Peers
Three logical peer types exist:
Jump Peer
- Acts as central hub and router.
- Requires agent; enrollment token generated on creation.
- Has listen port + NAT interface.
- Provides routing for encapsulated traffic and additional allowed IP ranges.
Regular Dynamic Peer (Agent-Based)
- use_agent = true.
- Receives token; agent handles config updates, endpoints, heartbeat.
- Suitable for servers or managed hosts.
Regular Static Peer
- use_agent = false.
- Receives a one-time WireGuard config (private key never sent again outside config generation process).
- Ideal for phones, laptops, lightweight devices.
Common Fields
| Field | Description |
|---|---|
| name | Display name |
| address | Allocated from network CIDR |
| public_key | Peer WireGuard public key |
| endpoint | IP:Port when applicable |
| is_isolated | Isolation flag (no lateral regular peer traffic) |
| full_encapsulation | Route all traffic through jump peer |
| additional_allowed_ips | Extra CIDR ranges accessible via tunnel |
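The following is an added example, not code from the project: a consistency audit over exported peer records that uses the field names from the table above. The record shape (Python dicts), the names `audit_peers`, `_key` and `SAMPLE_PEERS`, and all sample addresses and keys are assumptions constructed for illustration.

```python
import base64
import ipaddress

def audit_peers(network_cidr, peers):
    """Return sorted (peer name, finding) pairs for a list of peer records."""
    net = ipaddress.ip_network(network_cidr)
    findings, seen_addr, seen_key = [], {}, {}
    for p in peers:
        name = p["name"]
        # address: must sit inside the network CIDR and be unique
        addr = ipaddress.ip_address(p["address"])
        if addr not in net:
            findings.append((name, f"address {addr} outside {net}"))
        if addr in seen_addr:
            findings.append((name, f"address reused from {seen_addr[addr]}"))
        seen_addr.setdefault(addr, name)
        # public_key: a WireGuard public key is 32 bytes, base64-encoded
        key = p["public_key"]
        try:
            valid = len(base64.b64decode(key, validate=True)) == 32
        except ValueError:  # binascii.Error is a ValueError subclass
            valid = False
        if not valid:
            findings.append((name, "public_key is not 32 bytes of base64"))
        elif key in seen_key:
            findings.append((name, f"public_key reused from {seen_key[key]}"))
        seen_key.setdefault(key, name)
        # additional_allowed_ips: must parse; review anything that widens reach
        for cidr in p.get("additional_allowed_ips", []):
            try:
                extra = ipaddress.ip_network(cidr)  # strict: rejects host bits
            except ValueError:
                findings.append((name, f"invalid CIDR {cidr}"))
                continue
            if extra.prefixlen == 0 and not p.get("full_encapsulation"):
                findings.append((name, f"{cidr} is a default route but full_encapsulation is false"))
            elif extra.prefixlen and extra.version == net.version and extra.overlaps(net):
                findings.append((name, f"{cidr} overlaps network {net}"))
    return sorted(findings)

def _key(n):  # constructed 32-byte value, not a real key
    return base64.b64encode(bytes([n]) * 32).decode()
SAMPLE_PEERS = [  # constructed inventory; record shape is an assumption
    {"name": "jump-1", "address": "10.8.0.1", "public_key": _key(1),
     "full_encapsulation": False, "additional_allowed_ips": ["192.168.50.0/24"]},
    {"name": "db-1", "address": "10.8.0.2", "public_key": _key(2),
     "full_encapsulation": False, "additional_allowed_ips": ["0.0.0.0/0"]},
    {"name": "phone", "address": "10.9.0.3", "public_key": _key(2),
     "full_encapsulation": True, "additional_allowed_ips": ["10.8.0.0/25", "10.1.1.1/24"]},
]
```

The overlap and default-route checks are review heuristics, not rules stated by the project: a range that overlaps the network CIDR or covers everything deserves a second look, particularly on a peer marked is_isolated.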
Tokens & Security
Tokens allow agent enrollment; they should be treated as secrets. Token revocation is accomplished by deleting the peer from the server, which immediately invalidates the token and prevents further agent enrollment or configuration updates.
Network access
See Captive Portal — every connection is re-authenticated and bound to the peer's full public endpoint, so a stolen WireGuard config used from a different network fails the check immediately.