diff --git a/Dockerfile b/Dockerfile
index c9b32b8e..3633683e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,6 +22,7 @@ LABEL maintainer="nekohasekai "
 RUN set -ex \
 && apk upgrade \
 && apk add bash tzdata ca-certificates nftables \
+ && apk add wireguard-tools \
 && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
diff --git a/transport/wireguard/endpoint.go b/transport/wireguard/endpoint.go
index 77225bc3..e0cedf6b 100644
--- a/transport/wireguard/endpoint.go
+++ b/transport/wireguard/endpoint.go
@@ -19,6 +19,7 @@ import (
 "github.com/sagernet/sing/service/pause"
 "github.com/sagernet/wireguard-go/conn"
 "github.com/sagernet/wireguard-go/device"
+ "github.com/sagernet/wireguard-go/ipc"
 "go4.org/netipx"
 )
@@ -167,6 +168,14 @@ func (e *Endpoint) Start(resolve bool) error {
 } else if resolve {
 return nil
 }
+
+ fileUAPI, uapiErr := func() (*os.File, error) {
+ return ipc.UAPIOpen(e.options.Name) // should be something like wg0
+ }()
+ if uapiErr != nil {
+ return fmt.Errorf("UAPI listen error: %v", uapiErr)
+ }
+
+ var bind conn.Bind
 wgListener, isWgListener := e.options.Dialer.(conn.Listener)
 if isWgListener {
@@ -204,6 +213,22 @@ func (e *Endpoint) Start(resolve bool) error {
 },
 }
 wgDevice := device.NewDevice(e.options.Context, e.tunDevice, bind, logger, e.options.Workers)
+
+ uapi, err := ipc.UAPIListen(e.options.Name, fileUAPI)
+ if err != nil {
+ return fmt.Errorf("failed to listen on uapi socket: %v", err)
+ }
+
+ go func() {
+ for {
+ conn, err := uapi.Accept()
+ if err != nil {
+ return
+ }
+ go wgDevice.IpcHandle(conn)
+ }
+ }()
+
+ e.tunDevice.SetDevice(wgDevice)
 ipcConf := e.ipcConf
 for _, peer := range e.peers {
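Review bot: The added `&& apk add wireguard-tools \` step in the Dockerfile hunk installs the WireGuard userspace tooling into every runtime image, whether or not the endpoint's UAPI socket is used. If only the `wg` binary is wanted, Alpine's narrower `wireguard-tools-wg` subpackage should keep `wg-quick` and its dependencies out of the image. The package can also go on the existing install line instead of a second `apk add`: `&& apk add bash tzdata ca-certificates nftables wireguard-tools-wg \`.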
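Review bot: In the first `Start` hunk the UAPI socket is opened unconditionally, so every WireGuard endpoint now needs write access to the UAPI socket directory and fails to start without it. The UAPI protocol lets any process that can connect to that socket read the device configuration, including key material, and change peers, so this should be opt-in through an endpoint option rather than always on. `e.options.Name` goes into the socket path unvalidated (the inline comment only says it "should be something like wg0"); reject empty names and names containing path separators before the call. The function-literal wrapper adds nothing and `%v` drops the error chain: `fileUAPI, err := ipc.UAPIOpen(e.options.Name)` followed by `return fmt.Errorf("open uapi socket: %w", err)` is enough. In upstream wireguard-go `UAPIOpen` exists only on Unix-like targets, so unless the sagernet fork differs this needs a build-tagged file; `Start` continues outside the hunk, and any early return between here and `UAPIListen` would leave `fileUAPI` open.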
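Review bot: The listener returned by `ipc.UAPIListen` in the second `Start` hunk is kept only in a local variable, so nothing can close it when the endpoint shuts down. The accept goroutine and the socket then outlive the device, and a later `Start` with the same name would presumably find the socket still in use. The failure path also returns without releasing `wgDevice` or `fileUAPI`, the accept error is dropped silently, and the loop variable `conn` shadows the imported `conn` package. The sketch below keeps the listener on the endpoint and releases what was created. The field name is a placeholder, the endpoint's close path (outside this hunk) has to close it, and it should be confirmed that `wgDevice.Close()` is safe before `SetDevice` has run.

```go
wgDevice := device.NewDevice(e.options.Context, e.tunDevice, bind, logger, e.options.Workers)

uapi, err := ipc.UAPIListen(e.options.Name, fileUAPI)
if err != nil {
	wgDevice.Close()
	fileUAPI.Close()
	return fmt.Errorf("listen on uapi socket: %w", err)
}
e.uapiListener = uapi // placeholder field name; close it where the endpoint is closed

go func() {
	for {
		c, err := uapi.Accept()
		if err != nil {
			logger.Errorf("uapi accept: %v", err)
			return
		}
		go wgDevice.IpcHandle(c)
	}
}()
// … unchanged: e.tunDevice.SetDevice(wgDevice) and peer configuration …
```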