The server binary runs on your VPS alongside WireGuard. It accepts DTLS connections from the client, unwraps the packets, and forwards them to the local WireGuard socket.

Flags

-listen (string, default: "0.0.0.0:56000")
    UDP address the server binds and listens on for incoming DTLS connections from clients. Clients pass this address as their -peer flag.
    Example: -listen 0.0.0.0:56000

-connect (string, required)
    Address of the local WireGuard (or other UDP) server to forward decrypted packets to. Typically this is 127.0.0.1:<wg-port>.
    Example: -connect 127.0.0.1:51820
    This flag is required. The server will panic and exit immediately if -connect is not provided.
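The forwarding path described above (accept a tunnel connection, pass its decrypted datagrams to WireGuard, return WireGuard's replies to the same client) is sketched here as an added example in plain Go. It is not the project's own code: the real server obtains its listener from pion's dtls.Listen, which is not used here so the example runs with only the standard library, and the flag names, the default listen address and the "one UDP socket per tunnel connection" design are taken from this page, while parseFlags reporting a missing -connect as an error rather than a panic is this example's choice.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
	"net"
)

// config holds the two flags documented on this page.
type config struct {
	Listen  string
	Connect string
}

// parseFlags parses -listen and -connect from args. Unlike the real binary,
// which panics, it reports a missing -connect as an ordinary error so the
// caller can print usage and exit cleanly.
func parseFlags(args []string) (config, error) {
	fs := flag.NewFlagSet("server", flag.ContinueOnError)
	var c config
	fs.StringVar(&c.Listen, "listen", "0.0.0.0:56000", "UDP address to accept DTLS clients on")
	fs.StringVar(&c.Connect, "connect", "", "local WireGuard UDP address to forward to")
	if err := fs.Parse(args); err != nil {
		return config{}, err
	}
	if c.Connect == "" {
		return config{}, errors.New("-connect is required")
	}
	return c, nil
}

// relay shuttles datagrams between one accepted tunnel connection (the
// decrypted DTLS side, any net.Conn) and a dedicated UDP socket to WireGuard.
// A separate UDP socket per tunnel connection gives each client its own
// source port, so WireGuard's replies are routed back to the right client.
// It returns the number of datagrams forwarded in each direction once the
// tunnel side closes.
func relay(tunnel net.Conn, wgAddr string) (toWG, fromWG int, err error) {
	raddr, err := net.ResolveUDPAddr("udp", wgAddr)
	if err != nil {
		return 0, 0, err
	}
	wg, err := net.DialUDP("udp", nil, raddr)
	if err != nil {
		return 0, 0, err
	}

	done := make(chan int) // carries the WireGuard -> tunnel count back
	go func() {
		n := 0
		buf := make([]byte, 65535)
		for {
			size, rerr := wg.Read(buf)
			if rerr != nil {
				break
			}
			if _, werr := tunnel.Write(buf[:size]); werr != nil {
				break
			}
			n++
		}
		done <- n
	}()

	buf := make([]byte, 65535)
	for {
		size, rerr := tunnel.Read(buf)
		if rerr != nil {
			if !errors.Is(rerr, io.EOF) {
				err = rerr
			}
			break
		}
		if _, werr := wg.Write(buf[:size]); werr != nil {
			err = werr
			break
		}
		toWG++
	}
	// Tear down both sides so the reverse goroutine unblocks, then collect its count.
	wg.Close()
	tunnel.Close()
	fromWG = <-done
	return toWG, fromWG, err
}

// serve accepts tunnel connections from ln (in the real server, the listener
// returned by pion's dtls.Listen) and relays each one to WireGuard.
func serve(ln net.Listener, wgAddr string) error {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return err
		}
		go func() {
			if _, _, err := relay(conn, wgAddr); err != nil {
				fmt.Println("relay ended:", err)
			}
		}()
	}
}
```

Because relay only needs a net.Conn on the tunnel side, it can be exercised with net.Pipe and a local UDP echo socket standing in for WireGuard, which is also how the per-connection socket behaviour is easiest to observe.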

DTLS configuration

The server uses the pion DTLS v3 library with the following fixed settings:
  • Cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • Extended master secret: required
  • Connection ID generator: random 8-byte CID (dtls.RandomCIDGenerator(8))
  • Certificate: self-signed, generated at startup
The client uses a matching cipher suite and OnlySendCIDGenerator. The self-signed certificates on both sides are accepted without verification (InsecureSkipVerify on the client), so the DTLS handshake encrypts the tunnel but does not authenticate either peer.
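What "self-signed, generated at startup" involves is shown below as an added example written against the Go standard library; it is not the project's code (the server uses pion's own self-signed certificate helper) and the subject name and validity period are assumed. The key is ECDSA P-256 because the fixed TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 suite can only be negotiated with an ECDSA certificate, and the fingerprint helper gives an operator a value to log at startup so that the certificate the client ends up accepting can be compared against it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// generateSelfSigned creates a fresh ECDSA P-256 key pair and a self-signed
// X.509 certificate valid for validFor. An ECDSA key is required by the
// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 suite both sides are fixed to.
func generateSelfSigned(validFor time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	// Random 128-bit serial, as a fresh certificate is minted on every start.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "dtls-wg-server"}, // assumed name
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Template is both subject and issuer: that is what makes it self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// fingerprint returns the hex SHA-256 of the DER-encoded certificate, the
// value an operator can record at startup and check the client against.
func fingerprint(cert tls.Certificate) string {
	sum := sha256.Sum256(cert.Certificate[0])
	return hex.EncodeToString(sum[:])
}

func main() {
	cert, err := generateSelfSigned(365 * 24 * time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("certificate SHA-256:", fingerprint(cert))
}
```

The resulting tls.Certificate is the type pion's dtls.Config takes in its Certificates field; because the client skips verification, nothing in the handshake itself checks the fingerprint, which is why logging it is the only place the operator sees which certificate was presented.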

Example

./server -listen 0.0.0.0:56000 -connect 127.0.0.1:51820
Replace 51820 with the actual UDP port your WireGuard interface listens on.
Make sure the UDP port you pass to -listen is reachable from the internet; open it in your firewall or security group rules.
