Step-by-step VyOS Wireguard Configuration

A step-by-step recipe for VyOS configuration.

Wireguard roadwarrior configuration

Since this is my home router, I want remote administration capabilities for while I’m travelling.

  1. First, generate a public/private key for the wireguard server to use. The server will store it’s private key, and the public key will be included in client devices to connect to this wireguard server.
     $ generate pki wireguard key-pair install interface wg01
     You are not in configure mode, commands to install manually from configure mode:
     set interfaces wireguard wg11 private-key 'eKGOqwZ07a7d9dlSWtydVQyqF1+44bJcgtp3JJrG6Fc=' (only stored on server)
     Corresponding public-key to use on peer system is: 'dAH7uVduQHnV6bAl7TVMEEdYT4xIzL8TubZScK+X/TM=' (stored on clients)
  2. Now, enter configure mode, and set the private key on the wireguard server.

     $ configure
     # set interfaces wireguard wg01 private-key 'eKGOqwZ07a7d9dlSWtydVQyqF1+44bJcgtp3JJrG6Fc='
  3. Pick a subnet/address range for the wireguard server to use to talk to it’s clients. My internal network is 10.10.x.x/16, so I’m going to use so it’s not conflicting. (And clients will use,, etc.). I’m using udp/51820 as the wireguard server port.
     # set interfaces wireguard wg01 address ''
     # set interfaces wireguard wg01 description 'remote admin'
     # set interfaces wireguard wg01 port '51820'
  4. Permit the wireguard server traffic through. Pick a rule number that is not already in use. If you’ve been following this guide you can use
     # set firewall name WAN_LOCAL rule 200 action 'accept'
     # set firewall name WAN_LOCAL rule 200 description 'Allow wg'
     # set firewall name WAN_LOCAL rule 200 destination port '51820'
     # set firewall name WAN_LOCAL rule 200 protocol 'udp'
  5. To configure a client/’peer’ device that is allowed to connect to this server, we need a (another) private/public key pair. The private key will only exist on the client (that’s how it identifies itself) and the public key will be stored on the server so it can uniquely identify this client. We’ll generate both of these on the server, for ease, but for better security you can obviously create this public/private key directly on the client and only transfer the public key to the server.
     # run generate pki wireguard key-pair
     Private key: qOs9mxFSLpBxeM7t8bx7EbDVrJj5DLxCN1HXiUQH8Vc=  (only stored on client)
     Public key: G4x3ZMaj4X2qp7yiBJaIZgCZaQJJx6fM6nFGY9fqGhY=  (stored on server)
  6. On the wireguard server, configure this peer that is allowed to connect. To do this, we specify a unique client name (justin, in this case), the IP it should use on the wireguard subnet (one that is not already assigned), the client’s public key, and save the configuration.

     # set interfaces wireguard wg01 peer justin allowed-ips ''
     # set interfaces wireguard wg01 peer justin public-key 'G4x3ZMaj4X2qp7yiBJaIZgCZaQJJx6fM6nFGY9fqGhY='
     # commit
     # save
  7. On the wireguard client, create the .conf file with the client’s private key, the address it should use on the wireguard subnet, which DNS server should be used while connected to the tunnel, along with the server’s public key, and hostname where the server can be found. Finally, we specify the IP range of the network on the other side of the VPN (the internal network subnet, in this case).

     PrivateKey = qOs9mxFSLpBxeM7t8bx7EbDVrJj5DLxCN1HXiUQH8Vc=
     Address =
     DNS =
     PublicKey = dAH7uVduQHnV6bAl7TVMEEdYT4xIzL8TubZScK+X/TM=
     Endpoint =
     AllowedIPs =
  8. Repeat steps 5-7 as needed, for additional clients.