Setting up a private VPN used to mean hours of config files, key management, and debugging. Not anymore. In this guide, you’ll install WireGuard VPN on Proxmox in a single command using the Proxmox VE Community Scripts — and have clients connected from your phone and laptop within minutes. No Docker required, no manual package installs. Just paste, answer a few prompts, and you’re done. 🚀
🧰 What Are Proxmox VE Community Scripts?
Before we get to the actual install, it’s worth understanding what community-scripts.org is — because you’ll probably be back here for other things too.
Proxmox VE Community Scripts is a community-maintained collection of automated scripts for Proxmox. Each script does one job: it creates a properly configured LXC container for a specific service (WireGuard, AdGuard Home, Nginx Proxy Manager, Nextcloud, and hundreds more) and installs everything inside it automatically.
The key idea is: you run a single bash command in the Proxmox shell, and the script handles:
- 🔲 Creating the LXC container with sensible defaults (CPU, RAM, storage)
- 📦 Installing all required packages inside the container
- ⚙️ Performing initial configuration
- 🔁 Setting up services to start on boot
This means you get a clean, isolated environment for each service — no dependency conflicts, easy to delete if something goes wrong, and easy to snapshot for backups. It’s also the recommended way to run WireGuard VPN on Proxmox without touching the host system.
💡 Community Scripts vs the old tteck scripts: Community Scripts is the successor to the popular
tteck/ProxmoxVEscripts. If you’ve seen older guides usingwget -qLO - https://github.com/tteck/...— those are outdated. Community Scripts is the actively maintained fork.
✅ Prerequisites
To set up WireGuard VPN on Proxmox using this method, you need:
- Proxmox VE 8.x or 9.x up and running
- Access to the Proxmox web UI Shell (or SSH into your Proxmox host)
- A public IP address for your server, or a dynamic DNS (DDNS) hostname
- Port UDP 51820 forwarded on your router to the WireGuard LXC IP
- Basic knowledge of your home network
🚀 Step 1 — Run the Install Script
Open the Proxmox Shell (not a container shell — the host shell at the top of the left panel) and run:
bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/wireguard.sh)"The script will ask you a few questions:
- Default or Advanced settings? — For most users,
Defaultis fine. It creates a Debian 12 LXC with 1 CPU, 512 MB RAM, and 4 GB storage. - Install WGDashboard? — Type
y. This installs the web UI for managing your VPN. Without it, you’d have to manage everything through config files in the terminal.
Wait 1–2 minutes. When it’s done, you’ll see the IP address of your new LXC container. At this point, WireGuard VPN on Proxmox is installed and running.
⚠️ Note: The script runs on the Proxmox host, not inside a VM or container. It creates and configures the LXC for you automatically.
🌐 Step 2 — Access WGDashboard
WireGuard VPN on Proxmox via community scripts comes with WGDashboard — a lightweight web UI for managing peers, monitoring traffic, and generating client configs.
Open your browser and go to:
http://<LXC_IP>:10086Replace <LXC_IP> with the IP shown at the end of the install script (e.g. 192.168.1.50).
Default credentials:
- Username:
admin - Password:
admin
🔐 Step 3 — First Login & Security Setup
On first login, WGDashboard will walk you through a setup wizard:
- Change your username and password — do this immediately,
admin/adminis publicly known - Set up 2FA (optional but recommended) — scan the QR code with any authenticator app (Google Authenticator, Aegis, etc.)
- Click Finish to enter the dashboard
⚙️ Step 4 — Check Your WireGuard Configuration
Good news: when running WireGuard VPN on Proxmox via community scripts, a default wg0 configuration is created automatically on first login — you don’t need to create it manually. Once you finish the setup wizard, you’ll land on the dashboard and see wg0 already listed with:
- Listen Port:
51820 - IP Address: a pre-assigned VPN subnet (e.g.
10.0.0.1/24)
If the interface shows Off on the right side — flip the toggle slider to enable it. Once it turns active, you’re ready to add clients.
