Skip to Content
DocsApplicationsUtilitiesWireGuard VPN
WireGuard

WireGuard VPN

Kernel-fast VPN tunnels with QuickBox CLI + dashboard control

WireGuard® on QuickBox Pro provides a lightweight VPN tunnel for routing server or application traffic through trusted endpoints. The QuickBox integration covers CLI automation, dashboard uploads, automatic MTU tuning, NAT rules, and stored keys for visual status. It includes app-scoped routing for isolating specific application traffic (Dispatcharr, Emby, Jellyfin, Plex, and qBittorrent) through WireGuard tunnels using Linux network namespaces. It also includes a server gateway that lets your box act as a multi-user WireGuard server — administrators enroll individual users, who connect their own devices into the box and (optionally) route all of their traffic through it. Plan firewall and routing rules accordingly for any additional traffic policies.

Kernel-speed tunnels

WireGuard modules with minimal overhead for low-latency VPN links

Dashboard control

System → VPN Control lets you upload client .conf files, view keys, and toggle active peers

Auto MTU tuning

qb manage wireguard calc --mtu probes the endpoint to set a safe MTU before activation

Server or client

Generate server configs (NAT + IPv4/IPv6 forwarding) or ingest provider client profiles

NordVPN helper

nvpn_conf_gen builds ready-to-use NordLynx WireGuard profiles into the QuickBox stash

Config stash

All configs live under /etc/v4-dashboard/wg with location cache and dashboard previews

Cron sync

Install adds a 30-minute cron to sync active profile names and keys to the dashboard

Key visibility

Private/public keys are surfaced in VPN Control for quick copy-and-paste when needed

App-scoped routing

Route only Dispatcharr, Emby, Jellyfin, Plex, or qBittorrent traffic through a WireGuard tunnel while other server traffic stays on the default route

Kill switch protection

Optionally stop a routed app's service when the VPN tunnel drops, with configurable auto-recovery

Server gateway

Turn your box into a multi-user WireGuard server — admins enroll users, each gets a private /32 from the gateway pool

Per-user self-service

Enrolled users download their own config and view their own connection metrics from their dashboard, gated by their ACL group

Installation

Prerequisites

Prerequisites

  • QuickBox Pro v3 already installed
  • Root/sudo shell access to run qb commands
  • UDP 51820 reachable from peers (or your chosen listen port)
  • Outbound HTTPS allowed for ipinfo.io and NordVPN API (for location + generator)

What you get

  • WireGuard kernel module with linux-headers installed automatically
  • Systemd-managed tunnels via wg-quick@<profile>.service
  • IPv4/IPv6 forwarding and NAT rules configured by installer
  • Config stash at /etc/v4-dashboard/wg with dashboard integration
  • NordVPN profile generator (nvpn_conf_gen) ready to use

Install via qb (CLI)

Services stay stopped after install

WireGuard install/reinstall writes configs but does not auto-start wg-quick. Activate a profile with qb manage wireguard check -cn <config> or via VPN Control when you are ready.

# Server setup with one client profile and NAT rules
qb install wireguard -u username -o server -lp 51820 -noc 1 -dns 1.1.1.1 \
  -cidr 10.5.0.2/16 -cai "0.0.0.0/0,::/0" -ep vpn.example.com \
  -pur "iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" \
  -pdr "iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE"
 
# Client-mode installer (paste config when prompted)
qb install wireguard -u username -o client
 
# Reinstall in place (keeps stash under /etc/v4-dashboard/wg)
qb reinstall wireguard -u username -o server
 
# Remove WireGuard entirely
qb remove wireguard -u username

Install from the dashboard (VPN Control)

  1. Open System → VPN Control (admin only).
  2. Click Install WireGuard → choose Client (upload .conf) or Server (enter listen port, client count, CIDR, allowed address, endpoint, DNS, PostUp/PostDown).
  3. Submit. Uploaded configs are written to /etc/v4-dashboard/wg/, server builds land in /etc/wireguard/ and are synced back to the stash.
  4. Use the peer table to toggle Active (starts/stops wg-quick@<name>), view ping/location, and delete peers.
Firewall and downtime
  • Allow UDP on your chosen listen port (default 51820) before activating.
  • Switching default routes through a VPN can interrupt SSH/dashboard sessions—schedule a maintenance window.
Firewall rules are created automatically

When WireGuard activates, the PostUp rules create firewall entries for both IPv4 (iptables) and IPv6 (ip6tables): a FORWARD accept on the wg0 interface and a NAT MASQUERADE on the server’s default network interface. If app-scoped routing is enabled, additional rules appear for veth network namespaces (10.200.x.y subnets). You can verify all of these rules in the dashboard under Settings > Security > Firewall Rules tab — filter by the WireGuard origin to isolate VPN-related entries.

