WireSock VPN Client is a lightweight command line WireGuard VPN client for Windows that has advanced features not available in the official WireGuard for Windows such as selective application tunneling and disallowed IP addresses. WireSock VPN Client is easy to set up and is free* for non-commercial use.
- Transparent mode. Unlike most VPN software, WireSock VPN Client supports two modes of operation. The former (enabled with the
-laccommand line switch) works through the virtual network adapter associated with the VPN connection, while the latter (default mode) does not change your network settings and is completely transparent.
- Tunneling only certain applications. “AllowedApps” and “DisallowedApps” are WireSock extension options that allow only selected applications to be tunneled. For example, the Chrome browser can be configured to go through a VPN tunnel, while Firefox will connect directly through your normal internet connection.
- Ability to exclude subnets from ‘AllowedIPs‘. ‘DisallowedIPs’ is a WireSock extension parameter which allows exclusion of specified subnets or individual IP addresses from AllowedIPs without complex calculations.
- High performance. WireSock VPN Client is much faster than user-space WinTun based implementation in Go and competes with kernel mode WireGuardNT (though normally has slightly higher CPU impact due to user-space nature). Below are comparison throughput (upload/download) test results using a nine-year-old Intel® NUC DC3217IYE (Core i3-3217u) on the client side. In each test, iperf3 has been using 4 TCP sessions (one per vCPU). The topmost results were taken from a series of 10 sequential tests.
|iperf3 -c 10.66.66.1 -P 4|
|iperf3 -c 10.66.66.1 -R -P 4|
|WireSock VPN Client v1.0.46||879 Mbits/sec||892 Mbits/sec|
|WireGuard for Windows|
(kernel driver) v0.5
|892 Mbits/sec||719 Mbits/sec|
|WireGuard for Windows|
|288 Mbit/sec||325 Mbits/sec|
|TunSafe v1.4||435 Mbits/sec||284 Mbits/sec|
Core i3-3217u, Windows 10 x64 1809, 1Gbps wired connection
- Lightweight. WireSock VPN Client binaries take approximately 1.5 MB storage on disk, and runtime RAM footprint is under 10 MB.
- Double VPN (with nested tunnels). WireSock VPN Client is compatible and can be used with official WireGuard for Windows to organize nested WireGuard tunnels completely on the client side. In such configuration, the official client organizes the external tunnel (to the first WireGuard Server instance) and WireSock VPN Client the internal one (to the second WireGuard Server instance). You only need to remember to adjust MTU parameter for the internal tunnel accordingly to avoid fragmentation and throughput degradation.
- Windows 10 Mobile hotspot support. When WireSock VPN Client is active, Mobile hotspot connected devices are also forwarded over the WireGuard tunnel. This functionality is not available in the official WireGuard for Windows.
- SOCKS5 for WireGuard handshake. The easiest way to block WireGuard VPN is based on identifying handshake and handshake response packets (both fixed length and known format). This feature allows these packets to be passed through a SOCKS5 proxy, making identification more difficult. Note that only the handshake and handshake response packets go through the SOCKS5 proxy, all other tunnel packets are sent directly.
- Fallback WireGuard configuration. Allows you to add another WireGuard configuration that will be used if the main tunnel is down (unavailable).
Quick Start Guide
Download and install the appropriate WireSock VPN Client installer for your target platform:
- wiresock-vpn-client-x64-1.2.8.msi – MSI for Windows [Desktop 7, 8, 8.1, 10, 11 / Server 2012, 2016, 2019, 2022] x64 (64 bit)
- wiresock-vpn-client-x86-1.2.8.msi – MSI for Windows [Desktop 7, 8, 8.1, 10, 11 / Server 2012, 2016, 2019, 2022] x86 (32 bit)
WireSock VPN Client can be started from the command line as a Windows console application (wiresock-client.exe) or run in the background as a Windows service. Running wiresock-client.exe from the command line without parameters shows the following output:
WireSock LightWeight WireGuard VPN Client Parameters: install [-start-type <2..4> -account <account-name> -password <account-password> -config <wireguard-client-config-full-pathname> [-fallback-config <wireguard-fallback-client-config-full-pathname>] -log-level <none | info | debug | all>] - to install the service. service start types are: 2 - service started automatically by the service control manager during system startup. 3 - service started manually or by calling StartService function from another process. 4 - service installed in the "disabled" state, and cannot be started until enabled. run [-config <wireguard-client-config-full-pathname> [-fallback-config <wireguard-fallback-client-config-full-pathname>] -log-level <none | info | debug | all>] - to start as a regular process (not a service) uninstall - to remove the service.
