From 2f87fc05f20f4bfcbc3d06bb852b3f744cb7c2c6 Mon Sep 17 00:00:00 2001
From: x0sina <bulletsina77@gmail.com>
Date: Wed, 6 May 2026 14:50:06 +0330
Subject: [PATCH 1/3] feat(settings): add wireguard_enabled flag to general
 settings and update subscription logic

- Introduced `wireguard_enabled` boolean in the General settings model to control WireGuard functionality.
- Updated subscription operations to check the `wireguard_enabled` flag before processing WireGuard requests.
- Enhanced user interface to include a toggle for enabling/disabling WireGuard in the settings dashboard.
- Adjusted localization files to support new WireGuard settings descriptions.
---
 app/models/settings.py                        |   1 +
 app/operation/subscription.py                 |  10 +-
 app/settings/__init__.py                      |  10 ++
 app/subscription/share.py                     |   5 +
 app/utils/wireguard.py                        |  17 ++
 dashboard/public/statics/locales/en.json      |   4 +
 dashboard/public/statics/locales/fa.json      |   4 +
 dashboard/public/statics/locales/ru.json      |   4 +
 dashboard/public/statics/locales/zh.json      |   4 +
 .../src/components/dialogs/user-modal.tsx     | 163 +++++++++---------
 .../src/pages/_dashboard.settings.general.tsx |  28 ++-
 dashboard/src/service/api/index.ts            |   1 +
 tests/api/conftest.py                         |   2 +-
 tests/api/test_user.py                        |  58 ++++++-
 14 files changed, 228 insertions(+), 83 deletions(-)

diff --git a/app/models/settings.py b/app/models/settings.py
index ba20305dd..f4ae77dd9 100644
--- a/app/models/settings.py
+++ b/app/models/settings.py
@@ -288,6 +288,7 @@ def validate_recommended_apps(cls, v: list[Application]) -> list[Application]:
 class General(BaseModel):
     default_flow: XTLSFlows = Field(default=XTLSFlows.NONE)
     default_method: ShadowsocksMethods = Field(default=ShadowsocksMethods.CHACHA20_POLY1305)
+    wireguard_enabled: bool = Field(default=True)
 
 
 class SettingsSchema(BaseModel):
diff --git a/app/operation/subscription.py b/app/operation/subscription.py
index c8c59e3b9..54c4d26b4 100644
--- a/app/operation/subscription.py
+++ b/app/operation/subscription.py
@@ -13,7 +13,7 @@
 from app.models.settings import Application, ConfigFormat, SubRule, Subscription as SubSettings
 from app.models.stats import Period, UserUsageStatsList
 from app.models.user import SubscriptionUserResponse, UsersResponseWithInbounds
-from app.settings import subscription_settings
+from app.settings import general_settings, subscription_settings
 from app.subscription.share import encode_title, generate_subscription, setup_format_variables
 from app.templates import render_template
 from config import template_settings
@@ -299,6 +299,8 @@ async def user_subscription(
             client_type = matched_rule.target if matched_rule else None
             if client_type == ConfigFormat.block or not client_type:
                 await self.raise_error(message="Client not supported", code=406)
+            if client_type == ConfigFormat.wireguard and not (await general_settings()).wireguard_enabled:
+                await self.raise_error(message="Client not supported", code=406)
 
             # Update user subscription info
             await user_sub_update(db, db_user.id, user_agent)
@@ -351,6 +353,9 @@ async def user_subscription_with_client_type(
         """Provides a subscription link based on the specified client type (e.g., Clash, V2Ray)."""
         sub_settings: SubSettings = await subscription_settings()
 
+        if client_type == ConfigFormat.wireguard and not (await general_settings()).wireguard_enabled:
+            await self.raise_error(message="Client not supported", code=406)
+
         if client_type == ConfigFormat.block or not getattr(sub_settings.manual_sub_request, client_type):
             await self.raise_error(message="Client not supported", code=406)
         db_user = await self.get_validated_sub(db, token=token)
@@ -374,6 +379,9 @@ async def user_subscription_by_user(
         client_type: ConfigFormat,
         request_url: str = "",
     ):
+        if client_type == ConfigFormat.wireguard and not (await general_settings()).wireguard_enabled:
+            await self.raise_error(message="Client not supported", code=406)
+
         if client_type == ConfigFormat.block:
             await self.raise_error(message="Client not supported", code=406)
 
diff --git a/app/settings/__init__.py b/app/settings/__init__.py
index 88f284cd5..3bae33ad3 100644
--- a/app/settings/__init__.py
+++ b/app/settings/__init__.py
@@ -59,6 +59,15 @@ async def subscription_settings() -> settings.Subscription:
     return validated_settings
 
 
+@cached()
+async def general_settings() -> settings.General:
+    async with GetDB() as db:
+        db_settings = await get_settings(db)
+
+    validated_settings = settings.General.model_validate(db_settings.general)
+    return validated_settings
+
+
 async def refresh_caches() -> None:
     await telegram_settings.cache.clear()
     await discord_settings.cache.clear()
@@ -66,6 +75,7 @@ async def refresh_caches() -> None:
     await notification_settings.cache.clear()
     await notification_enable.cache.clear()
     await subscription_settings.cache.clear()
+    await general_settings.cache.clear()
 
 
 async def handle_settings_message(_: dict):
diff --git a/app/subscription/share.py b/app/subscription/share.py
index 96a88c381..dca2a3f83 100644
--- a/app/subscription/share.py
+++ b/app/subscription/share.py
@@ -11,6 +11,7 @@
 from app.db.models import UserStatus
 from app.models.subscription import SubscriptionInboundData
 from app.models.user import UsersResponseWithInbounds
+from app.settings import general_settings
 from app.subscription.client_templates import subscription_client_templates, subscription_xray_templates
 from app.utils.system import get_public_ip, get_public_ipv6, readable_size
 
@@ -350,6 +351,7 @@ async def process_inbounds_and_tags(
 ) -> list | str | bytes:
     proxy_settings = user.proxy_settings.dict()
     proxy_settings["_user_id"] = user.id
+    wireguard_enabled = (await general_settings()).wireguard_enabled
     hosts = await filter_hosts(list((await host_manager.get_hosts()).values()), user.status)
     if randomize_order and len(hosts) > 1:
         random.shuffle(hosts)
@@ -365,6 +367,9 @@ def _resolve_host_xray_template_content(inbound: SubscriptionInboundData) -> str
         return xray_template_overrides.get(template_id)
 
     for host_data in hosts:
+        if host_data.protocol == "wireguard" and not wireguard_enabled:
+            continue
+
         result = await process_host(host_data, format_variables, user.inbounds, proxy_settings)
         if not result:
             continue
diff --git a/app/utils/wireguard.py b/app/utils/wireguard.py
index 51815252e..fa1ae5dc1 100644
--- a/app/utils/wireguard.py
+++ b/app/utils/wireguard.py
@@ -12,6 +12,7 @@
 from app.db.models import CoreConfig, CoreType, User
 from app.models.proxy import ProxyTable
 from app.node.sync import sync_users
+from app.settings import general_settings
 from app.utils.crypto import generate_wireguard_keypair, get_wireguard_public_key
 from app.utils.ip_pool import (
     WireGuardPeerIPAllocator,
@@ -111,6 +112,9 @@ async def prepare_wireguard_proxy_settings(
     exclude_user_id: int | None = None,
 ) -> ProxyTable:
     """Prepare WireGuard proxy settings with key generation and global pool IP allocation."""
+    if not (await general_settings()).wireguard_enabled:
+        return proxy_settings
+
     wireguard_tags = await get_wireguard_tags_from_groups(groups)
     if not wireguard_tags:
         return proxy_settings
@@ -144,6 +148,9 @@ async def prepare_wireguard_keys_only(
     Used when peer_ips haven't changed during user modification.
     Avoids expensive database scans for unchanged peer networks.
     """
+    if not (await general_settings()).wireguard_enabled:
+        return proxy_settings
+
     wireguard_tags = await get_wireguard_tags_from_groups(groups)
     if not wireguard_tags:
         return proxy_settings
@@ -189,6 +196,16 @@ async def bulk_reallocate_wireguard_peer_ips(
 
