diff --git a/app/vpn/wireguardconfig.h b/app/vpn/wireguardconfig.h
new file mode 100644
index 0000000..67bed59
--- /dev/null
+++ b/app/vpn/wireguardconfig.h
@@ -0,0 +1,43 @@
+// wireguardconfig.h — Parsed representation of a WireGuard .conf file.
+//
+// DragonRelay returns a standard .conf from POST /api/vpn/peer.
+// This class parses it so TunnelManager can bring up the tunnel.
+
+#pragma once
+
+#include <QString>
+#include <QStringList>
+
+struct WireGuardConfig {
+    // ── [Interface] ────────────────────────────────────────────────────────
+    QString  privateKey;  ///< Base64 private key for this peer.
+    QString  address;     ///< CIDR assigned to this peer, e.g. "10.99.0.2/24".
+    QString  dns;         ///< Optional DNS server, e.g. "1.1.1.1".
+
+    // ── [Peer] ─────────────────────────────────────────────────────────────
+    QString     peerPublicKey;        ///< Base64 public key of the WireGuard server.
+    QString     presharedKey;         ///< Base64 preshared key (may be empty).
+    QString     endpoint;             ///< "host:port" of the server, e.g. "1.2.3.4:51820".
+    QStringList allowedIPs;           ///< CIDRs routed through the tunnel.
+    uint16_t    persistentKeepalive = 25; ///< Keepalive interval in seconds.
+
+    // ── Helpers ────────────────────────────────────────────────────────────
+
+    /// Returns the host portion of endpoint (strips the port).
+    QString endpointHost() const;
+
+    /// Returns the port portion of endpoint, defaulting to 51820.
+    quint16 endpointPort() const;
+
+    /// Returns the bare IP from address (strips the CIDR prefix length).
+    QString localIP() const;
+
+    /// True if all required fields are present.
+    bool isValid() const;
+
+    // ── Factory ────────────────────────────────────────────────────────────
+
+    /// Parse a WireGuard .conf string as returned by DragonRelay.
+    /// Unrecognised keys are silently ignored.
+    static WireGuardConfig fromConf(const QString &conf);
+};