Basic Usage

Activate or swap a profile

# Sync a stored config to /etc/wireguard and start the service
qb manage wireguard check -cn nvpn_us1234
 
# Stop and remove the active client config
qb manage wireguard check --deactivate -cn nvpn_us1234
 
# Remove a stored profile and its service unit
qb manage wireguard remove -cn nvpn_us1234
  • Dashboard: toggle the Active checkbox for a peer in VPN Control to start/stop wg-quick@<peer>. Location, ping, and redacted config preview come from /etc/v4-dashboard/wg/<peer>.conf and the cached IP lookup.
  • CLI: qb manage wireguard check rewrites /etc/wireguard/<peer>.conf, enables wg-quick@<peer>, and updates user_software.software_alt_port so the dashboard stays in sync.

Add client or server configs (CLI)

# Add a client profile (paste config when prompted)
qb manage wireguard add --client -cn wg-client
 
# Add a server profile with custom CIDR, allowed IPs, and port
qb manage wireguard add --server -lp 51820 -cidr 10.5.0.2/16 \
  -cai "0.0.0.0/0,::/0" -noc 3 -pur "iptables -A FORWARD -i %i -j ACCEPT" \
  -pdr "iptables -D FORWARD -i %i -j ACCEPT"

NordVPN config generator (built-in helper)

# Generate up to 5 NordVPN WireGuard profiles (stores as nvpn_<host>.conf)
nvpn_conf_gen -t "<nordvpn_token>" -c "United States" -L 5 -dns 103.86.96.100
 
# List available countries
nvpn_conf_gen -l
 
# MTU tuning is automatic per endpoint (calls qb manage wireguard calc --mtu internally)

Configuration locations

WireGuard files on QuickBox
/
etc/v4-dashboard/wg/
├── *.conf# Stored client/server profiles used by dashboard
└── location_cache/
│ └── <hash>.json# Cached ipinfo.io lookups
etc/wireguard/
├── wg0.conf# Server config when -o server is used
└── <peer>.conf# Active client pushed by qb manage wireguard check
etc/cron.d/quickbox# Cron entry runs qb manage wireguard cron every 30 minutes after install

CLI options

-o, --operation

Set mode: server or client (install/reinstall)

-lp, --listen-port

WireGuard listen port (default 51820)

-lp 51820
-cidr, --cidr

Interface address/CIDR for server

-cidr 10.5.0.2/16
-cai, --client-allowed-ip

AllowedIPs for peers

-cai '0.0.0.0/0,::/0'
-dns, --dns

Client DNS resolver (default 1.1.1.1)

-dns 1.1.1.1
-cn, --client-name

Name multiple client configs (wg0-client, wg1-client, etc.)

-cn wg0-client
-mtu, --mtu

Override MTU (auto-calculated if omitted)

