====== Wireguard Support in RADIUSdesk ======
===== Introduction =====
  * As of November 2025, RADIUSdesk can centrally manage Wireguard running on Ubuntu and Raspberry Pi based devices.
  * The **Wireguard Servers** applet declares and manages one or more instances of Wireguard on these devices.
  * The device runs a lightweight agent which interacts with RADIUSdesk.
  * The agent also reports back to RADIUSdesk on the status of Wireguard and any active peer connections.
  * The following graphic shows how everything fits together.
{{:technical:wireguard:wireguard-radiusdesk.jpg|}}

===== Wireguard Servers  =====

{{:technical:wireguard:wireguard_servers.png?nolink|}}

  * Wireguard Servers can be found under the **Other** -> **VPN & Tunneling** grouping.
  * It has two tabs
        * The **Servers** tab displays all of the Wireguard servers which are managed centrally.
        * The **New Arrivals** lists Wireguard servers that reported to RADIUSdesk but which require on-boarding.
==== Server Info ====
  * When you add a Wireguard server, you will need the following information from the server where the agent is installed on.

^ Item      ^ Example       ^ 
| IP Address    | 164.160.89.129  |
| MAC Address   | 12-c1-f8-6c-53-c4 |
| Uplink Interface | eth0 |

  * **MAC Address** is used to uniquely identify the server.
  * **IP Address** will be used in the peer configuration to specify the IP Address where a peer needs to connect with.
  * **Uplink Interface** is used for the firewall rules when NAT is specified on a Wireguard instance.

Each Wireguard server will have one or more Wireguard Instances associated with it.

We will cover Wireguard Instances next.

===== Wireguard Instances  =====

{{:technical:wireguard:wireguard_instances.png?nolink|}}

  * After you defined a Wireguard Server, you can add Wireguard Instances belonging to the Wireguard server.
  * One of the requirements that our clients had was the ability to control the bandwidth on Wireguard.
  * Wireguard Instances allows for this as well as the ability to specify it as a NAT breakout point.

{{:technical:wireguard:wireguard_instance_add.png?nolink|}}

  * With each Wireguard Instance you can in turn manage the Wireguard Peers for the specific Wireguard Instance.

===== Wireguard Peers =====
{{:technical:wireguard:wireguard_peers.png?nolink|}}
  * The config of each Wireguard Peer that has been defined can be downloaded or a QR Code generated for easy configuration.

{{:technical:wireguard:wireguard_peers_qrcode.png?nolink|}}


==== New Arrivals ====
{{:technical:wireguard:wireguard_arrivals.png?nolink|}}
  * Any of the Wireguard servers that still needs on-boarding will be listed under **New Arrivals**.
  * Simply select the one you want to on-board and provide the required information to allow it to become part of the managed servers.
  * Reboot the device after on-boarding and the configuration will be applied through the RADIUSdesk Wireguard agent.

==== Next Steps ====
  * Be sure to check out the steps to follow on the Ubuntu or Raspberry Pi to install the RADIUSdesk Wireguard agent so it can be managed by RADIUSdesk.