Skip to Content
DocsApplicationsUtilitiesWireGuard VPN
WireGuard

WireGuard VPN

Kernel-fast VPN tunnels with QuickBox CLI + dashboard control

WireGuard® on QuickBox Pro provides a lightweight VPN tunnel for routing server or application traffic through trusted endpoints. The QuickBox integration covers CLI automation, dashboard uploads, automatic MTU tuning, NAT rules, and stored keys for visual status. It includes app-scoped routing for isolating specific application traffic (Emby, Jellyfin, Plex) through WireGuard tunnels using Linux network namespaces. Plan firewall and routing rules accordingly for any additional traffic policies.

Kernel-speed tunnels

WireGuard modules with minimal overhead for low-latency VPN links

🖥️ Dashboard control

System → VPN Control lets you upload client .conf files, view keys, and toggle active peers

🧭 Auto MTU tuning

`qb manage wireguard calc --mtu` probes the endpoint to set a safe MTU before activation

🌐 Server or client

Generate server configs (NAT + IPv4/IPv6 forwarding) or ingest provider client profiles

🛰️ NordVPN helper

`nvpn_conf_gen` builds ready-to-use NordLynx WireGuard profiles into the QuickBox stash

📂 Config stash

All configs live under /etc/v4-dashboard/wg with location cache and dashboard previews

⏱️ Cron sync

Install adds a 30-minute cron to sync active profile names and keys to the dashboard

🛡️ Key visibility

Private/public keys are surfaced in VPN Control for quick copy-and-paste when needed

🔀 App-scoped routing

Route only Emby, Jellyfin, or Plex traffic through a WireGuard tunnel while other server traffic stays on the default route

🛑 Kill switch protection

Optionally stop a routed app's service when the VPN tunnel drops, with configurable auto-recovery

Installation

Prerequisites

Prerequisites

  • QuickBox Pro v3 already installed
  • Root/sudo shell access to run qb commands
  • UDP 51820 reachable from peers (or your chosen listen port)
  • Outbound HTTPS allowed for ipinfo.io and NordVPN API (for location + generator)

What you get

  • WireGuard kernel module with linux-headers installed automatically
  • Systemd-managed tunnels via wg-quick@<profile>.service
  • IPv4/IPv6 forwarding and NAT rules configured by installer
  • Config stash at /etc/v4-dashboard/wg with dashboard integration
  • NordVPN profile generator (nvpn_conf_gen) ready to use

Install via qb (CLI)

Services stay stopped after install

WireGuard install/reinstall writes configs but does not auto-start wg-quick. Activate a profile with qb manage wireguard check -cn <config> or via VPN Control when you are ready.

# Server setup with one client profile and NAT rules
qb install wireguard -u username -o server -lp 51820 -noc 1 -dns 1.1.1.1 \
  -cidr 10.5.0.2/16 -cai "0.0.0.0/0,::/0" -ep vpn.example.com \
  -pur "iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" \
  -pdr "iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE"
 
# Client-mode installer (paste config when prompted)
qb install wireguard -u username -o client
 
# Reinstall in place (keeps stash under /etc/v4-dashboard/wg)
qb reinstall wireguard -u username -o server
 
# Remove WireGuard entirely
qb remove wireguard -u username

Install from the dashboard (VPN Control)

  1. Open System → VPN Control (admin only).
  2. Click Install WireGuard → choose Client (upload .conf) or Server (enter listen port, client count, CIDR, allowed address, endpoint, DNS, PostUp/PostDown).
  3. Submit. Uploaded configs are written to /etc/v4-dashboard/wg/, server builds land in /etc/wireguard/ and are synced back to the stash.
  4. Use the peer table to toggle Active (starts/stops wg-quick@<name>), view ping/location, and delete peers.

Firewall and downtime

  • Allow UDP on your chosen listen port (default 51820) before activating.
  • Switching default routes through a VPN can interrupt SSH/dashboard sessions—schedule a maintenance window.