-mtu 1420
-ep, --endpoint

Endpoint hostname/IP for peers

-ep vpn.example.com
-pur, --postup-rule

PostUp iptables/ip6tables rules

-pur 'iptables -A FORWARD -i %i -j ACCEPT'
-pdr, --postdown-rule

PostDown rules to clean NAT/forwarding

-pdr 'iptables -D FORWARD -i %i -j ACCEPT'
-noc, --number-of-clients

Generate multiple client configs for a server

-noc 3
qb manage wireguard add

Add client (--client) or server (--server) profiles

qb manage wireguard add --client -cn provider
qb manage wireguard check

Activate profile, enable wg-quick@<name>

qb manage wireguard check -cn wg0-client
qb manage wireguard check --deactivate

Stop service and remove active config

qb manage wireguard check --deactivate -cn wg0-client
qb manage wireguard calc

Calculate MTU or CIDR helper

qb manage wireguard calc --mtu --endpoint host --protocol ipv4
nvpn_conf_gen

Generate NordVPN WireGuard profiles

nvpn_conf_gen -t <token> -c 'Canada' -L 5

Common workflows

  • Install + generate server peers: qb install wireguard -u username -o server -noc 3 ... writes wg0.conf and wg{n}-client.conf into the stash; use VPN Control to download or activate a specific peer.
  • Import a provider profile: Upload .conf in VPN Control or qb manage wireguard add --client -cn provider and paste; MTU is injected if missing and permissions are normalized.
  • Activate/rotate endpoints: Use peer table toggle or qb manage wireguard check -cn <peer> to bring up a tunnel; use --deactivate to tear down before switching regions.
  • Generate NordVPN sets: nvpn_conf_gen -t <token> -c "United States" -L 5 outputs nvpn_<hostname>.conf files ready for activation.
  • Reinstall safely: qb reinstall wireguard -u username -o server refreshes binaries and configs while keeping the stash in /etc/v4-dashboard/wg.

App-scoped routing

WireGuard client configurations you upload to VPN Control are the underlay for app-scoped routing. The routing setup itself — selecting which app to route, enabling the tunnel, and configuring the kill switch — is managed from System → VPN Control. This section explains what app-scoped routing does; for the full workflow including staging routing before installing Plex, see the VPN Control documentation.

Two routing modes

WireGuard on QuickBox Pro operates in two distinct modes. Understanding the difference is important before configuring either one.

Main VPN (peer activation) — Activating a peer in the VPN Control peer table (toggling the Active switch) starts a wg-quick@<peer> tunnel that routes all server traffic through that peer. Every connection from your server — the dashboard, SSH, running applications — exits through the VPN. This is a full-tunnel, server-wide configuration.

App-scoped routing — A separate feature that routes only one application’s traffic through a WireGuard tunnel using a private network namespace. The rest of the server keeps its default route. Dispatcharr, Emby, Jellyfin, Plex, and qBittorrent are supported. Each routed app runs inside its own isolated namespace with a dedicated WireGuard interface, so there is complete traffic separation with no interference between apps or the host.

Both modes can be active at the same time — but they must use different WireGuard peer configs.

The app runs on the server — you are not dialing a tunnel from your device

App-scoped routing runs the application server-side inside a network namespace on your QuickBox box; the namespace’s egress exits through the VPN. You do not install a tunnel client on your own phone or laptop for this. The “exit location” you see in the dashboard is where the app’s outbound traffic appears to originate (the VPN provider’s exit), not your own device’s location.

Each routing slot needs its own peer config

A WireGuard peer config represents a single authenticated session with the VPN provider — one keypair, one handshake, one tunnel. This has two important implications:

  • Main VPN vs app routing: If you activate a peer as your main VPN and then select that same peer config for app-scoped routing, the app routing handshake will fail (no connection, Bad Gateway). Use a separate .conf file for app routing.
  • Multiple routed apps: If you route Emby and qBittorrent simultaneously, each app needs its own peer config. Two apps cannot share one .conf — the second app’s namespace will fail to establish a handshake. Upload one .conf per routed app from your VPN provider.

Your main VPN and each app routing slot can point to the same VPN provider or server — they just need separate, independent config files with their own keys.

App-scoped routing lets you send only a specific application’s network traffic through a WireGuard tunnel while all other server traffic uses the default route. Each routed app runs inside its own Linux network namespace with a dedicated WireGuard interface, so there is complete traffic isolation with no interference between apps or the host.

qBittorrent is also a supported routable app alongside the media servers. Routing qBittorrent through WireGuard keeps BitTorrent traffic private, prevents ISP traffic shaping on torrent transfers, and isolates that traffic completely from the rest of your server. qBittorrent requires an additional step: you must supply the Peer Listen Port that matches what qBittorrent itself is configured to use, so that the dashboard can set up the correct port forwarding through the tunnel. See qBittorrent — VPN routing for the full how-to.

