WireGuard Setup for Players

Some challenges require you to connect to a private lab network to reach the target. These are called dynamic or lab challenges. When you spawn one, the platform generates a personal WireGuard configuration that tunnels your traffic directly to the challenge container.

Only for lab/dynamic challenges

Static challenges (download-and-solve) do not need a VPN. If a challenge does not show a "Spawn" button, skip this guide entirely.

Labs must be enabled

This feature is only available if the organiser has turned on lab support. If you do not see a spawn option on a dynamic challenge, the organiser may not have labs enabled for this event.


How isolation works

Each team (or solo player) gets its own principal — the platform's word for a scoring identity. When you spawn a lab, the platform:

  1. Creates a Docker network dedicated to your principal.
  2. Issues you a unique WireGuard keypair; the server registers your public key so only your WireGuard peer can route to your container's IP.
  3. Enforces that rule in iptables: packets from any other WireGuard peer are dropped by the firewall before they reach your container.

In plain terms: your lab is yours. Another team cannot reach your container even if they somehow learned its IP.


Step 1 — Install the WireGuard client

Choose the client for your operating system:

On Linux, most distributions ship WireGuard in their package manager:

# Debian / Ubuntu
sudo apt install wireguard-tools

# Fedora / RHEL
sudo dnf install wireguard-tools

# Arch
sudo pacman -S wireguard-tools

Official page: https://www.wireguard.com/install/

On macOS, install from the Mac App Store or Homebrew:

brew install wireguard-tools

GUI client: https://apps.apple.com/app/wireguard/id1451685025

Download the installer from: https://www.wireguard.com/install/

The GUI client lets you import .conf files with a single click.


Step 2 — Spawn the challenge instance

  1. Navigate to the challenge detail page.
  2. Click the Spawn button. The platform starts your container and generates your WireGuard keys.
  3. Wait for the confirmation message (typically a few seconds).

Step 3 — Download your WireGuard config

After spawning, go to /dispatch/instances (or the "Instances" link in the navigation). You will see a card for your running instance.

Each team member gets their own config slot (the organiser configures how many, typically up to 4). Find the slot for your position and click the Download link. The file is named wg-player-N.conf (e.g. wg-player-1.conf, wg-player-2.conf) and contains your unique private key, VPN IP address, and the server's public key and endpoint.

Re-download after a reset

If you reset or destroy and respawn the instance, a new keypair is generated. The old config file will no longer work — download a fresh one from /dispatch/instances after each respawn.


Step 4 — Import and activate the tunnel

# Activate (use the filename you downloaded, e.g. wg-player-1.conf)
sudo wg-quick up ./wg-player-1.conf

# Deactivate when done
sudo wg-quick down ./wg-player-1.conf

The config uses a split tunnel: only traffic to the challenge's lab subnet is routed through WireGuard. Your normal internet traffic is unaffected.

  1. Open the WireGuard app.
  2. Click Import Tunnel (or the + button on mobile).
  3. Select the .conf file you downloaded.
  4. Toggle the tunnel on.

The same split-tunnel behaviour applies when the config is imported into the app.


Step 5 — Confirm connectivity

After activating the tunnel, ping the challenge IP shown on the instance card:

ping <challenge-ip>

If the ping succeeds, you are connected. Open the service in your browser or connect with nc/curl as described on the challenge page.

If the ping fails, check:

  • The tunnel is actually active in the WireGuard app.
  • You downloaded the config after spawning (not a stale file from a previous spawn).
  • The instance is still running (check /dispatch/instances; instances expire after the time-to-live shown on the card).

Step 6 — Tear down when done

Leaving the tunnel active when you are not using it is harmless but wastes a VPN slot. To stop:

sudo wg-quick down ./wg-player-1.conf

Or, if you use the WireGuard app, toggle the tunnel off there.

You can also Destroy the instance from /dispatch/instances once you have solved the challenge (or if you want to free the slot for another attempt).


Reference: what the config file contains

[Interface]
PrivateKey = <your unique private key>
Address = <your VPN IP>/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server public key>
Endpoint = <vpn-host>:51820
AllowedIPs = <your lab subnet>     # only lab traffic goes through the tunnel
PersistentKeepalive = 25

The AllowedIPs entry is set to your team's lab subnet — not 0.0.0.0/0 — so browsing the internet works normally while the tunnel is up.
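
A pre-flight check for the downloaded file, added here as an example (not the platform's own code): it parses a wg-player-N.conf in the layout shown above and reports when AllowedIPs is a full tunnel, when the challenge IP from the instance card falls outside AllowedIPs, or when Address is not a single /32. The hostname and addresses in the sample are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout shown above; key, host and addresses are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <redacted>
Address = 10.13.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.org:51820
AllowedIPs = 10.42.7.0/24     # only lab traffic goes through the tunnel
PersistentKeepalive = 25
"""

def parse_conf(text):
    """Return {section: {key: value}} for a single-peer wg-quick file."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section:
            key, value = line.split("=", 1)      # base64 keys end in '=': split once
            conf[section][key.strip()] = value.strip()
    return conf

def audit(text, challenge_ip=None):
    """Return a list of findings; an empty list means the file matches the reference."""
    conf, findings = parse_conf(text), []
    allowed = conf.get("Peer", {}).get("AllowedIPs", "")
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in allowed.split(",") if n.strip()]
    if not nets:
        findings.append("no AllowedIPs: nothing is routed into the tunnel")
    for net in nets:
        if net.prefixlen == 0:                   # 0.0.0.0/0 or ::/0
            findings.append(f"{net} is a full tunnel, not the lab-only split tunnel")
    if challenge_ip and not any(ipaddress.ip_address(challenge_ip) in n for n in nets):
        findings.append(f"{challenge_ip} is outside AllowedIPs: this config will not route to it")
    addr = conf.get("Interface", {}).get("Address", "")   # single address, as on this page
    if addr and ipaddress.ip_interface(addr).network.prefixlen != 32:
        findings.append(f"Address {addr} is wider than the single /32 issued to a player")
    return findings
```

To check a real download, pass the file's text and the IP from the instance card, e.g. audit(open("wg-player-1.conf").read(), "<challenge-ip>").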


Troubleshooting

| Symptom | Likely cause | Fix |
| --- | --- | --- |
| Ping to challenge IP fails immediately | Tunnel not active, or wrong config file | Check WireGuard app is toggled on and file matches current spawn |
| Tunnel activates but no handshake | Stale config from a previous spawn | Destroy and respawn; download the new config |
| "Permission denied" on wg-quick | Need root/sudo on Linux | Run with sudo |
| Instance card shows "expired" | TTL reached | Click Respawn (or Destroy then Spawn) and re-download config |
| Multiple team members need access | Each needs their own slot | Up to the per-event player limit; each downloads their numbered config |