alexwoo-awso/win-wireguard-setup
win-wireguard-setup

PowerShell automation for installing WireGuard on Windows, creating or importing tunnel configurations, and configuring always-on tunnel services with restart-on-failure recovery.

What This Script Does

wireguard-setup.ps1 is built for real Windows client deployment work:

  • Installs WireGuard from the latest official MSI published at https://download.wireguard.com/windows-client/
  • Supports both interactive operation and batch provisioning through CLI parameters
  • Creates new tunnel configs from parameters or script defaults
  • Generates a client private key automatically when you do not provide one
  • Supports an optional preshared key, either supplied or generated
  • Prints the derived client public key in the setup summary
  • Optionally exports a server-side peer snippet for easy import on the WireGuard server
  • Installs the tunnel as an always-on Windows service
  • Configures the tunnel service to restart automatically after failures
  • Lists, edits, imports, refreshes, deletes, and removes managed tunnels
  • Updates or reinstalls WireGuard cleanly
  • Removes the tunnel service, config, WireGuard installation, or everything under the script's managed data directory

The script intentionally does not create or manage a local administrator account. WireGuard already runs each tunnel as a Windows service under the system service model, so no separate account is needed for an always-on client tunnel.

Requirements

  • Windows PowerShell 5.1 or PowerShell 7+
  • Elevated PowerShell session
  • Internet access for installing or updating WireGuard from the official download source

Managed Paths

The script stores its managed files under:

  • C:\ProgramData\WinWireGuardSetup\Configurations
  • C:\ProgramData\WinWireGuardSetup\Exports
  • C:\ProgramData\WinWireGuardSetup\Cache

Config and export files are ACL-restricted to SYSTEM and Administrators.
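The restriction above is worth verifying after a deployment, because an inherited ACE from C:\ProgramData would quietly re-admit ordinary users to files that contain private keys. The following check is an added example, not part of wireguard-setup.ps1; it uses the README's documented paths and identities, and the function name is my own.

```powershell
# Added example (not code from wireguard-setup.ps1): audit the ACL on the script's
# managed directories. Expected identities are the README's stated restriction:
# SYSTEM and the local Administrators group, with parent inheritance cut off.
$ManagedRoot       = 'C:\ProgramData\WinWireGuardSetup'
$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-ManagedAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist yet; run the setup script first."
        return $false
    }

    $acl = Get-Acl -LiteralPath $Path
    $ok  = $true

    # Inherited entries from C:\ProgramData grant Users read access; the managed
    # directory should carry only its own explicit entries.
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path still inherits ACEs from its parent."
        $ok = $false
    }

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $AllowedIdentities -notcontains $id) {
            Write-Warning "$Path grants $($ace.FileSystemRights) to unexpected identity $id"
            $ok = $false
        }
    }
    return $ok
}

# Check each documented subdirectory and report the result as a table.
$results = foreach ($sub in 'Configurations', 'Exports', 'Cache') {
    $p = Join-Path $ManagedRoot $sub
    [pscustomobject]@{ Path = $p; AclRestricted = (Test-ManagedAcl -Path $p) }
}
$results | Format-Table -AutoSize
```

If a directory fails the check, `icacls <path> /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"` reapplies the intended restriction; rerun the check afterwards rather than trusting the icacls exit code alone.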

Interactive Usage

Run the script without parameters:

.\wireguard-setup.ps1

Menu options:

  1. Install or update WireGuard
  2. Create or update a tunnel
  3. Import a tunnel from an existing .conf
  4. List tunnels and services
  5. Edit an existing managed tunnel
  6. Reconfigure an existing tunnel service as always-on
  7. Delete a tunnel service and/or config
  8. Remove selected components
  9. Purge everything

The interactive tunnel workflow will prompt for:

  • Tunnel name
  • Client address
  • Server public key
  • Server endpoint
  • Allowed IPs
  • DNS
  • Persistent keepalive
  • Whether to generate the private key
  • Whether to use and generate a preshared key
  • Whether to export a server-side peer snippet

Batch Usage

1. Install the latest WireGuard

.\wireguard-setup.ps1 -Action InstallWireGuard

2. Force an update or reinstall of WireGuard

.\wireguard-setup.ps1 -Action UpdateWireGuard

Install a specific version when it exists on the official MSI page:

.\wireguard-setup.ps1 -Action UpdateWireGuard -WireGuardVersion 0.5.3

3. Provision a new tunnel fully from CLI parameters

.\wireguard-setup.ps1 `
  -Action SetupTunnel `
  -TunnelName office-alwayson `
  -ClientAddress 10.77.0.23/32 `
  -ServerPublicKey '<server-public-key>' `
  -ServerEndpoint vpn.example.com:51820 `
  -AllowedIPs '10.0.0.0/8, 192.168.0.0/16' `
  -DNS '10.0.0.10, 10.0.0.11' `
  -GeneratePrivateKey `
  -GeneratePresharedKey `
  -ExportServerConfig

4. Provision a tunnel but provide your own client private key

.\wireguard-setup.ps1 `
  -Action SetupTunnel `
  -TunnelName branch1 `
  -ClientPrivateKey '<client-private-key>' `
  -ClientAddress 10.77.0.24/32 `
  -ServerPublicKey '<server-public-key>' `
  -PresharedKey '<optional-preshared-key>' `
  -ServerEndpoint vpn.example.com:51820 `
  -AllowedIPs '0.0.0.0/0, ::/0'

5. Import an existing client config and make it always-on

.\wireguard-setup.ps1 `
  -Action ImportTunnel `
  -ConfigPath C:\Temp\office.conf `
  -TunnelName office-alwayson `
  -ConfigureExistingService

6. List current managed tunnels and services

.\wireguard-setup.ps1 -Action ListTunnels

Services only:

.\wireguard-setup.ps1 -Action ListTunnels -ListServicesOnly

7. Edit a managed config and refresh the service

.\wireguard-setup.ps1 `
  -Action EditTunnel `
  -TunnelName office-alwayson `
  -OpenEditor `
  -ConfigureExistingService

8. Reinstall the service for an existing managed config

.\wireguard-setup.ps1 -Action ConfigureService -TunnelName office-alwayson

9. Delete a tunnel service and config

.\wireguard-setup.ps1 `
  -Action DeleteTunnel `
  -TunnelName office-alwayson `
  -RemoveService `
  -RemoveConfig

10. Remove only services, only configs, WireGuard itself, or a full purge

Remove one tunnel service only:

.\wireguard-setup.ps1 -Action Remove -TunnelName office-alwayson -RemoveService

Remove one config only:

.\wireguard-setup.ps1 -Action Remove -TunnelName office-alwayson -RemoveConfig

Uninstall WireGuard but keep configs:

.\wireguard-setup.ps1 -Action Remove -RemoveWireGuard

Purge everything managed by the script and uninstall WireGuard:

.\wireguard-setup.ps1 -Action Purge

Parameters

Core Actions

  • -Action Interactive
  • -Action InstallWireGuard
  • -Action UpdateWireGuard
  • -Action SetupTunnel
  • -Action AddTunnel
  • -Action ImportTunnel
  • -Action ListTunnels
  • -Action EditTunnel
  • -Action ConfigureService
  • -Action DeleteTunnel
  • -Action Remove
  • -Action Purge

Tunnel Settings

  • -TunnelName
  • -ClientPrivateKey
  • -ClientAddress
  • -ServerPublicKey
  • -PresharedKey
  • -ServerEndpoint
  • -AllowedIPs
  • -DNS
  • -PersistentKeepalive

Import and Export

  • -ConfigPath
  • -ImportConfigText
  • -ExportServerConfig
  • -ServerExportPath

WireGuard Installation

  • -WireGuardVersion
  • -WireGuardDownloadUrl
  • -SkipWireGuardInstall

Service and Key Controls

  • -SkipServiceInstall
  • -GeneratePrivateKey
  • -GeneratePresharedKey
  • -ConfigureExistingService
  • -OpenEditor
  • -ListServicesOnly

Removal Controls

  • -RemoveService
  • -RemoveConfig
  • -RemoveWireGuard
  • -PurgeAll

Real-World Deployment Notes

1. Always-on client tunnel

For an always-on client, use:

  • narrow AllowedIPs for a split tunnel
  • 0.0.0.0/0, ::/0 only when you explicitly want a full tunnel
  • PersistentKeepalive = 25 when the client is behind NAT and needs stable inbound reachability

2. Private key handling

If you omit -ClientPrivateKey, the script generates one locally using wg.exe genkey. The summary prints the derived public key so you can immediately register the peer on the server.

3. Preshared keys

Preshared keys are optional. If you use them, the same value must exist on both ends. The script can either accept -PresharedKey or generate one using -GeneratePresharedKey.
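To make the key handling in notes 2 and 3 concrete, here is an added example (not code from wireguard-setup.ps1) that generates the key material with wg.exe the same way the README describes, renders a client config with the values from the SetupTunnel example above, and writes the server-side [Peer] snippet. The install path of wg.exe, the output file names and the exact config layout are my assumptions; the script's own output may differ.

```powershell
# Added example, not code from wireguard-setup.ps1: generate a client key pair and
# preshared key with wg.exe, render the client config, and export the matching
# server-side [Peer] snippet. Values mirror the README's SetupTunnel example.
$Wg = 'C:\Program Files\WireGuard\wg.exe'   # default install location (assumption)

$TunnelName      = 'office-alwayson'
$ClientAddress   = '10.77.0.23/32'
$ServerPublicKey = '<server-public-key>'     # placeholder, as in the README
$ServerEndpoint  = 'vpn.example.com:51820'
$AllowedIPs      = '10.0.0.0/8, 192.168.0.0/16'
$Dns             = '10.0.0.10, 10.0.0.11'
$Keepalive       = 25

# wg genkey emits a base64 private key; wg pubkey derives the matching public key
# from it on stdin; wg genpsk emits a fresh 32-byte preshared key.
$ClientPrivateKey = (& $Wg genkey).Trim()
$ClientPublicKey  = ($ClientPrivateKey | & $Wg pubkey).Trim()
$PresharedKey     = (& $Wg genpsk).Trim()

$clientConf = @"
[Interface]
PrivateKey = $ClientPrivateKey
Address = $ClientAddress
DNS = $Dns

[Peer]
PublicKey = $ServerPublicKey
PresharedKey = $PresharedKey
AllowedIPs = $AllowedIPs
Endpoint = $ServerEndpoint
PersistentKeepalive = $Keepalive
"@

# The server needs only the client's public key, the shared PSK and the client's
# tunnel address. The private key stays on this machine.
$serverPeer = @"
[Peer]
# $TunnelName
PublicKey = $ClientPublicKey
PresharedKey = $PresharedKey
AllowedIPs = $ClientAddress
"@

$confDir = 'C:\ProgramData\WinWireGuardSetup\Configurations'
$expDir  = 'C:\ProgramData\WinWireGuardSetup\Exports'
New-Item -ItemType Directory -Force -Path $confDir, $expDir | Out-Null

# Restrict both directories before any key material lands in them, so the files
# never exist with the default ProgramData ACL that lets Users read them.
foreach ($d in $confDir, $expDir) {
    icacls $d /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
}

Set-Content -LiteralPath (Join-Path $confDir "$TunnelName.conf") -Value $clientConf -Encoding ascii
Set-Content -LiteralPath (Join-Path $expDir "$TunnelName-server-peer.conf") -Value $serverPeer -Encoding ascii

"Client public key (register this peer on the server): $ClientPublicKey"
```

Only the public key and the preshared key are meant to travel to the server; if the exported snippet is copied over a channel you do not fully trust, send the preshared key separately.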

4. Service recovery

The script configures the WireGuardTunnel$<TunnelName> service with automatic restart-on-failure actions:

  • first restart after 5 seconds
  • second restart after 15 seconds
  • third and subsequent restarts after 60 seconds

This is intended for unattended always-on laptop or workstation deployments.
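The recovery schedule above maps directly onto the sc.exe failure options. As an added example (not code from wireguard-setup.ps1), this installs a managed config as a tunnel service with the documented wireguard.exe /installtunnelservice command, applies the 5 s / 15 s / 60 s schedule, and reads it back so the result can be checked. The wireguard.exe path and the function names are my assumptions.

```powershell
# Added example, not code from wireguard-setup.ps1: install a tunnel service and
# apply the restart-on-failure schedule the README describes (5 s, 15 s, then 60 s).
$WireGuardExe = 'C:\Program Files\WireGuard\wireguard.exe'   # default path (assumption)

function Install-TunnelService {
    param([Parameter(Mandatory)][string]$ConfigPath)
    # WireGuard names the service WireGuardTunnel$<config base name>.
    & $WireGuardExe /installtunnelservice $ConfigPath
    if ($LASTEXITCODE -ne 0) { throw "installtunnelservice failed with exit code $LASTEXITCODE" }
}

function Set-TunnelServiceRecovery {
    param([Parameter(Mandatory)][string]$TunnelName)
    $svc = "WireGuardTunnel`$$TunnelName"
    # actions= takes action/delay-in-milliseconds pairs for the first failure,
    # the second failure, and every subsequent failure. reset= is the number of
    # seconds of clean running after which the failure counter returns to zero.
    & sc.exe failure $svc reset= 86400 actions= restart/5000/restart/15000/restart/60000 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned $LASTEXITCODE" }
    # Start with the machine, before any user logs on.
    Set-Service -Name $svc -StartupType Automatic
}

function Test-TunnelServiceRecovery {
    param([Parameter(Mandatory)][string]$TunnelName)
    $svc     = "WireGuardTunnel`$$TunnelName"
    $status  = (Get-Service -Name $svc -ErrorAction Stop).Status
    $failure = & sc.exe qfailure $svc
    [pscustomobject]@{
        Service        = $svc
        Status         = $status
        RestartActions = (($failure | Where-Object { $_ -match 'RESTART' }) -join '; ')
    }
}

$conf = 'C:\ProgramData\WinWireGuardSetup\Configurations\office-alwayson.conf'
Install-TunnelService -ConfigPath $conf
Set-TunnelServiceRecovery -TunnelName 'office-alwayson'
Test-TunnelServiceRecovery -TunnelName 'office-alwayson' | Format-List
```

The qfailure output is the record to keep in a deployment log: a service that shows no RESTART actions after provisioning will stay down after its first crash, which on an unattended laptop is exactly the failure an always-on tunnel is meant to avoid.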

5. Editing existing tunnels

EditTunnel operates on configs managed by this script in C:\ProgramData\WinWireGuardSetup\Configurations. If you already have ad hoc configs elsewhere, import them first so the script can manage the service and lifecycle consistently.

6. WireGuard version discovery

By default the script queries the official WireGuard Windows MSI listing page and selects the latest version for the current architecture. If you need a pinned version or an internal mirror, use -WireGuardVersion and/or -WireGuardDownloadUrl.
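The lookup described here is simple to reproduce, and reproducing it also shows the check a deployment should add before running any downloaded MSI. This added example (not code from wireguard-setup.ps1) selects the newest installer for the current architecture from the listing, honours a pinned version the way -WireGuardVersion does, and verifies the Authenticode signature before install. The file-name pattern follows download.wireguard.com; the sample listing is constructed so the selection runs offline, and the function names are mine.

```powershell
# Added example, not code from wireguard-setup.ps1: pick the newest MSI for this
# machine's architecture from the official listing, then verify the download's
# Authenticode signature before handing it to msiexec.
$ListingUrl = 'https://download.wireguard.com/windows-client/'

function Get-WireGuardArch {
    switch ($env:PROCESSOR_ARCHITECTURE) {
        'AMD64' { 'amd64' }
        'ARM64' { 'arm64' }
        'x86'   { 'x86' }
        default { throw "Unsupported architecture: $env:PROCESSOR_ARCHITECTURE" }
    }
}

function Select-LatestMsi {
    param(
        [Parameter(Mandatory)][string]$ListingHtml,
        [Parameter(Mandatory)][string]$Arch,
        [string]$PinnedVersion      # counterpart of the README's -WireGuardVersion
    )
    # Listing entries are named wireguard-<arch>-<version>.msi.
    $pattern = "wireguard-$Arch-(\d+\.\d+(?:\.\d+)?)\.msi"
    $candidates = [regex]::Matches($ListingHtml, $pattern) |
        ForEach-Object { [pscustomobject]@{ File = $_.Value; Version = [version]$_.Groups[1].Value } } |
        Sort-Object -Property File -Unique
    if ($PinnedVersion) {
        $candidates = $candidates | Where-Object { $_.Version -eq [version]$PinnedVersion }
        if (-not $candidates) { throw "Version $PinnedVersion not found for $Arch" }
    }
    # [version] compares numerically, so 0.5.10 outranks 0.5.9 (string sorting would not).
    $candidates | Sort-Object -Property Version -Descending | Select-Object -First 1
}

function Test-WireGuardMsiSignature {
    param([Parameter(Mandatory)][string]$MsiPath)
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    # Refuse unsigned or tampered installers; return the signer so an operator
    # can compare it with the publisher they expect.
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for $MsiPath : $($sig.Status)" }
    $sig.SignerCertificate.Subject
}

# Constructed sample of the listing page (not fetched), enough to drive the regex.
$sampleListing = @'
<a href="wireguard-amd64-0.5.2.msi">wireguard-amd64-0.5.2.msi</a>
<a href="wireguard-amd64-0.5.3.msi">wireguard-amd64-0.5.3.msi</a>
<a href="wireguard-arm64-0.5.3.msi">wireguard-arm64-0.5.3.msi</a>
<a href="wireguard-x86-0.5.3.msi">wireguard-x86-0.5.3.msi</a>
'@
$latest = Select-LatestMsi -ListingHtml $sampleListing -Arch 'amd64'
"Offline selection: $($latest.File)"

# Live path, left commented so the block runs offline: fetch, verify, install.
# $html = (Invoke-WebRequest -Uri $ListingUrl -UseBasicParsing).Content
# $msi  = Select-LatestMsi -ListingHtml $html -Arch (Get-WireGuardArch)
# $out  = Join-Path 'C:\ProgramData\WinWireGuardSetup\Cache' $msi.File
# Invoke-WebRequest -Uri ($ListingUrl + $msi.File) -OutFile $out -UseBasicParsing
# Test-WireGuardMsiSignature -MsiPath $out
# Start-Process msiexec.exe -ArgumentList '/i', "`"$out`"", '/qn' -Wait
```

When -WireGuardDownloadUrl points at an internal mirror, the signature check matters more, not less: the mirror's TLS certificate says nothing about whether the MSI it serves is the one WireGuard published.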

Common Workflows

New laptop deployment

  1. Run InstallWireGuard or let SetupTunnel install it automatically.
  2. Run SetupTunnel with generated keys.
  3. Copy the printed public key into the server config, or use the exported peer snippet.
  4. Verify the WireGuardTunnel$<TunnelName> service is running.

Convert an existing manual config into an always-on service

  1. Run ImportTunnel -ConfigPath <path> -TunnelName <name> -ConfigureExistingService
  2. Confirm the service exists with ListTunnels
  3. Edit and refresh later through EditTunnel

Replace a broken tunnel cleanly

  1. Run DeleteTunnel -TunnelName <name> -RemoveService -RemoveConfig
  2. Recreate it with SetupTunnel or ImportTunnel

Limitations

  • The script expects elevation for all actions.
  • It stores tunnel configs, including the client private key, in plaintext under its own ACL-restricted ProgramData path.
  • It does not modify your WireGuard server automatically; it only exports a server-side peer snippet for easier import.

Source Reference

The script's latest-version lookup is based on the official WireGuard Windows installation and MSI listing pages:

  • https://www.wireguard.com/install/
  • https://download.wireguard.com/windows-client/