Supported applications

ApplicationService TypeService UnitNotes
Dispatcharr
Per-user (4-service stack)
dispatcharr-gunicorn@{username} plus daphne, celery-worker, celery-beat
All four application services routed together in one namespace; PostgreSQL and Redis stay on the host
Emby
Per-user (template)
emby-server@{username}
One routing profile per user instance
Jellyfin
Per-user (template)
jellyfin@{username}
One routing profile per user instance
Plex
System-wide
plexmediaserver
Single shared service — only one routing profile at a time
qBittorrent
Per-user (template)
qbittorrent@{username}
Peer listen port required — must match qBittorrent's setting

How to enable from the dashboard

  1. Navigate to System > VPN Control (admin only).
  2. Upload WireGuard client .conf files — one per routing slot you plan to use. If you have a main VPN peer already active, you need an additional .conf for each app you want to route. Two apps cannot share one .conf; each needs its own independent config file with its own keypair.
  3. Scroll to the App-Scoped Routing card.
  4. Select the application you want to route. Dispatcharr, Emby, Jellyfin, and qBittorrent must be installed and their service running before they appear here. Plex appears in the list even before it is installed, so routing can be staged ahead of time.
  5. If the app has multiple service instances (e.g., Emby installed for several users), select the instance.
  6. Choose a WireGuard peer config from the dropdown. Select a config that is not already in use — by the main VPN or by another routed app. Each active routing slot (main VPN + each routed app) must use a distinct .conf file.
  7. Click Enable Routing.

The dashboard shows a live health indicator once routing is active, confirming that the namespace, WireGuard interface, and routing rules are all in place.

Plex and remote access

Plex authenticates through plex.tv and reports its public IP for remote access detection. When Plex traffic is routed through WireGuard, plex.tv will see the VPN exit IP instead of the server’s real IP. This is expected behavior and does not affect local access through the QuickBox dashboard or reverse proxy. If you rely on Plex remote access, be aware that the reported external address will change to match the VPN endpoint.

HTTPS certificate window: During the first few minutes after enabling VPN routing for Plex, the Plex web app may fail over HTTPS with an “unable to connect securely” message. This is temporary — Plex is requesting its TLS certificate through the VPN and the request can be briefly delayed. While it is pending, use http://<your-server-IP>:32400/web/ for initial setup. See Plex — Accessing Plex during initial setup for the full explanation.

Plex is system-wide

Because Plex runs as a single system-wide service (plexmediaserver), only one user can enable app-scoped routing for Plex at a time. Emby and Jellyfin use per-user template services, so multiple users can each have independent routing profiles.

Pre-install staging is Plex-specific

Plex is the only application that supports staging VPN routing before it is installed. This allows Plex’s first-run account registration to happen through the VPN tunnel. Emby, Jellyfin, and qBittorrent do not support pre-install staging — enable routing for those apps after they are installed and running.

Kill switch protection

The kill switch is an optional safety net that fully stops the routed application’s service if the VPN tunnel degrades. This prevents any traffic from leaking outside the VPN.

  • Trigger threshold: Configurable between 60 seconds and 24 hours (default 600 seconds / 10 minutes for Emby, Jellyfin, and Plex; 1,800 seconds / 30 minutes for qBittorrent). The kill switch fires when the WireGuard handshake age exceeds this threshold.
  • Auto-recovery: When enabled, the system attempts to restore VPN routing automatically after a kill switch event using exponential backoff (2 minutes, 4 minutes, 8 minutes, 16 minutes, 30 minutes) up to 5 attempts.
  • Manual re-enable: If auto-recovery is disabled or all 5 attempts are exhausted, an admin must manually re-enable routing from VPN Control.

Configure the kill switch from the Kill Switch Protection panel that appears after routing is enabled for an app.

Reaching a routed service

App-scoped routing moves a media server’s outbound traffic through the VPN tunnel, but it does not remove your inbound access paths. Once routing is enabled you can still reach Emby or Jellyfin in two ways.

Local network (LAN). Any device on the same local network as your server can connect directly using the server’s LAN IP address and the app’s normal port — for example http://192.168.1.10:8096 for Emby. The network namespace is on the server; LAN-adjacent devices connect as usual.

QuickBox reverse proxy. The dashboard’s reverse proxy bridges into the namespace through an internal veth link. The app remains available at https://<your-server-or-domain>/<username>/<app>/ on port 443, same as when routing is off. This is the recommended path for browser access whether you are on LAN or remote.

Remote / WAN access. For access from outside your network, use the reverse proxy URL or your own domain pointed at the server. The app’s raw port (e.g., 8096 for Emby, 8920 for Jellyfin HTTPS) is not automatically exposed on your server’s public IP when the app is inside a namespace — remote clients should go through the proxy or a port-forward you explicitly configure.

