open source · apache 2.0 · mcp server

TUNNELMIND

TALK TO YOUR VPN

An open source MCP server for WireGuard. Query peers, read logs, and manage policy through natural language — directly inside your AI assistant. No dashboards. No GUIs. Just ask.

↓ Get Started See How It Works
tunnelmind — claude desktop

What it does

NATURAL LANGUAGE
FOR WIREGUARD

🔍
Peer Visibility
Ask "who's connected right now?" and get structured peer data — public keys, endpoints, last handshake, transfer totals.
v1 · live
📄
Config Intelligence
Parse and query your wg0.conf in plain English. Private keys are always redacted — never exposed to the AI.
v1 · live
📋
Log Analysis
Pull recent WireGuard log entries from journald or syslog. Filter by errors, search by peer, or ask for a plain-English summary.
v1 · live
⚙️
Policy Chat
Describe what you want to change. Get a config diff back. Nothing applies without your explicit confirmation — always.
v1 · live
eBPF Telemetry
Kernel-level traffic visibility. Real-time packet drops, latency anomalies, and per-peer flow data via BCC/libbpf.
v2 · planned
🛡️
Threat Intel
OpenClaw integration — correlate peer anomalies with threat feeds. AI-assisted policy synthesis from observed traffic patterns.
v2.5 · roadmap

MCP Tools

FIVE TOOLS.
FULL CONTROL.

Tool
Description
Status
get_peers
List all WireGuard peers with status, last handshake, endpoint, and data transfer
v1
read_config
Read and parse wg0.conf — private keys automatically redacted before returning
v1
read_logs
Tail WireGuard logs from journald or syslog with optional error filtering
v1
suggest_policy
Convert natural language intent into a WireGuard config diff — never auto-applies
v1
apply_policy
Apply a staged policy change — requires explicit confirm=True as a safety gate
v1

What's coming

ROADMAP

V1
Core MCP Tools — Available Now
Peer visibility, config parsing, log reading, and policy chat. Works with Claude Desktop and any MCP-compatible AI assistant. Install via pip.
V2
eBPF Telemetry Provider
Kernel-level WireGuard visibility using BCC/libbpf. Real-time packet drops, per-peer latency, and anomalous traffic detection — all queryable in plain English.
V2.5
OpenClaw Threat Intelligence
Cross-reference peer anomalies with OpenClaw threat feeds. The AI can correlate eBPF-observed behavior with known threat signatures and suggest defensive policy changes.
V3
Policy Synthesis Engine
"Block all peers that haven't sent traffic in 30 days" becomes an auto-generated config diff based on eBPF-observed traffic history. Natural language → policy, grounded in real data.

// open source · free forever

GET EARLY ACCESS

Stay updated as TunnelMind evolves. No spam — just release notes and major milestones.

★ Star on GitHub hello@tunnelmind.ai security@tunnelmind.ai Contribute