Firewall rules are created automatically

When WireGuard activates, the PostUp rules create firewall entries for both IPv4 (iptables) and IPv6 (ip6tables): a FORWARD accept on the wg0 interface and a NAT MASQUERADE on the server’s default network interface. If app-scoped routing is enabled, additional rules appear for veth network namespaces (10.200.x.y subnets). You can verify all of these rules in the dashboard under Settings > Security > Firewall Rules tab — filter by the WireGuard origin to isolate VPN-related entries.

Basic Usage

Activate or swap a profile

# Sync a stored config to /etc/wireguard and start the service
qb manage wireguard check -cn nvpn_us1234
 
# Stop and remove the active client config
qb manage wireguard check --deactivate -cn nvpn_us1234
 
# Remove a stored profile and its service unit
qb manage wireguard remove -cn nvpn_us1234
  • Dashboard: toggle the Active checkbox for a peer in VPN Control to start/stop wg-quick@<peer>. Location, ping, and redacted config preview come from /etc/v4-dashboard/wg/<peer>.conf and the cached IP lookup.
  • CLI: qb manage wireguard check rewrites /etc/wireguard/<peer>.conf, enables wg-quick@<peer>, and updates user_software.software_alt_port so the dashboard stays in sync.

Add client or server configs (CLI)

# Add a client profile (paste config when prompted)
qb manage wireguard add --client -cn wg-client
 
# Add a server profile with custom CIDR, allowed IPs, and port
qb manage wireguard add --server -lp 51820 -cidr 10.5.0.2/16 \
  -cai "0.0.0.0/0,::/0" -noc 3 -pur "iptables -A FORWARD -i %i -j ACCEPT" \
  -pdr "iptables -D FORWARD -i %i -j ACCEPT"

NordVPN config generator (built-in helper)

# Generate up to 5 NordVPN WireGuard profiles (stores as nvpn_<host>.conf)
nvpn_conf_gen -t "<nordvpn_token>" -c "United States" -L 5 -dns 103.86.96.100
 
# List available countries
nvpn_conf_gen -l
 
# MTU tuning is automatic per endpoint (calls qb manage wireguard calc --mtu internally)

Configuration locations

WireGuard files on QuickBox
/
etc/v4-dashboard/wg/
├── *.conf# Stored client/server profiles used by dashboard
└── location_cache/
│ └── <hash>.json# Cached ipinfo.io lookups
etc/wireguard/
├── wg0.conf# Server config when -o server is used
└── <peer>.conf# Active client pushed by qb manage wireguard check
etc/cron.d/quickbox# Cron entry runs qb manage wireguard cron every 30 minutes after install

CLI options

-o, --operation

Set mode: server or client (install/reinstall)

-lp, --listen-port

WireGuard listen port (default 51820)

-lp 51820
-cidr, --cidr

Interface address/CIDR for server

-cidr 10.5.0.2/16
-cai, --client-allowed-ip

AllowedIPs for peers

-cai '0.0.0.0/0,::/0'
-dns, --dns

Client DNS resolver (default 1.1.1.1)

-dns 1.1.1.1
-cn, --client-name

Name multiple client configs (wg0-client, wg1-client, etc.)

-cn wg0-client
-mtu, --mtu

Override MTU (auto-calculated if omitted)

