WireGuard is a secure, fast, and modern VPN Protocol. A WireGuard VPN connection is made by exchanging public keys and intends to be considerably more performant than OpenVPN. We support the WireGuard VPN Dial-Out on Vigor2962/3910 routers since firmware version 4.3.1. This article will show how to establish a WireGuard VPN LAN to LAN tunnel between Vigor2962 and Vigor3910.
1. On the VPN server, create a WireGuard VPN LAN to LAN profile: Go to VPN and Remote Access >> LAN to LAN, click on an available index to edit the profile.
2. Edit the profile as follows:
Check Enable this profile
Give it a Profile Name
Select Dial-In for Call Direction
Leave the Idle Timeout as 300 seconds (optional)
Select WireGuard as the Allowed VPN Type
The WireGuard Settings window will pop up after selecting WireGuard.
Click Generate a Key Pair for [Interface]. It will generate the keys for the VPN server.
Copy the Public Key to a text file. (The Public Key is required to be configured in the WireGuard VPN Client router.)
Leave Public Key for [Peer] as empty. (It should be configured after the WireGuard VPN Client router generates the keys on its WireGuard VPN profile.)
Click Generate the Pre-Shared Key then copy the Pre-Shared Key to a text file. The Pre-Shared Key cannot be any string, so please use the Generate button to produce the key.
Configure the Keepalive setting as 60 seconds. The Keepalive setting is to suggest the WireGuard VPN client send a keepalive packet with a regular interval to avoid the UDP session being closed by the NAT router in front of it. The setting can be modified according to the UDP session timeout of the NAT router.
Click X to exit the WireGuard Settings window.
Enter the Local Network IP/ Mask settings.
Enter the Remote Network IP/ Mask settings.
Select Routing for the Mode and go to the VPN client to create WireGuard Key Pair first. Do not click OK to save the VPN profile because the VPN profile can save when the Peer public key exists.
3. On the VPN client, create a WireGuard VPN LAN to LAN profile: Go to VPN and Remote Access >> LAN to LAN, click on an available index to edit the profile.
Check Enable this Profile
Give it a Profile Name
Select Dial-Out for Call Direction
Select WireGuard as the VPN protocol and enter the VPN server’s IP or Domain Name.
Click Generate a Key Pair for [Interface]. It will generate the keys for the VPN client.
Copy the Public Key to a text file. (The Public Key will be configured in the WireGuard VPN Server router later.)
Enter the WireGuard VPN Server’s Public Key (copied in step2) in the Public Key for [Peer] field. Enter the Pre-Shared Key that the WireGuard VPN Server generated in step2.
Configure the Keepalive setting as 60 seconds. The Keepalive setting is to make the WireGuard VPN client send a keepalive packet with a regular interval to avoid the UDP session being closed by the NAT router in front of it. The setting can be modified according to the UDP session timeout of the NAT router.
Enter the Local Network IP/ Mask settings.
Enter the Remote Network IP/ Mask settings.
Select Routing for the Mode and click OK to save this VPN profile.
4. Go to the VPN Server’s WireGuard VPN Settings page again and paste the VPN Client’s Public Key. Click X or OK to exit the window then click OK to save the setting.
5. On the VPN client router, go to VPN and Remote Access >> Connection Management, select the WireGuard VPN profile and click Dial to activate the tunnel.
We may ping a remote IP to check if the traffic over WireGuard VPN works.
Note: If the Wireguard LAN to LAN VPN is up, but the ping to remote network doesn't work, we can check if the Interface IP is conflicted with the remote VPN network via VPN and Remote Access >> WireGuard. The interface IP is an IP for the Wireguard interface, and it can be any IP as long as it is not conflicted with a network IP. We recommend using the router's LAN IP as the Interface IP. Click Generate a Key Pair, change the Interface IP, and click OK to save it.
When using WireGuard VPN in NAT mode
We only need to add the settings below for creating the WireGuard VPN in NAT mode.
1. On the VPN server, enter the IP that will assign to the VPN client in the Client IP Address field.
2. On the VPN client, enter the IP that the server gives in the IP Address field.
3. On the VPN client, select NAT for the Mode in the TCP/IP Network settings.