A powerful, client-side web application for generating WireGuard VPN configurations for multiple router/OS platforms. No server required - runs entirely in your browser with localStorage persistence.
- X25519 key generation using TweetNaCl.js
- Pre-Shared Key (PSK) support
- Client-side only - no data leaves your browser
- No external dependencies at runtime
Generate configurations for:
- WireGuard Standard (.conf) - Linux, Windows, macOS, Android, iOS
- MikroTik RouterOS (.rsc) - Complete CLI scripts with firewall
- VyOS - Configuration commands with NAT
- Fritz!Box (.conf) - AVM router support
- OPNsense - Step-by-step guide
- Ubiquiti EdgeRouter - EdgeOS commands
- GL.iNet - Travel router configs
- Teltonika RUT - Industrial router guide
- Auto-Subnet Calculation - Enter connection count, get optimal CIDR
- IP Pool Management - Automatic IP assignment with conflict detection
- Bulk Client Generation - Create multiple clients with naming patterns
- QR Code Generation - For easy mobile client setup
- Site-to-Site VPN - Configure tunnels between networks
- Profile Management - Save, load, import, export configurations
- Config Validation - Check for errors before export
- ZIP Export - Download all configs organized in folders
- Dark/Light theme support
- Responsive mobile design
- Auto-save to localStorage
- Multi-language ready (EN/DE)
- Keyboard shortcuts
cd lib/
bash DOWNLOAD.shOr manually download:
- TweetNaCl.js →
lib/tweetnacl.min.js - QRCode.js →
lib/qrcode.min.js - JSZip →
lib/jszip.min.js - FileSaver.js →
lib/FileSaver.min.js
open index.html
# or
firefox index.html
# or
chromium index.html- Server Tab: Generate server keys, configure network
- Clients Tab: Add clients (or bulk generate)
- Export Tab: Select platform and download
Server Configuration:
- Navigate to Server tab
- Click Generate Keys
- Configure:
- Base Network:
10.50.0.0 - Connections:
30(tool calculates/27subnet) - Endpoint: Your public IP or domain
- Enable DynDNS: Optional (IPv64.net support)
- Base Network:
Add Clients:
- Navigate to Clients tab
- Click Add Client or Bulk Generate
- For bulk: Enter count and pattern like
User-{n}
Export:
- Navigate to Export tab
- Select platform (e.g., MikroTik RouterOS)
- Choose export type:
- Server Only
- All Clients
- Complete Setup
- Download or Download as ZIP
- Navigate to Site-to-Site tab
- Configure Site A:
- Name: Main Office
- LAN Network:
192.168.1.0/24 - Tunnel IP:
10.99.0.1 - Endpoint:
office-a.example.com - Generate Keys
- Configure Site B:
- Name: Branch Office
- LAN Network:
192.168.2.0/24 - Tunnel IP:
10.99.0.2 - Endpoint:
office-b.example.com - Generate Keys
- Click Generate Configurations
- Download both configs
| Parameter | Default | Notes |
|---|---|---|
| Network | 10.50.0.0/24 | Auto-calculated based on client count |
| MTU | 1420 | Optimal for most networks |
| Listen Port | 51820 | Standard WireGuard port |
| Keepalive | 25 seconds | Good for NAT traversal |
| DNS | 1.1.1.1, 1.0.0.1 | Cloudflare DNS |
| PSK | Enabled | Enhanced security |
| NAT | Enabled | For internet access through VPN |
The tool automatically calculates optimal subnet based on connection count:
| Connections | Subnet | Usable IPs |
|---|---|---|
| 1-6 | /29 | 6 |
| 7-14 | /28 | 14 |
| 15-30 | /27 | 30 |
| 31-62 | /26 | 62 |
| 63-126 | /25 | 126 |
| 127-254 | /24 | 254 |
Server always gets .1 address.