-mtu 1420
-ep, --endpoint

Endpoint hostname/IP for peers

-ep vpn.example.com
-pur, --postup-rule

PostUp iptables/ip6tables rules

-pur 'iptables -A FORWARD -i %i -j ACCEPT'
-pdr, --postdown-rule

PostDown rules to clean NAT/forwarding

-pdr 'iptables -D FORWARD -i %i -j ACCEPT'
-noc, --number-of-clients

Generate multiple client configs for a server

-noc 3
qb manage wireguard add

Add client (--client) or server (--server) profiles

qb manage wireguard add --client -cn provider
qb manage wireguard check

Activate profile, enable wg-quick@<name>

qb manage wireguard check -cn wg0-client
qb manage wireguard check --deactivate

Stop service and remove active config

qb manage wireguard check --deactivate -cn wg0-client
qb manage wireguard calc

Calculate MTU or CIDR helper

qb manage wireguard calc --mtu --endpoint host --protocol ipv4
nvpn_conf_gen

Generate NordVPN WireGuard profiles

nvpn_conf_gen -t <token> -c 'Canada' -L 5

Common workflows

  • Install + generate server peers: qb install wireguard -u username -o server -noc 3 ... writes wg0.conf and wg{n}-client.conf into the stash; use VPN Control to download or activate a specific peer.
  • Import a provider profile: Upload .conf in VPN Control or qb manage wireguard add --client -cn provider and paste; MTU is injected if missing and permissions are normalized.
  • Activate/rotate endpoints: Use peer table toggle or qb manage wireguard check -cn <peer> to bring up a tunnel; use --deactivate to tear down before switching regions.
  • Generate NordVPN sets: nvpn_conf_gen -t <token> -c "United States" -L 5 outputs nvpn_<hostname>.conf files ready for activation.
  • Reinstall safely: qb reinstall wireguard -u username -o server refreshes binaries and configs while keeping the stash in /etc/v4-dashboard/wg.

App-scoped routing

App-scoped routing lets you send only a specific application’s network traffic through a WireGuard tunnel while all other server traffic uses the default route. Each routed app runs inside its own Linux network namespace with a dedicated WireGuard interface, so there is complete traffic isolation with no interference between apps or the host.

Supported applications

ApplicationService TypeService UnitNotes
Emby
Per-user (template)
emby-server@{username}
One routing profile per user instance
Jellyfin
Per-user (template)
jellyfin@{username}
One routing profile per user instance
Plex
System-wide
plexmediaserver
Single shared service — only one routing profile at a time

How to enable from the dashboard

  1. Navigate to System > VPN Control (admin only).
  2. Upload at least one WireGuard client .conf file if you have not already.
  3. Scroll to the App-Scoped Routing card.
  4. Select the application you want to route (only installed apps with running services appear).
  5. If the app has multiple service instances (e.g., Emby installed for several users), select the instance.
  6. Choose a WireGuard peer config from the dropdown.
  7. Click Enable Routing.

The dashboard shows a live health indicator once routing is active, confirming that the namespace, WireGuard interface, and routing rules are all in place.

Plex and remote access

Plex authenticates through plex.tv and reports its public IP for remote access detection. When Plex traffic is routed through WireGuard, plex.tv will see the VPN exit IP instead of the server’s real IP. This is expected behavior and does not affect local access through the QuickBox dashboard or reverse proxy. If you rely on Plex remote access, be aware that the reported external address will change to match the VPN endpoint.

Plex is system-wide

Because Plex runs as a single system-wide service (plexmediaserver), only one user can enable app-scoped routing for Plex at a time. Emby and Jellyfin use per-user template services, so multiple users can each have independent routing profiles.

Kill switch protection

The kill switch is an optional safety net that fully stops the routed application’s service if the VPN tunnel degrades. This prevents any traffic from leaking outside the VPN.

  • Trigger threshold: Configurable between 60 and 3,600 seconds (default 600 seconds / 10 minutes). The kill switch fires when the WireGuard handshake age exceeds this threshold.
  • Auto-recovery: When enabled, the system attempts to restore VPN routing automatically after a kill switch event using exponential backoff (2 minutes, 4 minutes, 8 minutes, 16 minutes, 30 minutes) up to 5 attempts.
  • Manual re-enable: If auto-recovery is disabled or all 5 attempts are exhausted, an admin must manually re-enable routing from VPN Control.

Configure the kill switch from the Kill Switch Protection panel that appears after routing is enabled for an app.

How it works (overview)

  1. A dedicated Linux network namespace is created for the app (e.g., qb_emby, qb_plex).
  2. A WireGuard interface is configured inside the namespace using the selected peer config.
  3. A veth pair bridges the namespace to the host so the reverse proxy can still reach the app.
  4. The app’s systemd service is restarted inside the namespace.
  5. All traffic originating from the app exits through the VPN tunnel. Incoming requests from the dashboard’s reverse proxy reach the app through the veth bridge.
  6. When routing is disabled, the namespace is torn down and the service restarts on the normal host network.

A background health monitor polls every 30 seconds to verify the namespace, WireGuard interface, and routing rules are intact. If the kill switch is enabled and the tunnel handshake goes stale, the monitor takes protective action.

