Welcome

Welcome to Wag

Simplify, streamline and secure your Wireguard® deployment.

Add seamless route- and port-based MFA restrictions and enable always-on management without exposing services to the untrusted web.

Wireguard® + MFA ❤️


Features

Wag has a bunch of useful features that make it stand out among other Wireguard management suites.

MFA

Access Control

You decide which routes require MFA and which don't. Restrict access to specific ports and protocols, or just let users access anything on the host:

"Policies": {
    "group:developers": {
        "Mfa": [
            "internal.dev 443/tcp 22/any"
        ],
        "Allow": [
            "anything.on.this.host.dev",
            "1.1.1.1/32 53/udp"
        ]
    }
}
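
To reason about what a policy like the one above permits before deploying it, the following added example (not Wag's own code) parses the rule strings and classifies a connection attempt. It assumes that a rule with no port list covers every port, that "any" means both tcp and udp, that Mfa rules are checked before Allow rules, and that unmatched traffic is denied; the function names are hypothetical.

```python
import ipaddress

# Policy lists copied from the page's example for "group:developers".
POLICY = {
    "Mfa": ["internal.dev 443/tcp 22/any"],
    "Allow": ["anything.on.this.host.dev", "1.1.1.1/32 53/udp"],
}

def parse_rule(rule):
    """Split 'host [port/proto ...]' into (host, [(port, proto), ...])."""
    host, *services = rule.split()
    parsed = []
    for svc in services:
        port, sep, proto = svc.partition("/")
        if not (sep and port.isdigit() and 1 <= int(port) <= 65535):
            raise ValueError(f"bad port in {svc!r} (rule {rule!r})")
        if proto not in ("tcp", "udp", "any"):
            raise ValueError(f"bad protocol in {svc!r} (rule {rule!r})")
        parsed.append((int(port), proto))
    return host, parsed

def host_matches(rule_host, dest):
    """Addresses/CIDRs match by containment; names by exact string (no DNS lookup)."""
    try:
        net = ipaddress.ip_network(rule_host, strict=False)
    except ValueError:
        return rule_host == dest
    try:
        return ipaddress.ip_address(dest) in net
    except ValueError:
        return False

def classify(policy, dest, port, proto):
    """Return 'mfa', 'allow' or 'deny' for one connection attempt."""
    # Assumptions of this sketch: a rule without services covers every port,
    # 'any' covers tcp and udp, Mfa is checked before Allow, unmatched is denied.
    for verdict, key in (("mfa", "Mfa"), ("allow", "Allow")):
        for rule in policy.get(key, []):
            host, services = parse_rule(rule)
            if host_matches(host, dest) and (
                not services
                or any(p == port and pr in (proto, "any") for p, pr in services)
            ):
                return verdict
    return "deny"

if __name__ == "__main__":
    for conn in [("internal.dev", 443, "tcp"), ("1.1.1.1", 53, "tcp")]:
        print(conn, "->", classify(POLICY, *conn))
```

Running a list of expected connections through a check like this before rollout catches rules that are broader or narrower than intended, such as a host listed with no ports.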

Enrollment

Wireguard makes it difficult to automatically enrol devices. Wag makes it easy by providing a single registration endpoint, which will generate a wireguard configuration file for you.

Create a device enrollment token for your user (or use our CLI).

Token create dialog

Then provide the generated token to the user, or do it all programmatically with the CLI and API.


Registration table

Then the end user can get their wireguard configuration however they like:

Command line.

$ curl http://10.0.0.3:8081/register_device\?key=0348bd3bd28d19e4b3d1fbf9564b522b0b3367cdb29432703f945a0d98c27629

[Interface]
PrivateKey = <OMITTED>
DNS = 8.8.8.8, 8.8.9.9
Address = 10.123.5.5

[Peer]
Endpoint =  10.0.0.3:53231
PresharedKey = a26yA6jRmzKWXmAOb+NPGlArBNUH2h2PLBS3wpyjoMA=
PublicKey = EkIRbMxogx8uc5TMgTYk80k1afxYHYE47N16a55efSc=
AllowedIPs = 10.123.5.1/32, 8.8.8.8/32, 8.8.9.9/32
PersistentKeepAlive = 10

Browsing directly to the URL in a Web browser:

Web browser downloading config

Or enabling mobile enrollment with type=mobile:

Qr code enrollment