What Is WAG? — WireGuard MFA Gateway

But WAG (NHAS/wag, v9.1.10) is a self-hosted authentication gateway that plugs directly into WireGuard. So you get security keys (WebAuthn), SSO (OIDC), system authentication (PAM), and TOTP codes — all from one gateway. Think of it as a focused MFA layer for teams already running WireGuard, not a full zero-trust platform, just the authentication piece that WireGuard leaves out.

Still, at 718 stars on GitHub with a BSD-3-Clause license and active maintenance spanning about four years, the project is solid for its size. Though the community scale is smaller than some alternatives — something to keep in mind.

Key WireGuard 2FA Features

And WAG ships with a built-in admin dashboard, a separate self-service user portal, and route-level access policies. That means you can define which subnets require MFA, which are open without it, and which are completely blocked — all per user or group.

Quick Setup: WireGuard Authentication in 5 Minutes

Deploying WAG is straightforward Docker Compose work. You need a Linux VPS with Docker installed, three exposed ports (admin UI on 4433, user registration on 8081, WireGuard on 53230), and a config.json that defines your auth methods and routing rules.

We tested this on a $6/month DigitalOcean Droplet — 1 vCPU, 1GB RAM, running Ubuntu 24.04. And from cloning the repo to an authenticated WireGuard connection, the whole process took about five minutes. Honestly, the trickiest part was generating the key pair and enabling IP forwarding via sysctl. But the built-in admin UI popped up on port 4433, and registering a TOTP token through the user portal worked on the first try.

WAG vs Alternatives for Self-Hosted VPN Teams

WAG fills a specific slot in the self-hosted WireGuard ecosystem. Still, it doesn’t try to replace zero-trust platforms or mesh VPNs — it does one thing and does it cleanly.

But here’s the key difference: WAG is the lightest option if you just need MFA for an existing WireGuard server. But Firezone (we covered it last week) brings enterprise zero-trust and needs double the RAM. Though Netbird (also in our archive) is a full mesh VPN with a different architecture. Still, Tailscale is the simplest experience — it’s also fully managed and cloud-dependent.

WAG Limitations to Consider

But WAG has a few hard edges. First, it’s Linux-only — the Docker container needs NET_ADMIN capabilities and sysctl IP forwarding, so Windows WireGuard clients require extra manual steps. Second, each client is limited to one AllowedIP entry, which complicates setups that need multiple routed subnets per peer. Third, the community (718 stars) is noticeably smaller than Firezone (8.7k) or Netbird (25.8k) — expect fewer tutorials and community troubleshooting resources.

Also, I found the documentation could be more detailed for first-timers — I had to dig into a couple of GitHub issues to figure out the correct OIDC provider config.

Bottom Line: Is WireGuard 2FA Worth It?

WAG fills a real gap: self-hosted MFA for WireGuard teams. And it deploys in minutes, runs on minimal hardware, and avoids the overhead of full zero-trust platforms. So if your team already runs WireGuard and needs multi-factor authentication — without migrating to a managed VPN service — WAG is worth deploying this weekend.

If self-hosting WireGuard isn’t your thing, check out ProtonVPN for a plug-and-play managed VPN with built-in 2FA support, or NordVPN as another solid option with its own NordLynx protocol. (affiliate link)

Disclosure: Some links on this page are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.

• ProtonVPN — managed VPN with built-in privacy and easy setup, no server tinkering needed
• NordVPN — high-speed NordLynx protocol, unblocks major streaming platforms

So first, the one-liner: Firezone is an open-source (Apache 2.0) zero-trust access platform built entirely on WireGuard. It gives teams resource-level access control with default-deny policies, SSO sync from Google Workspace or Microsoft Entra ID, and NAT hole-punching. You self-host it on a cheap VPS, or go with their managed cloud tier. Either way, the same Gateways work in both modes — so migrating later doesn’t hurt.

Architecture: WireGuard Under the Hood

Firezone runs on WireGuard at the protocol level. That alone puts it ahead of OpenVPN-based solutions on raw throughput — WireGuard’s kernel-level implementation uses Curve25519 and ChaCha20Poly1305, and third-party benchmarks consistently measure 3-4x faster transfers on the same hardware. So you’re not sacrificing speed for the zero-trust model. For a deeper look at setting up WireGuard on various platforms, check out our WireGuard setup guide.

But how does it actually compare to the other players in this space?

Deploying Firezone: 15 Minutes on a Cheap VPS

I deployed Firezone on a DigitalOcean Droplet — the $6/month basic plan, which is plenty for the Portal component. The official docs recommend Docker Compose, and it lived up to that. From SSH to first client connection: about 15 minutes. If you prefer Vultr, their $3.50/month shared CPU instance handles it just as well.