Best practices

Do

  • Open UDP 51820 (or your chosen port) before activation; double-check upstream router NAT.
  • Keep /etc/v4-dashboard/wg backed up — this holds all client/server profiles.
  • Use qb manage wireguard calc --mtu whenever endpoints change to avoid fragmentation.
  • If tunneling all traffic, ensure SSH/HTTPS fallback access (out-of-band console or LAN path).
  • Review PostUp/PostDown rules to align with your firewall policy and interfaces.
  • Enable the kill switch for app-scoped routing when VPN privacy is critical — it prevents traffic leaks if the tunnel drops.
  • Test app-scoped routing with a single app first before routing multiple applications.

Don't

  • Do not share private keys; dashboard masks keys but files remain sensitive on disk.
  • Do not store unencrypted tokens in version control or shared directories.
  • Do not delete a WireGuard peer config that has active app-scoped routing — disable routing for the app first.

Troubleshooting

Tunnel up but no traffic

  • Confirm PostUp/PostDown MASQUERADE rules match your outbound interface (ip route list default).
  • Verify AllowedIPs is set (0.0.0.0/0,::/0 for full tunnel or specific subnets for split tunnel).

MTU or handshake issues

  • Run qb manage wireguard calc --mtu --endpoint <host> --protocol ipv4 and update the profile.
  • Check for ISP ICMP filtering; fall back to a conservative MTU like 1380 if probes fail.

Dashboard not showing peers

  • Ensure the cron entry in /etc/cron.d/quickbox exists and that /etc/v4-dashboard/wg exists with correct permissions for the v4-dashboard service.
  • Toggle a peer via qb manage wireguard check -cn <peer> to refresh software_alt_port and dashboard state.

Port blocked or double NAT

  • Test reachability: nc -u -v <public_ip> 51820 from outside; open/forward UDP if closed.
  • Consider provider configs (e.g., NordVPN) if residential IP lacks consistent port forwarding.

App-scoped routing shows Degraded health

  • The health monitor checks the namespace, WireGuard interface, iptables rules, ip rules, and ip routes every 30 seconds. A “Degraded” badge means one or more of these components is missing.
  • If the app service was manually restarted outside the dashboard, it may have started on the host network instead of inside the namespace. Disable and re-enable routing to restore it.

Kill switch fired — service stopped

  • Check the VPN Control card for the last error message. The kill switch fires when the WireGuard handshake age exceeds the configured threshold.
  • If auto-recovery is enabled, the system will attempt to restore routing automatically (up to 5 times with exponential backoff).
  • If recovery is exhausted or disabled, manually re-enable routing from the App-Scoped Routing card after verifying the VPN peer is reachable.

FAQ

Emby, Jellyfin, and Plex. These are the three media server applications that benefit most from per-app VPN routing. The application must be installed and its service must be running before it appears in the routing card.
Yes. Each supported app gets its own network namespace, so you can route Emby, Jellyfin, and Plex simultaneously — each through the same or different WireGuard peer configs.
Plex reports its public-facing IP to plex.tv for remote access. When Plex traffic goes through a WireGuard tunnel, plex.tv sees the VPN exit IP instead of your server's real IP. This is expected and does not affect access through the QuickBox dashboard.
Without a kill switch, the app continues running inside its namespace but loses internet connectivity until the tunnel recovers. With the kill switch enabled, the app service is fully stopped to prevent any traffic from leaking outside the VPN. Enable auto-recovery to let the system attempt automatic restoration.
No. Plex runs as a single system-wide service (plexmediaserver), so only one routing profile can be active at a time. Emby and Jellyfin use per-user template services, so each user can have their own independent routing profile.
No additional configuration is needed on the peer. App-scoped routing uses the same WireGuard client configs you have already uploaded to VPN Control. The routing isolation happens entirely on the server side using network namespaces.

Additional resources

WireGuard Official

Protocol overview and design

WireGuard Quick Start

Reference syntax for interface and peers

NordVPN Manual WireGuard

Generate NordLynx token required for nvpn_conf_gen

Join the Community

Media server operators sharing configs, getting support, and shaping the future of QuickBox Pro.

Dedicated Support
Feature Previews
Community Configs
Active Discussions
Join Discord Server
VPN (OpenVPN)CLI Reference