Skip to content


Repository files navigation

NOTE: New versions of Subspace

Subspace Commmunity

The most actively maintained fork of Subspace with a number of improvements.

WarpSpeed VPN

WarpSpeed VPN is an enhanced commercial rewrite of Subspace with a number of major improvements. It is free for personal use and for small open source projects. Designed to support the Subspace creator's new projects.

Subspace - A simple WireGuard VPN server GUI



Screenshot 1

Screenshot 2

Screenshot 3

Screenshot 4


  • WireGuard VPN Protocol
    • The most modern and fastest VPN protocol.
  • Single Sign-On (SSO) with SAML
    • Support for SAML providers like G Suite and Okta.
  • Add Devices
    • Connect from Mac OS X, Windows, Linux, Android, or iOS.
  • Remove Devices
    • Removes client key and disconnects client.
  • Auto-generated Configs
    • Each client gets a unique downloadable config file.
    • Generates a QR code for easy importing on iOS and Android.

Run Subspace on a VPS

Running Subspace on a VPS is designed to be as simple as possible.

  • Public Docker image.
  • Single static Go binary with assets bundled.
  • Automatic TLS using Let's Encrypt.
  • Redirects http to https.
  • Works with a reverse proxy or standalone.

1. Get a server

Recommended Specs

  • Type: VPS or dedicated
  • Distribution: Ubuntu 16.04 (Xenial)
  • Memory: 512MB or greater

2. Add a DNS record

Create a DNS A record in your domain pointing to your server's IP address.

Example: A

3. Enable Let's Encrypt

Subspace runs a TLS ("SSL") https server on port 443/tcp. It also runs a standard web server on port 80/tcp to redirect clients to the secure server. Port 80/tcp is required for Let's Encrypt verification.


  • Your server must have a publicly resolvable DNS record.
  • Your server must be reachable over the internet on ports 80/tcp and 443/tcp and 51820/udp (WireGuard).


Example usage:

$ subspace --http-host


  -backlink string
        backlink (optional)
  -datadir string
        data dir (default "/data")
        debug mode
        display help and exit
  -http-addr string
        HTTP listen address (default ":80")
  -http-host string
        HTTP host
        enable sessions cookies for http (no https) not recommended
        enable TLS using Let's Encrypt on port 443 (default true)
        display version and exit

Run as a Docker container

Install WireGuard on the host

The container expects WireGuard to be installed on the host. The official image is subspacecloud/subspace.

add-apt-repository -y ppa:wireguard/wireguard
apt-get update
apt-get install -y wireguard

# Remove dnsmasq because it will run inside the container.
apt-get remove -y dnsmasq

# Set DNS server.
echo nameserver >/etc/resolv.conf

# Load modules.
modprobe wireguard
modprobe iptable_nat
modprobe ip6table_nat

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

Follow the official Docker install instructions: Get Docker CE for Ubuntu

Make sure to change the --env SUBSPACE_HTTP_HOST to your publicly accessible domain name.

# Your data directory should be bind-mounted as `/data` inside the container using the `--volume` flag.
$ mkdir /data

docker create \
    --name subspace \
    --restart always \
    --network host \
    --cap-add NET_ADMIN \
    --volume /usr/bin/wg:/usr/bin/wg \
    --volume /data:/data \
    --env \

$ sudo docker start subspace

$ sudo docker logs subspace

<log output>

Updating the container image

Pull the latest image, remove the container, and re-create the container as explained above.

# Pull the latest image
$ sudo docker pull subspacecloud/subspace

# Stop the container
$ sudo docker stop subspace

# Remove the container (data is stored on the mounted volume)
$ sudo docker rm subspace

# Re-create and start the container
$ sudo docker create ... (see above)

Help / Reporting Bugs

Not (currently) available. Coming soon.