Open the Server instances tab
- Click Add server
- Fill in the fields:
Fields
- Status: enable/disable this server instance
- Name: friendly name for the instance (interface will be named wgX)
- VPN network: CIDR for the WireGuard network
  - Server automatically gets the first IP
  - Must not overlap with existing networks
- UDP port: listening port for incoming connections
- Public endpoint: public IP or FQDN clients use to reach the server
Advanced settings (optional)
- MTU: manually set interface MTU
- DNS servers: push custom DNS to clients (helps prevent DNS leaks)
Click Save to create the server.
Peer (Client) Accounts
After creating the server, add peers directly from the same page.
Add a Peer
- Select your server instance
- Click Add peer
- Fill in:
  - Status: enable/disable peer
  - Name: peer label
  - Reserved IP: static IP for the peer
    - must be inside the VPN network
    - auto-filled with the next available IP
  - Pre-shared key: optional extra secret shared with this peer
  - Route all traffic:
    - if enabled, peer routes all traffic through VPN (full tunnel)
  - Server networks: networks the peer may access
    - LAN networks are added automatically
  - Peer networks: networks behind the peer
    - required for site-to-site (net2net) tunnels
Note
Leaving Peer networks empty creates a standard Road Warrior setup:
the peer can access server networks, but does not advertise its own.
After saving, use the peer menu to download:
- Text configuration file
- QR code
Apply Changes
Warning
Any change to the server or a peer requires updating the peer config.
After edits, re-download and re-import the peer configuration.
Peer Tunnels (Client Mode)
NexappOS can also act as a WireGuard peer to connect outward to another server.
- Go to VPN → WireGuard
- Open the Peer tunnels tab
- Either:
  - click Add peer tunnel (manual), or
  - click Import peer tunnel (standard WireGuard .conf)
Manual Peer Tunnel Fields
- Status: enable/disable tunnel
- Name: tunnel name (interface auto-created as wgX)
- Reserved IP: local tunnel IP
- Server public key: WireGuard server public key
- Peer private key: local private key
- Pre-shared key: optional
- Route all traffic: full-tunnel routing via this peer
- Network routes: networks reachable through the tunnel
- Endpoint: server public IP or FQDN
- UDP port: server port
- DNS servers: DNS used when tunnel is active
Save to activate the tunnel.
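A pre-import check for a peer configuration, as an added example (not NexappOS code): it parses a standard WireGuard .conf and flags a reserved IP outside the VPN network or equal to the server's first IP, malformed keys, and a full tunnel with no DNS servers. The function names, the 10.99.0.0/24 network, vpn.example.com and the dummy keys are constructed for illustration, and it assumes the file uses the usual wg-quick key names (PrivateKey, Address, DNS, PublicKey, PresharedKey, AllowedIPs).

```python
import base64, binascii, ipaddress

def parse_conf(text):  # -> [(section, {key: value})]; repeated [Peer] sections are kept
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 padding '=' stays in the value
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def is_key(value):  # WireGuard private, public and pre-shared keys: 32 bytes, base64
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def items(value):  # split a comma-separated .conf value
    return [v.strip() for v in value.split(",") if v.strip()]

def audit(text, vpn_network):
    """Return findings for a peer .conf checked against the server's VPN network (CIDR)."""
    net, parsed, findings = ipaddress.ip_network(vpn_network), parse_conf(text), []
    iface = next((b for n, b in parsed if n == "interface"), {})
    if not is_key(iface.get("privatekey", "")):
        findings.append("PrivateKey missing or malformed")
    addrs = [ipaddress.ip_interface(a).ip for a in items(iface.get("address", ""))]
    if not any(a in net for a in addrs):
        findings.append("Address is outside the VPN network")
    if next(iter(net.hosts())) in addrs:  # per the page, the server takes the first IP
        findings.append("Address collides with the server's IP")
    for i, peer in enumerate(b for n, b in parsed if n == "peer"):
        if not is_key(peer.get("publickey", "")):
            findings.append(f"peer {i}: PublicKey missing or malformed")
        if "presharedkey" in peer and not is_key(peer["presharedkey"]):
            findings.append(f"peer {i}: PresharedKey malformed")
        allowed = [ipaddress.ip_network(a, strict=False) for a in items(peer.get("allowedips", ""))]
        if any(a.prefixlen == 0 for a in allowed) and not iface.get("dns"):
            findings.append(f"peer {i}: full tunnel without DNS servers (possible DNS leak)")
    return findings

def dummy_key(byte):  # constructed placeholder, not real key material
    return base64.b64encode(bytes([byte]) * 32).decode()

# Constructed sample: full tunnel, no DNS line, truncated pre-shared key.
SAMPLE = (f"[Interface]\nPrivateKey = {dummy_key(1)}\nAddress = 10.99.0.2/32\n"
          f"[Peer]\nPublicKey = {dummy_key(2)}\nPresharedKey = c2hvcnQ=\n"
          f"Endpoint = vpn.example.com:51820\nAllowedIPs = 0.0.0.0/0, ::/0\n")
print("\n".join(audit(SAMPLE, "10.99.0.0/24")))
```

An empty result means none of these checks fired; it does not confirm that the keys match the server's.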
Debug Logging
WireGuard is intentionally quiet: by default it logs nothing.
To enable logging to /var/log/messages:
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
To disable logging:
echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control