VPN Control

The VPN Control page lets you manage your WireGuard and OpenVPN VPN directly from the dashboard. Add peers, manage OpenVPN client tunnels, monitor active connections on a geographic map, configure app-scoped VPN routing, and generate NordVPN configurations — all without touching the command line.

Key features

VPN overview

The top of the page features a hero section divided into two areas:

• Active Connection Carousel — Displays your active VPN connections (both system VPN and app routing connections) in a rotating carousel. Each card shows the connection name, status, endpoint, and data transfer statistics. The carousel auto-rotates and pauses when you interact with it.
• Geographic Map — An interactive map that highlights the geographic location of the currently selected connection. As the carousel rotates or you select a connection, the map updates to show where that peer is located.

Peer management

The peer table below the hero section lists all configured WireGuard peers. Each row shows the peer name, endpoint, status, and available actions.

Adding a peer

Upload a WireGuard configuration file to add a new peer:

1. Click Add Peer or the upload button
2. Select a .conf file containing the WireGuard peer configuration
3. The peer appears in the table in a deactivated state

Activating and deactivating peers

• Activate — Bring a peer connection online. Only one system VPN connection can be active at a time — activating a new one deactivates the current one
• Deactivate — Take a peer connection offline without removing it

Click the expand arrow on any peer row to view the full WireGuard configuration details.

Removing a peer

Click Delete on a peer row to permanently remove its configuration from the server.

OpenVPN

When OpenVPN (the vpn package) is installed, switch to the OpenVPN tab using the selector at the top of the page. The OpenVPN surface has three parts.

Server status and per-user profiles

A status card shows whether the OpenVPN server is installed and running, along with its subnet and port. A profile table lists the per-user .ovpn profiles the installer built for end users to download. You can view a profile’s contents from the dashboard — private keys and tls-crypt material are redacted on screen. The downloadable bundle itself is served from the nginx route created at install time; see the OpenVPN application docs.

Client tunnel management

Client tunnels are the OpenVPN analogue of WireGuard peer configs — a provider .ovpn the box itself dials out through, used to carry app-scoped routing. Upload a config from your VPN provider (Mullvad, PIA, NordVPN, and so on); the dashboard stores it in /etc/v4-dashboard/openvpn/ and drives the openvpn-client@<name>.service unit.

All four actions run as background jobs with a live console, mirroring the WireGuard peer workflow.

NordVPN config generator

The VPN Control page includes a built-in NordVPN configuration generator. Select a country from the dropdown, and the dashboard generates a WireGuard-compatible configuration file that you can use to connect through NordVPN’s network.

This is particularly useful for routing specific applications through a VPN for privacy or geo-restriction bypass.

App-scoped VPN routing

One of the most powerful VPN features is the ability to route specific applications through the VPN while keeping everything else on the direct connection. This uses Linux network namespaces to isolate VPN traffic per application.

Choosing a tunnel backend

App-scoped routing can carry an app’s traffic over either WireGuard or OpenVPN. When you expand an app in the App-Scoped Routing card, a Tunnel Backend selector lets you pick which one to use — the OpenVPN option appears only once at least one OpenVPN client tunnel has been uploaded (see OpenVPN > Client tunnel management above). Pick the backend, then select a matching config: a WireGuard peer for the WireGuard backend, or an OpenVPN client tunnel for the OpenVPN backend.

Everything else — kill switch, automatic failback, health monitoring, the namespace model, inbound access paths — behaves identically regardless of backend. An already-enabled route shows its locked-in backend in the Current Routing panel and cannot be switched in place; disable and re-enable to change it.

Two routing modes

WireGuard on QuickBox Pro operates in two distinct modes. Understanding the difference matters before configuring either one.

Peer activation (main VPN) — Toggling the Active switch on a peer in the peer table starts a wg-quick@<peer> tunnel that routes all server traffic through that peer. Every outbound connection from your server — the dashboard, SSH, running applications — exits through the VPN. This is a full-tunnel, server-wide configuration. Only one system VPN peer can be active at a time.

App-scoped routing — A separate feature that routes only one application’s traffic through a WireGuard tunnel using a private Linux network namespace. The rest of the server keeps its default route. Dispatcharr, Emby, Jellyfin, Plex, and qBittorrent are supported. Each routed app runs inside its own isolated namespace with a dedicated WireGuard interface, so there is complete traffic separation.

Both modes can run simultaneously — but each active routing slot requires its own WireGuard peer config.

How app-scoped routing works

• Enable routing for an app — The selected application’s traffic is routed through the active VPN connection
• Kill switch — When enabled, the app loses network access entirely if the VPN disconnects, preventing unprotected traffic
• Live stats — Real-time routing statistics streamed via server-sent events show data transfer per routed app

Routing is restored automatically after a reboot

App-scoped routing survives a server reboot with no manual step. When the box comes back up, QuickBox Pro rebuilds every routing namespace and tunnel and restarts the routed services automatically.