💡 WGDashboard reads and writes
/etc/wireguard/wg0.confdirectly on the LXC — this is the actual WireGuard config file. You can inspect it withcat /etc/wireguard/wg0.confinside the container if needed.
⚠️ Set Your Public IP — Critical Step
Before adding any peers, you must tell WGDashboard what your public IP address is — otherwise every generated client config will contain your local LAN IP (e.g. 192.168.1.x) as the endpoint. That only works on your home WiFi and breaks completely on mobile data or any external network.
First, find your public IP. Run this in the WireGuard LXC console:
curl ifconfig.meThen in WGDashboard, open the wg0 Configuration Settings (gear icon ⚙️ next to wg0) and scroll down to the Override Peer Settings section. Fill in the Peer Remote Endpoint field:
YOUR_PUBLIC_IPClick Save. From this point, every peer config and QR code generated by WGDashboard will automatically use the correct public endpoint.
💡 If your ISP gives you a dynamic IP (changes after router reboot), set up a free DDNS service like DuckDNS and put the hostname here instead — e.g.
yourname.duckdns.org. This way clients will always find your server even if the IP changes.
📱 Step 5 — Add a Mobile Client (iOS / Android)
Now the fun part — adding your first peer to WireGuard VPN on Proxmox. In WGDashboard, a peer = a client device that can connect to your VPN.
- Open your
wg0configuration - Click + Add Peer
- Fill in:
- Name: e.g.
iphone-vasyl - IP Address: leave as auto-generated (e.g.
10.0.0.2/32) - Allowed IPs:
0.0.0.0/0to route all traffic through VPN, or your home subnet (e.g.192.168.1.0/24) to only access home devices - DNS:
1.1.1.1or your local DNS (e.g. Pi-hole IP)
- Name: e.g.
- Click Save
The peer appears in the list. Click the QR code icon 📱:
- Install the official WireGuard app: iOS / Android
- Tap + → Scan QR Code
- Point your camera at the QR code in WGDashboard
- Tap Activate — you’re connected! 🎉
🖥️ Step 6 — Add a Desktop Client (Windows / macOS / Linux)
Same process as mobile — just download the config file instead of scanning a QR code:
- Add a new peer in WGDashboard (e.g. name it
laptop-home) - Click the ⬇ Download icon next to the peer
- Save the
.conffile
Windows / macOS:
- Download and install the official WireGuard client
- Open the app → Import tunnel from file → select your
.conf - Click Activate
Linux:
sudo apt install wireguard -y
sudo cp ~/laptop-home.conf /etc/wireguard/wg0.conf
sudo wg-quick up wg0
# Start automatically on boot
sudo systemctl enable wg-quick@wg0🔀 Step 7 — Port Forwarding on Your Router
Your router needs to forward incoming traffic to the WireGuard LXC. Without this, clients outside your home network can’t reach WireGuard VPN on Proxmox at all.
In your router’s admin panel (usually 192.168.1.1 or 192.168.0.1):
- Navigate to Port Forwarding (sometimes called “Virtual Server” or “NAT”)
- Create a new rule:
- External Port:
51820 - Protocol:
UDP - Internal IP: your WireGuard LXC IP (e.g.
192.168.1.50) - Internal Port:
51820
- External Port:
- Save and apply
⚠️ Dynamic IP? If your ISP gives you a changing IP address, use a DDNS service (like DuckDNS — free) and put the hostname in your peer configs instead of an IP.
✅ Step 8 — Verify the Connection
Connect from your phone (on mobile data, not home WiFi) or laptop (on a different network). Then check your public IP:
curl ifconfig.meIt should show your home server’s public IP, not your mobile/remote IP. If it does — WireGuard VPN on Proxmox is working correctly. 🔒
You can also verify in WGDashboard: active peers show a green status, last handshake time, and bytes sent/received.
