WireGuard VPN between Vigor Routers

WireGuard is a secure, fast, and modern VPN Protocol. A WireGuard VPN connection is made by exchanging public keys and intends to be considerably more performant than OpenVPN. We support the WireGuard VPN Dial-Out on Vigor2962/3910 routers since firmware version 4.3.1. This article will show how to establish a WireGuard VPN LAN to LAN tunnel between Vigor2962 and Vigor3910.

1. On the VPN server, create a WireGuard VPN LAN to LAN profile: Go to VPN and Remote Access >> LAN to LAN, click on an available index to edit the profile.

2. Edit the profile as follows:

  • Check Enable this profile
  • Give it a Profile Name
  • Select Dial-In for Call Direction
  • Leave the Idle Timeout as 300 seconds (optional)
  • Select WireGuard as the Allowed VPN Type
  • The WireGuard Settings window will pop up after selecting WireGuard.

  • Click Generate a Key Pair for [Interface]. It will generate the keys for the VPN server.
  • Copy the Public Key to a text file. (The Public Key is required to be configured in the WireGuard VPN Client router.)
  • Leave Public Key for [Peer] as empty. (It should be configured after the WireGuard VPN Client router generates the keys on its WireGuard VPN profile.)
  • Click Generate the Pre-Shared Key then copy the Pre-Shared Key to a text file. The Pre-Shared Key cannot be any string, so please use the Generate button to produce the key.
  • Configure the Keepalive setting as 60 seconds. The Keepalive setting is to suggest the WireGuard VPN client send a keepalive packet with a regular interval to avoid the UDP session being closed by the NAT router in front of it. The setting can be modified according to the UDP session timeout of the NAT router.
  • Click X to exit the WireGuard Settings window.
  • Enter the Local Network IP/ Mask settings.
  • Enter the Remote Network IP/ Mask settings.
  • Select Routing for the Mode and click OK to save this VPN profile.
  • 3. On the VPN client, create a WireGuard VPN LAN to LAN profile: Go to VPN and Remote Access >> LAN to LAN, click on an available index to edit the profile.

  • Check Enable this Profile
  • Give it a Profile Name
  • Select Dial-Out for Call Direction
  • Select WireGuard as the VPN protocol and enter the VPN server’s IP or Domain Name.
  • Click Generate a Key Pair for [Interface]. It will generate the keys for the VPN client.
  • Copy the Public Key to a text file. (The Public Key will be configured in the WireGuard VPN Server router later.)
  • Enter the WireGuard VPN Server’s Public Key (copied in step2) in the Public Key for [Peer] field. Enter the Pre-Shared Key that the WireGuard VPN Server generated in step2.
  • Configure the Keepalive setting as 60 seconds. The Keepalive setting is to make the WireGuard VPN client send a keepalive packet with a regular interval to avoid the UDP session being closed by the NAT router in front of it. The setting can be modified according to the UDP session timeout of the NAT router.
  • Enter the Local Network IP/ Mask settings.
  • Enter the Remote Network IP/ Mask settings.
  • Select Routing for the Mode and click OK to save this VPN profile.
  • 4. Go to the VPN Server’s WireGuard VPN Settings page again and paste the VPN Client’s Public Key. Click X to exit the window then click OK to save the setting.

    5. On the VPN client router, go to VPN and Remote Access >> Connection Management, select the WireGuard VPN profile and click Dial to activate the tunnel.

    We may ping a remote IP to check if the traffic over WireGuard VPN works.

    When using WireGuard VPN in NAT mode

    We only need to add the settings below for creating the WireGuard VPN in NAT mode.

    1. On the VPN server, enter the IP that will assign to the VPN client in the Client IP Address field.

    2. On the VPN client, enter the IP that the server gives in the IP Address field.

    3. On the VPN client, select NAT for the Mode in the TCP/IP Network settings.

    Published On:2022-01-21 

    Was this helpful?   

    Sorry about that. Contact Support if you need further assistance, or leave us some comments below to help us improve.


    Related Articles