VPN carries outbound traffic only — inbound is unchanged

App-scoped routing tunnels the app’s outbound connections (metadata fetches, library scans, API calls) through the VPN for privacy. Inbound connections from you or your clients still reach the app through the same LAN address or reverse proxy URL they always used. There is no leak: the app cannot make outbound calls except through the tunnel, and inbound traffic arrives through the veth bridge, not the public interface.

How it works (overview)

  1. A dedicated Linux network namespace is created for the app (e.g., qb_emby, qb_plex, qb_dispatcharr).
  2. A WireGuard interface is configured inside the namespace using the selected peer config.
  3. A veth pair bridges the namespace to the host so the reverse proxy can still reach the app.
  4. The app’s systemd service is restarted inside the namespace.
  5. All traffic originating from the app exits through the VPN tunnel. Incoming requests from the dashboard’s reverse proxy reach the app through the veth bridge.
  6. When routing is disabled, the namespace is torn down and the service restarts on the normal host network.

A background health monitor polls every 30 seconds to verify the namespace, WireGuard interface, and routing rules are intact. If the kill switch is enabled and the tunnel handshake goes stale, the monitor takes protective action.

Routed apps come back automatically after a reboot

App-scoped routing survives a server reboot without manual intervention. When the box comes back up, QuickBox Pro rebuilds every routing namespace and tunnel and restarts the routed services for you.

  • Apps wait for their namespace. Routed services are held until their network namespace exists, so they no longer race ahead of the tunnel and flap at boot. A routed app that started before its namespace was ready would otherwise fail with a “network namespace path” error — that ordering gate prevents it.
  • Services start in parallel, without blocking the boot. Restarting the routed apps is fire-and-forget, so one slow app cannot stall the recovery of the others.
  • Self-healing if a boot run stalls. The reconcile step has a generous timeout (up to 10 minutes for a multi-namespace rebuild) and retries on failure. A periodic safety-net timer re-checks routing shortly after boot and again on an interval, so a boot that was interrupted self-heals — worst case within about 15 minutes — with no action from you.
No re-enabling needed after a reboot

You do not have to re-enable app-scoped routing after rebooting the server. Routing profiles you have already enabled are restored automatically. If a routed app appears momentarily disconnected right after boot, give it a few minutes for the safety-net recovery to converge before intervening.

Server gateway (multi-user inbound server)

The server gateway is a separate capability from the two outbound modes above. Instead of your box dialing out through a provider, the gateway makes your box a WireGuard server that other devices connect into. An administrator enrolls individual users; each enrolled user gets a private address from the gateway pool and a personal config they install on their phone, laptop, or router to tunnel into the box.

Three distinct WireGuard modes — do not confuse them
  • Main VPN (peer activation) — your box connects out through a provider; all server traffic exits the tunnel.
  • App-scoped routing — only one app’s outbound traffic exits a tunnel; the rest of the server is unaffected.
  • Server gateway — your box is the inbound server; remote users connect into it. This is the only mode that enrolls per-user peers and hands out per-user configs.

The server gateway is independent of app-scoped routing — enabling one does not affect the other. The gateway uses its own dedicated address pool (10.13.13.0/24) that does not collide with app-routing namespaces.

Who can do what

The gateway has two clearly separated roles:

RoleWhat they can do
Administrator (admin.system.vpn)
Enable the gateway, enroll and revoke individual users, and choose the server-wide tunnel mode (split or full). Available from the dashboard's VPN Control page or from the qb CLI.
Enrolled user (granted the WireGuard app through their ACL group)
Download their own config and view their own connection metrics from their dashboard. Display only — they cannot enroll, revoke, or change the mode.
Both a dashboard and a CLI path exist

Gateway provisioning is an administrator operation, gated by the admin.system.vpn permission. An authorized admin can perform every gateway action either from the dashboard’s VPN Control page or from the qb CLI — the gate is who is authorized, not where the action runs.

