WireGuard VPN

Built-in VPN for full server lockdown — restrict all access to VPN peers only.

WireGuard VPN Setup

Overview

iNetPanel includes WireGuard VPN as an optional full system lockdown mode. When enabled, it is not just the admin panel that is restricted — the entire server is locked down:

  • The only open port is UDP 1443 (WireGuard listen port) — all other ports are blocked
  • Admin panel, Client portal, and phpMyAdmin are inaccessible without an active VPN connection
  • FTP (vsftpd) is restricted to VPN peers only
  • SSH (port 1022) is restricted to VPN peers only
  • Websites are still publicly served via Cloudflare Zero Trust Tunnel — public traffic is unaffected
  • Combined with Cloudflare Tunnel, your server has zero publicly exposed management interfaces

This makes iNetPanel suitable for home networks, CGNAT environments, or any deployment where the server should be completely invisible from the public internet except through Cloudflare.

Setting up WireGuard

WireGuard can be set up during the initial installation wizard, or afterward:

inetp wireguard_setup

You'll be prompted for:

  • Listen port (default: 1443/UDP)
  • VPN subnet (default: 10.8.0.0/24)
  • Endpoint — your server's public hostname or IP for peer connections
  • Auto-peer — whether new hosting accounts automatically get a VPN peer

Adding VPN peers

From the admin panel: Settings → WireGuard → Add Peer

Or via CLI:

inetp wg_peer add myphone

This generates a peer config and displays a QR code for easy import into the WireGuard mobile app.

Viewing a peer's QR code

inetp wg_peer qr myphone

Scan the QR code with the WireGuard app on iOS or Android to import the configuration.

Removing a peer

inetp wg_peer delete myphone

Removing WireGuard entirely

inetp wireguard_uninstall

This removes the WireGuard interface and its configuration, and re-opens admin access without a VPN requirement.

⚠ Warning: If you enable WireGuard lockdown mode without first adding a peer for your device, you will be locked out of the admin panel. Always add at least one peer before enabling lockdown.
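One way to act on this warning before enabling lockdown is to confirm that at least one peer has actually completed a handshake, using WireGuard's own `wg show <interface> dump` output. This is an added example, not part of iNetPanel or its documentation; the interface name `wg0`, the 180-second freshness window, and the sample dump lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-lockdown check over `wg show <iface> dump` output.
# Assumptions (not from the page): interface name wg0, 180 s freshness window.

# check_wg_dump EXPECTED_PORT NOW_EPOCH [MAX_AGE_SECONDS]
# Reads the tab-separated dump on stdin, prints one status line,
# and returns 0 only when a peer has completed a recent handshake.
check_wg_dump() {
    awk -F '\t' -v port="$1" -v now="$2" -v max_age="${3:-180}" '
        # Line 1 is the interface: private-key, public-key, listen-port, fwmark
        NR == 1 { seen_port = $3; next }
        # Peer lines: public-key, preshared-key, endpoint, allowed-ips,
        #             latest-handshake, transfer-rx, transfer-tx, keepalive
        NF >= 8 {
            peers++
            # latest-handshake is a Unix timestamp; 0 means never connected
            if ($5 > 0 && now - $5 <= max_age) fresh++
        }
        END {
            if (seen_port != port) { print "FAIL listen-port=" seen_port " expected=" port; exit 2 }
            if (peers == 0)        { print "FAIL no peers configured"; exit 3 }
            if (fresh == 0)        { print "FAIL " peers " peer(s), none with a recent handshake"; exit 4 }
            print "OK " fresh "/" peers " peer(s) with a recent handshake"
        }'
}

# Constructed sample dump: keys are placeholders, addresses are documentation ranges.
sample_dump() {
    printf 'PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY\t1443\toff\n'
    printf 'PEER1_PUBKEY\t(none)\t203.0.113.7:51820\t10.8.0.2/32\t1700000040\t9120\t18344\toff\n'
    printf 'PEER2_PUBKEY\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n'
}

# Demo on the constructed sample (60 s after PEER1's handshake).
sample_dump | check_wg_dump 1443 1700000100

# Live use (as root): wg show wg0 dump | check_wg_dump 1443 "$(date +%s)"
```

A non-zero exit means the device you plan to administer from has not proven it can connect, so lockdown should wait.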