VPN Settings
The VPN Settings screen shows the full WireGuard configuration for one device's connection to a specific network. Changes you save here are pushed to the Nettica server and synced to every other peer in the same network so they know how to reach this device.
You must be logged in and have admin or owner rights to edit another device's VPN settings. You can always view and edit your own device's configuration (no login required).
Enable / Disable
The toggle at the top of the screen enables or disables this VPN on the device. When disabled, the WireGuard tunnel is stopped but the configuration remains intact. Toggle it back on to reconnect without needing to re-configure anything.
Only one VPN can be enabled at a time on a device. Enabling a second VPN will disable the currently active one, and then enable the new VPN.
DNS Name
The DNS hostname that identifies this device within the network, for example laptop.home. Must follow standard DNS hostname rules: letters, digits, and hyphens only; no leading or trailing hyphens; maximum 63 characters per label. The full name may be up to 253 characters.
Endpoint
The public IP address and UDP port that other peers use to initiate a WireGuard connection to this device, in the format 203.0.113.1:51820. IPv6 addresses use the format [2001:db8::1]:51820.
Leave the endpoint blank if this device sits behind NAT and only connects outward — peers will reach it via keepalive packets instead.
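The DNS Name and Endpoint rules above can be checked before a configuration is saved. The following is an added example, not Nettica's own code; the function names are hypothetical, and it assumes endpoints are IP literals only, as this page describes them.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def valid_dns_name(name):
    """Apply the hostname rules listed under DNS Name."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in name.split("."))

def parse_endpoint(value):
    """Return (ip, port) for 'a.b.c.d:port' or '[v6]:port', None if blank.

    Blank is accepted because the page allows it for devices behind NAT.
    Anything else raises ValueError.
    """
    value = value.strip()
    if not value:
        return None
    if value.startswith("["):
        host, sep, port = value[1:].partition("]:")
        want_version = 6
    else:
        host, sep, port = value.rpartition(":")
        want_version = 4
    if not sep or not (port.isascii() and port.isdigit()):
        raise ValueError(f"expected IP:port, got {value!r}")
    ip = ipaddress.ip_address(host)  # rejects out-of-range octets, bad groups
    if ip.version != want_version:
        raise ValueError("address family does not match the bracket form")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"UDP port out of range: {port}")
    return ip, int(port)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real device.
    for name in ("laptop.home", "-laptop.home", "lap_top.home"):
        print(f"{name!r}: {valid_dns_name(name)}")
    for ep in ("203.0.113.1:51820", "[2001:db8::1]:51820", "256.0.113.1:51820", ""):
        try:
            print(f"{ep!r}: {parse_endpoint(ep)}")
        except ValueError as err:
            print(f"{ep!r}: rejected ({err})")
```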
Auto-detect Endpoint (wand icon)
If this is your own device's VPN, a wand icon appears at the right of the Endpoint field. Tapping it:
- Queries https://ip.nettica.com to discover your current public IP address.
- Assigns a random UDP port in the range 30000–60000.
- Attempts NAT-PMP port-forwarding on your router for that port.
- Fills the Endpoint field with the discovered address and port.
NAT-PMP must be available on your router for automatic port-forwarding to work. If NAT-PMP is not available, the endpoint is still set to your public IP and chosen port — but you will need to add the port-forward manually in your router settings.
The endpoint field is read-only for Service-type VPNs (relay and tunnel services). The server manages the endpoint for those connections.
Address
This device's VPN IP address (with CIDR prefix) within the VPN network, for example 10.0.0.5/32. Multiple addresses can be entered but are not recommended as mobile apps only support one address. Both IPv4 and IPv6 are supported.
DNS Provider
The DNS server(s) used while this VPN is active. Choose a preset provider from the dropdown (Cloudflare, Google, Quad9, etc.) or type a custom IP address or comma-separated list of addresses directly in the field. The custom value is saved as a "Custom" entry in the dropdown.
Allowed IPs
The IP ranges that are routed through this VPN tunnel. Common values are:
- 0.0.0.0/0, ::/0 — route all IPv4 and IPv6 traffic through the tunnel (full tunnel / tunnel service mode)
- 10.0.0.0/24 — route only traffic destined for the VPN's private subnet (split tunnel / relay mode)
For relay service peers the server populates this automatically. For your own device's entry in the peer list the field typically holds just your own VPN IP address.
Persistent Keepalive
How often (in seconds) other devices will send a keepalive packet to this device. This keeps the WireGuard session alive through NAT devices and firewalls that would otherwise close idle UDP connections. It is unnecessary to set a persistent keepalive if the device is not configured as an endpoint.
The recommended range is 17 to 23 seconds. A value of 0 disables keepalives. Keepalives are generally needed whenever this device is behind NAT and needs peers to be able to initiate connections to it.
MTU
Maximum Transmission Unit in bytes. Set to 0 to let WireGuard choose automatically (recommended). Reduce this value if you see packet fragmentation issues — common values are 1280, 1380, or 1420 depending on your network's overhead.
Read-Only Fields
At the bottom of the screen, the following information is shown but cannot be edited:
- On Demand — the current on-demand rule string, if configured (iOS/macOS only). Edit it from the main screen's sparkle icon.
- Included Apps — apps routed through the VPN when Per-App VPN is in Include mode (Android only).
- Excluded Apps — apps bypassing the VPN when Per-App VPN is in Exclude mode (Android only).
- Created / Updated — timestamps and the account that made each change.
Saving or Cancelling
Tap Save to validate all fields and push changes to the Nettica server. A spinner appears during the save. On success, a confirmation snackbar appears and the screen closes.
Tap Cancel to discard all edits and return to the previous screen without making any changes.
If you do not have admin rights, or you are not logged in, the save may fail with an error message.