Admin: provisioning the gateway

An administrator drives the gateway lifecycle from System → VPN Control (or the equivalent qb commands):

  1. Enable the gateway. This provisions the wg0 server interface, generates the server keypair, enables IP forwarding, applies the NAT rules, and brings wg-quick@wg0 up. It is idempotent — running it again on an already-provisioned gateway changes nothing.
  2. Enroll a user. Enrolling allocates the user a private /32 from the gateway pool, generates a fresh keypair, records the peer, and writes a personal config that the user can download. Enroll is what makes a user appear in the peer list. Re-enrolling the same user reuses their existing address.
  3. Revoke a user. Revoking removes the user’s peer from the live interface and the saved server config, frees their address back into the pool, and deletes their config. It is idempotent — revoking a user who was never enrolled is a no-op.

The enrolled-peer list shows each user’s allocated address and public key. Private keys are never displayed — they live only in the user’s downloadable config.

# Enable / ensure the server gateway (idempotent)
qb install wireguard -o gateway-enable
 
# Enroll a user — allocates a /32 and writes their personal config
qb install wireguard -o gateway-enroll --wg-user username
 
# Revoke a user — frees their address and deletes their config
qb install wireguard -o gateway-revoke --wg-user username
 
# List enrolled peers (username, address, public key — never private keys)
qb install wireguard -o gateway-list

Split vs full tunnel

The gateway has a server-wide tunnel mode that controls how much of each enrolled user’s traffic routes through the box. Only an administrator can change it, and it applies to every enrolled user.

ModeWhat it does
Split tunnel
Enrolled users reach only the box and its gateway subnet through the tunnel; all other traffic stays on each user's own connection. Use this to give users private access to the box without changing where the rest of their traffic goes.
Full tunnel
An enrolled user's entire outbound traffic routes out through the box, so the user's public IP becomes the server's WAN IP. Use this to run the box as a privacy gateway for connected users.
# Switch the gateway-wide tunnel mode (full or split)
qb install wireguard -o gateway-mode --wg-tunnel full
qb install wireguard -o gateway-mode --wg-tunnel split
Flipping the tunnel mode rotates user keys

Changing the gateway’s tunnel mode regenerates every enrolled user’s config with a new keypair. After a mode change, each enrolled user must re-download their config from their dashboard — their previous config will no longer connect. Plan a mode change for a maintenance window and let users know to grab a fresh config afterward.

User self-service: download and metrics

Provisioning is always done by an administrator. Once an administrator has granted a user access to the WireGuard app through their ACL group, a compact self-service panel appears in that user’s own Applications page. What the user sees depends on what the admin has set up for them:

  • Download their own gateway config — once an admin has enrolled them on the server gateway, the WireGuard app row’s expansion panel shows a download button for their personal .conf. The download is scoped to the signed-in user only — no one can pull another user’s config, and there is no way to select a different user.
  • View their own connection metrics — the panel shows their peer’s last handshake age and bytes transferred when they are connected. This is a snapshot that refreshes on an interval; it is display-only.
  • See their routed apps and toggle their own routes — for any app an admin has routed for that user over WireGuard, the panel lists the app with its exit location, transfer totals, a health indicator, and a per-route Routed / Direct switch. That toggle is the one change a non-admin may make, and only on a route the admin already provisioned — a user can never provision a new route, change the backend, or touch another user’s route.

If an administrator has not yet enrolled the user or routed any app for them, the panel shows that nothing has been provisioned yet. Users never see the VPN Control page itself — that surface is admin-only. A user’s only WireGuard surface is the self-service panel in their own WireGuard app row, and only when their ACL group grants them the WireGuard app.

Security notes

  • Each enrolled user gets their own keypair and a unique /32 from the gateway pool — peers are isolated from one another.
  • Private keys are generated on the server and written only into each user’s downloadable config (640 permissions). They are never displayed in the peer list, never logged, and never emitted to the terminal. The peer list shows public keys and addresses only.
  • In full-tunnel mode an enrolled user’s default route is redirected through the box, so all of that user’s Internet traffic exits from the server’s IP. In split-tunnel mode only traffic destined for the gateway subnet uses the tunnel.
  • Enrolled peers persist in the server config, so they survive a reboot or a wg-quick restart. Revoking a user removes their peer both live and from the saved config.
  • The gateway pool (10.13.13.0/24) is dedicated and does not overlap the outbound provider range, the app-routing namespace range, or the OpenVPN client subnet.

