WireHub is a WireGuard configuration generator — it supports multiple networks and devices, label-based access rules, invitations and permissions, and secure storage of WireGuard PrivateKeys.
PrivateKeys can be generated in-browser or imported if you already have them. If provided, PrivateKeys are encrypted in-browser using WebCrypto with a password of your choice. WireHub never receives nor stores your password.
Peering between network devices is defined with label-based rules. Labels are applied to devices and are then used in connection rules, covering all your Peer, AllowedIPs, and PreSharedKey needs.
Network members may be invited as Guests, Members, Managers or Admins — Guests don't even have to create an account with WireHub. Managers and Admins can generate and manage the keys for any device, while Members and Guests can only manage their assigned devices.
Other than the in-browser PrivateKey encryption/decryption mechanism, all functionality of WireHub is accessible without JavaScript.
Read on to find out more or Join the Beta!
For example, a network called Home may be used for all your family's personal devices, and a network called Office may be used for all your work-related devices.
A network-level CIDR of your own choosing, like 10.10.0.0/24, is used to automatically assign unique IP addresses to peers added to the network.
You can even specify default DNS settings to be applied to all connected devices.
Each device automatically gets an IP address from the network CIDR, like 10.10.0.5/32, and you may also specify additional addresses, like 192.168.65.5/32.
Using custom labels like pihole, media, server:app-1, etc. you can easily group and filter your devices.
Peering between devices is achieved via uni-directional label-based connection rules — both devices need to specify the connection using the labels applied to them.
You can also specify the AllowedIPs to be used for each connection using keywords such as peers (only the IPs of the two peers), network (the network CIDR), and all (all traffic, 0.0.0.0/24).
For direct peer-to-peer connections, PreShared keys are automatically generated and shared between the peers by default.
And you can specify pass-through connections to describe Hub/Site topologies, Web Proxies, or VPN exit nodes.
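The rule resolution described above, as an added example that is not WireHub's own code: it turns uni-directional label rules into each device's peer list and AllowedIPs, and reports rules that only one side has declared. The device and rule shapes, the labels and the function names are hypothetical; only the `peers` and `network` keywords are covered.

```javascript
// Added example; the device/rule shapes are hypothetical, not WireHub's data model.
const network = { name: 'home', cidr: '10.10.10.0/24' };
const devices = [ // constructed sample, modelled on the preview shown on this page
  { name: 'hub', labels: ['hub'], addresses: ['10.10.10.1/32'] },
  { name: 'home-server', labels: ['server'], addresses: ['10.10.10.2/32', '192.168.68.24/32'] },
  { name: 'ipad', labels: ['client'], addresses: ['10.10.10.3/32'] },
  { name: 'iphone', labels: ['client'], addresses: ['10.10.10.4/32'] },
];
// Uni-directional rules: devices labelled `from` ask to peer with devices labelled `to`.
const rules = [
  { from: 'hub', to: 'client', allowedIPs: 'peers' },
  { from: 'hub', to: 'server', allowedIPs: 'peers' },
  { from: 'server', to: 'hub', allowedIPs: 'peers' },
  { from: 'client', to: 'hub', allowedIPs: 'network' },
  { from: 'client', to: 'server', allowedIPs: 'peers' }, // the server never reciprocates
];

// First rule by which device `a` asks to connect to device `b`, or undefined.
function ruleFor(a, b) {
  return rules.find((r) => a.labels.includes(r.from) && b.labels.includes(r.to));
}

// Peers of `device`: only devices for which BOTH directions are covered by a rule.
function peersOf(device) {
  return devices
    .filter((other) => other !== device && ruleFor(device, other) && ruleFor(other, device))
    .map((other) => {
      const kind = ruleFor(device, other).allowedIPs;
      if (kind !== 'peers' && kind !== 'network') throw new Error(`unsupported keyword: ${kind}`);
      // `peers` routes only the peer's own addresses; `network` routes the whole CIDR.
      return { name: other.name, allowedIPs: kind === 'network' ? [network.cidr] : other.addresses };
    });
}

// Connections requested by one device but not declared by the other: no [Peer] is emitted.
function oneSided() {
  return devices.flatMap((a) => devices
    .filter((b) => a !== b && ruleFor(a, b) && !ruleFor(b, a))
    .map((b) => `${a.name} -> ${b.name}`));
}
```

Listing the one-sided requests is a quick audit for why an expected peer is missing from a generated configuration.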
Simple Role-Based Access Controls to specify who gets to do what in your network.
Guests — for when you just want to securely share WireGuard Configuration files. Guests can only view devices assigned to them. No WireHub account required.
Members — for when you want people to manage their own devices. Members can add their own devices and view other network devices, but can only modify their own devices or those assigned to them.
Managers & Admins — when you want others to manage the network. Managers and Admins can invite new members, revoke memberships, create or modify connections, and make changes to network configuration.
Managers and Admins can also preview their networks from the perspective of other members to make sure everything's all right.
Interfaces represent the [Interface] section of a WireGuard configuration file — most importantly the Private/Public Keys. As such, Interfaces are considered private to the user that created them.
Once an Interface is assigned to a network Device, either by a network Manager or the device owner, its Public Key and Endpoint (if any) are shared with the Device's peers.
Private Keys, if shared with WireHub, are client-side encrypted using WebCrypto and password protected with a password that does not leave your browser — you really own your private keys.
This is an interactive example WireGuard Configuration Preview UI for the Hub device in my Home network where the Hub connects to all available devices.
    [Interface]
    # Name = admin/home-hub
    # PrivateKey = ********
    # PublicKey = DHlM/s59bdfP4/sKj6eyPesWKsc2Y5QNd8kMlMzPOSI=
    # Device = home/hub
    Address = 10.10.10.1

    [Peer]
    # Name = home/iphone
    PublicKey = GkCpbysgq35AUCDGqJ5O0a086fdTbG85b3Ces2iVFCQ=
    PresharedKey = PMeoZ/E1/I7lg7xF5zNtJV+3MZnfXoBi4KiGXFzFwgI=
    AllowedIPs = 10.10.10.4/32

    [Peer]
    # Name = home/home-server
    PublicKey = Y6vLxZNeGC2y9mpo0g9QCm2yuAu7UDTT77pEdgiOASg=
    PresharedKey = ZfZMWyeEYs6swPfY5gpxL6CRuxeNS73h6LLGHNfZQKQ=
    AllowedIPs = 10.10.10.2/32
    AllowedIPs = 192.168.68.24/32

    [Peer]
    # Name = home/ipad
    PublicKey = ygoa+Y44zbQg9loEqofkMIiKVXYhNbunVbY+KClwkys=
    PresharedKey = fB689E6GqReGknOEu1RrtXWmjUPA59+IZLoludmYV7k=
    AllowedIPs = 10.10.10.3/32

    [Peer]
    # Name = home/macbook
    PublicKey = 1TgSkmCdHRyARlZy3DZ8r8/p/LbXHvb/REhiRlGj2yY=
    PresharedKey = YihQc9YZVvA2LSb0h6uw0FIyseRsZkMuGmZ81P3mCTE=
    AllowedIPs = 10.10.10.5/32
No. WireHub helps you generate and distribute WireGuard configurations.
You can then use the official WireGuard apps and command line tools to import and activate these configurations.
People who run and manage their own WireGuard networks.
WireHub is not a static, get it and forget it, WireGuard configuration generator.
You need an account to save your network settings, devices, and private and public keys. In some cases, you also need an account to accept invites to existing WireHub networks.
You can use WireHub without providing your Private Keys — only your Public Keys and Endpoints are needed in order to generate valid WireGuard configurations.
If you do provide your Private Keys, each key is encrypted in the browser with a password of your choice. The password can be anything and of any length. Neither the password nor the plain-text Private Key are ever sent to WireHub — just the encrypted string.
WireHub makes use of existing cryptographic libraries, namely the standard WebCrypto API to encrypt/decrypt Private Keys and Jason's wireguard.js to generate Private keys in the browser.
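One way the in-browser password encryption described above can be done with the standard WebCrypto API, as an added example that is not WireHub's code. The key derivation (PBKDF2-SHA-256), the cipher (AES-256-GCM), the iteration count, the `salt.iv.ciphertext` string format and all function names are assumptions; the page does not state which parameters WireHub uses.

```javascript
// Assumed parameters, not WireHub's documented scheme: PBKDF2-SHA-256 -> AES-256-GCM.
const PBKDF2_ITERATIONS = 600000;
const SAMPLE_PRIVATE_KEY = 'A'.repeat(43) + '='; // constructed placeholder, not a real key

// Browsers and recent Node expose globalThis.crypto; older Node needs the import.
async function getWebCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Stretch the password into a non-extractable AES key bound to this salt.
async function deriveKey(wc, password, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Returns "salt.iv.ciphertext" (base64 parts): the only value that would leave the browser.
async function encryptPrivateKey(privateKeyB64, password) {
  const wc = await getWebCrypto();
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh per key
  const iv = wc.getRandomValues(new Uint8Array(12));   // never reused with the same key
  const key = await deriveKey(wc, password, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(privateKeyB64));
  return [salt, iv, new Uint8Array(ct)].map(toB64).join('.');
}

// Rejects if the password is wrong or the stored string was modified (GCM tag check).
async function decryptPrivateKey(blob, password) {
  const wc = await getWebCrypto();
  const [salt, iv, ct] = blob.split('.').map(fromB64);
  const key = await deriveKey(wc, password, salt);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct);
  return new TextDecoder().decode(pt);
}
```

Because the password never leaves the client, the strength of the stored string against offline guessing depends entirely on the password and the KDF work factor.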