Vpn

WireGuard is fast, modern, and refreshingly simple. And you’re connected within seconds — set a private key, configure a peer. But simplicity has a blind spot — there’s no multi-factor authentication. If a private key leaks, your VPN is wide open. WAG changes that. What Is WAG? — WireGuard MFA Gateway But WAG (NHAS/wag, v9.1.10) is a self-hosted authentication gateway that plugs directly into WireGuard. So you get security keys (WebAuthn), SSO (OIDC), system authentication (PAM), and TOTP codes — all from one gateway. Think of it as a focused MFA layer for teams already running WireGuard, not a full zero-trust platform, just the authentication piece that WireGuard leaves out. ...

Sure, WireGuard is easy to set up — two key pairs, a config file, and wg-quick up gets you a tunnel in under a minute. But managing multiple clients? Adding a phone, a laptop, a travel router, revoking access — that’s where the friction lives. You end up manually editing configs, generating keys, bumping IPs in the address range. For a 5-device road warrior setup, it’s doable but tedious. But anything bigger than a handful of devices? Total headache. ...

Firezone: open-source zero-trust via WireGuard with Docker self-hosted deploy. Quick review of features, pricing, and comparison to Tailscale and Netbird.