WireGuard VPN Setup Guide for VyOS

Overview

This guide explains how to set up a WireGuard VPN server on VyOS and configure a client connection. WireGuard is a modern, secure, and high-performance VPN protocol.

Server Configuration Commands

Run these commands on your VyOS router to set up the WireGuard server:

# Basic Interface Setup
set interfaces wireguard wg1 address '10.254.254.1/24'
set interfaces wireguard wg1 description 'VPN'

# Performance Optimization
set interfaces wireguard wg1 ip adjust-mss '1380'
set interfaces wireguard wg1 mtu '1420'

# Connection Settings
set interfaces wireguard wg1 port '51921'
set interfaces wireguard wg1 private-key 'SERVER_PRIVATE_KEY'

# Firewall Rules
set firewall name OUTSIDE-LOCAL rule 40 action accept
set firewall name OUTSIDE-LOCAL rule 40 destination port 51921
set firewall name OUTSIDE-LOCAL rule 40 protocol udp
set firewall name OUTSIDE-LOCAL rule 40 description 'Allow WireGuard VPN'

set firewall name LOCAL-LOCAL rule 30 action accept
set firewall name LOCAL-LOCAL rule 30 source address 10.254.254.0/24
set firewall name LOCAL-LOCAL rule 30 description 'Allow WireGuard subnet traffic'

# Apply configuration
commit
save

Client Peer Configuration (Server Side)

Run these commands on your VyOS router to add the client as a peer:

set interfaces wireguard wg1 peer CLIENT_NAME allowed-ips '10.254.254.X/32'
set interfaces wireguard wg1 peer CLIENT_NAME public-key 'CLIENT_PUBLIC_KEY'
set interfaces wireguard wg1 peer CLIENT_NAME persistent-keepalive '25'
commit
save

Generate Client Configuration Command

Run this command to generate a client configuration file on your VyOS router:

generate wireguard client-config CLIENT_NAME interface wg1 server YOUR_PUBLIC_IP address 10.254.254.X/24

Client Configuration File

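This is what the client configuration file will look like. You can also use this template with your generated keys. With AllowedIPs set to 0.0.0.0/0, ::/0, the client routes all of its IPv4 and IPv6 traffic through the tunnel: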

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.254.254.X/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_PUBLIC_IP:51921
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Connection Testing

After setup, test the connection from a client:

ping 10.254.254.1

A successful ping confirms basic connectivity to the VyOS WireGuard server.

Troubleshooting

Issue             Command                                  Description
Interface status  show interfaces wireguard wg1            Displays the WireGuard interface status
Peer connections  show interfaces wireguard wg1 peer all   Shows all connected peers and their status
System logs       show log tail                            Displays recent system logs for error messages

Security Best Practices

  1. Use unique private/public key pairs for each client
  2. Limit "allowed-ips" to specific IP addresses when possible
  3. Regularly update VyOS to ensure WireGuard security patches are applied
  4. Consider implementing additional authentication methods
  5. Back up your WireGuard configuration
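
A check for practices 1 and 2, added here as an example (it is not part of the original guide or of VyOS): it reads peer `set` commands in the form shown earlier and flags reused or malformed public keys, and allowed-ips that are invalid, outside 10.254.254.0/24, wider than /32, or overlapping another peer. The name audit_peers and the sample peers are assumptions, and the sample key is a constructed byte pattern, not real key material.

```python
import ipaddress
import re

TUNNEL_NET = ipaddress.ip_network("10.254.254.0/24")  # wg1 subnet used in this guide
PEER_RE = re.compile(r"set interfaces wireguard \S+ peer (\S+) (allowed-ips|public-key) (\S+)")
KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")  # 32-byte key in base64: 43 characters plus '='

def audit_peers(config_text):
    """Return a list of findings for the peer 'set' commands in config_text."""
    peers = {}
    for line in config_text.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            peer = peers.setdefault(m[1], {"allowed-ips": [], "public-key": []})
            peer[m[2]].append(m[3].strip("'"))
    findings, key_owner, seen_nets = [], {}, []
    for name, peer in peers.items():
        keys = peer["public-key"]
        if len(keys) != 1 or not KEY_RE.fullmatch(keys[0]):
            findings.append(f"{name}: missing or malformed public-key")
        elif key_owner.setdefault(keys[0], name) != name:
            findings.append(f"{name}: public-key reused from peer {key_owner[keys[0]]}")
        for raw in peer["allowed-ips"]:
            try:
                net = ipaddress.ip_network(raw, strict=False)
                inside = net.version == 4 and net.subnet_of(TUNNEL_NET)
            except ValueError:  # unfilled placeholder or typo
                net, inside = raw, False
            if not inside:
                findings.append(f"{name}: allowed-ips {net} is invalid or outside {TUNNEL_NET}")
                continue
            if net.prefixlen != 32:
                findings.append(f"{name}: allowed-ips {net} is wider than one /32 address")
            findings += [f"{name}: allowed-ips {net} overlaps peer {other}"
                         for other, seen in seen_nets if other != name and net.overlaps(seen)]
            seen_nets.append((name, net))
    return findings

K1 = "AQEB" * 10 + "AQE="  # constructed: base64 of 32 bytes of 0x01, not a real key
SAMPLE = f"""set interfaces wireguard wg1 peer laptop allowed-ips '10.254.254.2/32'
set interfaces wireguard wg1 peer laptop public-key '{K1}'
set interfaces wireguard wg1 peer phone allowed-ips '10.254.254.0/24'
set interfaces wireguard wg1 peer phone public-key '{K1}'
set interfaces wireguard wg1 peer tablet allowed-ips '10.254.254.X/32'
set interfaces wireguard wg1 peer tablet public-key 'CLIENT_PUBLIC_KEY'"""

if __name__ == "__main__":
    print("\n".join(audit_peers(SAMPLE)))
```

In the constructed sample, laptop passes, phone is flagged for a reused key and a /24 that overlaps laptop, and tablet is flagged because its placeholders were never filled in.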