VPN Peers & Clients
Setting Up Peers
What is a Peer?
A peer is a WireGuard endpoint — a device or server connected to GateControl through the VPN tunnel. Each peer gets its own IP address within the WireGuard subnet (default: 10.8.0.0/24).
Creating a Peer (Server Side)
- Navigate to Peers in the sidebar
- Click Add Peer (or the + button on mobile)
- Fill in:
  - Name: A descriptive name (e.g. "Home NAS", "Office Server")
  - DNS: DNS servers for the client (default: `1.1.1.1, 8.8.8.8`)
  - Persistent Keepalive: Keeps the connection alive, recommended `25` seconds for NAT scenarios
  - Expiry Date: Optional — peer is automatically disabled after expiration
  - Group: Optional — organize peers by team, location, or purpose
- Click Save
GateControl automatically generates:
- Private key (stored encrypted in the database)
- Public key
- Preshared key (additional encryption layer)
- Next available IP address in the subnet
Downloading the Peer Configuration
After creating a peer, two options are available:
Config File:
- Click on the peer → Download Config
- You get a `.conf` file that can be imported into any WireGuard client
QR Code:
- Click on the QR code icon
- Scan the code with the WireGuard app on your smartphone
Peer Configuration (Client Side)
The downloaded config looks like this:
```ini
[Interface]
PrivateKey = <auto-generated>
Address = 10.8.0.2/32
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <Server Public Key>
PresharedKey = <auto-generated>
Endpoint = your-server.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
AllowedIPs Explained:
- `0.0.0.0/0` — All traffic through VPN (full tunnel)
- `10.8.0.0/24` — Only traffic to the VPN subnet (split tunnel)
For reverse proxy usage, split tunnel (10.8.0.0/24) is sufficient, since only the GateControl server needs to reach the peers.
WireGuard Clients
Recommended Software by Operating System
| Operating System | Client | Notes |
|---|---|---|
| Windows | WireGuard for Windows | Official client, easy config import |
| macOS | WireGuard for macOS | App Store, menu bar integration |
| Linux | wg-quick (package wireguard-tools) | wg-quick up wg0 with the .conf file |
| Android | WireGuard for Android | QR code or config import |
| iOS / iPadOS | WireGuard for iOS | QR code or config import |
| Synology NAS | docker-wireguard-go | Recommended for NAS systems |
| Docker (general) | docker-wireguard-go | Works on any Docker host |
Setting Up a Client
Windows / macOS / Smartphone:
- Install the WireGuard app
- "Add Tunnel" → Import config file (or scan QR code)
- Activate the tunnel
- Done — the peer appears in GateControl as "Online"
Linux:
```bash
# Copy the config file to /etc/wireguard/
sudo cp gatecontrol-peer.conf /etc/wireguard/wg0.conf
# Start the tunnel
sudo wg-quick up wg0
# Auto-start on boot
sudo systemctl enable wg-quick@wg0
```
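The check below is an added example, not part of GateControl or the original page: it parses a downloaded client config, reports `AllowedIPs` routes wider than the VPN subnet (the page's default `10.8.0.0/24`) and a missing `PresharedKey`, and tests whether the copied file, which holds the private and preshared keys, is readable by group or other. The function names are hypothetical and the sample config is constructed from the one shown above.

```python
import ipaddress
import os
import stat

# Constructed sample in the shape of the config shown above (keys are placeholders).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <auto-generated>
Address = 10.8.0.2/32
DNS = 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = <Server Public Key>
PresharedKey = <auto-generated>
Endpoint = your-server.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

def parse_conf(text):
    """Parse a single-peer client config into {section: {key: value}} (hypothetical helper)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            section[key.strip().lower()] = value.strip()
    return conf

def audit_conf(text, vpn_subnet="10.8.0.0/24"):
    """Return findings for routes wider than the VPN subnet and a missing PSK."""
    conf, findings = parse_conf(text), []
    peer = conf.get("peer", {})
    subnet = ipaddress.ip_network(vpn_subnet)
    for item in filter(None, (s.strip() for s in peer.get("allowedips", "").split(","))):
        net = ipaddress.ip_network(item, strict=False)
        if net.prefixlen == 0:
            findings.append(f"full tunnel: {net} routes all traffic through the VPN")
        elif net.version != subnet.version or not net.subnet_of(subnet):
            findings.append(f"{net} is outside the VPN subnet {subnet}")
    if "presharedkey" not in peer:
        findings.append("no PresharedKey in [Peer]")
    return findings

def readable_by_others(path):
    """True if group or other have any permission bits on the key-bearing file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
```

`wg-quick` itself warns when the config file is world accessible; `sudo chmod 600 /etc/wireguard/wg0.conf` clears that finding.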
docker-wireguard-go — WireGuard for NAS & Docker
docker-wireguard-go is our own companion project for GateControl. It is a Docker container that runs WireGuard as a VPN client — specifically designed for Synology NAS systems, but compatible with any Docker host.
Advantages over other WireGuard clients:
| Feature | Kernel WireGuard | Standard Container | docker-wireguard-go |
|---|---|---|---|
| Kernel module required | Yes | Yes | No |
| SYS_MODULE capability | Yes | Yes | No |
| Synology DSM compatible | No | No | Yes |
| Image size | — | ~50-100 MB | ~8.5 MB |
| Performance | ~1+ Gbit/s | ~1+ Gbit/s | ~200-400 Mbit/s |
Setup on Synology NAS:
- Create a peer in GateControl and download the config
- Copy the config file to the NAS (e.g. to `/volume1/docker/wireguard/wg0.conf`)
- Start the container:
```yaml
# docker-compose.yml
services:
  wireguard:
    image: ghcr.io/callmetechie/docker-wireguard-go:latest
    container_name: wireguard
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /volume1/docker/wireguard/wg0.conf:/etc/wireguard/wg0.conf:ro
    restart: unless-stopped
```
- Start the container: `docker compose up -d`
- Verify: `docker exec wireguard wg show` — should show the tunnel and handshake
- The peer will appear as "Online" in GateControl
Performance: The userspace implementation achieves ~200-400 Mbit/s — more than sufficient for typical NAS use cases (file access, reverse proxy, media streaming).