WireSock VPN Client

WireSock VPN Client is a lightweight command line WireGuard VPN client for Windows that has advanced features not available in the official WireGuard for Windows such as selective application tunneling and disallowed IP addresses. WireSock VPN Client is easy to set up and is free*.

WireSock VPN Client combines the power of Windows Packet Filter and BoringTun (user space WireGuard implementation in Rust) to provide exceptional performance, security and scalability.

Key Features

  • Transparent mode. Unlike most VPN software, WireSock VPN Client supports two modes of operation. The former (enabled with the -lac command line switch) works through the virtual network adapter associated with the VPN connection, while the latter (default mode) does not change your network settings and is completely transparent.
  • Tunneling only certain applications. “AllowedApps” and “DisallowedApps” are WireSock extension options that allow only selected applications to be tunneled. For example, the Chrome browser can be configured to go through a VPN tunnel, while Firefox will connect directly through your normal internet connection.
  • Ability to exclude subnets from ‘AllowedIPs‘. ‘DisallowedIPs’ is a WireSock extension parameter which allows exclusion of specified subnets or individual IP addresses from AllowedIPs without complex calculations.
  • High performance. WireSock VPN Client is much faster than user-space WinTun based implementation in Go and competes with kernel mode WireGuardNT (though normally has slightly higher CPU impact due to user-space nature). Below are comparison throughput (upload/download) test results using a nine-year-old Intel® NUC DC3217IYE (Core i3-3217u) on the client side. In each test, iperf3 has been using 4 TCP sessions (one per vCPU). The topmost results were taken from a series of 10 sequential tests.
 iperf3 -c -P 4
iperf3 -c -R -P 4
WireSock VPN Client v1.0.46879 Mbits/sec892 Mbits/sec
WireGuard for Windows
(kernel driver) v0.5
892 Mbits/sec719 Mbits/sec
WireGuard for Windows
(WinTun) v0.4.1
288 Mbit/sec325 Mbits/sec
TunSafe v1.4435 Mbits/sec284 Mbits/sec

Core i3-3217u, Windows 10 x64 1809, 1Gbps wired connection

  • Lightweight. WireSock VPN Client binaries take approximately 1.5 MB storage on disk, and runtime RAM footprint is under 10 MB.
  • Double VPN (with nested tunnels). WireSock VPN Client is compatible and can be used with official WireGuard for Windows to organize nested WireGuard tunnels completely on the client side. In such configuration, the official client organizes the external tunnel (to the first WireGuard Server instance) and WireSock VPN Client the internal one (to the second WireGuard Server instance). You only need to remember to adjust MTU parameter for the internal tunnel accordingly to avoid fragmentation and throughput degradation.
  • Windows 10 Mobile hotspot support. When WireSock VPN Client is active, Mobile hotspot connected devices are also forwarded over the WireGuard tunnel. This functionality is not available in the official WireGuard for Windows.
  • SOCKS5 for WireGuard handshake. The easiest way to block WireGuard VPN is based on identifying handshake and handshake response packets (both fixed length and known format). This feature allows these packets to be passed through a SOCKS5 proxy, making identification more difficult. Note that only the handshake and handshake response packets go through the SOCKS5 proxy, all other tunnel packets are sent directly.
  • Fallback WireGuard configuration. Allows you to add another WireGuard configuration that will be used if the main tunnel is down (unavailable).

Quick Start Guide

Download and install the appropriate WireSock VPN Client installer for your target platform:

For enhanced user experience and management with WireSock VPN Client in application mode**, we recommend using WireSockUI as your preferred UI option. There are several other options available, such as TunnlTo and EpexGUI, but WireSockUI provides a more refined and user-friendly interface with tighter integration to Wiresock.

WireSockUI is a C# project started by Rob van Oostenrijk, building upon the foundation laid by EpexGUI. The interface design is inspired by the official WireGuard for Windows interface, ensuring familiarity and ease of use. WireSockUI works directly with the Wiresock core DLL, providing more flexibility and enhanced control over the VPN client. We appreciate Rob van Oostenrijk’s valuable efforts and contributions in creating WireSockUI.

All the options mentioned above, including WireSockUI, offer several convenient features, such as importing and editing Wireguard configurations and switching between tunnels, which can greatly simplify the user experience when using the WireSock VPN Client.

Newest Versions of WireSockUI:

  • WireSockUI-v0.1.7-AnyCPU.zip – Tailored for Windows 10/11 x86/x64 systems, this package ensures smooth performance on both 32-bit and 64-bit architectures.
  • WireSockUI-v0.1.7-ARM64.zip – Optimized for Windows 10/11 ARM64 devices, this package provides a reliable and efficient VPN experience on the latest ARM-based hardware.
  • WireSockUI-v0.1.7-AnyCPU-no-uwp.zip – Compatible with Windows 7/8 x86/x64 systems, this version omits UWP (Universal Windows Platform) support to ensure compatibility with older Windows operating systems.

