WireSock Secure Connect — Advanced Configuration Parameters
NOTE
This documentation describes the advanced parameters for VPN Client – WireSock Secure Connect, intended for situations where you prefer to edit configuration files manually.
All of the parameters shown here can also be set through the GUI version of WireSock Secure Connect, which you can download from our official site. See the step-by-step GUI instructions here.
The WireSock VPN Client lets you fine-tune your tunnel by enabling you to:
- Define the traffic scope that should be routed through the VPN.
- Specify applications permitted to use (or excluded from) the tunnel.
- Exclude IP addresses or ranges from the VPN.
- Route the WireGuard handshake via a SOCKS 5 proxy for extra obfuscation.
WireSock-specific directives live in the same WireGuard .conf file that holds your standard [Interface] and [Peer] blocks. A full overview of generic WireGuard syntax is available here.
Compatibility Prefix
To ensure the configuration remains compatible with third-party WireGuard clients that do not recognize WireSock-specific directives, you can prefix any WireSock-only line with #@ws:. The WireSock client will parse these lines, while other clients treat them as harmless comments.
# Standard WireGuard options ...
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
#@ws:DisallowedApps = Discord
#@ws:Socks5Proxy = proxy.example.com:1080WireSock-Specific Parameters
(The following sections include only parameters unique to WireSock Secure Connect)
AllowedApps (Optional)
Define the applications that are authorized to use the VPN tunnel.
GUI equivalent: this setting corresponds to the “Tunneled applications” section in the WireSock Secure Connect interface.
Specify your applications by listing them separated by commas. It’s not necessary to include the .exe extension for process names. If your entry includes slashes (/) or backslashes (\), the system will recognize it as a full pathname. Providing a full pathname allows you to target a specific folder, automatically including all executables within that directory for convenience.
NOTE
If not set, the VPN tunnel is available to all applications.
Examples:
- Full path:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - Process names:
chrome, msoffice, firefox - All applications in Program Files folder:
C:\Program Files
Dependency: Must be paired with AllowedIPs to define the scope of traffic for these applications.
Example of confuguration:
[Interface]
PrivateKey = [Your Private Key Here]
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 94.140.14.14, 94.140.15.15
MTU = 1420
[Peer]
PublicKey = [Peer Public Key Here]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [VPN Endpoint Here]:51820
AllowedApps = chrome, msoffice
DisallowedIPs = 192.168.1.0/24DisallowedApps (Optional)
List the applications that are barred from using the VPN tunnel.
GUI equivalent: this setting corresponds to the “Non-tunneled applications” section in the WireSock Secure Connect interface.
Provide your applications by listing them separated by commas. Including the .exe extension for process names is not necessary. If an entry contains slashes (/) or backslashes (\), the system will interpret it as a full pathname. Specifying a full pathname allows you to target a specific folder, automatically excluding all executables within that directory for convenience.
NOTE
If both AllowedApps and DisallowedApps are specified, AllowedApps is prioritized and evaluated first.
Examples:
- Full path:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - Process names:
chrome, msoffice, firefox - All applications in Program Files folder:
C:\Program Files
Example of configuration:
[Interface]
PrivateKey = [Your Private Key Here]
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 94.140.14.14, 94.140.15.15
MTU = 1420
[Peer]
PublicKey = [Peer Public Key Here]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [VPN Endpoint Here]:51820
AllowedApps = C:\Program Files
DisallowedApps = msoffice
DisallowedIPs = 192.168.1.0/24DisallowedIPs (Optional)
Identify IP addresses and ranges that should not use the VPN tunnel.
GUI equivalent: this setting corresponds to the “Non-tunneled networks/addresses” section in the WireSock Secure Connect interface.
This parameter excludes specified IP addresses and ranges from the tunnel.
List the IPs and ranges separated by commas, such as 1.1.1.1, 192.168.1.0/24.
For example, if you want to access your local network, you can exclude it from the tunnel by adding 192.168.1.0/24 to the DisallowedIPs parameter.
NOTE
If AllowedApps is configured, DisallowedIPs will prevent the listed IPs and ranges from being tunneled for those applications.
Example of configuration:
[Interface]
PrivateKey = [Your Private Key Here]
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 94.140.14.14, 94.140.15.15
MTU = 1420
[Peer]
PublicKey = [Peer Public Key Here]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [VPN Endpoint Here]:51820
AllowedApps = C:\Program Files
DisallowedIPs = 192.168.1.0/24, 1.1.1.1SOCKS5 Proxy
For users needing to route their WireGuard handshake through a SOCKS5 proxy, additional parameters are provided:
- Socks5Proxy: Set the SOCKS5 proxy endpoint, e.g.,
socks5.sshvpn.me:1080or an IP-based endpoint like13.134.12.31:1080. - Socks5ProxyUsername: (Optional) Specify the proxy username.
- Socks5ProxyPassword: (Optional) Specify the proxy password.
- Socks5ProxyAllTraffic: (Optional) When set to
true(e.g.,Socks5ProxyAllTraffic = true), it forces all WireGuard traffic through the SOCKS5 proxy, effectively masking it from DPI detection.
Example of configuration:
[Interface]
PrivateKey = [Your Private Key Here]
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 94.140.14.14, 94.140.15.15
MTU = 1420
[Peer]
PublicKey = [Peer Public Key Here]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [VPN Endpoint Here]:51820
Socks5Proxy = socks5.sshvpn.me:1080
Socks5ProxyUsername = myusername
Socks5ProxyPassword = mypassword
Socks5ProxyAllTraffic = true