Best practices

Do

  • Open UDP 51820 (or your chosen port) before activation; double-check upstream router NAT.
  • Keep /etc/v4-dashboard/wg backed up — this holds all client/server profiles.
  • Use qb manage wireguard calc --mtu whenever endpoints change to avoid fragmentation.
  • If tunneling all traffic, ensure SSH/HTTPS fallback access (out-of-band console or LAN path).
  • Review PostUp/PostDown rules to align with your firewall policy and interfaces.
  • Enable the kill switch for app-scoped routing when VPN privacy is critical — it prevents traffic leaks if the tunnel drops.
  • Test app-scoped routing with a single app first before routing multiple applications.
  • When running the server gateway, change the tunnel mode during a maintenance window — a mode flip rotates every enrolled user's keypair, so they must re-download their config.
  • Revoke gateway access for users who no longer need it — it frees their address and invalidates their config immediately.

Don't

  • Do not share private keys; dashboard masks keys but files remain sensitive on disk.
  • Do not store unencrypted tokens in version control or shared directories.
  • Do not delete a WireGuard peer config that has active app-scoped routing — disable routing for the app first.
  • Do not assign the same .conf file to more than one routing slot (main VPN or any routed app) — each slot needs its own independent peer config with its own keys.
  • Do not share one gateway config between two devices — each enrolled user gets their own keypair and address; sharing a config breaks the second device's handshake.

Troubleshooting

Tunnel up but no traffic
  • Confirm PostUp/PostDown MASQUERADE rules match your outbound interface (ip route list default).
  • Verify AllowedIPs is set (0.0.0.0/0,::/0 for full tunnel or specific subnets for split tunnel).
MTU or handshake issues
  • Run qb manage wireguard calc --mtu --endpoint <host> --protocol ipv4 and update the profile.
  • Check for ISP ICMP filtering; fall back to a conservative MTU like 1380 if probes fail.
Dashboard not showing peers
  • Ensure the cron entry in /etc/cron.d/quickbox exists and that /etc/v4-dashboard/wg exists with correct permissions for the v4-dashboard service.
  • Toggle a peer via qb manage wireguard check -cn <peer> to refresh software_alt_port and dashboard state.
Port blocked or double NAT
  • Test reachability: nc -u -v <public_ip> 51820 from outside; open/forward UDP if closed.
  • Consider provider configs (e.g., NordVPN) if residential IP lacks consistent port forwarding.
Enrolled user cannot download their gateway config
  • The user must be granted the WireGuard app through their ACL group before the download surface appears in their dashboard — without it the WireGuard app row stays hidden.
  • The user must also be enrolled by an administrator. If the panel says no config has been generated yet, enroll them from VPN Control (or qb install wireguard -o gateway-enroll --wg-user <username>).
  • After an admin flips the gateway tunnel mode, every enrolled user’s config is regenerated — tell users to re-download, as their old config will no longer connect.
App-scoped routing shows Degraded health
  • The health monitor checks the namespace, WireGuard interface, iptables rules, ip rules, and ip routes every 30 seconds. A “Degraded” badge means one or more of these components is missing.
  • If the app service was manually restarted outside the dashboard, it may have started on the host network instead of inside the namespace. Disable and re-enable routing to restore it.
Kill switch fired — service stopped
  • Check the VPN Control card for the last error message. The kill switch fires when the WireGuard handshake age exceeds the configured threshold.
  • If auto-recovery is enabled, the system will attempt to restore routing automatically (up to 5 times with exponential backoff).
  • If recovery is exhausted or disabled, manually re-enable routing from the App-Scoped Routing card after verifying the VPN peer is reachable.

