Status: Active | Owner: @roof | Applies to: main (2026-06) | Updated: 2026-06-11
Admin – Manage Peers
A peer is a device or person that connects to your cell over WireGuard. Each peer gets a private key pair, a VPN IP address, and optionally an account on installed services.
Adding a peer
- Go to Peers in the sidebar.
- Click Add Peer.
- Enter a peer name (letters, digits, underscores, hyphens, dots — max 64 characters).
- Click Save. PIC generates a key pair and assigns the next available VPN IP automatically.
You should now see the new peer in the list with a VPN IP assigned.
Exporting a peer configuration
After adding a peer:
- Click the QR code icon to show the configuration as a QR code. The peer can scan it with the WireGuard mobile app.
- Click the Download icon to download the .conf file. The peer imports it into the WireGuard desktop app.
The configuration file contains the peer's private key. Treat it like a password. If a peer loses their configuration, you cannot retrieve the private key — delete the peer and create a new one.
Peer VPN IPs
VPN IPs are assigned sequentially from the WireGuard subnet (10.0.0.0/24). The cell's VPN address is 10.0.0.1. Peers start from 10.0.0.2.
The IP is automatically included in the exported config's AllowedIPs field.
Per-peer routing
From the peer's detail page, you can set the peer's exit connection (default, or a named connection from the Connectivity page). See Admin – Configure Connectivity for details.
You can also set the peer's fail-open override:
- null — use the type's default (fail-closed for VPN/SSH/proxy, fail-open for Tor)
- true — fall back to direct internet if the exit is down
- false — block traffic if the exit is down
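The following audit sketch is an added example, not PIC's own code. It applies the name rule, the peer IP range, and the fail-open resolution described on this page to a peer inventory, so an admin can see which peers would fall back to direct internet when their exit is down. The record fields (`name`, `vpn_ip`, `exit_type`, `fail_open`), the type labels, and the ASCII-only reading of "letters" are assumptions.

```python
import ipaddress
import re

# Rules from this page; record field names and ASCII-only letters are assumptions.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
SUBNET = ipaddress.ip_network("10.0.0.0/24")
CELL_IP = ipaddress.ip_address("10.0.0.1")
# Used when the override is null: fail-closed for VPN/SSH/proxy, fail-open for Tor.
TYPE_DEFAULT_FAIL_OPEN = {"vpn": False, "ssh": False, "proxy": False, "tor": True}

def effective_fail_open(exit_type, override):
    """Resolve the tri-state override (None/True/False) against the type default."""
    return TYPE_DEFAULT_FAIL_OPEN[exit_type] if override is None else override

def audit_peers(peers):
    """Return (peer name, finding) tuples for a list of peer records."""
    findings, seen = [], {}
    for p in peers:
        name = p["name"]
        if not NAME_RE.fullmatch(name):
            findings.append((name, "invalid name"))
        try:
            ip = ipaddress.ip_address(p["vpn_ip"])
        except ValueError:
            ip = None
        if ip is None or ip not in SUBNET or not CELL_IP < ip < SUBNET.broadcast_address:
            findings.append((name, "VPN IP outside peer range"))
        elif ip in seen:
            findings.append((name, f"VPN IP also assigned to {seen[ip]}"))
        else:
            seen[ip] = name
        # exit_type None means the peer uses the default exit (not evaluated here).
        if p["exit_type"] and effective_fail_open(p["exit_type"], p["fail_open"]):
            how = "type default" if p["fail_open"] is None else "explicit override"
            findings.append((name, f"fail-open via {how}"))
    return findings

# Constructed sample inventory, not output from a real cell.
SAMPLE_PEERS = [
    {"name": "alice-laptop", "vpn_ip": "10.0.0.2", "exit_type": "vpn", "fail_open": None},
    {"name": "bob.phone", "vpn_ip": "10.0.0.3", "exit_type": "vpn", "fail_open": True},
    {"name": "carol_tab", "vpn_ip": "10.0.0.4", "exit_type": "tor", "fail_open": None},
    {"name": "dave tv", "vpn_ip": "10.0.0.4", "exit_type": "tor", "fail_open": False},
    {"name": "erin", "vpn_ip": "10.0.0.1", "exit_type": None, "fail_open": None},
]

if __name__ == "__main__":
    for name, finding in audit_peers(SAMPLE_PEERS):
        print(f"{name}: {finding}")
```
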
Per-peer service access
From the service pages (for example /services/email, /services/calendar), you can provision or revoke a peer's account on that service. When a peer is deleted, all their service accounts are removed automatically.
Deleting a peer
- Go to Peers, find the peer, and click Delete.
- Confirm.
⚠️ Warning: Deleting a peer is immediate and irreversible. PIC removes the peer from wg0.conf, removes their accounts on all installed services, and revokes any cell-to-cell routing entries for that peer. The peer's WireGuard config (which they have on their device) stops working immediately.
Listing peers from the command line
```bash
# Run on: the cell server host, from /opt/pic
make list-peers   # calls the API and prints peer names and VPN IPs
make show-routes  # runs wg show inside the cell-wireguard container
```
Peer roles
Two roles exist:
| Role | Access |
|---|---|
| admin | Full access to all API endpoints and the admin dashboard |
| peer | Access to /api/peer/* only — their own dashboard and service credentials |
Peers created through the Peers page have the peer role. The admin account is created during setup. There can only be one admin; additional admins are not currently supported.