__ _____ _ _
\ \ / / __|| || |
\ V /| _| | || |__
\_/ |___||_||____|
Deploy and manage WireGuard VPN servers on AWS from the command line.

veil bootstraps a hardened EC2 instance running WireGuard and generates the client configurations locally; all keys stay on your machine.
Features:

- One-command VPN: `veil make` deploys a fully configured WireGuard server
- Local config generation: all keys are generated on your machine and never stored in the cloud
- QR codes: run `veil configs <name> --qr` to display scannable codes for your mobile devices
- Multi-peer: 1 peer by default, up to 5 via `--peers`, named `<vpn-name>-peer-N`
- Interactive TUI: minimal UI to list and manage your VPNs
- Pi-hole support: optional ad blocking at the DNS level, because why not
- DNS logging: optional query logging for debugging, for the extra paranoid
- Cross-platform: builds for macOS, Linux, and Windows
Requirements:

- AWS credentials configured (`~/.aws/credentials`, environment variables, or an IAM role)
- WireGuard client on your device
Build from source:

```sh
git clone https://github.com/initz3r0/veil.git
cd veil
make dev
./veil
```

Quick start:

```sh
# Deploys with defaults (t3.small, eu-west-1, 1 peer)
veil make

# Import the .conf into your WireGuard client or scan the QR code on mobile
veil configs <name> --qr

# When done
veil destroy <name>
```

Commands:

| Command | Description |
|---|---|
| `veil make` | Deploy a new VPN server |
| `veil destroy <name>` | Tear down a VPN server |
| `veil list` | Interactive TUI to manage VPNs |
| `veil activate <name>` | Start a stopped VPN server |
| `veil deactivate <name>` | Stop a running VPN server (saves costs) |
| `veil configs <name>` | List saved WireGuard configs |
| `veil version` | Print version |
Flags for `veil make`:

| Flag | Default | Description |
|---|---|---|
| `--name` | auto-generated | VPN name |
| `--region` | `eu-west-1` | AWS region |
| `--instance-type` | `t3.small` | EC2 instance type |
| `--peers` | `1` | Number of WireGuard peers (max 5) |
| `--dns-logging` | `false` | Enable DNS query logging |
| `--pihole` | `false` | Install Pi-hole ad blocker |
Flags for `veil configs`:

| Flag | Description |
|---|---|
| `--qr` | Display QR codes for all peers (scan with the WireGuard mobile app) |
| `--peer N` | Show the full config for peer number N only |
Global flags:

| Flag | Description |
|---|---|
| `--region` | Override the AWS region |
| `--profile` | AWS credentials profile name |
Defaults can be set in `~/.config/veil/config.toml`:

```toml
default_region = "eu-west-1"
default_instance_type = "t3.small"
default_peers = 1
```

WireGuard configs are saved to `~/.config/veil/configs/<vpn_name>/`.

For the required IAM policy, see `iam-policy.json`.
Security notes:

- No SSH key pair (use SSM Session Manager if you need shell access)
- IMDS is blocked from the tunnel via iptables and disabled after bootstrap (IMDSv2 only during setup)
- Each peer gets a unique preshared key for post-quantum forward secrecy
- The security group only opens UDP 51820 inbound
- WireGuard keys are generated locally; nothing key-related ever touches AWS
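The local key generation and multi-peer features listed above, together with the per-peer preshared key noted in this section, as an added Go example that is not veil's own code: it generates a distinct keypair and PSK for each `<vpn-name>-peer-N` using only the standard library and renders the client `.conf`. The 10.8.0.0/24 address plan, the DNS address and the endpoint IP are assumptions of the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Peer is one client's key material; PrivateKey and PSK are written only to the local .conf.
type Peer struct{ Name, PrivateKey, PublicKey, PSK, Address string }
var b64 = base64.StdEncoding.EncodeToString

// genKeys makes a base64 X25519 keypair plus a 32-byte PSK (as `wg genpsk` would) with the standard library only.
func genKeys() (priv, pub, psk string, err error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", "", "", err
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", "", "", err
	}
	return b64(k.Bytes()), b64(k.PublicKey().Bytes()), b64(raw), nil
}
// MakePeers gives each of n peers (1..5), named <vpn>-peer-N, its own keypair and PSK; the 10.8.0.0/24 plan is assumed.
func MakePeers(vpn string, n int) ([]Peer, error) {
	if n < 1 || n > 5 {
		return nil, fmt.Errorf("peers must be between 1 and 5, got %d", n)
	}
	var peers []Peer
	for i := 1; i <= n; i++ {
		priv, pub, psk, err := genKeys()
		if err != nil {
			return nil, err
		}
		peers = append(peers, Peer{fmt.Sprintf("%s-peer-%d", vpn, i), priv, pub, psk, fmt.Sprintf("10.8.0.%d/32", i+1)})
	}
	return peers, nil
}
// ClientConfig renders the .conf a peer imports or scans as a QR code; the server only ever sees PublicKey and PSK.
func ClientConfig(p Peer, serverPub, endpoint string) string {
	return fmt.Sprintf("[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = 10.8.0.1\n\n[Peer]\nPublicKey = %s\n"+
		"PresharedKey = %s\nEndpoint = %s:51820\nAllowedIPs = 0.0.0.0/0, ::/0\n", p.PrivateKey, p.Address, serverPub, p.PSK, endpoint)
}

func main() {
	_, srvPub, _, _ := genKeys() // the server keypair is generated locally too
	peers, _ := MakePeers("demo", 2)
	fmt.Print(ClientConfig(peers[0], srvPub, "203.0.113.10")) // endpoint is a constructed documentation IP
}
```

The server side would list each peer's PublicKey, PresharedKey and Address in its own `[Peer]` sections; the private keys never leave the machine that ran this.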
Logs:

Connect via SSM Session Manager:

```sh
aws ssm start-session --target <instance-id> --region <region>
```

Then, on the instance:

```sh
# dnsmasq query log (--dns-logging without Pi-hole)
tail -f /var/log/dns-queries.log

# Pi-hole query log (--pihole --dns-logging)
tail -f /var/log/pihole/pihole.log

# Bootstrap log (always present)
cat /var/log/veil-bootstrap.log
```

Planned: `veil logs <name>` will stream logs directly from the CLI without opening an SSM session.
If you find this project valuable and would like to support its mission, please consider instead making a donation to the good folks over at the Electronic Frontier Foundation (EFF.org) and the Signal Foundation (Signal.org), both of which work tirelessly to enable and defend digital privacy and free speech.