Settings

Stefano Bertelli edited this page Apr 3, 2026 · 1 revision

The Settings page (/admin/settings) is the central configuration interface for WireGUI.

Default Client Configuration

These defaults are applied to new devices unless overridden per-device (see Devices).

Setting | Description | Default
Endpoint | Server hostname or IP that clients connect to | localhost
DNS | DNS servers pushed to clients | 1.1.1.1, 1.0.0.1
Allowed IPs | IP ranges routed through the tunnel | 0.0.0.0/0, ::/0
MTU | Maximum Transmission Unit | 1280
Persistent Keepalive | Keepalive interval in seconds | 25

Click Save Defaults after making changes.

Authentication & Access

VPN Session Duration

Controls how often users must re-authenticate. Options:

  • Never (unlimited)
  • Every Hour
  • Every Day
  • Every Week
  • Every 30 Days
  • Every 90 Days

When a session expires, the user's WireGuard peers are temporarily removed until they log in again.

Authentication Toggles

  • Local Authentication (email/password) - Can be disabled when SSO is the only desired login method
  • Allow Unprivileged Device Management - When enabled, non-admin users can create and delete their own devices
  • Allow Unprivileged Device Configuration - When enabled, non-admin users can modify device configuration overrides (allowed IPs, DNS, endpoint, etc.)

SSO Behavior

  • Auto-disable VPN on OIDC refresh error - When enabled, if an OIDC token refresh fails (e.g., user deprovisioned from the IdP), their VPN access is automatically suspended

Click Save Security Settings after making changes.

OpenID Connect Providers

Manage OIDC identity providers for Single Sign-On. The table shows configured providers with:

Field | Description
Config ID | Unique identifier for the provider
Label | Button text shown on the login page
Client ID | OAuth2 client ID
Discovery URI | OIDC discovery document URL
Auto-create | Whether new users are automatically created on first SSO login

Click Add OIDC Provider to configure a new provider. Required fields:

  • Config ID - Unique identifier (used in URLs: /auth/oidc/{config_id})
  • Label - Display name on the login button
  • Client ID and Client Secret - From your identity provider
  • Discovery Document URI - The .well-known/openid-configuration URL
  • Scope - OAuth2 scopes (default: openid email profile)
  • Auto-create users - Automatically provision accounts on first login
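Before saving a provider, it helps to sanity-check the Discovery Document URI and Scope values against the document the IdP actually serves. The following is an added example, not WireGUI code: `check_provider` and the sample provider are assumptions made for illustration, and the rules follow OpenID Connect Discovery 1.0 (required metadata, issuer equal to the discovery URL prefix).

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata that OpenID Connect Discovery 1.0 requires for a code-flow provider.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_provider(discovery_uri, scope, doc):
    """Return a list of problems; an empty list means the entry looks sane."""
    problems = []
    if urlsplit(discovery_uri).scheme != "https":
        problems.append("discovery URI is not https")
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        problems.append("missing metadata: " + ", ".join(missing))
    if not discovery_uri.endswith(WELL_KNOWN):
        problems.append("discovery URI does not end in " + WELL_KNOWN)
    elif "issuer" in doc:
        # The issuer must equal the URL prefix the document was fetched from;
        # otherwise the document describes some other issuer.
        expected = discovery_uri[:-len(WELL_KNOWN)]
        if doc["issuer"].rstrip("/") != expected:
            problems.append("issuer mismatch: " + doc["issuer"])
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            problems.append(key + " is not https")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ID tokens (alg 'none')")
    requested = scope.split()
    if "openid" not in requested:
        problems.append("scope does not include 'openid'")
    # scopes_supported is optional metadata, so only compare when present.
    supported = doc.get("scopes_supported")
    if supported is not None:
        for s in requested:
            if s not in supported:
                problems.append("scope not offered by provider: " + s)
    return problems

# Constructed sample input (not a real provider).
BASE = "https://idp.example.test/realms/vpn"
SAMPLE_URI = BASE + WELL_KNOWN
SAMPLE_DOC = {"issuer": BASE, "authorization_endpoint": BASE + "/auth",
              "token_endpoint": BASE + "/token", "jwks_uri": BASE + "/certs",
              "response_types_supported": ["code"], "subject_types_supported": ["public"],
              "id_token_signing_alg_values_supported": ["RS256"],
              "scopes_supported": ["openid", "email", "profile"]}

if __name__ == "__main__":
    print(check_provider(SAMPLE_URI, "openid email profile", SAMPLE_DOC))
```

In practice `doc` would be the JSON fetched from the configured Discovery Document URI; it is embedded here so the check runs offline.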

SAML Identity Providers

Manage SAML 2.0 identity providers. Similar to OIDC, with additional SAML-specific settings:

  • Config ID and Label - Identifier and display name
  • Metadata - IdP metadata XML
  • Sign Requests / Metadata - Whether to sign SAML requests
  • Auto-create users - Automatic user provisioning

IdP Provisioning from YAML

For automated deployments, identity providers can be defined in a YAML file and loaded at startup:

WG_IDP_CONFIG_FILE=/path/to/idps.yaml

See Authentication for YAML format details.
