← Back to Docs

WireGuard Server

What It Does

TLSOps includes a built-in WireGuard server. Remote devices — phones, laptops, or any other device away from your home network — connect back through this server and appear in your device list alongside LAN devices. They inherit the same content filtering and per-device VPN routing policy as local devices.

WireGuard server profiles are available on Starter and higher plans. The Free plan does not include WireGuard server profiles.

Prerequisites

  • An active Starter, Pro, or Ultimate plan license (or within your plan's profile limit)
  • A port forwarded to the TLSOps machine for the WireGuard server (default: UDP 51820), or a direct public IP
  • The WireGuard Server feature enabled in the dashboard

Blunt prerequisite: TLSOps does not test your router, ISP, or CGNAT situation during setup. If you want remote WireGuard access, you must already know that this appliance has a reachable public IP or that your router forwards the chosen UDP port to it.

Issuing a Client Profile

  1. Go to the VPN Server tab in the dashboard
  2. Click New Profile
  3. Enter a name for the profile — for example Ali's iPhone or Work Laptop
  4. Click Create — the profile is generated immediately
  5. Scan the QR code from the WireGuard mobile app, or click Download Config to save the .conf file for desktop clients

Installing the Profile on a Device

iOS / Android: Open the WireGuard app → tap the + button → select Create from QR code → scan the code shown in the dashboard.

macOS / Windows / Linux: Download the .conf file from the dashboard → open the WireGuard app → import the configuration file.

Once connected, an unlinked profile appears as its own entry in Devices and Telemetry using a VPN-subnet IP. If you link the profile to a known device in the dashboard, VPN activity stays attached to that device and the same per-device routing and filtering rules carry over on and off the home network.

Managing Profiles

  • To revoke a profile, open the profile card and click Delete — the device can no longer connect
  • To rename a profile, open the profile card and click Edit
  • Each profile corresponds to one profile limit on your plan

Port Forwarding

For remote devices to reach the WireGuard server, UDP port 51820 must be forwarded from the public IP your router uses to the TLSOps machine's LAN IP. Configure this in your router's port-forwarding settings. If your ISP uses CGNAT, you may need a VPS relay — contact support for guidance.

If a remote client cannot connect, do not assume TLSOps can diagnose it for you. Check the public IP or DNS name in the profile, confirm the router forward targets the TLSOps machine, verify local firewall rules, and confirm your ISP is not placing the connection behind CGNAT.