Features
This section details all the app's existing features and behaviors.
Adding tunnel configs
There are multiple ways tunnel configs can be added to the app.
After clicking the floating action button on the main screen, the following options are available:
Upload a .conf file
Upload a zip containing .conf files (like an export from WG Tunnel or the official app)
Scan a QR code (Mobile only)
This option will upload the tunnel with a randomly generated name.
Create one from scratch
AmneziaWG Support
WG Tunnel fully supports a fork of WireGuard called AmneziaWG. AmneziaWG is based off of WireGuard, but adds obfuscation to WireGuard's packet signatures to prevent deep packet inspection (DPI) systems from censoring WireGuard traffic.
One of the key differences (from a user perspective) between WireGuard and Amnezia is Amnezia adds additional properties to the standard WireGuard configuration format. Without these properties populated, Amnezia will fall back to using standard WireGuard and the packet signature obfuscation will not be applied.
How to convert an existing WireGuard config to Amnezia
Open the tunnel setting screen by long pressing on a tunnel and clicking the gear icon.
Click the edit tunnel floating action button and select the Amnezia option.
The shared WireGuard properties will already be populated. Populate the addition empty Amnezia properties with the follwing data:
Junk packet count: 7 (can be anywhere between 1-128)
Junk packet minimum size: 50 (must be less than junk packet maximum size)
Junk packet maximum size: 1000 (must be less than 1280)
Init packet junk size: 0
Response packet junk size: 0
Init magic packet header: 1
Response packet magic header: 2
Underload packet magic header: 3
Transport packet magic header: 4
Alternatively, these values can be added to the .conf file before import:
When using an Amnezia server, this values will be different and should match the server values.
Auto-tunneling
Auto-tunneling is the core feature of the application. It allows users to automate which tunnel will be active under certain network circumstances.
A core concept when using auto-tunneling is setting a primary tunnel.
Setting a primary tunnel can be accomplished by doing a long-press on the desired tunnel config on the main screen and clicking the gear icon.
There are three auto-tunneling modes that can be used in combination or individually:
Tunnel on mobile data
The app detects when the device has switched to using mobile data and turns on the tunnel.
Common use case: Connecting to home server whenever leaving the house
Tunnel on ethernet.
The app detects when a device has switched to an ethernet connection and turns on the tunnel.
Common use case: AndroidTV devices (especially portable ones)
Tunnel on untrusted wifi (Location required)
The app detects when the device has connected to a new Wi-Fi network. If the network name (SSID) is not in the list of trusted network names, start the tunnel.
Common use case: Disable the tunnel on my home (trusted) network, but enable it when I connect to any public Wi-Fi network.
Auto-tunneling to a specific tunnel by wifi name and/or mobile data
A common scenario is when a user wants to use a specific tunnel config when they are connected to certain networks.
WG Tunnel now allows users to configure each tunnel to be used on specific Wi-Fi networks and/or mobile data. Tunnels configured with these settings will be prioritized over the primary tunnel if the app detects a match.
To configure:
Long press on the tunnel config you would like to configure from the main screen
Click the gear icon
Add a Wi-Fi name where you would like to prioritize using this tunnel or turn on mobile data if this is your mobile data specific tunnel.
WG Tunnel auto-tunneling will now prioritize using this specific tunnel if it detects a matching network scenario.
Auto-tunneling override
Auto-tunnel override is a feature of WG Tunnel that allows users to temporarily pause (override) auto-tunneling to toggle a tunnel.
The status of the override can be viewed on the main screen of the app when auto-tunneling is enabled.
There are two statuses:
active: auto-tunneling is active and controlling tunnel state
paused: auto-tunneling is paused by the user who can now toggle tunnels freely without fully turning off auto-tunneling from the settings screen.
This feature can be activated three different ways:
Clicking the pause button from the main screen
Toggling a tunnel via quick tile
Toggling a tunnel via shortcut/intent
It is common for users to need to manually toggle a tunnel quickly in certain situations when auto-tunneling is active. This temporary override was created to meet this need.
Split tunneling
Split tunneling is a feature that allows a user to route only selected app's traffic through the tunnel. Currently, this is configured on a per-tunnel basis.
A common use-case could be that a user wants apps that only function in another country to be tunneled to a VPN server in that country while all other apps use the normal network.
To configure split tunneling:
Long press on a tunnel config to show options
Press the gear icon to navigate to the tunnel setting screen
Press the pencil floating action button to edit the tunnel config values
At the bottom of the Interface section is a Tunneling apps to open the tunneling apps selection dialog.
Select which apps to either include or exclude from the tunnel
Click Done
Click the floating action button to save
Auto restart on boot
Auto start on boot happens automatically under the following conditions:
Auto-tunneling enabled with auto start auto tunneling again on reboot.
A tunnel was manually activated before reboot will restart that tunnel after reboot.
Always-on VPN is enabled will auto start your primate tunnel on reboot.
This feature will automatically restart the auto-tunneling service on boot if the phone has been shutdown or rebooted.
Restart on ping fail (beta)
This feature attempts to restart the tunnel if it is failing to ping your server. This feature is still in beta and will likely change in the future.
Pings vpn server address on an interval: 1-minute(s)
Cooldown after a failed ping/restart is triggered: 60-minute(s)
Enable app lock
This feature allows the user to set an app-specific pin when launching WG Tunnel.
The primary use case for this feature is to serve as a parental control mechanism to prevent phone users from being able to disable auto-tunneling.
To config:
Navigate to app settings
Toggle "Enable app lock"
Set your pin
Tunnel statistics
Clicking on a tunnel while it is running will show per peer tunnel statistics including:
Rx in MB
Tx in MB
Last successful handshake in seconds
First characters of peer public key
Quick tile settings
Quick tile settings is a feature of WG Tunnel that allows users to quickly control and see the status of the active tunnel without opening the app.
There are two tiles available. One is for toggling the currently active and/or primary tunnel. The other tile is for toggling the state of auto-tunneling from pause/resume.
Always-on VPN
Turning on the Always-On VPN setting (mobile only) in WG Tunnel allows the Android OS to control your primary tunnel (or an app selected tunnel if no primary is set) through the Android OS Always-On VPN feature.
Android will attempt to keep the tunnel always connected.
An added benefit to Always-On VPN is the ability to use the Block connections without VPN native Android feature for added security, but this will prevent split tunneling from working properly.
Exporting tunnel configs
WG Tunnel offers the ability to export all of your tunnel configurations to a zip folder (mobile only).
Navigate to the Settings screen.
Click
Export configsnear the bottom of the screen.Complete the biometrics prompt.
All configs are now saved to the Downloads folder on your device in a zip folder called
wg-export_<timestamp>.zip.
Kernel Module Support
If you are on a rooted device, WG Tunnel also supports the use of WireGuard's native kernel implementation on Android (mobile only). This has some performance benefits, but it has been known to be less reliable than the userspace implementation.