     ``target_users`` should be the users allowed by bulk scope (group/admin/user filters).
     """
+    if not (await general_settings()).wireguard_enabled:
+        return {
+            "wireguard_inbound_tags": 0,
+            "candidates": 0,
+            "updated": 0,
+            "dry_run": dry_run,
+            "sample_usernames": [],
+            "affected_users": 0,
+        }
+
     wg_tags = await get_wireguard_inbound_tags_from_db(db)
     if not wg_tags:
         return {
diff --git a/dashboard/public/statics/locales/en.json b/dashboard/public/statics/locales/en.json
index 25a715b5d..816becd5d 100644
--- a/dashboard/public/statics/locales/en.json
+++ b/dashboard/public/statics/locales/en.json
@@ -148,6 +148,10 @@
         "title": "Default Shadowsocks Method",
         "description": "Autofill the encryption method for new Shadowsocks users"
       },
+      "wireguardEnabled": {
+        "title": "Enable WireGuard",
+        "description": "Generate WireGuard peer settings and include WireGuard hosts in subscriptions"
+      },
       "errorLoadingSettings": "Error loading settings"
     },
     "notifications": {
diff --git a/dashboard/public/statics/locales/fa.json b/dashboard/public/statics/locales/fa.json
index b3fa7c6ac..2d398dc10 100644
--- a/dashboard/public/statics/locales/fa.json
+++ b/dashboard/public/statics/locales/fa.json
@@ -425,6 +425,10 @@
         "title": "روش پیش‌فرض Shadowsocks",
         "description": "پر کردن خودکار روش رمزنگاری برای کاربران جدید Shadowsocks"
       },
+      "wireguardEnabled": {
+        "title": "Enable WireGuard",
+        "description": "Generate WireGuard peer settings and include WireGuard hosts in subscriptions"
+      },
       "errorLoadingSettings": "خطا در بارگذاری تنظیمات"
     }
   },
diff --git a/dashboard/public/statics/locales/ru.json b/dashboard/public/statics/locales/ru.json
index b3975890a..3b5d7ed7f 100644
--- a/dashboard/public/statics/locales/ru.json
+++ b/dashboard/public/statics/locales/ru.json
@@ -557,6 +557,10 @@
         "title": "Метод Shadowsocks по умолчанию",
         "description": "Автоматически заполнять метод шифрования для новых пользователей Shadowsocks"
       },
+      "wireguardEnabled": {
+        "title": "Enable WireGuard",
+        "description": "Generate WireGuard peer settings and include WireGuard hosts in subscriptions"
+      },
       "errorLoadingSettings": "Ошибка загрузки настроек"
     }
   },
diff --git a/dashboard/public/statics/locales/zh.json b/dashboard/public/statics/locales/zh.json
index d9459bb42..99c8d9a89 100644
--- a/dashboard/public/statics/locales/zh.json
+++ b/dashboard/public/statics/locales/zh.json
@@ -569,6 +569,10 @@
         "title": "默认 Shadowsocks 加密方式",
         "description": "为新 Shadowsocks 用户自动填写加密方式"
       },
+      "wireguardEnabled": {
+        "title": "Enable WireGuard",
+        "description": "Generate WireGuard peer settings and include WireGuard hosts in subscriptions"
+      },
       "errorLoadingSettings": "加载设置时出错"
     },
     "errorLoadingSettings": "加载设置时出错"
diff --git a/dashboard/src/components/dialogs/user-modal.tsx b/dashboard/src/components/dialogs/user-modal.tsx
index 1219aab74..6700d95fd 100644
--- a/dashboard/src/components/dialogs/user-modal.tsx
+++ b/dashboard/src/components/dialogs/user-modal.tsx
@@ -500,6 +500,7 @@ function UserModal({ isDialogOpen, onOpenChange, form, editingUser, editingUserI
     enabled: isDialogOpen,
     refetchOnMount: true,
   })
+  const wireguardEnabled = generalSettings?.wireguard_enabled ?? true
 