WireSock VPN Client CLI

Apart from the WireSockUI option mentioned earlier, the WireSock VPN Client can also be initiated from the command line as a Windows console application (wiresock-client.exe) or executed in the background as a Windows service. When running wiresock-client.exe from the command line without any parameters, the output displayed is as follows:

WireSock LightWeight WireGuard VPN Client


 install [-start-type <2..4> -account <account-name> -password <account-password> -config <wireguard-client-config-full-pathname> [-fallback-config <wireguard-fallback-client-config-full-pathname>] -log-level <none | info | debug | all>]
  - to install the service.
    service start types are:
     2 - service started automatically by the service control manager during system startup.
     3 - service started manually or by calling StartService function from another process.
     4 - service installed in the "disabled" state, and cannot be started until enabled.
 run [-config <wireguard-client-config-full-pathname> [-fallback-config <wireguard-fallback-client-config-full-pathname>] -log-level <none | info | debug | all>]
  - to start as a regular process (not a service)
  - to remove the service.

If you already have the WireGuard configuration file, you can run WireSock VPN Client as an application using the command line below:

wiresock-client.exe run -config [config_full_path_name] -log-level none

To start WireSock VPN Client in virtual network interface mode you can use the command below:

wiresock-client.exe run -config [config_full_path_name] -log-level none -lac

Please note to use -log-level none unless you need to debug the application because it affects the performance.

To install as auto-starting Windows Service, use the following:

wiresock-client.exe install -start-type 2 -config [config_full_path_name] -log-level none

OR (to install in virtual network adapter mode)

wiresock-client.exe install -start-type 2 -config [config_full_path_name] -log-level none -lac

Wiresock VPN Client Service can be started/stopped using the Services applet (services.msc) or commands below (requires Administrator privilege):

sc start wiresock-client-service
sc stop wiresock-client-service

The service can be uninstalled (remember to stop the service first) using:

wiresock-client.exe uninstall


sc delete wiresock-client-service

Application vs Service mode

As you have already noticed, you can use Wiresock VPN Client as a Windows service or as a normal application. It is worth mentioning one limitation of running it as a normal application. When a Wiresock VPN client is started in this way, it can only split tunnel processes that are accessible (e.g., started) by the current user (others will be labeled as SYSTEM).

Extended configuration parameters

In addition to WireGuard standard configuration parameters, WireSock VPN Client supports the following (parameters below should be specified in the Peer section of the configuration file):

  • AllowedApps – specifies comma separated list of application names (or partial names) to forward over VPN tunnel. This parameter narrows AllowedIPs, so the traffic to be tunneled should match both AllowedIPs and AllowedApps. For example, ‘AllowedApps = chrome’ and ‘AllowedIPs =’ will result in forwarding only Chrome browser over the VPN connection, everything else will bypass the tunnel.
  • DisallowedApps – specifies comma separated list of application names (or partial names) to be excluded from the tunneling. This parameter is the opposite of AllowedApps. Please note that AllowedApps takes precedence, and if both are specified, then AllowedApps is matched first.
  • DisallowedIPs – specifies comma separated list of IP subnets to be excluded from the tunneling. For example, AllowedIps = and DisallowedIPs = will exclude from the tunneling.
  • WireGuard handshake over SOCKS5 proxy parameters:
    • Socks5Proxy – specifies SOCKS5 proxy endpoint, e.g. Socks5Proxy = socks5.sshvpn.me:1080 or Socks5Proxy =
    • Socks5ProxyUsername – specifies SOCKS5 username (optional)
    • Socks5ProxyPassword – specifies SOCKS5 password (optional)

In the example configuration below, the WireSock VPN Client will tunnel only Google Chrome browser for all destination IP addresses except LAN ( ):

PrivateKey = AD9GaupPbRlfjPTfhLm1/lm5qtgwvFcB1rGpKOZkXXE=
Address =, fd42:42:42::2/128
DNS =,
MTU = 1420

PublicKey = tRb3/FxzJBhinaVPY/tyoX40PS7EY1mmzFyrL/dAnwY=
AllowedIPs =, ::/0
Endpoint = ora.sshvpn.me:51820
AllowedApps = chrome
DisallowedIPs =


If you encounter any issues, the first troubleshooting step to consider is initiating the application/service using the -log-level all command line parameter. When the application is run, it will output a debug log directly to the console. If it’s run as a service, the log will be saved to a file located in C:\ProgramData\NT KERNEL\WireSock VPN Client.

All processed network packets are preserved in PCAP files, which can be opened and evaluated using Wireshark. Typically, these PCAP files are stored in the working folder – for instance, Windows\System32 when started as a service.

It’s important to understand that the -log-level all command is designed solely for debugging purposes. Utilizing it can notably impact the performance of the application.


WireSock VPN Client is free for personal (non-commercial), or educational (including non-profit organization) use.


Please ask questions in our support forum.