AutoGuard VPN
AutoGuard VPN is a fully self-hosted, containerized VPN stack. It provides automated peer registration via a secure API, network-wide ad blocking through Pi-hole, and private recursive DNS resolution via Unbound — all running on a single Docker host.
Features
- Zero-touch client onboarding — run one script on Linux or Windows to connect
- Ad-blocking DNS — Pi-hole intercepts all VPN client DNS queries
- Recursive DNSSEC DNS — Unbound resolves from root servers with no third-party DNS in the chain
- Hot peer reload — `inotifywait` loads new peers into WireGuard without restarting any container
- Timing-safe token auth — `secrets.compare_digest` prevents timing attacks on peer registration
Network Topology
Quick Start
```bash
git clone https://github.com/ElvinSuleymanov/AutoGuard-VPN.git
cd AutoGuard-VPN
chmod +x setup.sh
./setup.sh
```

After setup.sh completes, copy ./scripts/setupclient.sh (Linux) or ./scripts/setupclient.ps1 (Windows) to each client and run it as root/Administrator.
Service Summary
| Service | Image | IP | Exposed Port | Role |
|---|---|---|---|---|
| wireguard | custom | 172.29.144.10 | 51820/udp | WireGuard VPN server |
| unbound | mvance/unbound | 172.29.144.20 | none | Recursive DNS |
| pihole | pihole/pihole | 172.29.144.30 | 65231/tcp | Ad-blocking DNS |
| nginx-proxy | nginx:alpine | 172.29.144.40 | 443/tcp | TLS reverse proxy |
| auth-service | custom FastAPI | 172.29.144.50 | none | Peer registration API |
WireGuard clients receive IPs in 10.13.26.0/24 starting at 10.13.26.2, supporting up to 253 peers.
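
The timing-safe token check from the feature list and the 10.13.26.0/24 peer pool described above can be sketched together as follows. This is an added example, not AutoGuard's own code: the function names, the in-memory `peers` dict and the treatment of 10.13.26.1 as reserved are assumptions made for illustration.

```python
import base64
import binascii
import ipaddress
import secrets

# Values from the README: client pool 10.13.26.0/24, first client at .2.
POOL = ipaddress.ip_network("10.13.26.0/24")
FIRST_CLIENT = ipaddress.ip_address("10.13.26.2")


class RegistrationError(Exception):
    """Raised when a registration request is rejected."""


def token_ok(presented: str, expected: str) -> bool:
    # compare_digest on str raises TypeError for non-ASCII input, so compare
    # UTF-8 bytes; the comparison time does not depend on where they differ.
    return secrets.compare_digest(presented.encode(), expected.encode())


def valid_pubkey(key: str) -> bool:
    # A WireGuard public key is 32 bytes, base64-encoded (44 characters).
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def register_peer(token: str, pubkey: str, expected_token: str, peers: dict) -> str:
    """Return the tunnel IP for pubkey; peers maps pubkey -> IP (hypothetical store)."""
    # Authenticate first so unauthenticated callers learn nothing else.
    if not token_ok(token, expected_token):
        raise RegistrationError("invalid token")
    if not valid_pubkey(pubkey):
        raise RegistrationError("malformed public key")
    if pubkey in peers:            # re-registration keeps the same address
        return peers[pubkey]
    used = set(peers.values())
    for host in POOL.hosts():      # .1 through .254
        if host >= FIRST_CLIENT and str(host) not in used:
            peers[pubkey] = str(host)
            return peers[pubkey]
    raise RegistrationError("address pool exhausted")
```
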