   const syncUserCacheFromApiResponse = (user: UserResponse, options?: { allowInsert?: boolean; notifySuccessCallback?: boolean }) => {
     upsertUserInUsersCache(queryClient, user, { allowInsert: options?.allowInsert ?? false })
@@ -2151,85 +2152,89 @@ function UserModal({ isDialogOpen, onOpenChange, form, editingUser, editingUserI
                               )
                             }}
                           />
-                          <FormField
-                            control={form.control}
-                            name="proxy_settings.wireguard.private_key"
-                            render={({ field }) => (
-                              <FormItem className="mb-2">
-                                <FormLabel>{t('userDialog.proxySettings.wireguardPrivateKey', { defaultValue: 'WireGuard Private key' })}</FormLabel>
-                                <FormControl>
-                                  <div dir="ltr" className={`flex items-center gap-2 ${dir === 'rtl' ? 'flex-row-reverse' : 'flex-row'}`}>
-                                    <Input
-                                      {...field}
-                                      value={field.value ?? ''}
-                                      placeholder={t('userDialog.proxySettings.wireguardPrivateKey', { defaultValue: 'WireGuard Private key' })}
-                                      onChange={e => {
-                                        field.onChange(e)
-                                        syncWireGuardPublicKey(e.target.value)
-                                        form.trigger('proxy_settings.wireguard.private_key')
-                                        handleFieldChange('proxy_settings.wireguard.private_key', e.target.value)
-                                      }}
-                                    />
-                                    <Button
-                                      size="icon"
-                                      type="button"
-                                      variant="ghost"
-                                      onClick={generateWireGuardProxySettings}
-                                      title={t('userDialog.proxySettings.generateWireGuardKeyPair', { defaultValue: 'Generate WireGuard keypair' })}
-                                    >
-                                      <RefreshCcw className="h-3 w-3" />
-                                    </Button>
-                                  </div>
-                                </FormControl>
-                                <FormMessage />
-                              </FormItem>
-                            )}
-                          />
-                          <FormField
-                            control={form.control}
-                            name="proxy_settings.wireguard.public_key"
-                            render={({ field }) => (
-                              <FormItem className="mb-2">
-                                <FormLabel>{t('userDialog.proxySettings.wireguardPublicKey', { defaultValue: 'WireGuard Public key' })}</FormLabel>
-                                <FormControl>
-                                  <Input
-                                    dir="ltr"
-                                    {...field}
-                                    value={field.value ?? ''}
-                                    placeholder={t('userDialog.proxySettings.wireguardPublicKey', { defaultValue: 'WireGuard Public key' })}
-                                    disabled
-                                  />
-                                </FormControl>
-                                <FormMessage />
-                              </FormItem>
-                            )}
-                          />
-                          <FormField
-                            control={form.control}
-                            name="proxy_settings.wireguard.peer_ips"
-                            render={({ field }) => (
-                              <FormItem className="mb-2">
-                                <FormLabel>{t('userDialog.proxySettings.wireguardPeerIps', { defaultValue: 'WireGuard Peer IPs' })}</FormLabel>
-                                <FormControl>
-                                  <Textarea
-                                    dir="ltr"
-                                    value={Array.isArray(field.value) ? field.value.join('\n') : ''}
-                                    placeholder={t('userDialog.proxySettings.peerIpsPlaceholder', { defaultValue: 'One CIDR per line, e.g. 10.0.0.10/32' })}
-                                    onChange={e => {
-                                      const peerIps = parseWireGuardPeerIps(e.target.value)
-                                      field.onChange(peerIps)
-                                      form.trigger('proxy_settings.wireguard.peer_ips')
-                                      handleFieldChange('proxy_settings.wireguard.peer_ips', peerIps)
-                                    }}
-                                  />
-                                </FormControl>
-                                <p className="text-xs text-muted-foreground">
-                                  {t('userDialog.proxySettings.peerIpsHint', { defaultValue: 'Leave empty to auto-assign from the global WireGuard peer pool. For manual entries, enter one CIDR per line, and keep each value within that pool.' })}
-                                </p>
-                                <FormMessage />
-                              </FormItem>
-                            )}
-                          />
+                          {wireguardEnabled && (
+                            <>
+                              <FormField
+                                control={form.control}
+                                name="proxy_settings.wireguard.private_key"
+                                render={({ field }) => (
+                                  <FormItem className="mb-2">
+                                    <FormLabel>{t('userDialog.proxySettings.wireguardPrivateKey', { defaultValue: 'WireGuard Private key' })}</FormLabel>
+                                    <FormControl>
+                                      <div dir="ltr" className={`flex items-center gap-2 ${dir === 'rtl' ? 'flex-row-reverse' : 'flex-row'}`}>
+                                        <Input
+                                          {...field}
+                                          value={field.value ?? ''}
+                                          placeholder={t('userDialog.proxySettings.wireguardPrivateKey', { defaultValue: 'WireGuard Private key' })}
+                                          onChange={e => {
+                                            field.onChange(e)
+                                            syncWireGuardPublicKey(e.target.value)
+                                            form.trigger('proxy_settings.wireguard.private_key')
+                                            handleFieldChange('proxy_settings.wireguard.private_key', e.target.value)
+                                          }}
+                                        />
+                                        <Button
+                                          size="icon"
+                                          type="button"
+                                          variant="ghost"
+                                          onClick={generateWireGuardProxySettings}
+                                          title={t('userDialog.proxySettings.generateWireGuardKeyPair', { defaultValue: 'Generate WireGuard keypair' })}
+                                        >
+                                          <RefreshCcw className="h-3 w-3" />
+                                        </Button>
+                                      </div>
+                                    </FormControl>
+                                    <FormMessage />
+                                  </FormItem>
+                                )}
+                              />
+                              <FormField
+                                control={form.control}
+                                name="proxy_settings.wireguard.public_key"
+                                render={({ field }) => (
+                                  <FormItem className="mb-2">
+                                    <FormLabel>{t('userDialog.proxySettings.wireguardPublicKey', { defaultValue: 'WireGuard Public key' })}</FormLabel>
+                                    <FormControl>
+                                      <Input
+                                        dir="ltr"
+                                        {...field}
+                                        value={field.value ?? ''}
+                                        placeholder={t('userDialog.proxySettings.wireguardPublicKey', { defaultValue: 'WireGuard Public key' })}
+                                        disabled
+                                      />
+                                    </FormControl>
+                                    <FormMessage />
+                                  </FormItem>
+                                )}
+                              />
+                              <FormField
+                                control={form.control}
+                                name="proxy_settings.wireguard.peer_ips"
+                                render={({ field }) => (
+                                  <FormItem className="mb-2">
+                                    <FormLabel>{t('userDialog.proxySettings.wireguardPeerIps', { defaultValue: 'WireGuard Peer IPs' })}</FormLabel>
+                                    <FormControl>
+                                      <Textarea
+                                        dir="ltr"
+                                        value={Array.isArray(field.value) ? field.value.join('\n') : ''}
+                                        placeholder={t('userDialog.proxySettings.peerIpsPlaceholder', { defaultValue: 'One CIDR per line, e.g. 10.0.0.10/32' })}
+                                        onChange={e => {
+                                          const peerIps = parseWireGuardPeerIps(e.target.value)
+                                          field.onChange(peerIps)
+                                          form.trigger('proxy_settings.wireguard.peer_ips')
+                                          handleFieldChange('proxy_settings.wireguard.peer_ips', peerIps)
+                                        }}
+                                      />
+                                    </FormControl>
+                                    <p className="text-xs text-muted-foreground">
+                                      {t('userDialog.proxySettings.peerIpsHint', { defaultValue: 'Leave empty to auto-assign from the global WireGuard peer pool. For manual entries, enter one CIDR per line, and keep each value within that pool.' })}
+                                    </p>
+                                    <FormMessage />
+                                  </FormItem>
+                                )}
+                              />
+                            </>
+                          )}
                         </AccordionContent>
                       </AccordionItem>
                     </Accordion>
diff --git a/dashboard/src/pages/_dashboard.settings.general.tsx b/dashboard/src/pages/_dashboard.settings.general.tsx
index 312ab4082..e07a2564c 100644
--- a/dashboard/src/pages/_dashboard.settings.general.tsx
+++ b/dashboard/src/pages/_dashboard.settings.general.tsx
@@ -5,6 +5,7 @@ import { Form, FormControl, FormDescription, FormField, FormItem, FormLabel, For
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@/components/ui/select'
 import { Separator } from '@/components/ui/separator'
 import { Skeleton } from '@/components/ui/skeleton'
+import { Switch } from '@/components/ui/switch'
 import { DEFAULT_SHADOWSOCKS_METHOD } from '@/constants/Proxies'
 import { ShadowsocksMethods, XTLSFlows, useReconnectAllNode } from '@/service/api'
 import { queryClient } from '@/utils/query-client'
@@ -21,9 +22,11 @@ import { useSettingsContext } from './_dashboard.settings'
 const generalSettingsSchema = z.object({
   default_flow: z.string().default(''),
   default_method: z.string().default(''),
+  wireguard_enabled: z.boolean().default(true),
 })
 
 type GeneralSettingsFormInput = z.input<typeof generalSettingsSchema>
+type GeneralSettingsStringField = 'default_flow' | 'default_method'
 
 export default function General() {
   const { t } = useTranslation()
@@ -36,6 +39,7 @@ export default function General() {
     defaultValues: {
       default_flow: '',
       default_method: '',
+      wireguard_enabled: true,
     },
   })
 
@@ -43,6 +47,7 @@ export default function General() {
     form.reset({
       default_flow: settings?.general?.default_flow || '',
       default_method: settings?.general?.default_method || DEFAULT_SHADOWSOCKS_METHOD,
+      wireguard_enabled: settings?.general?.wireguard_enabled ?? true,
     })
   }, [settings])
 