FAQ

Dispatcharr, Emby, Jellyfin, Plex, and qBittorrent. Dispatcharr, Emby, Jellyfin, and qBittorrent must be installed and running before they appear in the routing card. Plex also appears before install so routing can be staged in advance — see the VPN Control documentation. qBittorrent requires a Peer Listen Port setting — see the qBittorrent documentation.
Yes, but each routed app requires its own WireGuard peer config. A WireGuard config holds exactly one session with the VPN provider — one keypair, one handshake. Two apps cannot share one .conf file: the second app's namespace will fail to establish a handshake, resulting in no connectivity and a Bad Gateway error. Upload one .conf per app you want to route. All of them can point to the same VPN provider or server — they just need to be separate, independent files.
Plex reports its public-facing IP to plex.tv for remote access. When Plex traffic goes through a WireGuard tunnel, plex.tv sees the VPN exit IP instead of your server's real IP. This is expected and does not affect access through the QuickBox dashboard.
Without a kill switch, the app continues running inside its namespace but loses internet connectivity until the tunnel recovers. With the kill switch enabled, the app service is fully stopped to prevent any traffic from leaking outside the VPN. Enable auto-recovery to let the system attempt automatic restoration.
No. Plex runs as a single system-wide service (plexmediaserver), so only one routing profile can be active at a time. Emby and Jellyfin use per-user template services, so each user can have their own independent routing profile.
No additional configuration is needed on the peer. App-scoped routing uses the same WireGuard client configs you have already uploaded to VPN Control. The routing isolation happens entirely on the server side using network namespaces.
Activating a peer in the VPN Control peer table starts a full-tunnel VPN for the entire server — all traffic, including SSH and the dashboard, exits through that peer. App-scoped routing is separate: it routes only one application (Dispatcharr, Emby, Jellyfin, Plex, or qBittorrent) through a dedicated tunnel while everything else on the server keeps its normal route. Both modes can run at the same time, but they require separate peer config files.
No. Routing profiles you have already enabled are restored automatically when the server comes back up. QuickBox Pro rebuilds each routing namespace and tunnel and restarts the routed services for you, holding each app until its namespace is ready so it does not flap. If a routed app looks briefly disconnected right after boot, give it a few minutes — a periodic safety-net check re-runs the recovery and converges on its own (worst case within about 15 minutes).
On the server. App-scoped routing runs the application inside a network namespace on your QuickBox box, and that namespace's outbound traffic exits through the VPN. You do not run a VPN client on your own phone or laptop for app routing. The "exit location" shown in the dashboard is where the app's traffic appears to originate (the VPN provider's exit point), not your own device's location.
No. A WireGuard config file represents one authenticated session with the VPN provider. If your main VPN is already using a config, selecting that same config for app-scoped routing will fail — you will see no handshake and the app will return a Bad Gateway error. The same constraint applies when routing multiple apps at once: each routed app must also have its own distinct .conf file. You cannot share one config between two routed apps any more than you can share it between the main VPN and app routing. Upload one .conf per slot — main VPN plus one per routed app — from your VPN provider. All configs can point to the same VPN provider or server; they just need independent files with their own keys.
The server gateway turns your box into a multi-user WireGuard server that other devices connect into. The other two modes are outbound: the main VPN dials out through a provider for the whole server, and app-scoped routing sends a single app's outbound traffic out a tunnel. The server gateway is the only inbound mode — an administrator enrolls individual users, each gets a private address and a personal config, and they connect their own devices into the box. It uses its own dedicated address pool and is independent of app-scoped routing.
Gateway tunnel mode is a server-wide, admin-controlled setting. In split tunnel enrolled users reach only the box and its gateway subnet through the tunnel and keep their own connection for everything else. In full tunnel an enrolled user's entire outbound traffic routes through the box, so the user's public IP becomes the server's WAN IP — that turns the box into a privacy gateway for connected users. Flipping the mode regenerates every enrolled user's keypair, so each user must re-download their config afterward.
Yes, once an administrator has enrolled them as a gateway user and granted them access to the WireGuard app through their ACL group. Enrolling is always admin-only. After that, the user sees a download button for their own .conf — plus their own connection metrics — in the WireGuard row's expansion panel in their dashboard. The download is scoped to the signed-in user; no one can pull another user's config, and non-admins never see the VPN Control page.
Revoking removes the user's peer from the live WireGuard interface and from the saved server config, frees their address back into the gateway pool, and deletes their personal config. Their existing config stops connecting immediately. Revoke is idempotent — revoking a user who was never enrolled does nothing — and it never affects any other enrolled user.

Additional resources

WireGuard Official

Protocol overview and design

WireGuard Quick Start

Reference syntax for interface and peers

NordVPN Manual WireGuard

Generate NordLynx token required for nvpn_conf_gen

Join the Community

Media server operators sharing configs, getting support, and shaping the future of QuickBox Pro.

Dedicated Support
Feature Previews
Community Configs
Active Discussions
Join Discord Server
Last updated on
VPN (OpenVPN)CLI Reference