# wireguard-server

VPN ingress for edges and remote ops. **Cloud-only stack.**

- **Networks**: `edge` (the only non-nginx public ingress) + `mgmt` (admin access into the tunnel network)
- **Host port**: `udp/51820`
- **Why not behind nginx?** WireGuard is connectionless UDP; peers are identified by their keys, not by a connection, and every packet is routed by its cryptokey. Proxying it through nginx-stream breaks NAT traversal and MTU handling and adds no security benefit, because authentication and encryption already happen inside WireGuard. It therefore publishes its port directly.
- **Peers**: managed via `wg-server-config/peer_*` config files. Each edge gets exactly one peer entry (its own key pair).
- **TODO**: peer onboarding workflow, AllowedIPs split-tunnel decisions per peer
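As an added illustration of the per-peer layout (example config, not a file from this repo), here is what the server interface and one `peer_*` file could look like. The tunnel addresses, the key placeholders, the file names and the `wg addconf` loading step are assumptions; only the `udp/51820` port and the one-peer-per-edge rule come from this README.

```ini
# Hypothetical server interface (wg0.conf); not a file from this repo.
[Interface]
Address    = 10.90.0.1/24          # assumed tunnel address of the hub
ListenPort = 51820                 # matches the published udp/51820 host port
PrivateKey = <server-private-key>  # placeholder; never commit a real key

# Hypothetical wg-server-config/peer_edge01.conf, one [Peer] per edge.
# On the server, AllowedIPs is the cryptokey-routing ACL: a packet that
# arrives authenticated under this PublicKey is dropped unless its source
# address falls inside AllowedIPs, so a /32 stops one edge from spoofing
# another edge's tunnel address. Keep it as narrow as the edge needs.
[Peer]
PublicKey  = <edge01-public-key>   # placeholder
AllowedIPs = 10.90.0.11/32

# Assumed loading step (appends peers to the live interface, no restart):
#   for f in wg-server-config/peer_*.conf; do wg addconf wg0 "$f"; done
# Removing a peer: wg set wg0 peer <edge01-public-key> remove
```

The split-tunnel decision in the TODO lives on the edge side of the same setting: an edge whose own `[Peer]` block has `AllowedIPs = 10.90.0.0/24` sends only tunnel traffic through the server, while `0.0.0.0/0` turns it into a full tunnel. The server-side /32 above is unaffected by that choice.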