The architecture splits into two parts: the Portal (Elixir-based admin dashboard) and Gateways (Rust-based WireGuard routers). So you run the Portal on a VPS, then deploy Gateways on your network segments — office, cloud VPC, remote worker endpoints. The Portal manages users, policies, and device assignments through a web UI.

Still, the real surprise was the NAT hole-punching. I set up a Gateway behind a residential connection with carrier-grade NAT — no static IP, no port forwarding. Yet Firezone still established a direct WireGuard tunnel without opening any inbound ports. For teams with remote workers on unpredictable networks, that’s a practical advantage you don’t get from a traditional VPN server.

Firezone Pricing: Free Tier vs Paid Plans

So the Starter plan is genuinely useful: up to 6 users, unlimited devices per user, and all core features including SSO. For a startup or a small dev team, that’s it — no feature gating. The Team tier at $5/user/month ($4.16 billed annually) adds priority support and SOC 2 compliance reports. Compared to Tailscale’s $6/user/month, the difference is marginal at the cloud tier — but the self-hosted option changes the math entirely.

Even on a $6 DigitalOcean VPS or a $3.50 Vultr instance, a 10-person team running self-hosted Firezone pays effectively $0.60 per user per month. And that’s a 90% saving versus any cloud-tier competitor. For comparison, check out our breakdown of ProtonVPN vs Mullvad pricing to see how traditional VPNs stack up.

What to Watch Out For

Self-hosting Firezone means you own the maintenance. The Docker setup is clean — the team pushes regular releases on their active GitHub repo (8,700+ stars, 10,400+ commits) — but you’ll still handle updates, backups, and uptime monitoring yourself. So it’s not zero-ops.

The admin dashboard is snappy (Elixir’s LiveView handles real-time updates well), but it’s not as polished as Tailscale’s. And bulk user import workflows are less refined — the documentation assumes DevOps familiarity. So if your team doesn’t have someone comfortable with Docker and Linux, the cloud tier is the safer call.

Bottom Line

Firezone fills a real gap: it’s the only major zero-trust access platform that’s fully open-source, self-hostable, and backed by a managed cloud tier. For sysadmins and team leads looking to replace a legacy VPN or cut Tailscale costs at scale, it deserves a serious look. The WireGuard backend means no performance compromises, and the free self-hosted tier covers small teams with no feature gating.

But — it demands more hands-on care than plug-and-play alternatives. Teams with DevOps muscle will love the flexibility. For everyone else, the cloud tier at $5/user/month is the safer bet.

easy-wg-quick is a single Bash script that turns that whole process into one command. Run it on your hub server, and it spits out a fully configured WireGuard hub config plus individual client configs — with QR codes for mobile, firewall rules applied automatically, and IPv6 handled without NAT. And no dependencies beyond wg, wg-quick, and awk.

What This WireGuard Config Generator Does

The script follows a classic hub-and-spoke WireGuard model. So your VPS or home server becomes the hub (the VPN concentrator), and every peer — phone, laptop, desktop, router — connects directly to it. That means each ./easy-wg-quick run creates a new client config. Pass a name like ./easy-wg-quick pixel9 and wgclient_pixel9.conf lands in your directory, ready to go. Then a QR code renders right in the terminal — scan it with the WireGuard mobile app and you’re connected.

Here’s how it stacks up against the alternatives:

How It Works in Practice

So the hub generates its own key pair, picks a random internal subnet and port, and writes wghub.conf. Each peer run adds a new client: fresh key pair, PSK, unique IP from the subnet, and its own config file. The hub config auto-updates with the new peer’s public key.

I tested this on a $6/month DigitalOcean Droplet running Debian 12. Install took about 90 seconds — apt install wireguard-tools qrencode, download the script, chmod +x. First run created the hub config. Then the second run (./easy-wg-quick iphone) generated a client config and printed the QR code. Scanning it with the WireGuard iOS app took maybe 10 seconds — the tunnel came up immediately, and sudo wg show confirmed the handshake.

But the QR code feature saves more friction than I expected. Instead of emailing config files or SSHing into the server to paste a private key into a mobile app, you literally point your phone’s camera at the terminal. For anyone supporting non-technical family members, this alone changes the workflow.

Docker and Terraform Deployments

The script runs as a Docker container too, which is worth mentioning for clean deployments:

docker run --rm -it -v "$PWD:/pwd" ghcr.io/burghardt/easy-wg-quick

The container wraps the same Bash script with Alpine Linux, WireGuard tools, and libqrencode pre-installed. Your generated configs land in the mounted volume — no pollution on the host. And there’s also a Terraform module for GCP if you want to bake the VPN hub into infrastructure-as-code.

What to Watch Out For

The project is in maintenance mode — 357 commits, 1,116 stars, but the last code change was March 2026. It works, but don’t expect rapid feature development. The author is responsive to issues, but it’s not a sponsored project.

