Skip to main content

Overview

WireGuard uses public/private key pairs for authentication. Each user gets a unique peer configuration per server. StartMyVPN generates, stores, and delivers these configs automatically.

Peer config lifecycle

User subscribes to plan


WireGuard peer config is generated
for the user on each accessible server
(public/private key pair created)


User downloads .conf file from dashboard


On service expiry or suspension:
peer is removed from all WireGuard servers


On reactivation:
peer is re-added to all servers

Downloading WireGuard config

Users get their per-server config from:
  • Web dashboard: /vpn/download/{server}/wireguard
  • API: GET /v1/servers/{server}/wireguard
The .conf file contains:
  • Client private key
  • Client IP address (assigned by StartMyVPN)
  • Server public key
  • Server endpoint (IP:port)
  • DNS servers
  • AllowedIPs (typically 0.0.0.0/0 for full tunnel)

Speed limits

WireGuard supports per-user bandwidth speed limits using tc (traffic control) on the server. When a plan has a speed limit configured (in Mbps), StartMyVPN enforces it on the server-side peer interface. Speed limits are applied/updated automatically when:
  • A service is created
  • A plan’s speed limit is changed
  • A service is upgraded or downgraded to a different plan
If a plan has no speed limit, the user gets full available bandwidth.

Bandwidth tracking

WireGuard doesn’t log individual connections, but StartMyVPN polls each WireGuard server periodically to read rx_bytes / tx_bytes counters per peer. This data is stored and used for:
  • User-facing bandwidth usage display
  • Bandwidth limit enforcement

Jobs that run in the background

JobWhen it runs
AddUserJobNew service created or reactivated
RemoveUserJobService suspended or terminated
UpdateSpeedLimitJobPlan speed limit changed
DeleteExpiredServiceConfigsJobService expires, cleanup configs
CreateConfigInitial config generation
InstallWireGuardNew server being provisioned

Manual installation

To set up WireGuard on an existing server: 
# On the VPN server
bash /path/to/wireguard-install.sh
After installation, add the server to StartMyVPN via Admin → Servers → Add Server and run the install scripts job.