WireSock VPN Gateway

WireSock VPN Gateway sets up a WireGuard VPN Server on Windows and allows WireGuard clients to connect to the server’s Internet/LAN. WireSock VPN Gateway is an add-on to the official WireGuard Windows Client that takes only a couple of minutes to install and is free*.

There are tutorials and scripts to configure WireGuard Server with Windows ICS; however, the standard Windows ICS has issues when used with WireGuard Server. WireSock VPN Gateway intends to solve those issues and create an overall simpler solution with a streamlined setup process.

Use Cases

  • Share your PC's internet connection with WireGuard clients.
  • Route your internet connection through a remote Windows server.

Guides

Quick Start Guide for Windows Desktop

Quick Start Guide for Windows Server

Port Forwarding

Quick Start Guide for Windows Desktop

Install WireGuard client

If you don’t already have WireGuard installed, download and install the latest WireGuard Windows Client.

Install WireSock VPN Gateway

Download and install the appropriate WireSock VPN Gateway installer for your target platform:

Set Up WireGuard Server

Start a command prompt as Administrator and run the following command. Note the UDP port number for later use:

wg-quick-config -add -start

The screenshot below provides a visual representation of the menu you will encounter.

Follow the prompts to configure your WireGuard server endpoint. Take note of the UDP port – in the above image it is 56443, or you may have set a custom port.

Port Forwarding

Set up port forwarding by using the port forwarding guide for your home router or VPS provider.

Something not working?

If you experience any issues with using your VPN after installing or updating the software, please try a system reboot. If the issue persists, please post a message in the support forum.

Quick Start Guide for Windows Server Core

WireGuard VPN Server can be set up using the command-line interface. This may be useful if you are using a Windows Server Core installation.

Start PowerShell

By default, connecting to Windows Server Core via RDP starts a command prompt in Administrator mode. Run the following command:

start powershell.exe

Download and install WireGuard Windows Client

Visit the WireGuard Windows Client MSI list page to obtain the latest version number. Modify and run the command below to suit your server architecture and the client version number.

Invoke-WebRequest "https://download.wireguard.com/windows-client/wireguard-amd64-x.x.x.msi" -OutFile "wireguard-client.msi"

Example command to download WireGuard Windows client version 0.5.3 for AMD64:

Invoke-WebRequest "https://download.wireguard.com/windows-client/wireguard-amd64-0.5.3.msi" -OutFile "wireguard-client.msi"

Once it has finished downloading, install the client:

MsiExec.exe /i wireguard-client.msi DO_NOT_LAUNCH=1 /qn

Download and install WireSock VPN Gateway

Modify and run the following PowerShell command to suit the desired version number:

Invoke-WebRequest "http://www.wiresock.net/downloads/wiresock-vpn-gateway-x64-x.x.x.x.msi" -OutFile "wiresock-gateway-x64.msi"

Example command to download version 1.1.4.1:

Invoke-WebRequest "http://www.wiresock.net/downloads/wiresock-vpn-gateway-x64-1.1.4.1.msi" -OutFile "wiresock-gateway-x64.msi"

Once it has finished downloading, run the installer:

MsiExec.exe /i wiresock-gateway-x64.msi /qn  
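Both installers above are downloaded and then installed silently with /qn, and the WireSock URL is plain HTTP, so nothing in the procedure authenticates the files. The PowerShell below is an added example, not part of the original guide or the WireSock project: it checks each MSI's Authenticode signature and publisher before installing. The publisher strings are placeholders to fill in from a trusted source, and Test-InstallerSignature is a hypothetical helper name.

```powershell
# Added example: refuse to install an MSI unless its Authenticode signature
# is valid and the signer matches the publisher you expect.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner  # substring of the certificate subject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch (file altered), NotTrusted, and so on.
        Write-Warning "$Path : signature status is $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject.IndexOf($ExpectedSigner, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        Write-Warning "$Path : signed by unexpected publisher: $subject"
        return $false
    }
    # Print what was verified so the install can be audited later.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Host "$Path : OK. Signer: $subject"
    Write-Host "  Thumbprint: $($sig.SignerCertificate.Thumbprint)  SHA256: $hash"
    return $true
}

# Placeholders: replace the Signer values with the publisher names you have
# confirmed for each vendor. File names and MSI arguments are the ones used above.
$installers = @(
    @{ Path = 'wireguard-client.msi';     Signer = 'EXPECTED-WIREGUARD-PUBLISHER'; MsiArgs = 'DO_NOT_LAUNCH=1 /qn' },
    @{ Path = 'wiresock-gateway-x64.msi'; Signer = 'EXPECTED-WIRESOCK-PUBLISHER';  MsiArgs = '/qn' }
)

foreach ($i in $installers) {
    $full = (Resolve-Path -Path $i.Path).Path
    if (-not (Test-InstallerSignature -Path $full -ExpectedSigner $i.Signer)) {
        throw "Refusing to install $full : signature check failed."
    }
    $p = Start-Process -FilePath MsiExec.exe -ArgumentList "/i `"$full`" $($i.MsiArgs)" -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required.
    if ($p.ExitCode -notin 0, 3010) {
        throw "MsiExec returned exit code $($p.ExitCode) for $full"
    }
}
```

Run it from the directory holding the two downloaded files, in place of the two MsiExec commands.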

Refresh Environment Variables and Start the WireGuard Server

Refresh environment variables:

$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")

Then run the command below to set up your WireGuard server endpoint. Note the UDP port number for later use:

wg-quick-config -add -start

Port Forwarding

Set up port forwarding by using the port forwarding guide for your home router or VPS provider.

Port Forward the WireGuard Server Port

Ensure you open and forward the WireGuard server port. If you are running your WireGuard server on a home PC, forward the UDP port (or the custom port you set) to your local PC. If you are running the WireGuard server on a VPS, you may need to forward the port and open the firewall through the admin panel. And, finally, if you are using DDNS, it needs to be reconfigured to point to the correct port.

Other Useful Commands

  • wg-quick-config -add -restart to add a new peer and restart the WireGuard tunnel
  • wg-quick-config -stop to stop the WireGuard tunnel
  • wg-quick-config -start to start the WireGuard tunnel
  • wg-quick-config -qrcode 1 to display the QR code for the first client
  • To switch from the default PROXY mode to NAT mode, start a command prompt as Administrator and run the following commands:
    • wiresock-service uninstall
    • wiresock-service install -start-type 2 -mode nat -interface wiresock -log-level none
    • sc start wiresock-service

Package content

The WireSock VPN Gateway package consists of two main components:

  • wiresock-service – Internet/LAN connection sharing service built on top of the Windows Packet Filter driver. It supports two operational modes:
    • Network Address Translation (NAT): an advanced version of the Internet Gateway sample, somewhat similar to the built-in Windows Internet Connection Sharing (ICS).
    • Transparent TCP/UDP proxy (default): in this mode the service filters the WireGuard server network interface (named wiresock by default), and all TCP/UDP connections from the WireGuard clients are transparently redirected to local TCP/UDP proxies, which then establish connections to network resources. Moreover, if the local system has active HTTP/SOCKSv5 proxy system settings, the service will detect these settings and use them for outgoing connections.
      Note that DNS is an exception to this rule. By default, DNS requests are forwarded to locally available DNS servers instead of the original destination DNS server, to speed up DNS resolution. If this behavior is not desired, you can use the special command line parameter -dns followed by a list of preferred DNS servers.
      If the host has no DNS server configured and no list of preferred DNS servers has been supplied with -dns, then 8.8.8.8/1.1.1.1 are used.
      By default, the WireSock service is installed in proxy mode, but if you prefer NAT, you can change it using the commands listed in Other Useful Commands.
      One limitation of proxy mode: it supports only the TCP and UDP protocols. ICMP is not supported, meaning WireGuard clients will not be able to ping external IP addresses.
  • wg-quick-config – a console-based application specifically designed for managing WireGuard servers and clients. Its primary functions include generating initial WireGuard configurations, starting and stopping the server WireGuard tunnel, adding peers, and much more. For those interested in its inner workings, the source code for wg-quick-config is openly accessible on GitHub.

License

WireSock VPN Gateway is free for personal (non-commercial) or educational (including non-profit organization) use.

Support

Please ask questions in our support forum.