User Guide


To understand the basics of the WireGuard protocol, please take a moment to read WireGuard's Conceptual Overview and the WireGuard Quick Start Guide. TunSafe is an implementation of this protocol for Windows. Unlike WireGuard, but similar to OpenVPN, TunSafe runs as a user-mode application and does not run inside of the kernel. To facilitate this, TunSafe uses the TAP-Windows network adapter. This is an open source network adapter created by the OpenVPN team in order to get direct access to the low-level TCP/IP packets.

For performance reasons, it's typically preferred to run this type of packet routing fully inside of the kernel. However, TunSafe has been carefully tuned and optimized for speed, so the benefits of running it as a user-mode application arguably outweighs the costs. For example, TunSafe won't compromise the stability of your operating system or cause the computer to crash. TunSafe is also easy to configure and upgrade.

Using TunSafe on Windows

TunSafe is available as a 32-bit or 64-bit application for computers running Windows 7 or later. Please first go ahead and Download TunSafe. The installation program will then automatically download and install the GPL licensed TAP network adapter.

The main window of TunSafe looks like this:

The Edit Config button will let you edit the current configuration file in a text editor. By pressing Options, you see a menu where you can load one of the available configuration files.

You can also Import a configuration file from this menu, or drag-and-drop a configuration file from another program onto TunSafe. This will make a copy of the file in TunSafe's configuration directory, in C:\Program Files\TunSafe\Config.

If you press Generate Key Pair you get to see a dialog that randomizes a secure keypair. The private key can be used in the configuration file, while the public key will be used on the WireGuard server.

The format of the configuration files uses the same syntax as the wg-quick(8) tool.

Here's an example configuration file.

# This is a sample config file for TunSafe. It uses the same syntax as
# WireGuard's wg-quick tool

# The private key of this computer. This is a secret key, don't give it out.
# To convert it to a public key you can go to 'Generate Key Pair' in TunSafe.
PrivateKey = gIIBl0OHb3wZjYGqZtgzRml3wec0e5vqXtSvCTfa42w=

# Whether we want to bind a port to allow others to initiate connections to us.
# Please ensure this port is mapped in your router.
# ListenPort = 51820

# Switch DNS server while connected. Either IPv4 or IPv6.
# DNS = 

# Whether to block all outgoing DNS and force all DNS to go through the VPN. This
# prevents leakage of what websites you visit.
# BlockDNS = true

# The addresses to bind to. Either IPv4 or IPv6. /31 and /32 are not supported.
Address =

# Can be used to change MTU of the network adapter in Windows. We want this to
# be lower than the default 1500 to ensure the WireGuard headers don't cause
# fragmentation.
# MTU = 1420


# The public key of the peer. Do not use the private key here. Use the 'Generate Key Pair'
# function in TunSafe to convert a private key to a public key.
PublicKey = hIA3ikjlSOAo0qqrI+rXaS3ZH04Yx7Q2YQ4m2Syz+XE=

# It's also possible to use a preshared key for extra security
PresharedKey  =  SNz4BYc61amtDhzxNCxgYgdV9rPU+WiC8woX47Xf/2Y=

# The IP range that we may send packets to for this peer. Specify or ::/0 here
# to also insert an entry in the routing table to tunnel all traffic through the VPN.
AllowedIPs =

# Address of the server. Can be either IPv4 or IPv6.
Endpoint =

# Send periodic keepalives to ensure connection stays up behind NAT, in seconds.
PersistentKeepalive = 25

# When the peer is used as default gateway, whether to forward multicast and broadcast
# packets through the tunnel.
# AllowMulticast = false

Example Configuration of WireGuard on Linux

There are many different ways to setup WireGuard on Linux, and many different elaborate guides. The below is just a short introduction to give an understanding how it works on Ubuntu. For other Linux distributions please have a look at the official WireGuard installation instructions. For support with using WireGuard, please visit the official WireGuard web page.

First install the wireguard package.

# add-apt-repository ppa:wireguard/wireguard && apt-get update && apt-get install wireguard

Create a public and private keypair for the server using the wg(8) tool.

# wg genkey | tee server_private | wg pubkey > server_public

Then create a keypair for the client:

# wg genkey | tee client_private | wg pubkey > client_public

The keys are just short strings that can be easily copied and pasted from the terminal.

# cat client_private client_public

Load the kernel module and create a WireGuard network interface using ip-link(8).

# ip link add dev wg0 type wireguard

Configure an IP address of the server using ip-address(8).

# ip address add dev wg0

Configure the private key of the server and add the client's public key using the wg(8) tool. In this example we use UDP port 8040 but you may choose a port of your liking. Ensure this port is properly mapped through your router if you want to access your WireGuard server from the Internet.

# wg set wg0 listen-port 8040 private-key server_private
# wg set wg0 peer `cat client_public` allowed-ips          

Activate the newly configured network interface using ip-link(8).

# ip link set up dev wg0

All done, verify that WireGuard is properly configured with the wg(8) tool. It should look similar to this.

root@ubuntu:~# wg
interface: wg0
  public key: 8q1SiKy7hKDTPXltp2iimxLjWpL53lRnQzms9f8LXU0=
  private key: (hidden)
  listening port: 8040

peer: T/DjhrM8hkbqYnOYQvHExF0HI/Csi6DktQth5ijcpDI=
  allowed ips: