
WireGuard Configuration Example: Difference between revisions

From Teltonika Networks Wiki
No edit summary
No edit summary
 
(55 intermediate revisions by one other user not shown)
Line 1: Line 1:
__TOC__
__TOC__
 
<p style="color:red">The information in this page is updated in accordance with '''00.07.17.4''' firmware version.</p>
==Introduction==
==Introduction==


'''WireGuard''' is simple, fast, lean, and modern VPN that utilizes secure and trusted cryptography.  
'''WireGuard''' is a modern, lightweight, and secure VPN solution that relies on trusted cryptography. This guide provides an example of setting up a basic WireGuard tunnel between two Teltonika devices.
This page will show you an example on how to configure a basic tunnel between WireGuard interface and its peers.
 
<u><b>Note:</b> WireGuard is additional software that can be installed from the <b>System → Package Manager</b> page.</u>


==Prerequisites==
==Prerequisites==


For this example you need:
For this example you need:
<li>Two RUTOS devices (this example will be written with RUTX09 and TRB141 in particular)</li>
<li>Two RUTOS devices (this guide uses RUTX50 (WG1/'''server''') and RUTX14 (WG2/'''client''') as examples)</li>
<li>An end device to configure devices (PC, Laptop, Tablet or Smartphone)</li>
<li>A device to configure the routers (PC, laptop, tablet, or smartphone)</li>
<li>One of the RUTOS devices must have <b>Public</b> IP address</li>
<li>One of the RUTOS devices (the server) must have a '''public IP address'''</li>


==End results==
==Expected Outcome==


In the end there will be created a tunnel between RUTX09 and TRB141.  
A tunnel will be established between RUTX50 (WG1) and RUTX14 (WG2). The assigned tunnel IP addresses will be:
RUTX09 will have 10.0.0.1 and TRB141 will have 10.0.0.2 tunnel IP addresses.
*'''WG1 (server)''': 172.16.10.1
*'''WG2 (client)''': 172.16.10.2


==WireGuard Instances==
==WG1 (Server) configuration==


To create Instance enter its name and click the <b>Add</b> button. 
===Creating new wireguard instance===
Then click the <b>Edit</b> [[File:Networking_rutx_manual_edit_button_v1.png]] button to configure it.


In this example Instance is named by its device name to make it easier to follow images.
To create Instance:
#Enter a name for the new WireGuard instance, for example, WG1.
#Click the [[File:Add Button.png|43px]] button.
[[File:Wireguard config example wg1 config pt1.png|border]]


====RUTX09 Example====
===Instance configuration===
----


[[File:Networking_wireguard_configuration_example_interface_rutx09_v1.png|border|class=tlt-border]]
In the pop-up configuration window, open the General settings tab:


====TRB141 Example====
#'''Enable''' the instance
----
#Copy the '''Public Key''' (make sure to copy all of it), this will be required in WG2 (client) configuration
#Enter '''Wireguard IP''' address for this device


[[File:Networking_wireguard_configuration_example_interface_trb141_v1.png|border|class=tlt-border]]
[[File:Wireguard config example wg1 config pt2 v2.png|border]]


==Instance Configuration==
===Peer configuration===
The next step is to configure the Peers that this instance will connect to.


The following part of example applies to both devices.
To create a Peer:
#Enter peer device's name of your choice
#Click the [[File:Add Button.png|43px]] button.
[[File:Wireguard config example wg1 config peer settings pt1.png|border]]


Before editing any fields click [[File:Networking_rutx_manual_generate_button_v1.png]] button
In the pop-up configuration window, select the General settings tab:
to generate Public and Private keys.


After that you need to Enable this instance and in the <b>Listen Port</b>
#<li value="3">Enter the '''Public Key''' of the WireGuard peer device
field enter your desired port. WireGuard by default uses <b>51820</b> port which will be used in this example.  
#Enter the '''WireGuard tunnel IP''' address for the peer device ('''WG2''') in the Allowed IPs section
#Add an additional Allowed IPs entry if you want to reach Peer device's ('''WG2''') '''LAN subnet''' (optional)
#Enable "'''Route alowed IPs'''"
#Save the configuration
[[File:Wireguard config example wg1 config peer settings pt2.png|border]]


Lastly you need to enter IP Address for instance. As mentioned in the beginning, RUTX09 will have 10.0.0.1 and TRB141
==WG2 (Client) configuration==
will have 10.0.0.2 IP addresses.


<b>Note:</b> enter IP address <b>and</b> its mask e.g. <b>10.0.0.1/24</b>
===Creating new wireguard instance===


====RUTX09 Example====
To create Instance:
----
#Enter a name for the new WireGuard instance, for example, WG2.
[[File:Networking_wireguard_configuration_example_interface_general_rutx09_v3.png|border|class=tlt-border]]
#Click the [[File:Add Button.png|43px]] button.
[[File:Wireguard config example wg2 config pt1.png|border]]


<b>Note:</b> fields with numbers <b>1</b> and <b>2</b> will be used later when configuring remote peers.
===Instance configuration===


====TRB141 Example====
In the pop-up configuration window, select the General settings tab:
----
[[File:Networking_wireguard_configuration_example_interface_general_trb141_v2.png|border|class=tlt-border]]


<b>Note:</b> fields with numbers <b>3</b> and <b>4</b> will be used later when configuring remote peers.
#Enable the instance
#Copy the '''Public Key''' (make sure to copy all of it), this will be required in WG1 (server) configuration
#Enter '''Wireguard tunnel IP''' address for this device
[[File:Wireguard config example wg2 config pt2 v2.png|border]]


==Peers==
===Peer configuration===
The next step is to configure the Peers that this instance will connect to.


Until now you have configured WireGuard instance itself, now you need to configure Peers
To create a Peer:
which are going to connect to those instances.  
#Enter peer device's name of your choice
#Click the [[File:Add Button.png|43px]] button.
[[File:Wireguard config example wg2 config peer settings pt1.png|border]]


To create Peer enter its name and click the <b>Add</b> button.
In the pop-up configuration window, select the General settings tab:
Then click the <b>Edit</b> [[File:Networking_rutx_manual_edit_button_v1.png]] button to configure it.


One Peer for each device will be created:
#<li value="3">Enter the '''Public Key''' of the WireGuard '''peer device'''
<li><b>RUTX09</b> will have a Peer named <b>trb1peer</b></li>
#Enter the '''Public IP''' address of the WireGuard peer/server ('''WG1''')
<li><b>TRB141</b> will have a Peer named <b>rutxpeer</b></li>
#Enter the '''WireGuard tunnel IP''' address for the '''peer device''' in the Allowed IPs section
#Add Allowed IPs entry if you want to reach Peer device's ('''WG2''') '''LAN subnet''' (optional)
#Enable "'''Route alowed IPs'''"
#Save the configuration
[[File:Wireguard config example wg2 config peer settings pt2 v2.png|border]]


====RUTX09 Example====
==Testing Configuration==
----
[[File:Networking_wireguard_configuration_example_interface_peers_rutx09_v1.png|border|class=tlt-border]]


====TRB141 Example====
To check the Wireguard tunnel connection and test it you need to open '''[[Command Line Interfaces RutOS|Command Line Interface]]''' and log in.
----
[[File:Networking_wireguard_configuration_example_interface_peers_trb141_v1.png|border|class=tlt-border]]


==Peers Configuration==
Once in the Command Line, enter the following command:
 
    wg
===General Setup===
 
In the <b>General Setup</b> section you need to enter <b>Public Key</b> and <b>Allowed IPs</b> from the Remote instance you want to connect to.
 
In this example a peer from RUTX09 (named <b>trb1peer</b>) needs to connect to TRB141, which means <b>trb1peer</b>
will enter Public Key and Allowed IPs from TRB141.


<b>Note:</b> the numbers in the images below represent a <i>number of field</i> from which that value
If the '''latest handshake''' line is visible, it indicates that a connection between your devices has been successfully established. Furthermore, if the peer’s LAN subnet IP was added to the Allowed IPs section, you should also be able to ping devices within that subnet.
was taken from the images in [[WireGuard_Configuration_Example#Instance Configuration|Instance Configuration]].


====RUTX09 Example====
WG1:
----
[[File:Networking_wireguard_configuration_example_interface_peers_configuration_rutx09_v2.png|border|class=tlt-border]]


====TRB141 Example====
[[File:Wireguard config example wg1 test connection.png|border]]
----
[[File:Networking_wireguard_configuration_example_interface_peers_configuration_trb141_v2.png|border|class=tlt-border]]
 
===Advanced Setup===
----
 
Lastly atleast one device has to enter Public IP address from Remote instance. Enter IP address, save and move to the
[[WireGuard_Configuration_Example#Testing Configuration|Testing Configuration]].
 
If in the [[WireGuard_Configuration_Example#Instance Configuration|Instance Configuration]] you
specified port other than 51820 then you also need to specify it here.
 
[[File:Networking_wireguard_configuration_example_interface_peers_configuration_advanced_trb141_v1.png|border|class=tlt-border]]
 
==Testing Configuration==
 
To initiate connection and test it you need to open Command Line Interface (Services → CLI) and login.
Then type
    wg
If you see <b>latest handshake</b> line then it means you have established a connection between your devices and
you are able to communicate via IP addresses specified in number <b>2</b> and <b>4</b> fields from the images in
[[WireGuard_Configuration_Example#Instance Configuration|Instance Configuration]].


[[File:Networking_wireguard_configuration_example_interface_wg_established_trb141_v1.png|border|class=tlt-border]]
WG2:


If you dont see <b>latest handshake</b> line, then ping the <b>Public IP address</b> you specified in
[[File:Wireguard config example wg2 test connection.png|border]]
<b>Endpoint Host</b> field, this will initiate handshake.
[[Category:VPN]]
    ping XX.XX.XX.XX
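
Review bot: In the new WG2 (Client) peer steps, the line "Add Allowed IPs entry if you want to reach Peer device's ('''WG2''') '''LAN subnet'''" names WG2, but on the client the peer is WG1, so it looks copied from the server section and should name WG1. The revision also removes the old Listen Port paragraph (default 51820) and the old advice to ping the Endpoint Host address when no latest handshake line appears; the new client steps never say which port the endpoint uses, and the new Testing Configuration text gives no next step when the handshake is missing, so consider carrying both over. "Route alowed IPs" is misspelled in both new peer lists and should read "Route allowed IPs".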

Latest revision as of 11:52, 5 November 2025


The information in this page is updated in accordance with 00.07.17.4 firmware version.

Introduction

WireGuard is a modern, lightweight, and secure VPN solution that relies on trusted cryptography. This guide provides an example of setting up a basic WireGuard tunnel between two Teltonika devices.

Prerequisites

For this example you need:

  • Two RUTOS devices (this guide uses RUTX50 (WG1/server) and RUTX14 (WG2/client) as examples)
  • A device to configure the routers (PC, laptop, tablet, or smartphone)
  • One of the RUTOS devices (the server) must have a public IP address

Expected Outcome

A tunnel will be established between RUTX50 (WG1) and RUTX14 (WG2). The assigned tunnel IP addresses will be:

  • WG1 (server): 172.16.10.1
  • WG2 (client): 172.16.10.2

WG1 (Server) configuration

Creating a new WireGuard instance

To create an instance:

1. Enter a name for the new WireGuard instance, for example, WG1.
2. Click the Add button.

Instance configuration

In the pop-up configuration window, open the General settings tab:

1. Enable the instance
2. Copy the Public Key (make sure to copy all of it); it will be required in the WG2 (client) configuration
3. Enter the WireGuard IP address for this device

Peer configuration

The next step is to configure the Peers that this instance will connect to.

To create a Peer:

1. Enter a name of your choice for the peer device
2. Click the Add button.

In the pop-up configuration window, select the General settings tab:

1. Enter the Public Key of the WireGuard peer device
2. Enter the WireGuard tunnel IP address for the peer device (WG2) in the Allowed IPs section
3. Add an additional Allowed IPs entry if you want to reach the peer device's (WG2) LAN subnet (optional)
4. Enable "Route allowed IPs"
5. Save the configuration

WG2 (Client) configuration

Creating a new WireGuard instance

To create an instance:

1. Enter a name for the new WireGuard instance, for example, WG2.
2. Click the Add button.

Instance configuration

In the pop-up configuration window, select the General settings tab:

1. Enable the instance
2. Copy the Public Key (make sure to copy all of it); it will be required in the WG1 (server) configuration
3. Enter the WireGuard tunnel IP address for this device

Peer configuration

The next step is to configure the Peers that this instance will connect to.

To create a Peer:

1. Enter a name of your choice for the peer device
2. Click the Add button.

In the pop-up configuration window, select the General settings tab:

1. Enter the Public Key of the WireGuard peer device
2. Enter the Public IP address of the WireGuard peer/server (WG1)
3. Enter the WireGuard tunnel IP address for the peer device in the Allowed IPs section
4. Add an Allowed IPs entry if you want to reach the peer device's (WG2) LAN subnet (optional)
5. Enable "Route allowed IPs"
6. Save the configuration
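
In WireGuard, Allowed IPs both routes traffic to a peer and filters the source addresses accepted from it, so every extra prefix widens what that peer can reach. The script below is an added example, not part of the Teltonika page: it audits the output of `wg show <interface> allowed-ips` against the prefixes planned for a peer, using a constructed placeholder key and an assumed LAN subnet of 192.168.14.0/24.

```shell
#!/bin/sh
# Added example: compare `wg show <interface> allowed-ips` output with the
# prefixes you intended to enter in the Allowed IPs section.
# Each output line is: <peer public key><TAB><prefix> [<prefix> ...]
# (or "(none)" instead of prefixes when the peer has no Allowed IPs).

# Constructed sample, not from a real device: WG1's view of peer WG2 with the
# tunnel IP, an assumed LAN subnet, and a default route added by mistake.
sample_allowed() {
    printf '%s\t%s\n' 'WG2_PUBLIC_KEY_PLACEHOLDER' \
        '172.16.10.2/32 192.168.14.0/24 0.0.0.0/0'
}

# audit_allowed_ips "<planned prefixes, space separated>"
# Reads the wg output on stdin and prints one line per finding:
#   UNEXPECTED <key> <prefix>   configured but not planned
#   MISSING    <key> <prefix>   planned but not configured
audit_allowed_ips() {
    awk -v expected="$1" '
    BEGIN {
        n = split(expected, plan, " ")
        for (i = 1; i <= n; i++) want[plan[i]] = 1
    }
    {
        key = $1
        split("", seen)                      # reset per peer
        for (i = 2; i <= NF; i++) {
            if ($i == "(none)") continue
            seen[$i] = 1
            if (!($i in want)) print "UNEXPECTED", key, $i
        }
        for (i = 1; i <= n; i++)
            if (!(plan[i] in seen)) print "MISSING", key, plan[i]
    }'
}

# Demo on the constructed sample; on a device, pipe the real command instead:
#   wg show <interface> allowed-ips | audit_allowed_ips "172.16.10.2/32"
sample_allowed | audit_allowed_ips "172.16.10.2/32 192.168.14.0/24"
```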

Testing Configuration

To check the WireGuard tunnel connection and test it, open the Command Line Interface and log in.

Once in the Command Line, enter the following command:

    wg

If the latest handshake line is visible, it indicates that a connection between your devices has been successfully established. Furthermore, if the peer’s LAN subnet IP was added to the Allowed IPs section, you should also be able to ping devices within that subnet.
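
The same check can be scripted. The following is an added example, not part of the Teltonika page: it classifies peers from the output of `wg show <interface> latest-handshakes`, where a timestamp of 0 means no handshake has completed yet. The keys and timestamps are constructed, and the 180-second freshness limit is an assumption to tune for your own keepalive settings.

```shell
#!/bin/sh
# Added example: classify peers from `wg show <interface> latest-handshakes`.
# Each output line is: <peer public key><TAB><unix time of last handshake>.
# A timestamp of 0 means the peer has never completed a handshake, which is
# normal until one side actually sends traffic through the tunnel.

# Constructed sample (placeholder keys): one fresh, one stale, one never seen.
sample_handshakes() {
    printf '%s\t%s\n' 'PEER_A_KEY_PLACEHOLDER' 1700000000 \
                      'PEER_B_KEY_PLACEHOLDER' 1699990000 \
                      'PEER_C_KEY_PLACEHOLDER' 0
}

# handshake_status NOW MAX_AGE
# NOW is the current unix time and MAX_AGE the oldest acceptable handshake in
# seconds. Prints "<key> ok|stale <age>s" or "<key> never" per peer and
# returns 1 if any peer is stale or was never seen, 0 otherwise.
handshake_status() {
    awk -v now="$1" -v max="$2" '
    $2 == 0         { print $1, "never"; bad = 1; next }
    now - $2 > max  { print $1, "stale", now - $2 "s"; bad = 1; next }
                    { print $1, "ok", now - $2 "s" }
    END             { exit bad + 0 }'
}

# Demo on the constructed sample with a fixed clock; on a device, use:
#   wg show <interface> latest-handshakes | handshake_status "$(date +%s)" 180
sample_handshakes | handshake_status 1700000060 180 || true
```

A peer reported as never or stale on an otherwise correct configuration is often just idle; sending traffic to the peer's tunnel IP triggers a new handshake.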