@@ -54,6 +59,7 @@ export default function General() {
           ...data,
           default_flow: data.default_flow || undefined,
           default_method: data.default_method || DEFAULT_SHADOWSOCKS_METHOD,
+          wireguard_enabled: data.wireguard_enabled,
         },
       }
 
@@ -68,6 +74,7 @@ export default function General() {
       form.reset({
         default_flow: '',
         default_method: DEFAULT_SHADOWSOCKS_METHOD,
+        wireguard_enabled: settings.general.wireguard_enabled ?? true,
       })
       toast.success(t('settings.general.cancelSuccess'))
     }
@@ -151,7 +158,7 @@ export default function General() {
     )
   }
 
-  const clearField = (field: keyof GeneralSettingsFormInput) => {
+  const clearField = (field: GeneralSettingsStringField) => {
     return (e: React.MouseEvent<HTMLButtonElement>) => {
       e.preventDefault()
       e.stopPropagation()
@@ -230,6 +237,25 @@ export default function General() {
                 )}
               />
             </div>
+
+            <div className="mt-5">
+              <FormField
+                control={form.control}
+                name="wireguard_enabled"
+                render={({ field }) => (
+                  <FormItem className="flex space-y-0 flex-col gap-3 rounded-md border p-4 sm:flex-row sm:items-center sm:justify-between">
+                    <div className="space-y-1">
+                      <FormLabel className="text-xs font-medium sm:text-sm">{t('settings.general.wireguardEnabled.title')}</FormLabel>
+                      <FormDescription className="text-xs text-muted-foreground sm:text-sm">{t('settings.general.wireguardEnabled.description')}</FormDescription>
+                    </div>
+                    <FormControl>
+                      <Switch checked={field.value} onCheckedChange={field.onChange} />
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+            </div>
           </div>
 
           <Separator className="my-3" />
diff --git a/dashboard/src/service/api/index.ts b/dashboard/src/service/api/index.ts
index fc181b9f4..193a9be54 100644
--- a/dashboard/src/service/api/index.ts
+++ b/dashboard/src/service/api/index.ts
@@ -2026,6 +2026,7 @@ export const GeoFilseRegion = {
 export interface General {
   default_flow?: XTLSFlows
   default_method?: ShadowsocksMethods
+  wireguard_enabled?: boolean
 }
 
 export type GRPCSettingsInitialWindowsSize = number | null
diff --git a/tests/api/conftest.py b/tests/api/conftest.py
index 43d3f8f23..865afe162 100644
--- a/tests/api/conftest.py
+++ b/tests/api/conftest.py
@@ -428,7 +428,7 @@ def mock_settings(monkeypatch: pytest.MonkeyPatch):
                 },
             ],
         },
-        "general": {"default_flow": "", "default_method": "chacha20-ietf-poly1305"},
+        "general": {"default_flow": "", "default_method": "chacha20-ietf-poly1305", "wireguard_enabled": True},
     }
     db_settings = Settings(**settings)
 
diff --git a/tests/api/test_user.py b/tests/api/test_user.py
index 0782f5cbd..0346a88af 100644
--- a/tests/api/test_user.py
+++ b/tests/api/test_user.py
@@ -12,7 +12,7 @@
 
 from fastapi import status
 
-from app.models.settings import ConfigFormat, SubRule, Subscription
+from app.models.settings import ConfigFormat, General, SubRule, Subscription
 from app.operation.subscription import SubscriptionOperation
 from app.utils import jwt as jwt_utils
 from app.utils.crypto import generate_wireguard_keypair, get_wireguard_public_key
@@ -477,6 +477,62 @@ def test_wireguard_subscription_outputs_are_consistent(access_token):
         delete_core(access_token, core["id"])
 
 
+def test_wireguard_disabled_skips_allocation_and_subscription_outputs(access_token, monkeypatch):
+    async def disabled_general_settings():
+        return General(wireguard_enabled=False)
+
+    monkeypatch.setattr("app.utils.wireguard.general_settings", disabled_general_settings)
+    monkeypatch.setattr("app.subscription.share.general_settings", disabled_general_settings)
+    monkeypatch.setattr("app.operation.subscription.general_settings", disabled_general_settings)
+
+    interface_private_key, _ = generate_wireguard_keypair()
+    interface_name = unique_name("wg_disabled")
+    endpoint = "198.51.100.20"
+
+    core = create_core(
+        access_token,
+        name=unique_name("wireguard_disabled_core"),
+        config={
+            "interface_name": interface_name,
+            "private_key": interface_private_key,
+            "listen_port": 51820,
+            "address": ["10.40.0.1/24"],
+        },
+        type="wg",
+        fallbacks=[],
+    )
+    host_response = client.post(
+        "/api/host",
+        headers=auth_headers(access_token),
+        json={
+            "remark": "Disabled WG {USERNAME}",
+            "address": [endpoint],
+            "port": 51820,
+            "inbound_tag": interface_name,
+            "priority": 1,
+        },
+    )
+    assert host_response.status_code == status.HTTP_201_CREATED
+    host_id = host_response.json()["id"]
+    group = create_group(access_token, name=unique_name("wg_disabled_group"), inbound_tags=[interface_name])
+    user = create_user(access_token, group_ids=[group["id"]], payload={"username": unique_name("wg_disabled_user")})
+
+    try:
+        assert user["proxy_settings"]["wireguard"]["peer_ips"] == []
+
+        links_response = client.get(f"{user['subscription_url']}/links")
+        wireguard_response = client.get(f"{user['subscription_url']}/wireguard")
+
+        assert links_response.status_code == status.HTTP_200_OK
+        assert "wireguard://" not in links_response.text
+        assert wireguard_response.status_code == status.HTTP_406_NOT_ACCEPTABLE
+    finally:
+        delete_user(access_token, user["username"])
+        delete_group(access_token, group["id"])
+        client.delete(f"/api/host/{host_id}", headers=auth_headers(access_token))
+        delete_core(access_token, core["id"])
+
+
 def test_xray_subscription_includes_wireguard_outbound(access_token):
     interface_private_key, _ = generate_wireguard_keypair()
     interface_public_key = get_wireguard_public_key(interface_private_key)

From 9fd649053d0e71cd448d6281e60f480d65546b87 Mon Sep 17 00:00:00 2001
From: x0sina <bulletsina77@gmail.com>
Date: Wed, 6 May 2026 14:56:07 +0330
Subject: [PATCH 2/3] fix(wireguard): only skip WireGuard peer IP allocation
 when disabled

---
 app/utils/wireguard.py | 9 +++------
 tests/api/test_user.py | 4 +++-
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/app/utils/wireguard.py b/app/utils/wireguard.py
index fa1ae5dc1..ddc90cede 100644
--- a/app/utils/wireguard.py
+++ b/app/utils/wireguard.py
@@ -112,9 +112,6 @@ async def prepare_wireguard_proxy_settings(
     exclude_user_id: int | None = None,
 ) -> ProxyTable:
     """Prepare WireGuard proxy settings with key generation and global pool IP allocation."""
-    if not (await general_settings()).wireguard_enabled:
-        return proxy_settings
-
     wireguard_tags = await get_wireguard_tags_from_groups(groups)
     if not wireguard_tags:
         return proxy_settings
@@ -129,6 +126,9 @@ async def prepare_wireguard_proxy_settings(
     elif not proxy_settings.wireguard.public_key:
         proxy_settings.wireguard.public_key = get_wireguard_public_key(proxy_settings.wireguard.private_key)
 
