WireSock VPN Client is a lightweight command line WireGuard VPN client for Windows that has advanced features not available in the official WireGuard for Windows such as selective application tunneling and disallowed IP addresses. WireSock VPN Client is easy to set up and is free* for non-commercial use.

WireSock VPN Client combines the power of Windows Packet Filter and BoringTun (user space WireGuard implementation in Rust) to provide exceptional performance, security and scalability.

Key Features

  • Transparent. Unlike most VPN software, WireSock VPN Client does not modify your network settings. It does not add a VPN adapter or modify the host routing table.
  • Tunneling only certain applications. ‘AllowedApps’ is a WireSock extension parameter which allows tunneling only selected applications. For example, Chrome browser can be configured to go over the VPN tunnel while at the same time Firefox will connect directly through your normal internet connection.
  • Ability to exclude subnets from ‘AllowedIPs‘. ‘DisallowedIPs’ is a WireSock extension parameter which allows exclusion of specified subnets or individual IP addresses from AllowedIPs without complex calculations.
  • High performance. WireSock VPN Client is much faster than user-space WinTun based implementation in Go and competes with kernel mode WireGuardNT (though normally has slightly higher CPU impact due to user-space nature). Below are comparison throughput (upload/download) test results using a nine-year-old Intel® NUC DC3217IYE (Core i3-3217u) on the client side. In each test, iperf3 has been using 4 TCP sessions (one per vCPU). The topmost results were taken from a series of 10 sequential tests.
 iperf3 -c -P 4
iperf3 -c -R -P 4
WireSock VPN Client v1.0.46879 Mbits/sec892 Mbits/sec
WireGuard for Windows
(kernel driver) v0.5
892 Mbits/sec719 Mbits/sec
WireGuard for Windows
(WinTun) v0.4.1
288 Mbit/sec325 Mbits/sec
TunSafe v1.4435 Mbits/sec284 Mbits/sec

Core i3-3217u, Windows 10 x64 1809, 1Gbps wired connection

  • Lightweight. WireSock VPN Client binaries take approximately 1.5 MB storage on disk, and runtime RAM footprint is under 10 MB.
  • Double VPN (with nested tunnels). WireSock VPN Client is compatible and can be used with official WireGuard for Windows to organize nested WireGuard tunnels completely on the client side. In such configuration, the official client organizes the external tunnel (to the first WireGuard Server instance) and WireSock VPN Client the internal one (to the second WireGuard Server instance). You only need to remember to adjust MTU parameter for the internal tunnel accordingly to avoid fragmentation and throughput degradation.
  • Windows 10 Mobile hotspot support. When WireSock VPN Client is active, Mobile hotspot connected devices are also forwarded over the WireGuard tunnel. This functionality is not available in the official WireGuard for Windows.

Quick Start Guide

Download and install the appropriate WireSock VPN Client installer for your target platform:


WireSock VPN Client can be started from the command line as a Windows console application (wiresock-client.exe) or run in the background as a Windows service. Running wiresock-client.exe from the command line without parameters shows the following output:

WireSock LightWeight WireGuard VPN Client


 install [-start-type <2..4> -account <account-name> -password <account-password> -config <wireguard-client-config-full-pathname> -log-level <none | info | debug | all>]
  - to install the service.
    service start types are:
     2 - service started automatically by the service control manager during system startup.
     3 - service started manually or by calling StartService function from another process.
     4 - service installed in the "disabled" state, and cannot be started until enabled.
 run [-config <wireguard-client-config-full-pathname> -log-level <none | info | debug | all>]
  - to start as a regular process (not a service)
  - to remove the service.

If you already have the WireGuard configuration file, you can run WireSock VPN Client as an application using the command line below:

wiresock-client.exe run -config [config_full_path_name] -log-level none

Please note to use -log-level none unless you need to debug the application because it affects the performance.

To install as auto-starting Windows Service, use the following:

wiresock-client.exe install -start-type 2 -config 
[config_full_path_name] -log-level none

Wiresock VPN Client Service can be started/stopped using the Services applet (services.msc) or commands below (requires Administrator privilege):

sc start wiresock-client-service
sc stop wiresock-client-service

The service can be uninstalled (remember to stop the service first) using:

wiresock-client.exe uninstall


sc delete wiresock-client-service

Extended configuration parameters

In addition to WireGuard standard configuration parameters, WireSock VPN Client supports the following (parameters below should be specified in the Peer section of the configuration file):

  • ‘AllowedApps’ – specifies comma separated list of application names (or partial names) to forward over VPN tunnel. This parameter narrows AllowedIPs, so the traffic to be tunneled should match both AllowedIPs and AllowedApps. For example, ‘AllowedApps = chrome’ and ‘AllowedIPs =’ will result in forwarding only Chrome browser over the VPN connection, everything else will bypass the tunnel.
  • ‘DisallowedIPs’ – specifies comma separated list of IP subnets to be excluded from the tunneling. For example, ‘AllowedIps =’ and ‘DisallowedIPs =’ will exclude from the tunneling.

In the example configuration below, the WireSock VPN Client will tunnel only Google Chrome browser for all destination IP addresses except LAN ( ):

PrivateKey = AD9GaupPbRlfjPTfhLm1/lm5qtgwvFcB1rGpKOZkXXE=
Address =, fd42:42:42::2/128
DNS =,
MTU = 1420

PublicKey = tRb3/FxzJBhinaVPY/tyoX40PS7EY1mmzFyrL/dAnwY=
AllowedIPs =, ::/0
Endpoint = ora.sshvpn.me:51820
AllowedApps = chrome
DisallowedIPs =


If you experience any problems, then first try starting the application/service with ‘-log-level all‘ command line parameter. If you run it as an application, then it dumps the debug log directly on the console, while service will save the log into the file located in C:\ProgramData\NT Kernel Resources\WireSock VPN Client. In both cases, all processed network packets will be stored in PCAP files (can be opened and analyzed in Wireshark) in the C:\ProgramData\NT Kernel Resources\WireSock VPN Client.

Please note that ‘-log-level all‘ exists for debug purposes only and significantly affects the application performance.


WireSock VPN Client is free for personal (non-commercial), or educational (including non-profit organization) use.


Please ask questions in our support forum.