- Includes firewall rules
- DynDNS scheduler script
- NAT masquerade configuration
- Import via: Terminal → paste script
- Full configuration commands
- Firewall zone setup
- DynDNS service configuration
- Apply with:
configure→ paste →commit→save
- Standard .conf format
- DynDNS setup guide for WebUI
- Import via: Internet → Freigaben → WireGuard
- Step-by-step WebUI guide
- Firewall rule examples
- DynDNS ddclient configuration
- Manual configuration required (no import)
- WebUI navigation steps
- Industrial LTE router support
- Sign up at IPv64.net
- Create domain (e.g.,
myvpn.ipv64.net) - Get update key
- In tool:
- Server tab → Enable DynDNS
- Enter domain and API key
- Export includes platform-specific update scripts
Save Profile:
- Current config auto-saves to localStorage
- Create named profiles: Profiles → New Profile
Import Profile:
- Profiles → Import → Select
.jsonfile
Export Profile:
- Profiles → Click profile → Export button
Switch Profile:
- Profiles → Click profile card
Before exporting, validate your configuration:
- Navigate to Settings tab
- Click Validate Configuration
- Fix any reported errors
Checks for:
- Valid IP addresses and CIDR notation
- Port ranges (1-65535)
- WireGuard key formats
- Duplicate IPs or keys
- MTU range (1280-1500)
- DynDNS configuration
| Shortcut | Action |
|---|---|
Ctrl+S |
Save profile (browser save dialog) |
Ctrl+N |
Add new client |
Ctrl+E |
Switch to Export view |
Escape |
Close modals |
- Frontend: Vanilla JavaScript (no framework)
- Crypto: TweetNaCl.js (X25519, PSK generation)
- QR Codes: qrcode.js
- ZIP: JSZip
- Storage: localStorage
- Styling: Custom CSS with CSS Variables
No build step required!
- ✅ Chrome/Edge 90+
- ✅ Firefox 88+
- ✅ Safari 14+
- ✅ Mobile browsers (iOS Safari, Chrome Android)
├── index.html # Main UI
├── css/
│ ├── style.css # Core styles
│ └── modal.css # Modal dialogs
├── js/
│ ├── app.js # Main application
│ ├── crypto.js # Key generation
│ ├── ip-manager.js # IP pool & CIDR
│ ├── config-generator.js # WireGuard configs
│ ├── profile-manager.js # localStorage CRUD
│ ├── profile-ui.js # Profile UI
│ ├── qr-generator.js # QR code display
│ ├── site-to-site.js # S2S configuration
│ ├── validation.js # Config validation
│ ├── dyndns/
│ │ └── ipv64.js # DynDNS support
│ └── export/
│ ├── standard.js # Standard WireGuard
│ ├── mikrotik.js # MikroTik RouterOS
│ ├── vyos.js # VyOS
│ ├── fritzbox.js # Fritz!Box
│ ├── opnsense.js # OPNsense
│ ├── edgerouter.js # EdgeRouter
│ ├── glinet.js # GL.iNet
│ └── teltonika.js # Teltonika RUT
└── lib/ # External libraries
Server:
{
name: string,
privateKey: string,
publicKey: string,
listenPort: number,
addresses: string[],
dns: string[],
mtu: number,
endpoint: string,
enablePSK: boolean,
enableNAT: boolean
}Client:
{
id: string,
name: string,
privateKey: string,
publicKey: string,
preSharedKey: string,
address: string,
allowedIPs: string[],
dns: string[],
persistentKeepalive: number
}Profile (localStorage):
{
id: string,
name: string,
created: ISO timestamp,
modified: ISO timestamp,
version: string,
server: {},
clients: [],
ipPool: {},
dyndns: {},
settings: {}
}- All crypto operations client-side
- Private keys stored in localStorage (browser-encrypted)
- API keys stored in localStorage (warn user)
- No external network calls except library CDN
- Consider exporting profiles to encrypted storage
QR Codes not generating:
- Ensure
lib/qrcode.min.jsis downloaded - Check browser console for errors
ZIP export fails:
- Ensure
lib/jszip.min.jsandlib/FileSaver.min.jsare downloaded
Keys not generating:
- Ensure
lib/tweetnacl.min.jsis downloaded - Check for JavaScript errors in console
localStorage full:
- Browser limit typically 5-10MB
- Export and delete old profiles
- Clear browser cache
This is a standalone tool designed to run without a build process. To contribute:
- Fork repository
- Make changes to HTML/CSS/JS directly
- Test in browser (no build needed)
- Submit pull request
MIT License - See LICENSE file
- WireGuard® is a registered trademark of Jason A. Donenfeld
- Built with TweetNaCl.js, QRCode.js, JSZip, FileSaver.js
- IPv64.net integration for DynDNS support
- Documentation: See TODO.md for detailed features
- Issues: Report bugs via GitHub Issues
- No official support - community maintained
Made with Claude Code 🤖