+    if not (await general_settings()).wireguard_enabled:
+        return proxy_settings
+
     peer_ips = list(proxy_settings.wireguard.peer_ips or [])
 
     # Use merged allocate+validate function to avoid double DB scan
@@ -148,9 +148,6 @@ async def prepare_wireguard_keys_only(
     Used when peer_ips haven't changed during user modification.
     Avoids expensive database scans for unchanged peer networks.
     """
-    if not (await general_settings()).wireguard_enabled:
-        return proxy_settings
-
     wireguard_tags = await get_wireguard_tags_from_groups(groups)
     if not wireguard_tags:
         return proxy_settings
diff --git a/tests/api/test_user.py b/tests/api/test_user.py
index 0346a88af..82a731b75 100644
--- a/tests/api/test_user.py
+++ b/tests/api/test_user.py
@@ -477,7 +477,7 @@ def test_wireguard_subscription_outputs_are_consistent(access_token):
         delete_core(access_token, core["id"])
 
 
-def test_wireguard_disabled_skips_allocation_and_subscription_outputs(access_token, monkeypatch):
+def test_wireguard_disabled_skips_peer_ip_allocation_and_subscription_outputs(access_token, monkeypatch):
     async def disabled_general_settings():
         return General(wireguard_enabled=False)
 
@@ -518,6 +518,8 @@ async def disabled_general_settings():
     user = create_user(access_token, group_ids=[group["id"]], payload={"username": unique_name("wg_disabled_user")})
 
     try:
+        assert user["proxy_settings"]["wireguard"]["private_key"]
+        assert user["proxy_settings"]["wireguard"]["public_key"]
         assert user["proxy_settings"]["wireguard"]["peer_ips"] == []
 
         links_response = client.get(f"{user['subscription_url']}/links")

From a1027948d92cf82d62c675ae65f974a6c9d3cfbc Mon Sep 17 00:00:00 2001
From: x0sina <bulletsina77@gmail.com>
Date: Wed, 6 May 2026 17:06:13 +0330
Subject: [PATCH 3/3] refactor: move WireGuard enable flag to env

- Add WIREGUARD_ENABLED config setting
- Remove persisted wireguard_enabled general setting
- Remove dashboard WireGuard enable toggle and related API state
- Gate WireGuard allocation and subscription output from env config
---
 .env.example                                  |   2 +
 app/models/settings.py                        |   1 -
 app/operation/subscription.py                 |  10 +-
 app/subscription/share.py                     |   5 +-
 app/utils/wireguard.py                        |   6 +-
 config.py                                     |   1 +
 dashboard/public/statics/locales/en.json      |   4 -
 dashboard/public/statics/locales/fa.json      |   4 -
 dashboard/public/statics/locales/ru.json      |   4 -
 dashboard/public/statics/locales/zh.json      |   4 -
 .../src/components/dialogs/user-modal.tsx     | 174 ++++++++----------
 .../src/pages/_dashboard.settings.general.tsx |  24 ---
 dashboard/src/service/api/index.ts            |   1 -
 tests/api/conftest.py                         |   2 +-
 tests/api/test_user.py                        |   9 +-
 15 files changed, 96 insertions(+), 155 deletions(-)

diff --git a/.env.example b/.env.example
index 6c254ba11..1a1f0ca60 100644
--- a/.env.example
+++ b/.env.example
@@ -27,6 +27,8 @@ UVICORN_PORT = 8000
 ## External config to import into v2ray format subscription
 # EXTERNAL_CONFIG = "config://..."
 
+## WireGuard: enable peer allocation and subscription output
+# WIREGUARD_ENABLED = True
 ## WireGuard: IPv4 range for auto-allocated user peer addresses (and validation of manual peer_ips)
 # WIREGUARD_GLOBAL_POOL = "10.0.0.0/8"
 ## Comma-separated IPv4 CIDR subnets never assigned from the pool (e.g. network + gateway on a point-to-point link)
diff --git a/app/models/settings.py b/app/models/settings.py
index f4ae77dd9..ba20305dd 100644
--- a/app/models/settings.py
+++ b/app/models/settings.py
@@ -288,7 +288,6 @@ def validate_recommended_apps(cls, v: list[Application]) -> list[Application]:
 class General(BaseModel):
     default_flow: XTLSFlows = Field(default=XTLSFlows.NONE)
     default_method: ShadowsocksMethods = Field(default=ShadowsocksMethods.CHACHA20_POLY1305)
-    wireguard_enabled: bool = Field(default=True)
 
 
 class SettingsSchema(BaseModel):
diff --git a/app/operation/subscription.py b/app/operation/subscription.py
index 54c4d26b4..b7b8452c0 100644
--- a/app/operation/subscription.py
+++ b/app/operation/subscription.py
@@ -13,10 +13,10 @@
 from app.models.settings import Application, ConfigFormat, SubRule, Subscription as SubSettings
 from app.models.stats import Period, UserUsageStatsList
 from app.models.user import SubscriptionUserResponse, UsersResponseWithInbounds
-from app.settings import general_settings, subscription_settings
+from app.settings import subscription_settings
 from app.subscription.share import encode_title, generate_subscription, setup_format_variables
 from app.templates import render_template
-from config import template_settings
+from config import template_settings, wireguard_settings
 
 from . import BaseOperation
 from .user import UserOperation
@@ -299,7 +299,7 @@ async def user_subscription(
             client_type = matched_rule.target if matched_rule else None
             if client_type == ConfigFormat.block or not client_type:
                 await self.raise_error(message="Client not supported", code=406)
-            if client_type == ConfigFormat.wireguard and not (await general_settings()).wireguard_enabled:
+            if client_type == ConfigFormat.wireguard and not wireguard_settings.enabled:
                 await self.raise_error(message="Client not supported", code=406)
 
             # Update user subscription info
@@ -353,7 +353,7 @@ async def user_subscription_with_client_type(
         """Provides a subscription link based on the specified client type (e.g., Clash, V2Ray)."""
         sub_settings: SubSettings = await subscription_settings()
 
-        if client_type == ConfigFormat.wireguard and not (await general_settings()).wireguard_enabled:
+        if client_type == ConfigFormat.wireguard and not wireguard_settings.enabled:
             await self.raise_error(message="Client not supported", code=406)
 
         if client_type == ConfigFormat.block or not getattr(sub_settings.manual_sub_request, client_type):
@@ -379,7 +379,7 @@ async def user_subscription_by_user(
         client_type: ConfigFormat,
         request_url: str = "",
     ):
-        if client_type == ConfigFormat.wireguard and not (await general_settings()).wireguard_enabled:
+        if client_type == ConfigFormat.wireguard and not wireguard_settings.enabled:
             await self.raise_error(message="Client not supported", code=406)
 
         if client_type == ConfigFormat.block:
diff --git a/app/subscription/share.py b/app/subscription/share.py
index dca2a3f83..de77a953a 100644
--- a/app/subscription/share.py
+++ b/app/subscription/share.py
@@ -11,9 +11,9 @@
 from app.db.models import UserStatus
 from app.models.subscription import SubscriptionInboundData
 from app.models.user import UsersResponseWithInbounds
-from app.settings import general_settings
 from app.subscription.client_templates import subscription_client_templates, subscription_xray_templates
 from app.utils.system import get_public_ip, get_public_ipv6, readable_size
+from config import wireguard_settings
 