🔧 Useful Management Commands (inside the LXC)
These commands are useful for day-to-day management of WireGuard VPN on Proxmox. To access the WireGuard LXC shell, click on it in the Proxmox UI → Console, or from the host:
pct enter <CTID>Then inside the container:
# Show active WireGuard peers and their status
wg show
# Restart WireGuard interface
wg-quick down wg0 && wg-quick up wg0
# Check WGDashboard service status
systemctl status wg-dashboard
# Restart WGDashboard
systemctl restart wg-dashboard
# View WGDashboard logs
journalctl -u wg-dashboard -f🔁 Using Nginx Reverse Proxy for WGDashboard
If you already have Nginx Proxy Manager (or any nginx-based reverse proxy) running in your homelab, you can put the WGDashboard web UI for WireGuard VPN on Proxmox behind it to get a clean domain and HTTPS instead of accessing it via http://IP:10086.
⚠️ Important distinction: Only the WGDashboard web UI (TCP port 10086) can be proxied through nginx. The WireGuard VPN traffic itself uses UDP port 51820 — nginx cannot proxy UDP, so that port still needs direct router port forwarding to the LXC, as described in Step 7. These are two separate things.
In Nginx Proxy Manager
- Open Nginx Proxy Manager → Proxy Hosts → Add Proxy Host
- Fill in the Details tab:
- Domain Names: e.g.
wg.yourdomain.com - Scheme:
http - Forward Hostname / IP: the LXC IP (e.g.
192.168.1.50) - Forward Port:
10086 - ✅ Enable Websockets Support
- Domain Names: e.g.
- In the SSL tab:
- Select your SSL certificate (or request a new Let’s Encrypt one)
- ✅ Enable Force SSL
- ✅ Enable HTTP/2 Support
- Click Save
WGDashboard will now be accessible at https://wg.yourdomain.com with a valid certificate.
Update WGDashboard to trust the proxy
By default WGDashboard may not correctly detect the client’s real IP when behind a proxy. Inside the WireGuard LXC, open the dashboard config:
nano /etc/WGDashboard/wg-dashboard.iniFind or add this line under [Server]:
ini
# Trust the reverse proxy to forward real client IPs
under_proxy = trueThen restart the service:
bash
systemctl restart wg-dashboardPeer endpoint — what to put in the client config
When generating a peer config from WGDashboard, the Endpoint field in the .conf file will contain whatever your WGDashboard knows as the server address. This is set in the WireGuard configuration settings inside the dashboard.
Make sure it points to your public IP or domain on UDP port 51820 — not the nginx domain. nginx does not carry WireGuard traffic. The correct endpoint in every client config should look like:
Endpoint = your-public-ip-or-ddns:51820Not wg.yourdomain.com:51820 — unless that domain also points to your public IP and you have UDP 51820 forwarded correctly on your router.
🛡️ Security Tips
- Change
admin/adminimmediately — this is the first thing to do after login - Enable 2FA — WGDashboard supports TOTP, takes 30 seconds
- Never expose port 10086 directly to the internet — keep it reachable only from your home LAN. If you need external access to the dashboard, put it behind Nginx with HTTPS (see the Nginx section above) — never open raw port 10086 on your router
- Use
AllowedIPs = 192.168.1.0/24instead of0.0.0.0/0if you only need access to home devices — reduces your attack surface - Snapshot the LXC in Proxmox before major changes — easy one-click rollback
🔄 Updating
Keeping WireGuard VPN on Proxmox up to date is straightforward. Community Scripts handles updates too. Run this in the Proxmox host shell:
bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/update-lxcs.sh)"Or update just the WireGuard LXC from within the container:
apt update && apt upgrade -y🏁 Conclusion
Deploying WireGuard VPN on Proxmox has never been simpler. With Proxmox VE Community Scripts, what used to take hours of manual setup is reduced to a single command and a few clicks in a web UI. WGDashboard gives you full control over peers, configs, and monitoring without ever touching a terminal again.
The whole setup of WireGuard VPN on Proxmox runs in an isolated LXC container — lightweight, easy to snapshot, easy to delete and redo if needed. It’s the self-hosting approach at its best: powerful, clean, and under your full control. 💪
Want to go deeper? Check out the rest of the self-hosting series on vahac.com for more Proxmox guides, Docker setups, and home server infrastructure.
Leave a Reply