Skip to main content

Overview

WireGuard uses public/private key pairs for authentication. Each user gets a unique peer configuration per server. StartMyVPN generates, stores, and delivers these configs automatically.

Peer config lifecycle

Downloading WireGuard config

Users get their per-server config from:
  • Web dashboard: /vpn/download/{server}/wireguard
  • API: GET /v1/servers/{server}/wireguard
The .conf file contains:
  • Client private key
  • Client IP address (assigned by StartMyVPN)
  • Server public key
  • Server endpoint (IP:port)
  • DNS servers
  • AllowedIPs (typically 0.0.0.0/0 for full tunnel)

Speed limits

WireGuard supports per-user bandwidth speed limits using tc (traffic control) on the server. When a plan has a speed limit configured (in Mbps), StartMyVPN enforces it on the server-side peer interface. Speed limits are applied/updated automatically when:
  • A service is created
  • A plan’s speed limit is changed
  • A service is upgraded or downgraded to a different plan
If a plan has no speed limit, the user gets full available bandwidth.

Bandwidth tracking

WireGuard doesn’t log individual connections, but StartMyVPN polls each WireGuard server periodically to read rx_bytes / tx_bytes counters per peer. This data is stored and used for:
  • User-facing bandwidth usage display
  • Bandwidth limit enforcement

Jobs that run in the background

Manual installation

To set up WireGuard on an existing server:
After installation, add the server to StartMyVPN via Admin → Servers → Add Server and run the install scripts job.