 from . import (
     ClashConfiguration,
@@ -351,7 +351,6 @@ async def process_inbounds_and_tags(
 ) -> list | str | bytes:
     proxy_settings = user.proxy_settings.dict()
     proxy_settings["_user_id"] = user.id
-    wireguard_enabled = (await general_settings()).wireguard_enabled
     hosts = await filter_hosts(list((await host_manager.get_hosts()).values()), user.status)
     if randomize_order and len(hosts) > 1:
         random.shuffle(hosts)
@@ -367,7 +366,7 @@ def _resolve_host_xray_template_content(inbound: SubscriptionInboundData) -> str
         return xray_template_overrides.get(template_id)
 
     for host_data in hosts:
-        if host_data.protocol == "wireguard" and not wireguard_enabled:
+        if host_data.protocol == "wireguard" and not wireguard_settings.enabled:
             continue
 
         result = await process_host(host_data, format_variables, user.inbounds, proxy_settings)
diff --git a/app/utils/wireguard.py b/app/utils/wireguard.py
index ddc90cede..3e5b186a4 100644
--- a/app/utils/wireguard.py
+++ b/app/utils/wireguard.py
@@ -12,7 +12,6 @@
 from app.db.models import CoreConfig, CoreType, User
 from app.models.proxy import ProxyTable
 from app.node.sync import sync_users
-from app.settings import general_settings
 from app.utils.crypto import generate_wireguard_keypair, get_wireguard_public_key
 from app.utils.ip_pool import (
     WireGuardPeerIPAllocator,
@@ -20,6 +19,7 @@
     collect_used_peer_networks_from_proxy_settings_rows,
     peer_ips_outside_global_pool,
 )
+from config import wireguard_settings
 
 
 def _normalized_peer_networks(peer_ips: Iterable[str]) -> list[str]:
@@ -126,7 +126,7 @@ async def prepare_wireguard_proxy_settings(
     elif not proxy_settings.wireguard.public_key:
         proxy_settings.wireguard.public_key = get_wireguard_public_key(proxy_settings.wireguard.private_key)
 
-    if not (await general_settings()).wireguard_enabled:
+    if not wireguard_settings.enabled:
         return proxy_settings
 
     peer_ips = list(proxy_settings.wireguard.peer_ips or [])
@@ -193,7 +193,7 @@ async def bulk_reallocate_wireguard_peer_ips(
 
     ``target_users`` should be the users allowed by bulk scope (group/admin/user filters).
     """
-    if not (await general_settings()).wireguard_enabled:
+    if not wireguard_settings.enabled:
         return {
             "wireguard_inbound_tags": 0,
             "candidates": 0,
diff --git a/config.py b/config.py
index b34b35e8a..f6dc6177f 100644
--- a/config.py
+++ b/config.py
@@ -188,6 +188,7 @@ class FeatureSettings(EnvSettings):
 
 
 class WireGuardSettings(EnvSettings):
+    enabled: bool = Field(default=True, validation_alias="WIREGUARD_ENABLED")
     global_pool: str = Field(default="10.0.0.0/8", validation_alias="WIREGUARD_GLOBAL_POOL")
     reserved: str = Field(default="10.0.0.0/31", validation_alias="WIREGUARD_RESERVED")
 
diff --git a/dashboard/public/statics/locales/en.json b/dashboard/public/statics/locales/en.json
index 816becd5d..25a715b5d 100644
--- a/dashboard/public/statics/locales/en.json
+++ b/dashboard/public/statics/locales/en.json
@@ -148,10 +148,6 @@
         "title": "Default Shadowsocks Method",
         "description": "Autofill the encryption method for new Shadowsocks users"
       },
-      "wireguardEnabled": {
-        "title": "Enable WireGuard",
-        "description": "Generate WireGuard peer settings and include WireGuard hosts in subscriptions"
-      },
       "errorLoadingSettings": "Error loading settings"
     },
     "notifications": {
diff --git a/dashboard/public/statics/locales/fa.json b/dashboard/public/statics/locales/fa.json
index 2d398dc10..b3fa7c6ac 100644
--- a/dashboard/public/statics/locales/fa.json
+++ b/dashboard/public/statics/locales/fa.json
@@ -425,10 +425,6 @@
         "title": "روش پیش‌فرض Shadowsocks",
         "description": "پر کردن خودکار روش رمزنگاری برای کاربران جدید Shadowsocks"
       },
-      "wireguardEnabled": {
-        "title": "Enable WireGuard",
-        "description": "Generate WireGuard peer settings and include WireGuard hosts in subscriptions"
-      },
       "errorLoadingSettings": "خطا در بارگذاری تنظیمات"
     }
   },
diff --git a/dashboard/public/statics/locales/ru.json b/dashboard/public/statics/locales/ru.json
index 3b5d7ed7f..b3975890a 100644
--- a/dashboard/public/statics/locales/ru.json
+++ b/dashboard/public/statics/locales/ru.json
@@ -557,10 +557,6 @@
         "title": "Метод Shadowsocks по умолчанию",
         "description": "Автоматически заполнять метод шифрования для новых пользователей Shadowsocks"
       },
-      "wireguardEnabled": {
-        "title": "Enable WireGuard",
-        "description": "Generate WireGuard peer settings and include WireGuard hosts in subscriptions"
-      },
       "errorLoadingSettings": "Ошибка загрузки настроек"
     }
   },
diff --git a/dashboard/public/statics/locales/zh.json b/dashboard/public/statics/locales/zh.json
index 99c8d9a89..d9459bb42 100644
--- a/dashboard/public/statics/locales/zh.json
+++ b/dashboard/public/statics/locales/zh.json
@@ -569,10 +569,6 @@
         "title": "默认 Shadowsocks 加密方式",
         "description": "为新 Shadowsocks 用户自动填写加密方式"
       },
-      "wireguardEnabled": {
-        "title": "Enable WireGuard",
-        "description": "Generate WireGuard peer settings and include WireGuard hosts in subscriptions"
-      },
       "errorLoadingSettings": "加载设置时出错"
     },
     "errorLoadingSettings": "加载设置时出错"
diff --git a/dashboard/src/components/dialogs/user-modal.tsx b/dashboard/src/components/dialogs/user-modal.tsx
index 6700d95fd..feb1c14ce 100644
--- a/dashboard/src/components/dialogs/user-modal.tsx
+++ b/dashboard/src/components/dialogs/user-modal.tsx
@@ -22,8 +22,6 @@ import useDirDetection from '@/hooks/use-dir-detection'
 import useDynamicErrorHandler from '@/hooks/use-dynamic-errors.ts'
 import { cn } from '@/lib/utils'
 import {
-  getGeneralSettings,
-  getGetGeneralSettingsQueryKey,
   getGetGroupsSimpleQueryKey,
   useCreateUser,
   useCreateUserFromTemplate,
@@ -41,7 +39,7 @@ import { parseDateInput } from '@/utils/dateTimeParsing'
 import { bytesToFormGigabytes, formatBytes, gbToBytes } from '@/utils/formatByte'
 import { invalidateUserMetricsQueries, upsertUserInUsersCache } from '@/utils/usersCache'
 import { generateWireGuardKeyPair, getWireGuardPublicKey } from '@/utils/wireguard'
-import { useQuery, useQueryClient } from '@tanstack/react-query'
+import { useQueryClient } from '@tanstack/react-query'
 import { CalendarClock, CalendarPlus, ChevronDown, EllipsisVertical, Info, Layers, Link2Off, ListStart, Lock, Network, PieChart, RefreshCcw, Group, Users, Pencil, UserRoundPlus } from 'lucide-react'
 import React, { useEffect, useState } from 'react'
 import { UseFormReturn } from 'react-hook-form'
@@ -494,14 +492,6 @@ function UserModal({ isDialogOpen, onOpenChange, form, editingUser, editingUserI
     },
   )
 
