Sure, WireGuard is easy to set up — two key pairs, a config file, and wg-quick up gets you a tunnel in under a minute. But managing multiple clients? Adding a phone, a laptop, a travel router, revoking access — that’s where the friction lives. You end up manually editing configs, generating keys, bumping IPs in the address range. For a 5-device road warrior setup, it’s doable but tedious. But anything bigger than a handful of devices? Total headache.
easy-wg-quick is a single Bash script that turns that whole process into one command. Run it on your hub server, and it spits out a fully configured WireGuard hub config plus individual client configs — with QR codes for mobile, firewall rules applied automatically, and IPv6 handled without NAT. And no dependencies beyond wg, wg-quick, and awk.
What This WireGuard Config Generator Does
The script follows a classic hub-and-spoke WireGuard model. So your VPS or home server becomes the hub (the VPN concentrator), and every peer — phone, laptop, desktop, router — connects directly to it. That means each ./easy-wg-quick run creates a new client config. Pass a name like ./easy-wg-quick pixel9 and wgclient_pixel9.conf lands in your directory, ready to go. Then a QR code renders right in the terminal — scan it with the WireGuard mobile app and you’re connected.
Here’s how it stacks up against the alternatives:
| Feature | easy-wg-quick | Plain wg-quick | wireguard-install (Nyr) |
|---|---|---|---|
| Hub config generation | Auto | Manual | Auto |
| Multi-client management | Sequential runs | Manual per client | Single interactive script |
| QR code for mobile | Built-in | Not included | Not included |
| Docker support | Yes (ghcr.io image) | No | No |
| Terraform module | GCP module available | No | No |
| Firewall backends | 6 (iptables/nft/ufw/firewalld/pf/custom) | Manual | iptables only |
| IPv6 NDP proxy | Yes | Manual | No |
| Custom DNS per client | Yes (config files) | Manual | Yes |
| Split tunneling | Yes (config file) | Manual | Not directly |
| Maintenance status | ✅ Active (v0.0.9, last commit Mar 2026) | N/A (upstream) | Active (3.7k★) |
How It Works in Practice
So the hub generates its own key pair, picks a random internal subnet and port, and writes wghub.conf. Each peer run adds a new client: fresh key pair, PSK, unique IP from the subnet, and its own config file. The hub config auto-updates with the new peer’s public key.
I tested this on a $6/month DigitalOcean Droplet running Debian 12. Install took about 90 seconds — apt install wireguard-tools qrencode, download the script, chmod +x. First run created the hub config. Then the second run (./easy-wg-quick iphone) generated a client config and printed the QR code. Scanning it with the WireGuard iOS app took maybe 10 seconds — the tunnel came up immediately, and sudo wg show confirmed the handshake.
But the QR code feature saves more friction than I expected. Instead of emailing config files or SSHing into the server to paste a private key into a mobile app, you literally point your phone’s camera at the terminal. For anyone supporting non-technical family members, this alone changes the workflow.
Docker and Terraform Deployments
The script runs as a Docker container too, which is worth mentioning for clean deployments:
docker run --rm -it -v "$PWD:/pwd" ghcr.io/burghardt/easy-wg-quick
The container wraps the same Bash script with Alpine Linux, WireGuard tools, and libqrencode pre-installed. Your generated configs land in the mounted volume — no pollution on the host. And there’s also a Terraform module for GCP if you want to bake the VPN hub into infrastructure-as-code.
What to Watch Out For
The project is in maintenance mode — 357 commits, 1,116 stars, but the last code change was March 2026. It works, but don’t expect rapid feature development. The author is responsive to issues, but it’s not a sponsored project.
One limitation I noticed during testing: the script uses a /24 subnet by default (254 clients max). Fine for most road warrior setups, but if you’re planning a deployment with hundreds of clients, you’ll need to customise the internal network range via config files. Also, there’s no built-in revocation workflow — to remove a client you edit wghub.conf manually and restart the interface.
Bottom Line
easy-wg-quick is one of the fastest ways to set up a hub and spoke WireGuard VPN for 2-50 devices. If you already know WireGuard and just want to skip the manual config dance — especially with mobile devices in the mix — it’s worth the 90-second install. Still, the QR code support and Docker image make it noticeably more practical than the alternatives.
Who should skip it? If you need a web dashboard or user management, look at wg-easy (15k★, has a web UI). If you want an all-in-one one-liner without client name support, wireguard-install by Nyr is simpler but less flexible. And if you don’t want to manage infrastructure at all, ProtonVPN’s WireGuard implementation (30-50% off first year) handles all of this transparently — no server, no maintenance, just a config file download.
Disclosure: Some links below are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.
- DigitalOcean — $200 credit for new users, $6/mo Droplet starts here
- Vultr — starts at $2.50/mo, deploy in 32 global regions
- ProtonVPN — WireGuard-compatible, no server management needed