The coordinator is not fully configured yet. Copy the generated values below
into your .env file, then restart the container.
These are generated fresh on every page load. Use them once — regenerate if needed.
Used for JWT signing and private-key encryption. Set once — never change it after first run.
ADMIN_PASSWORD=your-chosen-password
WG_SERVER_PUBLIC_IP=your-vps-public-ip
Install WireGuard and enable IP forwarding — required before starting the agent container:
sudo apt install -y wireguard
sudo modprobe wireguard
echo wireguard | sudo tee /etc/modules-load.d/wireguard.conf
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-vpn-agent.conf
⚠️ On custom-kernel hosts (e.g. NVIDIA Jetson/Tegra) the WireGuard kernel module may not be available. If wireguard-go is not in apt, download the pre-compiled binary:
sudo apt install -y wireguard-tools
# If wireguard-go is not available in apt (e.g. Jetson/Tegra):
sudo curl -fsSL …/static/downloads/wireguard-go-arm64 -o /usr/local/bin/wireguard-go
sudo chmod +x /usr/local/bin/wireguard-go
For nodes already added via the admin UI, use the Deploy button on the node row instead — it generates a ready-to-run command with that node's individual token.
Creates /opt/vpn-agent/docker-compose.yml using the shared ENROLL_TOKEN. The agent self-registers and will self-update automatically when the coordinator is upgraded.
sudo mkdir -p /opt/vpn-agent
sudo tee /opt/vpn-agent/docker-compose.yml <<'EOF'
services:
  vpn-agent:
    image: 569234188113.dkr.ecr.us-east-2.amazonaws.com/vpncoordinator:agent-lts
    container_name: vpn-agent
    restart: unless-stopped
    network_mode: host
    pid: "host"
    privileged: true
    volumes:
      - /lib/modules:/lib/modules:ro
    environment:
      COORDINATOR_URL: …
      ENROLL_TOKEN: loading…
EOF
# Authenticate to ECR before pulling
aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin 569234188113.dkr.ecr.us-east-2.amazonaws.com
cd /opt/vpn-agent && docker compose pull && docker compose up -d
# Set up automatic updates via cron (runs every 30 min)
(crontab -l 2>/dev/null | grep -v 'vpn-agent'; echo "*/30 * * * * cd /opt/vpn-agent && docker compose pull -q && docker compose up -d 2>&1") | crontab -
# Refresh ECR login every 6 hours (token expires after 12h)
(crontab -l 2>/dev/null | grep -v 'ecr-login-agent'; echo "0 */6 * * * aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin 569234188113.dkr.ecr.us-east-2.amazonaws.com 2>&1 # ecr-login-agent") | crontab -
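A pre-flight check for the steps above, as an added example that is not part of the coordinator's own tooling. The function names are hypothetical, and the owner-only file mode is an assumed hardening choice: the compose file written with sudo tee carries ENROLL_TOKEN and is world-readable under a default umask.

```shell
#!/bin/sh
# Added example (not the project's code): checks to run on the agent host
# before `docker compose up -d`. Function names are hypothetical.

# Print one line per finding for the compose file; return non-zero if any.
audit_agent_compose() {
    file=$1
    findings=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # The file holds ENROLL_TOKEN, so group/other should have no access.
    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "permissions: $file is accessible to group/other (chmod 600)"
        findings=$((findings + 1))
    fi
    # A value still showing a UI placeholder means the command was copied
    # before the page had filled in the real value.
    for key in COORDINATOR_URL ENROLL_TOKEN; do
        value=$(sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$file" | head -n 1)
        case $value in
            "" | *…* | *...* | *[Ll]oading*)
                echo "placeholder: $key is unset or still a placeholder"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Succeed only if IPv4 forwarding is enabled. The optional path argument
# lets the check be exercised against a test file.
check_ip_forward() {
    path=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$path" 2>/dev/null)" = "1" ]
}

# Runs only when a file is given, e.g.:
#   sudo sh preflight.sh /opt/vpn-agent/docker-compose.yml
if [ "$#" -gt 0 ]; then
    audit_agent_compose "$1" || echo "fix the findings above before starting the agent"
    check_ip_forward || echo "net.ipv4.ip_forward is not 1"
fi
```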
Stop the container, remove the cron jobs, and clean up the deployment directory:
# Stop and remove the container
cd /opt/vpn-agent && docker compose down
# Remove the cron jobs
(crontab -l 2>/dev/null | grep -v 'vpn-agent' | grep -v 'ecr-login-agent') | crontab -
# Delete the deployment directory
sudo rm -rf /opt/vpn-agent
Optionally revert host settings applied during installation:
# Remove IP forwarding config
sudo rm -f /etc/sysctl.d/99-vpn-agent.conf
sudo sysctl -w net.ipv4.ip_forward=0
# Remove WireGuard autoload
sudo rm -f /etc/modules-load.d/wireguard.conf
Stop the container, remove the cron jobs, and clean up the deployment directory. The wg-user interface is brought down automatically when the container stops.
cd /opt/vpn-user-agent && sudo docker compose down
# Remove the cron jobs
(crontab -l 2>/dev/null | grep -v 'vpn-user-agent' | grep -v 'ecr-login-user-agent') | crontab -
sudo rm -rf /opt/vpn-user-agent
Export all nodes and users to a JSON file. Includes decrypted WireGuard private keys — keep the backup file secure. Use to migrate to a new VPS without re-deploying agents.
Restore from a backup file. The database must be empty (no existing nodes or users) — delete all records first if needed. This operation cannot be undone.
Record of all management actions (most recent first).