A fully OS-agnostic Dart package to easily establish and manage local WireGuard VPN tunnels using the native OS CLI, with seamless auto-installation and privilege escalation on Windows, macOS, and Linux.
- OS-Agnostic Tunneling: Start and stop WireGuard tunnels seamlessly across Windows, macOS, and Linux.
- Intelligent Privilege Escalation: Automatically detects when Administrator/root privileges are required and cleanly prompts the user via UAC (Windows), TouchID/osascript (macOS), or pkexec (Linux).
- Auto-Installation: If the WireGuard binary is not installed on the host machine, the package can automatically download and install it in the background using the official MSI installer (Windows) or Homebrew (macOS).
- Zero-Trust Ready: Easily integrate into any application to establish secure VPN routing before executing sensitive network requests.
- Config Parsing: Parse and manipulate WireGuard
.conffiles entirely in Dart.
Add the package to your pubspec.yaml:
dependencies:
wireguard_tunnel: ^1.0.0Create a new tunnel instance and connect!
import 'package:wireguard_tunnel/wireguard_tunnel.dart';
void main() async {
// 1. Initialize the tunnel from a local .conf file
final tunnel = WireguardTunnel.fromFile(
'path/to/your/wg0.conf',
autoDownload: true, // Opt-in to auto-install the WireGuard client if missing
);
print('Starting tunnel...');
// 2. This will automatically request elevation (UAC/sudo) if needed!
await tunnel.startTunnel();
print('Tunnel is up!');
// ... Do your secure network requests over the VPN ...
print('Tearing down tunnel...');
// 3. Cleanly remove the interface
await tunnel.stopTunnel();
}You can also pass raw configuration strings if you don't have a .conf file on disk. The package will safely handle generating the temporary .conf file and cleaning it up after disconnecting.
final tunnel = WireguardTunnel.fromString('''
[Interface]
PrivateKey = aaaaaa
Address = 10.0.0.1/24
[Peer]
PublicKey = bbbbbb
Endpoint = 192.168.1.100:51820
AllowedIPs = 0.0.0.0/0
''');
await tunnel.startTunnel();If you are building a headless background daemon or service, you can run the tunnel completely silently without any GUI permission prompts (e.g. UAC on Windows, TouchID on macOS) by passing silent: true.
Important: Because WireGuard inherently requires OS-level network interface access, silent: true disables fallback permission prompts. If your application does not already have Administrator/root privileges, it will immediately throw an exception.
final tunnel = WireguardTunnel.fromFile(
'wg0.conf',
silent: true, // Fails quietly with an exception instead of showing GUI prompts
);To use silent: true successfully, you must launch your Dart application with elevated privileges from the start:
- Windows: Right-click your terminal (Command Prompt or PowerShell) and select Run as administrator, then execute
dart run. - macOS / Linux: Run your script using
sudo:sudo dart run.
If you are compiling your Dart program into an executable (or a Flutter Desktop app) and want to deploy it to end-users so it runs seamlessly in the background without them needing to open a terminal:
-
Windows:
- Compile your CLI app:
dart compile exe bin/my_app.dart - Create a Windows Shortcut (
.lnk) to your.exe. - Right-click the shortcut -> Properties -> Advanced -> Check "Run as administrator".
- Now, when the user double-clicks the shortcut, Windows will prompt for UAC once for the entire application, and WireGuard will run completely silently in the background!
- Compile your CLI app:
-
macOS / Linux (Launch Daemons): To run a background service seamlessly on boot, register your compiled executable as a
systemdservice (Linux) or alaunchddaemon (macOS). System services run asrootby default, granting the app full silent access to manage WireGuard tunnels without ever prompting the user.