• Apps are held until their namespace exists, so routed services no longer race ahead of the tunnel and flap at boot.
• Routed services start in parallel and non-blocking, so one slow app cannot stall recovery of the others.
• A boot run that stalls self-heals. The reconcile step has a generous timeout (up to 10 minutes for a multi-namespace rebuild) and retries on failure, and a periodic safety-net timer re-checks routing shortly after boot and again on an interval — worst case the system converges within about 15 minutes.

You do not have to re-enable any routing profile after a reboot. If a routed app looks briefly disconnected right after boot, give the safety-net recovery a few minutes to converge before intervening.

Reaching an app-routed service

App-scoped routing tunnels the app’s outbound traffic through the VPN. Your inbound access paths stay the same.

App-scoped routing has no effect on how you reach the app — only on where the app’s own connections exit.

Plex-specific inbound bypass

Plex has additional handling beyond the general model above. QuickBox wires Plex’s inbound and outbound paths separately:

• Outbound (library scans, plex.tv API, account registration) — routed through the VPN tunnel as usual
• Inbound (remote clients connecting to your server on port 32400) — delivered directly via your server’s real public IP, bypassing the VPN for the return path

This means Plex can register correctly with plex.tv using a reachable address, and clients connect at full bandwidth without going through Plex Relay. The inbound bypass is automatic when you enable VPN routing for Plex — no additional configuration is needed.

For downloaders like qBittorrent, inbound connections come through the VPN peer port (set via the Peer Listen Port field), so those connections travel through the tunnel end-to-end rather than using the bypass.

Supported applications

Dispatcharr

Emby

Jellyfin

Plex

qBittorrent

Installed applications with running services appear in the routing card. Plex also appears even when not yet installed, because VPN routing can be staged before install — see Staging routing before Plex install below. Dispatcharr and qBittorrent appear in the card once they are installed and their services are running.

Staging routing before Plex install

Plex registers the server with your plex.tv account during its first connection after install. If that connection goes through the VPN, plex.tv records the VPN exit IP. If it goes over the direct connection, plex.tv records the real server IP.

To ensure Plex’s initial registration uses the VPN, you can stage routing before installing Plex. Staging sets up the VPN tunnel in advance so it is already in place when the install runs.

How to stage routing for Plex:

1. On the App-Scoped Routing card, select Plex from the app list. Plex appears in the list even when not installed.
2. Choose a tunnel backend, then pick a matching config from the dropdown — a WireGuard peer or an OpenVPN client tunnel.
3. Click Stage Routing (shown instead of “Enable Routing” when Plex is not yet installed).

The Plex row changes to a Staged · awaiting install pill — a sky-blue badge with a clock icon. This means the VPN configuration is ready and waiting. Kill switch settings and live metrics are not available at this stage.

4. Install Plex from Package Management (or via qb install plex -u username).

After the install completes, the routing profile automatically finalizes. The badge changes from Staged · awaiting install to Active (green). No manual step is needed.

For full guidance on why install order matters for Plex account registration, see the Plex application documentation.

qBittorrent-specific tuning

qBittorrent requires one additional setting when enabling app-scoped routing: the Peer Listen Port.

Why it matters: qBittorrent uses a dedicated port to accept incoming connections from other peers in a swarm. When qBittorrent is inside a private VPN tunnel, that port needs to be forwarded from the server’s public interface into the tunnel so that remote peers can reach it. The dashboard sets up this port forwarding automatically — but it needs to know which port you have configured inside qBittorrent itself.

What to do:

1. Open qBittorrent’s Web UI and go to Settings → BitTorrent → Listening Port.
2. Note the port number (or set one you want to use, in the 1024–65535 range).
3. Back in VPN Control, enter that same port number in the Peer Listen Port field before clicking Enable Routing.

qBittorrent WebUI access: Even though qBittorrent’s Web UI normally only listens on the local loopback inside the VPN tunnel, the dashboard handles the internal routing automatically so the /qbittorrent/ URL and the dashboard tile keep working without any action on your part.

Kill switch threshold: The default kill switch threshold for qBittorrent is 30 minutes — longer than the 10-minute default for media servers. Torrent sessions are long-lived, and brief WireGuard handshake stalls are common during normal operation. An aggressive threshold would trigger false-positive kill switch events and interrupt active downloads unnecessarily. You can adjust the threshold (between 60 seconds and 24 hours) in the kill switch settings panel after enabling routing.

For full guidance on routing qBittorrent through the VPN, see the qBittorrent application documentation.

Server configuration

The footer drawer shows your WireGuard server configuration:

• Server keys — Public and private WireGuard keys for your server
• Listen port — The UDP port WireGuard listens on
• DNS settings — DNS servers configured for VPN clients
• Peer statistics — Summary of total peers, active connections, and data transferred

Connection monitoring

The VPN Control page provides real-time monitoring of all VPN connections:

• Data transfer stats — Bytes sent and received per peer
• Connection history — View past connections and their duration
• Active session tracking — See which peers are currently connected

Statistics update in real time via server-sent events.

CLI equivalents

For the full WireGuard installation and CLI reference, see the WireGuard application documentation.

Best practices

FAQ

Related pages