-  const { data: generalSettings } = useQuery({
-    queryKey: getGetGeneralSettingsQueryKey(),
-    queryFn: () => getGeneralSettings(),
-    enabled: isDialogOpen,
-    refetchOnMount: true,
-  })
-  const wireguardEnabled = generalSettings?.wireguard_enabled ?? true
-
   const syncUserCacheFromApiResponse = (user: UserResponse, options?: { allowInsert?: boolean; notifySuccessCallback?: boolean }) => {
     upsertUserInUsersCache(queryClient, user, { allowInsert: options?.allowInsert ?? false })
     invalidateUserMetricsQueries(queryClient)
@@ -2152,89 +2142,85 @@ function UserModal({ isDialogOpen, onOpenChange, form, editingUser, editingUserI
                               )
                             }}
                           />
-                          {wireguardEnabled && (
-                            <>
-                              <FormField
-                                control={form.control}
-                                name="proxy_settings.wireguard.private_key"
-                                render={({ field }) => (
-                                  <FormItem className="mb-2">
-                                    <FormLabel>{t('userDialog.proxySettings.wireguardPrivateKey', { defaultValue: 'WireGuard Private key' })}</FormLabel>
-                                    <FormControl>
-                                      <div dir="ltr" className={`flex items-center gap-2 ${dir === 'rtl' ? 'flex-row-reverse' : 'flex-row'}`}>
-                                        <Input
-                                          {...field}
-                                          value={field.value ?? ''}
-                                          placeholder={t('userDialog.proxySettings.wireguardPrivateKey', { defaultValue: 'WireGuard Private key' })}
-                                          onChange={e => {
-                                            field.onChange(e)
-                                            syncWireGuardPublicKey(e.target.value)
-                                            form.trigger('proxy_settings.wireguard.private_key')
-                                            handleFieldChange('proxy_settings.wireguard.private_key', e.target.value)
-                                          }}
-                                        />
-                                        <Button
-                                          size="icon"
-                                          type="button"
-                                          variant="ghost"
-                                          onClick={generateWireGuardProxySettings}
-                                          title={t('userDialog.proxySettings.generateWireGuardKeyPair', { defaultValue: 'Generate WireGuard keypair' })}
-                                        >
-                                          <RefreshCcw className="h-3 w-3" />
-                                        </Button>
-                                      </div>
-                                    </FormControl>
-                                    <FormMessage />
-                                  </FormItem>
-                                )}
-                              />
-                              <FormField
-                                control={form.control}
-                                name="proxy_settings.wireguard.public_key"
-                                render={({ field }) => (
-                                  <FormItem className="mb-2">
-                                    <FormLabel>{t('userDialog.proxySettings.wireguardPublicKey', { defaultValue: 'WireGuard Public key' })}</FormLabel>
-                                    <FormControl>
-                                      <Input
-                                        dir="ltr"
-                                        {...field}
-                                        value={field.value ?? ''}
-                                        placeholder={t('userDialog.proxySettings.wireguardPublicKey', { defaultValue: 'WireGuard Public key' })}
-                                        disabled
-                                      />
-                                    </FormControl>
-                                    <FormMessage />
-                                  </FormItem>
-                                )}
-                              />
-                              <FormField
-                                control={form.control}
-                                name="proxy_settings.wireguard.peer_ips"
-                                render={({ field }) => (
-                                  <FormItem className="mb-2">
-                                    <FormLabel>{t('userDialog.proxySettings.wireguardPeerIps', { defaultValue: 'WireGuard Peer IPs' })}</FormLabel>
-                                    <FormControl>
-                                      <Textarea
-                                        dir="ltr"
-                                        value={Array.isArray(field.value) ? field.value.join('\n') : ''}
-                                        placeholder={t('userDialog.proxySettings.peerIpsPlaceholder', { defaultValue: 'One CIDR per line, e.g. 10.0.0.10/32' })}
-                                        onChange={e => {
-                                          const peerIps = parseWireGuardPeerIps(e.target.value)
-                                          field.onChange(peerIps)
-                                          form.trigger('proxy_settings.wireguard.peer_ips')
-                                          handleFieldChange('proxy_settings.wireguard.peer_ips', peerIps)
-                                        }}
-                                      />
-                                    </FormControl>
-                                    <p className="text-xs text-muted-foreground">
-                                      {t('userDialog.proxySettings.peerIpsHint', { defaultValue: 'Leave empty to auto-assign from the global WireGuard peer pool. For manual entries, enter one CIDR per line, and keep each value within that pool.' })}
-                                    </p>
-                                    <FormMessage />
-                                  </FormItem>
-                                )}
-                              />
-                            </>
-                          )}
+                          <FormField
+                            control={form.control}
+                            name="proxy_settings.wireguard.private_key"
+                            render={({ field }) => (
+                              <FormItem className="mb-2">
+                                <FormLabel>{t('userDialog.proxySettings.wireguardPrivateKey', { defaultValue: 'WireGuard Private key' })}</FormLabel>
+                                <FormControl>
+                                  <div dir="ltr" className={`flex items-center gap-2 ${dir === 'rtl' ? 'flex-row-reverse' : 'flex-row'}`}>
+                                    <Input
+                                      {...field}
+                                      value={field.value ?? ''}
+                                      placeholder={t('userDialog.proxySettings.wireguardPrivateKey', { defaultValue: 'WireGuard Private key' })}
+                                      onChange={e => {
+                                        field.onChange(e)
+                                        syncWireGuardPublicKey(e.target.value)
+                                        form.trigger('proxy_settings.wireguard.private_key')
+                                        handleFieldChange('proxy_settings.wireguard.private_key', e.target.value)
+                                      }}
+                                    />
+                                    <Button
+                                      size="icon"
+                                      type="button"
+                                      variant="ghost"
+                                      onClick={generateWireGuardProxySettings}
+                                      title={t('userDialog.proxySettings.generateWireGuardKeyPair', { defaultValue: 'Generate WireGuard keypair' })}
+                                    >
+                                      <RefreshCcw className="h-3 w-3" />
+                                    </Button>
+                                  </div>
+                                </FormControl>
+                                <FormMessage />
+                              </FormItem>
+                            )}
+                          />
+                          <FormField
+                            control={form.control}
+                            name="proxy_settings.wireguard.public_key"
+                            render={({ field }) => (
+                              <FormItem className="mb-2">
+                                <FormLabel>{t('userDialog.proxySettings.wireguardPublicKey', { defaultValue: 'WireGuard Public key' })}</FormLabel>
+                                <FormControl>
+                                  <Input
+                                    dir="ltr"
+                                    {...field}
+                                    value={field.value ?? ''}
+                                    placeholder={t('userDialog.proxySettings.wireguardPublicKey', { defaultValue: 'WireGuard Public key' })}
+                                    disabled
+                                  />
+                                </FormControl>
+                                <FormMessage />
+                              </FormItem>
+                            )}
+                          />
+                          <FormField
+                            control={form.control}
+                            name="proxy_settings.wireguard.peer_ips"
+                            render={({ field }) => (
+                              <FormItem className="mb-2">
+                                <FormLabel>{t('userDialog.proxySettings.wireguardPeerIps', { defaultValue: 'WireGuard Peer IPs' })}</FormLabel>
+                                <FormControl>
+                                  <Textarea
+                                    dir="ltr"
+                                    value={Array.isArray(field.value) ? field.value.join('\n') : ''}
+                                    placeholder={t('userDialog.proxySettings.peerIpsPlaceholder', { defaultValue: 'One CIDR per line, e.g. 10.0.0.10/32' })}
+                                    onChange={e => {
+                                      const peerIps = parseWireGuardPeerIps(e.target.value)
+                                      field.onChange(peerIps)
+                                      form.trigger('proxy_settings.wireguard.peer_ips')
+                                      handleFieldChange('proxy_settings.wireguard.peer_ips', peerIps)
+                                    }}
+                                  />
+                                </FormControl>
+                                <p className="text-xs text-muted-foreground">
+                                  {t('userDialog.proxySettings.peerIpsHint', { defaultValue: 'Leave empty to auto-assign from the global WireGuard peer pool. For manual entries, enter one CIDR per line, and keep each value within that pool.' })}
+                                </p>
+                                <FormMessage />
+                              </FormItem>
+                            )}
+                          />
                         </AccordionContent>
                       </AccordionItem>
                     </Accordion>
diff --git a/dashboard/src/pages/_dashboard.settings.general.tsx b/dashboard/src/pages/_dashboard.settings.general.tsx
index e07a2564c..a56af289f 100644
--- a/dashboard/src/pages/_dashboard.settings.general.tsx
+++ b/dashboard/src/pages/_dashboard.settings.general.tsx
@@ -5,7 +5,6 @@ import { Form, FormControl, FormDescription, FormField, FormItem, FormLabel, For
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@/components/ui/select'
 import { Separator } from '@/components/ui/separator'
 import { Skeleton } from '@/components/ui/skeleton'
-import { Switch } from '@/components/ui/switch'
 import { DEFAULT_SHADOWSOCKS_METHOD } from '@/constants/Proxies'
 import { ShadowsocksMethods, XTLSFlows, useReconnectAllNode } from '@/service/api'
 import { queryClient } from '@/utils/query-client'
@@ -22,7 +21,6 @@ import { useSettingsContext } from './_dashboard.settings'
 const generalSettingsSchema = z.object({
   default_flow: z.string().default(''),
   default_method: z.string().default(''),
-  wireguard_enabled: z.boolean().default(true),
 })
 
