WireGuard VPN

Kernel-fast VPN tunnels with QuickBox CLI + dashboard control

WireGuard® on QuickBox Pro provides a lightweight VPN tunnel for routing server or application traffic through trusted endpoints. The QuickBox integration covers CLI automation, dashboard uploads, automatic MTU tuning, NAT rules, and stored keys for visual status. It does not ship a policy-based firewall or per-app split tunneling—plan firewall and routing rules accordingly.

Kernel-speed tunnels

WireGuard modules with minimal overhead for low-latency VPN links

🖥️ Dashboard control

System → VPN Control lets you upload client .conf files, view keys, and toggle active peers

🧭 Auto MTU tuning

`qb manage wireguard calc --mtu` probes the endpoint to set a safe MTU before activation

🌐 Server or client

Generate server configs (NAT + IPv4/IPv6 forwarding) or ingest provider client profiles

🛰️ NordVPN helper

`nvpn_conf_gen` builds ready-to-use NordLynx WireGuard profiles into the QuickBox stash

📂 Config stash

All configs live under /srv/quickbox/db/wireguard with location cache and dashboard previews

⏱️ Cron sync

Install adds a 30-minute cron to sync active profile names and keys to the dashboard

🛡️ Key visibility

Private/public keys are surfaced in VPN Control for quick copy-and-paste when needed


Installation

Prerequisites

  • QuickBox Pro v3 already installed
  • Root/sudo shell access to run qb commands
  • UDP 51820 reachable from peers (or your chosen listen port)
  • Outbound HTTPS allowed for ipinfo.io and NordVPN API (for location + generator)

What you get

  • WireGuard kernel module with linux-headers installed automatically
  • Systemd-managed tunnels via wg-quick@<profile>.service
  • IPv4/IPv6 forwarding and NAT rules configured by installer
  • Config stash at /srv/quickbox/db/wireguard with dashboard integration
  • NordVPN profile generator (nvpn_conf_gen) ready to use

Install via qb (CLI)

Services stay stopped after install

WireGuard install/reinstall writes configs but does not auto-start wg-quick. Activate a profile with `qb manage wireguard check -cn <config>` or via VPN Control when you are ready.

```bash
# Server setup with one client profile and NAT rules
qb install wireguard -u username -o server -lp 51820 -noc 1 -dns 1.1.1.1 \
  -cidr 10.5.0.2/16 -cai "0.0.0.0/0,::/0" -ep vpn.example.com \
  -pur "iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" \
  -pdr "iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE"

# Client-mode installer (paste config when prompted)
qb install wireguard -u username -o client

# Reinstall in place (keeps stash under /srv/quickbox/db/wireguard)
qb reinstall wireguard -u username -o server

# Remove WireGuard entirely
qb remove wireguard -u username
```

Install from the dashboard (VPN Control)

  1. Open System → VPN Control (admin only).
  2. Click Install WireGuard → choose Client (upload .conf) or Server (enter listen port, client count, CIDR, allowed address, endpoint, DNS, PostUp/PostDown).
  3. Submit. Uploaded configs are written to /srv/quickbox/db/wireguard/, server builds land in /etc/wireguard/ and are synced back to the stash.
  4. Use the peer table to toggle Active (starts/stops wg-quick@<name>), view ping/location, and delete peers.

Firewall and downtime

  • Allow UDP on your chosen listen port (default 51820) before activating.
  • Switching default routes through a VPN can interrupt SSH/dashboard sessions—schedule a maintenance window.

Basic Usage

Activate or swap a profile

```bash
# Sync a stored config to /etc/wireguard and start the service
qb manage wireguard check -cn nvpn_us1234

# Stop and remove the active client config
qb manage wireguard check --deactivate -cn nvpn_us1234

# Remove a stored profile and its service unit
qb manage wireguard remove -cn nvpn_us1234
```

  • Dashboard: toggle the Active checkbox for a peer in VPN Control to start/stop `wg-quick@<peer>`. Location, ping, and redacted config preview come from `/srv/quickbox/db/wireguard/<peer>.conf` and the cached IP lookup.
  • CLI: `qb manage wireguard check` rewrites `/etc/wireguard/<peer>.conf`, enables `wg-quick@<peer>`, and updates `user_software.software_alt_port` so the dashboard stays in sync.

Add client or server configs (CLI)

```bash
# Add a client profile (paste config when prompted)
qb manage wireguard add --client -cn wg-client

# Add a server profile with custom CIDR, allowed IPs, and port
qb manage wireguard add --server -lp 51820 -cidr 10.5.0.2/16 \
  -cai "0.0.0.0/0,::/0" -noc 3 -pur "iptables -A FORWARD -i %i -j ACCEPT" \
  -pdr "iptables -D FORWARD -i %i -j ACCEPT"
```

NordVPN config generator (built-in helper)

```bash
# Generate up to 5 NordVPN WireGuard profiles (stores as nvpn_<host>.conf)
nvpn_conf_gen -t "<nordvpn_token>" -c "United States" -L 5 -dns 103.86.96.100

# List available countries
nvpn_conf_gen -l

# MTU tuning is automatic per endpoint (calls qb manage wireguard calc --mtu internally)
```

Configuration locations

WireGuard files on QuickBox

```
/
├── srv/quickbox/db/wireguard/
│   ├── *.conf                 # Stored client/server profiles used by dashboard
│   └── location_cache/
│       └── <hash>.json        # Cached ipinfo.io lookups
├── etc/wireguard/
│   ├── wg0.conf               # Server config when -o server is used
│   └── <peer>.conf            # Active client pushed by qb manage wireguard check
└── etc/cron.d/quickbox        # Cron entry runs qb manage wireguard cron every 30 minutes after install
```

CLI options

| Option / command | Description | Example |
| --- | --- | --- |
| `-o, --operation` | Set mode: server or client (install/reinstall) | |
| `-lp, --listen-port` | WireGuard listen port (default 51820) | `-lp 51820` |
| `-cidr, --cidr` | Interface address/CIDR for server | `-cidr 10.5.0.2/16` |
| `-cai, --client-allowed-ip` | AllowedIPs for peers | `-cai '0.0.0.0/0,::/0'` |
| `-dns, --dns` | Client DNS resolver (default 1.1.1.1) | `-dns 1.1.1.1` |
| `-cn, --client-name` | Name multiple client configs (wg0-client, wg1-client, etc.) | `-cn wg0-client` |
| `-mtu, --mtu` | Override MTU (auto-calculated if omitted) | `-mtu 1420` |
| `-ep, --endpoint` | Endpoint hostname/IP for peers | `-ep vpn.example.com` |
| `-pur, --postup-rule` | PostUp iptables/ip6tables rules | `-pur 'iptables -A FORWARD -i %i -j ACCEPT'` |
| `-pdr, --postdown-rule` | PostDown rules to clean NAT/forwarding | `-pdr 'iptables -D FORWARD -i %i -j ACCEPT'` |
| `-noc, --number-of-clients` | Generate multiple client configs for a server | `-noc 3` |
| `qb manage wireguard add` | Add client (--client) or server (--server) profiles | `qb manage wireguard add --client -cn provider` |
| `qb manage wireguard check` | Activate profile, enable wg-quick@<name> | `qb manage wireguard check -cn wg0-client` |
| `qb manage wireguard check --deactivate` | Stop service and remove active config | `qb manage wireguard check --deactivate -cn wg0-client` |
| `qb manage wireguard calc` | Calculate MTU or CIDR helper | `qb manage wireguard calc --mtu --endpoint host --protocol ipv4` |
| `nvpn_conf_gen` | Generate NordVPN WireGuard profiles | `nvpn_conf_gen -t <token> -c 'Canada' -L 5` |

Common workflows

  • Install + generate server peers: `qb install wireguard -u username -o server -noc 3 ...` writes `wg0.conf` and `wg{n}-client.conf` into the stash; use VPN Control to download or activate a specific peer.
  • Import a provider profile: Upload .conf in VPN Control or `qb manage wireguard add --client -cn provider` and paste; MTU is injected if missing and permissions are normalized.
  • Activate/rotate endpoints: Use peer table toggle or `qb manage wireguard check -cn <peer>` to bring up a tunnel; use `--deactivate` to tear down before switching regions.
  • Generate NordVPN sets: `nvpn_conf_gen -t <token> -c "United States" -L 5` outputs `nvpn_<hostname>.conf` files ready for activation.
  • Reinstall safely: `qb reinstall wireguard -u username -o server` refreshes binaries and configs while keeping the stash in `/srv/quickbox/db/wireguard`.

Best practices

Do

  • Open UDP 51820 (or your chosen port) before activation; double-check upstream router NAT.
  • Keep /srv/quickbox/db/wireguard backed up—this holds all client/server profiles.
  • Use `qb manage wireguard calc --mtu` whenever endpoints change to avoid fragmentation.
  • If tunneling all traffic, ensure SSH/HTTPS fallback access (out-of-band console or LAN path).
  • Review PostUp/PostDown rules to align with your firewall policy and interfaces.

Don't

  • Do not share private keys; dashboard masks keys but files remain sensitive on disk.
  • Do not store unencrypted tokens in version control or shared directories.
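
The on-disk sensitivity noted above can be checked with a short audit, shown here as an added example that is not part of QuickBox. It lists profiles that hold a private key or hook commands yet grant group or other access; wg-quick executes PostUp/PostDown lines as shell commands, so write access matters as much as read access. The function name and message wording are assumptions.

```shell
#!/bin/sh
# Added example: flag WireGuard profiles whose file mode exposes keys or hooks.

# audit_wg_profiles <dir>...: print one finding per line for *.conf files that
# grant group/other access while holding a PrivateKey or Pre/Post hook commands.
audit_wg_profiles() {
  find "$@" -type f -name '*.conf' 2>/dev/null | sort | while IFS= read -r f; do
    perms=$(ls -ld "$f" | cut -c5-10)   # group+other bits, e.g. "r--r--"
    case $perms in
      *r*)
        # Anyone in the group/other class can copy the tunnel's identity.
        if grep -qiE '^[[:space:]]*PrivateKey[[:space:]]*=' "$f"; then
          echo "$f: private key readable by group/other ($perms)"
        fi ;;
    esac
    case $perms in
      *w*)
        # Hook lines run when the tunnel is brought up or down.
        if grep -qiE '^[[:space:]]*(Pre|Post)(Up|Down)[[:space:]]*=' "$f"; then
          echo "$f: hook commands writable by group/other ($perms)"
        fi ;;
    esac
  done
}

# Stand-alone use, with the two directories this page names:
#   sh audit.sh /srv/quickbox/db/wireguard /etc/wireguard
if [ $# -gt 0 ]; then
  audit_wg_profiles "$@"
fi
```

An empty result means every profile containing a key or hooks is restricted to its owner.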

Troubleshooting

Tunnel up but no traffic

  • Confirm PostUp/PostDown MASQUERADE rules match your outbound interface (`ip route list default`).
  • Verify AllowedIPs is set (0.0.0.0/0,::/0 for full tunnel or specific subnets for split tunnel).
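
The first check above can be scripted. This added example (not QuickBox code) extracts the interface named in each MASQUERADE rule of a wg-quick profile, compares it with the default-route interface, and confirms PostDown removes what PostUp added. The sample profile, its placeholder key, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a wg-quick profile's NAT hooks with the real outbound interface.

# Constructed sample profile (placeholder key; rules copied from this page's install example).
sample_profile() {
cat <<'EOF'
[Interface]
Address = 10.5.0.2/16
ListenPort = 51820
PrivateKey = CONSTRUCTED_PLACEHOLDER_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# Interface of the default route, parsed from `ip route list default`.
default_iface() {
  ip route list default | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}'
}

# Interfaces named by "-o <iface> -j MASQUERADE" on the given hook (profile on stdin).
masq_ifaces() {
  grep -iE "^[[:space:]]*${1}[[:space:]]*=" |
    grep -oE -- '-o[[:space:]]+[^[:space:];]+[[:space:]]+-j[[:space:]]+MASQUERADE' |
    awk '{print $2}' | sort -u
}

# check_nat_hooks <profile> <outbound-iface>: print findings, return 1 if any.
check_nat_hooks() {
  nh_up=$(masq_ifaces PostUp < "$1")
  nh_down=$(masq_ifaces PostDown < "$1")
  nh_rc=0
  if [ -z "$nh_up" ]; then
    echo "$1: PostUp has no MASQUERADE rule"; return 1
  fi
  for nh_if in $nh_up; do
    if [ "$nh_if" != "$2" ]; then
      echo "$1: PostUp masquerades on $nh_if but the default route uses $2"; nh_rc=1
    fi
  done
  if [ "$nh_up" != "$nh_down" ]; then
    echo "$1: PostDown does not remove the NAT rule(s) PostUp adds"; nh_rc=1
  fi
  return $nh_rc
}

# Stand-alone use: sh check.sh /etc/wireguard/wg0.conf
if [ $# -eq 1 ]; then check_nat_hooks "$1" "$(default_iface)"; fi
```

A mismatch is common on hosts whose uplink is not named eth0 (for example ens3 or enp1s0), since the rule is passed to the installer as a literal string.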

MTU or handshake issues

  • Run `qb manage wireguard calc --mtu --endpoint <host> --protocol ipv4` and update the profile.
  • Check for ISP ICMP filtering; fall back to a conservative MTU like 1380 if probes fail.

Dashboard not showing peers

  • Ensure the cron entry in `/etc/cron.d/quickbox` exists and that `/srv/quickbox/db/wireguard` is owned by www-data.
  • Toggle a peer via `qb manage wireguard check -cn <peer>` to refresh `software_alt_port` and dashboard state.

Port blocked or double NAT

  • Test reachability: `nc -u -v <public_ip> 51820` from outside; open/forward UDP if closed.
  • Consider provider configs (e.g., NordVPN) if residential IP lacks consistent port forwarding.
