Eliminate the pain of manual key distribution and N-to-N configuration. Manage your entire mesh or hub-and-spoke network from a single YAML file.
Write your network topology in one central YAML file on the control plane.
Run a lightweight, dependency-free bash agent on your servers or edge nodes.
The agent instantly syncs changes via standard wg syncconf without dropping connections.
When running production infrastructure, you need absolute predictability. Tools like Netmaker, Headscale, and ZeroTier are often painful to self-host, inject opaque binary blobs into your servers, and rely on 'magic' hole-punching that can suddenly change behavior. WG-CP offers a transparent, standards-based alternative that ensures deterministic, reliable routing you fully control.
No proprietary clients or complex user-space networking. WG-CP just orchestrates standard Linux wg commands. If you turn off the control plane, your network stays up forever with zero lock-in.
Your private keys never leave your servers. The agent is a transparent, editable bash script—no opaque binary blobs. Keys are generated locally and only public keys are transmitted to the Control Plane. Traffic cannot be intercepted, even if the control plane is compromised.
Replace scattered [Peer] blocks with a single symmetrical YAML file. The Control Plane acts as a compiler, pushing optimized wg0.conf updates instantly to all connected agents.
Adding a new device to standard WireGuard means SSH-ing into servers to manually update peer lists. WG-CP eliminates this.
Manage your entire topology from one central YAML file. When you add a new node, connected agents instantly receive the update via HTTP streaming and apply it using wg syncconf—updating routing tables dynamically without dropping active connections.
    # Run the dependency-free agent on your server
    $ ./agent-stream.sh
    Connected to WG-CP Stream...
    [14:02:10] Received network update
    [14:02:10] Syncing wg0...
    [14:02:10] Added peer: developer-laptop
    # Active connections remain uninterrupted!

    nodes:
      - name: "gateway-server"
        host_dns: true # This node automatically runs CoreDNS
        wireguard:
          - network: "vpn"
            address: "10.0.0.1/32"
    # Other clients automatically receive DNS = 10.0.0.1
    # and can now connect to "gateway-server.vpn"

Stop trying to remember internal IP addresses. WG-CP can automatically provision a lightweight CoreDNS server directly on your WireGuard interface, completely avoiding host OS port conflicts.
Simply flag a node with host_dns: true, and the control plane will dynamically generate and push zone files to it. Every client in your network instantly receives the correct DNS = configuration and can resolve names like production-server.vpn with zero manual setup.
Stop wrestling with complex NAT rules, bastion hosts, or exposing ports to the public internet. Securely route traffic to your internal Docker containers, databases, or cloud VPCs.
Just declare the subnets on your gateway node, and WG-CP automatically calculates the correct routing (AllowedIPs) for every connected client.
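The AllowedIPs calculation described above, sketched as an added example (not WG-CP's own code) for the production-server and developer-laptop nodes from this page's sample YAML. Because AllowedIPs is also WireGuard's inbound source filter, the sketch checks for ranges claimed by two peers before rendering. The tunnel addresses, function names and public-key placeholder are assumptions.

```python
import ipaddress

# Constructed topology modelled on the page's sample YAML. The tunnel
# addresses are assumptions; the sample does not list them for these nodes.
TOPOLOGY = [
    {"name": "production-server", "address": "10.0.0.1/32",
     "subnets": ["172.17.0.0/16"]},
    {"name": "developer-laptop", "address": "10.0.0.2/32", "subnets": []},
]

def allowed_ips(topology):
    """For every node, map each other node to the networks routed to it."""
    table = {}
    for node in topology:
        peers = {}
        for peer in topology:
            if peer["name"] == node["name"]:
                continue
            nets = [ipaddress.ip_network(peer["address"], strict=False)]
            nets += [ipaddress.ip_network(s) for s in peer["subnets"]]
            peers[peer["name"]] = list(ipaddress.collapse_addresses(nets))
        table[node["name"]] = peers
    return table

def overlaps(peers):
    """List ranges claimed by two different peers of one interface.

    WireGuard resolves overlap by longest prefix, so a narrower claim quietly
    takes that traffic; rejecting it is this example's policy choice.
    """
    flat = [(name, net) for name, nets in peers.items() for net in nets]
    return [(a, b, str(x), str(y))
            for i, (a, x) in enumerate(flat)
            for b, y in flat[i + 1:]
            if a != b and x.overlaps(y)]

def render_peers(peers, pubkeys):
    """Emit [Peer] stanzas in wg0.conf syntax; pubkeys are placeholders."""
    out = []
    for name, nets in peers.items():
        out += ["[Peer]", f"# {name}", f"PublicKey = {pubkeys[name]}",
                "AllowedIPs = " + ", ".join(str(n) for n in nets), ""]
    return "\n".join(out)

if __name__ == "__main__":
    laptop = allowed_ips(TOPOLOGY)["developer-laptop"]
    assert not overlaps(laptop)
    print(render_peers(laptop, {"production-server": "<PUBLIC_KEY_PLACEHOLDER>"}))
```

Running the overlap check on every node's compiled peer list before a push catches a second node that declares a subnet inside another node's range.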
    nodes:
      - name: "production-server"
        subnets: ["172.17.0.0/16"] # Docker network
        physical:
          - network: "wan"
            address: "203.0.113.1"
      - name: "developer-laptop"
        wireguard:
          - network: "vpn" # Gets automatic access to 172.17.x.x

Added built-in support for automatically provisioning a lightweight CoreDNS server on WireGuard interfaces, allowing seamless name resolution for connected clients with zero host OS port conflicts.
Created a WireGuard tutorial that is beginner-friendly and practical.
Consolidated all guides into a single page with interactive YAML references and auto-populated deployment scripts.
Introduced a new configuration format that separates physical reachability from virtual connectivity. Features include intelligent path selection, roaming node support, and granular disabled controls at the network, node, and attachment levels.
Added a recent updates feed to the landing page to keep users informed of the latest changes and improvements.
Introduced write_barrier to network configurations, preventing accidental overwrites when multiple admins edit the same network.
You can now optionally lock your network configurations by adding admin_tokens to your YAML.
Re-architected the agent protocol to support near-zero latency updates via persistent NDJSON streams.