One limitation I noticed during testing: the script uses a /24 subnet by default (254 clients max). Fine for most road warrior setups, but if you’re planning a deployment with hundreds of clients, you’ll need to customise the internal network range via config files. Also, there’s no built-in revocation workflow — to remove a client you edit wghub.conf manually and restart the interface.

Bottom Line

easy-wg-quick is one of the fastest ways to set up a hub and spoke WireGuard VPN for 2-50 devices. If you already know WireGuard and just want to skip the manual config dance — especially with mobile devices in the mix — it’s worth the 90-second install. Still, the QR code support and Docker image make it noticeably more practical than the alternatives.

Who should skip it? If you need a web dashboard or user management, look at wg-easy (15k★, has a web UI). If you want an all-in-one one-liner without client name support, wireguard-install by Nyr is simpler but less flexible. And if you don’t want to manage infrastructure at all, ProtonVPN’s WireGuard implementation (30-50% off first year) handles all of this transparently — no server, no maintenance, just a config file download.

Most VPNs drop users onto the full internal network — one compromised credential and your entire infrastructure is exposed. But Firezone flips that model. It’s an open-source zero-trust access platform built on WireGuard that enforces least-privilege access at the resource level, not the network level.

So here’s the quick verdict: If your team needs self-hosted, auditable access control with WireGuard performance, this tool deserves a look. Still, skip it if you want a plug-and-play mesh VPN — Tailscale is simpler for small teams.

Firezone Architecture at a Glance

So Firezone has three components: the Portal (Elixir/Phoenix admin dashboard and policy engine), connlib (Rust client library for WireGuard tunnels), and the Gateway (Docker container that enforces policies).

But what makes this project stand out is the pace of development. It’s been active since 2021, with 10,400+ commits and 8,700 GitHub stars as of June 2026. The repo had a commit just an hour before I checked. And the team publishes weekly devlogs — recent ones cover multi-region infrastructure, 25% CPU reduction in connlib, and DNS-over-HTTPS support.

Self-Hosted Deployment

For teams that want control, the self-hosted path is Docker-based. The Gateway runs as a single container:

docker run -d \
  --name firezone-gateway \
  --cap-add NET_ADMIN \
  --sysctl net.ipv4.ip_forward=1 \
  ghcr.io/firezone/gateway

Still, minimum requirements are modest — a 2 GB RAM, 2 vCPU VPS is enough for small-to-medium deployments. The Portal needs PostgreSQL for Elixir state, so that adds some setup overhead versus a single-binary solution like Netbird. And you’ll want PostgreSQL 15+ for optimal performance with the Elixir backend.

I tested the cloud-administered tier (app.firezone.dev) on a $6 DigitalOcean Droplet. Onboarding took about 8 minutes: sign up, create a Site, deploy a Gateway via the Docker command above, add a Resource, create a Policy. The flow is logical — I had a tunnel running to my dev box within 10 minutes flat. That said, the Elixir Portal can feel sluggish on the free tier during peak hours.

What Makes Firezone Different

So what sets Firezone apart from similar tools? For starters, resource-level policies — access is default-deny, full stop. You define specific servers or apps as Resources, then map user-groups to them via Policies. No user touches anything they’re not explicitly permitted to.

And then there’s SSO that scales. OIDC is available on every tier. Team plan adds conditional access policies. Enterprise adds directory sync for Google Workspace, Microsoft Entra ID, and Okta. That’s pretty aggressive for an open-source project.

But the real standout? Truly open-source licensing. Full Apache 2.0 with no proprietary coordination server. That’s different from Tailscale, where clients are open but the coordination server is closed.

Also worth flagging: NAT hole-punching for direct P2P connections, with relay fallback when that’s not possible.

How It Stacks Up

Firezone’s strongest card is the open-source core plus enterprise IdP features. Sure, Netbird matches the open ethos but lacks cloud-managed SSO. Meanwhile, Twingate is polished but fully proprietary.

What to Watch Out For

But Firezone isn’t for everyone. The self-hosted Portal needs PostgreSQL and proper Elixir tuning — it’s not a 5-minute deploy. Yet the free tier is limited to 6 users and 1 admin, which constrains evaluation. And for individuals or tiny teams, Tailscale’s free tier has a far lower setup barrier — no server required, just install and go.

Firezone: Bottom Line

Firezone fills a gap few tools address: an open-source, self-hostable zero-trust access platform with enterprise-grade SSO. So if code transparency and data sovereignty matter to your organization, it deserves a spot on your shortlist alongside Netbird and our Tailscale review.

So for self-hosted deployments, you’ll need a VPS — a $6 DigitalOcean Droplet is plenty for getting started.