WireSock VPN Gateway sets up a WireGuard VPN Server on Windows and allows WireGuard clients to connect to the server’s Internet/LAN. WireSock VPN Gateway is an add-on to the official WireGuard Windows Client that takes only a couple of minutes to install and is free*.
There are tutorials and scripts to configure WireGuard Server with Windows ICS; however, the standard Windows ICS has issues when used with WireGuard Server. WireSock VPN Gateway intends to solve those issues and create an overall simpler solution with a streamlined setup process.
- Share your PCs internet connection to WireGuard clients.
- Route your internet connection through a remote Windows server.
Quick Start Guide for Windows Desktop
Install WireGuard client
If you don’t already have WireGuard installed, download and install the latest WireGuard Windows Client
Install WireSock VPN Gateway
Download and install the appropriate WireSock VPN Gateway installer for your target platform:
- wiresock-vpn-gateway-x64-22.214.171.124.msi – MSI for Windows [Desktop 7, 8, 8.1, 10, 11 / Server 2012, 2016, 2019, 2022] x64 (64 bit)
- wiresock-vpn-gateway-x86-126.96.36.199.msi – MSI for Windows [Desktop 7, 8, 8.1, 10, 11 / Server 2012, 2016, 2019, 2022] x86 (32 bit)
- wiresock-vpn-gateway-ARM64-188.8.131.52.msi – MSI for Windows [Desktop 10, 11] ARM64 (64 bit)
Setup WireGuard Server
Start a command prompt as Administrator and use the following command. Make sure to make a note of the UDP port number for later use :
wg-quick-config -add -start
The screenshot below provides a visual representation of the menu you will encounter.
Follow the prompts to configure your WireGuard server endpoint. Take note of the UDP port – in the above image it is 56443, or you may have set a custom port.
Setup port forwarding by using the port forwarding guide for your home router or VPS provider.
Something not working?
If you experience any issues with using your VPN after installing or updating the software, please try a system reboot. If the issue persists, please post a message in the support forum.
Quick Start Guide for Windows Server Core
WireGuard VPN Server can be set up using the command-line interface. This may be useful if you are using a Windows Server Core installation.
By default, connecting to Windows Server Core via RDP starts a command prompt in Administrator mode. Run the following command:
Download and install WireGuard Windows Client
Visit the WireGuard Windows Client MSI list page to obtain the latest version number. Modify and run the command below to suit your server architecture and the client version number.
Invoke-WebRequest "https://download.wireguard.com/windows-client/wireguard-amd64-x.x.x.msi" -OutFile "wireguard-client.msi"
Example command to download WireGuard Windows client version 0.5.3 for AMD64:
Invoke-WebRequest "https://download.wireguard.com/windows-client/wireguard-amd64-0.5.3.msi" -OutFile "wireguard-client.msi"
Once it has finished downloading, install the client:
MsiExec.exe /i wireguard-client.msi DO_NOT_LAUNCH=1 /qn
Download and install WireSock VPN Gateway
Modify and run the following PowerShell command to suit the desired version number:
Invoke-WebRequest "http://www.wiresock.net/downloads/wiresock-vpn-gateway-x64-x.x.x.x.msi" -OutFile "wiresock-gateway-x64.msi"
Example command to download version 184.108.40.206:
Invoke-WebRequest "http://www.wiresock.net/downloads/wiresock-vpn-gateway-x64-220.127.116.11.msi" -OutFile "wiresock-gateway-x64.msi"
Once it has finished downloading, run the installer:
MsiExec.exe /i wiresock-gateway-x64.msi /qn
Refresh Environment Variables and Start the WireGuard Server
Refresh environment variables:
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")
Followed by the command below to set up your WireGuard server endpoint. Make sure to make a note of the UDP port number for later use:
wg-quick-config -add -start
Port Forward the WireGuard Server Port
Ensure you open and forward the WireGuard server port. If you are running your WireGuard server on a home PC, forward the UDP port (or the custom port you set) to your local PC. If you are running the WireGuard server on a VPS, you may need to forward the port and open the firewall through the admin panel. And, finally, if you are using DDNS, it needs to be reconfigured to point to the correct port.
Other Useful Commands
wg-quick-config -add -restartto add new peer and restart WireGuard tunnel
wg-quick-config -stopto stop WireGuard tunnel
wg-quick-config -startto start WireGuard tunnel
wg-quick-config -qrcode 1to display QR code for the first client
- To switch from default PROXY mode to NAT mode. Start a command prompt as Administrator and run the following commands:
wiresock-service install -start-type 2 -mode nat -interface wiresock -log-level none
sc start wiresock-service
The WireSock VPN Gateway package consists of two main components:
- wiresock-service – Internet/LAN connection sharing service built on top of Windows Packet Filter driver. It supports two operational modes:
- Network Address Translation (NAT) is an advanced version of Internet Gateway sample and somewhat similar to the built-in Windows Internet Connection Sharing (ICS).
- Transparent TCP/UDP proxy (default) In this mode a service filters the WireGuard server network interface (named wiresock by default) and all TCP/UDP connections from the WireGuard clients are transparently redirected to local TCP/UDP proxies, which then establish connections to network resources. Moreover, if the local system has active HTTP/SOCKSv5 proxy system settings, the service will detect these settings and use them for outgoing connections.
Note that DNS service is an exception to this rule. By default, instead of the original destination DNS, requests are forwarded to locally available DNS servers to speed up the DNS resolution. If this behavior is not desired, then you can use the special command line parameter
-dnsfollowed by a list of preferred DNS servers.
If the host has no DNS server configured and the
-dnscommand has not provided the list of preferred DNS servers, then 18.104.22.168/22.214.171.124 are used.
By default, the WireSock service is installed in proxy mode, but if you prefer NAT, then you can change it using the commands listed in Other Useful Commands.
One issue of note about proxy mode – since it supports only TCP and UDP protocols. The ICMP protocol is not supported, meaning WireGuard clients will not be able to ping external IP addresses.
- wg-quick-config – is a console-based application specifically designed for managing WireGuard servers and clients. Its primary functions include generating initial WireGuard configurations, starting and stopping the server WireGuard tunnel, adding peers, and much more. For those interested in its inner workings, the source code for wg-quick-config is openly accessible on GitHub.
WireSock VPN Gateway is free for personal (non-commercial), or educational (including non-profit organization) use.
Please ask questions in our support forum.