WireGuard is fast, modern, and refreshingly simple: set a private key, configure a peer, and you're connected within seconds. But that simplicity has a blind spot: there is no multi-factor authentication. If a private key leaks, your VPN is wide open. WAG changes that.
What Is WAG? — WireGuard MFA Gateway
WAG (NHAS/wag, v9.1.10) is a self-hosted authentication gateway that plugs directly into WireGuard. It adds security keys (WebAuthn), SSO (OIDC), system authentication (PAM), and TOTP codes, all from one gateway. Think of it as a focused MFA layer for teams already running WireGuard: not a full zero-trust platform, just the authentication piece that WireGuard leaves out.
At 718 stars on GitHub, with a BSD-3-Clause license and about four years of active maintenance, the project is solid for its size, though its community is smaller than that of some alternatives, which is worth keeping in mind.
Key WireGuard 2FA Features
WAG ships with a built-in admin dashboard, a separate self-service user portal, and route-level access policies. That means you can define which subnets require MFA, which are reachable without it, and which are blocked outright, per user or per group.
| Feature | Details |
|---|---|
| MFA Methods | WebAuthn, OIDC/SSO, PAM, TOTP |
| Route Policies | MFA-required, Allow, Deny (per user or group) |
| Management UI | Admin dashboard + self-service user portal |
| MFA Latency | TOTP ~1–2s, WebAuthn ~3–5s, OIDC depends on your IdP |
| Deployment | Docker Compose, roughly 5 minutes |
| High Availability | etcd/RAFT consensus for multi-node clusters |
| Resource Usage | ~1 vCPU, 1GB RAM, 10GB SSD minimum |
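To make the route-policy model concrete, here is an added Python model of per-group MFA/Allow/Deny routes with longest-prefix matching. It is an illustration written for this article, not WAG's code, and the rule layout, group names and addresses are constructed assumptions, not WAG's config.json format.

```python
import ipaddress

# Route classes from the article: MFA-gated, open without MFA, or blocked.
MFA, ALLOW, DENY = "mfa", "allow", "deny"
STRICTNESS = {ALLOW: 0, MFA: 1, DENY: 2}  # equally specific rules: stricter wins


class RoutePolicy:
    """Per-group route rules (hypothetical layout, not WAG's config.json format)."""

    def __init__(self, rules, user_groups):
        # rules: group -> [(cidr, action), ...]; user_groups: user -> [group, ...]
        self.rules = {
            g: [(ipaddress.ip_network(c), a) for c, a in entries]
            for g, entries in rules.items()
        }
        self.user_groups = user_groups

    def classify(self, user, dst_ip):
        """Action for dst_ip, or None if no rule of the user's groups matches.
        Longest matching prefix wins; ties resolve to the stricter action."""
        dst = ipaddress.ip_address(dst_ip)
        best = None  # (prefixlen, strictness, action)
        for group in self.user_groups.get(user, []):
            for net, action in self.rules.get(group, []):
                if dst in net:
                    cand = (net.prefixlen, STRICTNESS[action], action)
                    if best is None or cand[:2] > best[:2]:
                        best = cand
        return best[2] if best else None

    def permits(self, user, dst_ip, mfa_done):
        """Forwarding decision: ALLOW needs only a valid WireGuard key, MFA also
        needs a completed MFA session, DENY and unmatched destinations drop."""
        action = self.classify(user, dst_ip)
        if action == ALLOW:
            return True
        if action == MFA:
            return bool(mfa_done)
        return False


# Constructed sample policy and group membership (illustrative only).
POLICY = RoutePolicy(
    rules={
        "engineering": [("10.0.0.0/8", ALLOW), ("10.0.50.0/24", MFA), ("10.0.50.9/32", DENY)],
        "everyone": [("10.0.1.0/24", ALLOW)],
    },
    user_groups={"alice": ["engineering", "everyone"], "bob": ["everyone"]},
)
```

With this policy, a leaked key for alice reaches 10.0.1.5 but not the MFA-gated 10.0.50.0/24 until her session has passed MFA, and 10.0.50.9 stays blocked either way.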
Quick Setup: WireGuard Authentication in 5 Minutes
Deploying WAG is straightforward Docker Compose work. You need a Linux VPS with Docker installed, three exposed ports (admin UI on 4433, user registration on 8081, WireGuard on 53230), and a config.json that defines your auth methods and routing rules.
We tested this on a $6/month DigitalOcean Droplet (1 vCPU, 1GB RAM, running Ubuntu 24.04). From cloning the repo to an authenticated WireGuard connection, the whole process took about five minutes. Honestly, the trickiest part was generating the key pair and enabling IP forwarding via sysctl. The built-in admin UI popped up on port 4433, and registering a TOTP token through the user portal worked on the first try.
WAG vs Alternatives for Self-Hosted VPN Teams
WAG fills a specific slot in the self-hosted WireGuard ecosystem. It doesn't try to replace zero-trust platforms or mesh VPNs; it does one thing and does it cleanly.
| Aspect | WAG | Firezone | Netbird | Tailscale |
|---|---|---|---|---|
| Core Purpose | WG MFA gateway | Enterprise zero-trust | Open-source mesh VPN | Managed identity-aware VPN |
| Deployment | Self-hosted Docker | Self-hosted or cloud | Self-hosted or cloud | Cloud-only (paid) |
| MFA Methods | WebAuthn/OIDC/PAM/TOTP | SSO + MFA | SSO + MFA | SSO + MFA |
| Route Control | Per-route MFA/Allow/Deny | Application-level | Network-level | Network-level |
| Complexity | Low (~5 min setup) | Medium | Medium | Low (managed) |
| Minimum RAM | ~1GB | ~2GB | ~1GB | N/A |
Here's the key difference: WAG is the lightest option if you just need MFA for an existing WireGuard server. Firezone (we covered it last week) brings enterprise zero-trust and needs double the RAM. Netbird (also in our archive) is a full mesh VPN with a different architecture. Tailscale is the simplest experience, but it's also fully managed and cloud-dependent.
WAG Limitations to Consider
WAG has a few hard edges. First, it's Linux-only: the Docker container needs NET_ADMIN capabilities and sysctl IP forwarding, so Windows WireGuard clients require extra manual steps. Second, each client is limited to one AllowedIP entry, which complicates setups that need multiple routed subnets per peer. Third, the community (718 stars) is noticeably smaller than Firezone (8.7k) or Netbird (25.8k), so expect fewer tutorials and community troubleshooting resources.
Also, I found the documentation could be more detailed for first-timers; I had to dig into a couple of GitHub issues to figure out the correct OIDC provider config.
Bottom Line: Is WireGuard 2FA Worth It?
WAG fills a real gap: self-hosted MFA for WireGuard teams. It deploys in minutes, runs on minimal hardware, and avoids the overhead of full zero-trust platforms. If your team already runs WireGuard and needs multi-factor authentication without migrating to a managed VPN service, WAG is worth deploying this weekend.
If self-hosting WireGuard isn’t your thing, check out ProtonVPN for a plug-and-play managed VPN with built-in 2FA support, or NordVPN as another solid option with its own NordLynx protocol. (affiliate link)
Disclosure: Some links on this page are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.