If you already have the WireGuard configuration file, you can run WireSock VPN Client as an application using the command line below:
wiresock-client.exe run -config [config_full_path_name] -log-level none
To start WireSock VPN Client in virtual network interface mode you can use the command below:
wiresock-client.exe run -config [config_full_path_name] -log-level none -lac
Please note to use
-log-level none unless you need to debug the application because it affects the performance.
To install as auto-starting Windows Service, use the following:
wiresock-client.exe install -start-type 2 -config [config_full_path_name] -log-level none
OR (to install in virtual network adapter mode)
wiresock-client.exe install -start-type 2 -config [config_full_path_name] -log-level none -lac
Wiresock VPN Client Service can be started/stopped using the Services applet (services.msc) or commands below (requires Administrator privilege):
sc start wiresock-client-service sc stop wiresock-client-service
The service can be uninstalled (remember to stop the service first) using:
sc delete wiresock-client-service
Extended configuration parameters
In addition to WireGuard standard configuration parameters, WireSock VPN Client supports the following (parameters below should be specified in the Peer section of the configuration file):
- AllowedApps – specifies comma separated list of application names (or partial names) to forward over VPN tunnel. This parameter narrows AllowedIPs, so the traffic to be tunneled should match both AllowedIPs and AllowedApps. For example, ‘AllowedApps = chrome’ and ‘AllowedIPs = 0.0.0.0/0’ will result in forwarding only Chrome browser over the VPN connection, everything else will bypass the tunnel.
- DisallowedApps – specifies comma separated list of application names (or partial names) to be excluded from the tunneling. This parameter is the opposite of AllowedApps. Please note that AllowedApps takes precedence, and if both are specified, then AllowedApps is matched first.
- DisallowedIPs – specifies comma separated list of IP subnets to be excluded from the tunneling. For example,
AllowedIps = 0.0.0.0/0and
DisallowedIPs = 192.168.0.1/24will exclude 192.168.0.1/24 from the tunneling.
- WireGuard handshake over SOCKS5 proxy parameters:
- Socks5Proxy – specifies SOCKS5 proxy endpoint, e.g.
Socks5Proxy = socks5.sshvpn.me:1080or
Socks5Proxy = 188.8.131.52:1080
- Socks5ProxyUsername – specifies SOCKS5 username (optional)
- Socks5ProxyPassword – specifies SOCKS5 password (optional)
- Socks5Proxy – specifies SOCKS5 proxy endpoint, e.g.
In the example configuration below, the WireSock VPN Client will tunnel only Google Chrome browser for all destination IP addresses except LAN (192.168.1.0/24 ):
[Interface] PrivateKey = AD9GaupPbRlfjPTfhLm1/lm5qtgwvFcB1rGpKOZkXXE= Address = 10.66.66.2/32, fd42:42:42::2/128 DNS = 184.108.40.206, 220.127.116.11 MTU = 1420 [Peer] PublicKey = tRb3/FxzJBhinaVPY/tyoX40PS7EY1mmzFyrL/dAnwY= AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = ora.sshvpn.me:51820 AllowedApps = chrome DisallowedIPs = 192.168.1.0/24
If you experience any problems, then first try starting the application/service with ‘-log-level all‘ command line parameter. If you run it as an application, then it dumps the debug log directly on the console, while service will save the log into the file located in C:\ProgramData\NT Kernel Resources\WireSock VPN Client. In both cases, all processed network packets will be stored in PCAP files (can be opened and analyzed in Wireshark) in the C:\ProgramData\NT Kernel Resources\WireSock VPN Client.
Please note that ‘-log-level all‘ exists for debug purposes only and significantly affects the application performance.
WireSock VPN Client is free for personal (non-commercial), or educational (including non-profit organization) use.
Please ask questions in our support forum.