 type GeneralSettingsFormInput = z.input<typeof generalSettingsSchema>
@@ -39,7 +37,6 @@ export default function General() {
     defaultValues: {
       default_flow: '',
       default_method: '',
-      wireguard_enabled: true,
     },
   })
 
@@ -47,7 +44,6 @@ export default function General() {
     form.reset({
       default_flow: settings?.general?.default_flow || '',
       default_method: settings?.general?.default_method || DEFAULT_SHADOWSOCKS_METHOD,
-      wireguard_enabled: settings?.general?.wireguard_enabled ?? true,
     })
   }, [settings])
 
@@ -59,7 +55,6 @@ export default function General() {
           ...data,
           default_flow: data.default_flow || undefined,
           default_method: data.default_method || DEFAULT_SHADOWSOCKS_METHOD,
-          wireguard_enabled: data.wireguard_enabled,
         },
       }
 
@@ -74,7 +69,6 @@ export default function General() {
       form.reset({
         default_flow: '',
         default_method: DEFAULT_SHADOWSOCKS_METHOD,
-        wireguard_enabled: settings.general.wireguard_enabled ?? true,
       })
       toast.success(t('settings.general.cancelSuccess'))
     }
@@ -238,24 +232,6 @@ export default function General() {
               />
             </div>
 
-            <div className="mt-5">
-              <FormField
-                control={form.control}
-                name="wireguard_enabled"
-                render={({ field }) => (
-                  <FormItem className="flex space-y-0 flex-col gap-3 rounded-md border p-4 sm:flex-row sm:items-center sm:justify-between">
-                    <div className="space-y-1">
-                      <FormLabel className="text-xs font-medium sm:text-sm">{t('settings.general.wireguardEnabled.title')}</FormLabel>
-                      <FormDescription className="text-xs text-muted-foreground sm:text-sm">{t('settings.general.wireguardEnabled.description')}</FormDescription>
-                    </div>
-                    <FormControl>
-                      <Switch checked={field.value} onCheckedChange={field.onChange} />
-                    </FormControl>
-                    <FormMessage />
-                  </FormItem>
-                )}
-              />
-            </div>
           </div>
 
           <Separator className="my-3" />
diff --git a/dashboard/src/service/api/index.ts b/dashboard/src/service/api/index.ts
index 193a9be54..fc181b9f4 100644
--- a/dashboard/src/service/api/index.ts
+++ b/dashboard/src/service/api/index.ts
@@ -2026,7 +2026,6 @@ export const GeoFilseRegion = {
 export interface General {
   default_flow?: XTLSFlows
   default_method?: ShadowsocksMethods
-  wireguard_enabled?: boolean
 }
 
 export type GRPCSettingsInitialWindowsSize = number | null
diff --git a/tests/api/conftest.py b/tests/api/conftest.py
index 865afe162..43d3f8f23 100644
--- a/tests/api/conftest.py
+++ b/tests/api/conftest.py
@@ -428,7 +428,7 @@ def mock_settings(monkeypatch: pytest.MonkeyPatch):
                 },
             ],
         },
-        "general": {"default_flow": "", "default_method": "chacha20-ietf-poly1305", "wireguard_enabled": True},
+        "general": {"default_flow": "", "default_method": "chacha20-ietf-poly1305"},
     }
     db_settings = Settings(**settings)
 
diff --git a/tests/api/test_user.py b/tests/api/test_user.py
index 82a731b75..1d25a98a2 100644
--- a/tests/api/test_user.py
+++ b/tests/api/test_user.py
@@ -12,7 +12,7 @@
 
 from fastapi import status
 
-from app.models.settings import ConfigFormat, General, SubRule, Subscription
+from app.models.settings import ConfigFormat, SubRule, Subscription
 from app.operation.subscription import SubscriptionOperation
 from app.utils import jwt as jwt_utils
 from app.utils.crypto import generate_wireguard_keypair, get_wireguard_public_key
@@ -478,12 +478,7 @@ def test_wireguard_subscription_outputs_are_consistent(access_token):
 
 
 def test_wireguard_disabled_skips_peer_ip_allocation_and_subscription_outputs(access_token, monkeypatch):
-    async def disabled_general_settings():
-        return General(wireguard_enabled=False)
-
-    monkeypatch.setattr("app.utils.wireguard.general_settings", disabled_general_settings)
-    monkeypatch.setattr("app.subscription.share.general_settings", disabled_general_settings)
-    monkeypatch.setattr("app.operation.subscription.general_settings", disabled_general_settings)
+    monkeypatch.setattr("config.wireguard_settings.enabled", False)
 
     interface_private_key, _ = generate_wireguard_keypair()
     interface_name = unique_name("wg_disabled")