Apr 072022
 April 7, 2022  Posted by at 9:48 am Uncategorized Tagged with: , ,  No Responses »

The commands vary depending on the version of VyOS. These instructions are for the rolling release 1.3.0

ssh to your router and start from the run terminal vyos@myGW:~$

and begin with generating keys

generate wireguard default-keypair

This creates the public and private keys that will automatically be used by wireguard /config/auth/wireguard/default/private.key and public.key

You can create the peer pub/priv keys on vyos or someplace else. If you do it on vyos follow these steps

sudo su -

wg genkey | tee /config/auth/wireguard/jason.privatekey | wg pubkey > /config/auth/wireguard/jason.publickey


Now enter the configuration mode of Vyos to setup a wireguard interface

vyos@myGW:~$ configure

set interfaces wireguard wg0 address
set interfaces wireguard wg0 port 51820
cat /config/auth/wireguard/jason.publickey


set interfaces wireguard wg0 peer jason pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=

set interfaces wireguard wg0 peer jason allowed-ips

set interfaces wireguard wg0 peer jason persistent-keepalive 15

commit; save

This is what the wireguard config should look like:

vyos@myGW# show interfaces wireguard

wireguard wg0 {
     peer jason {
         persistent-keepalive 15
         pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=
     port 51820

Open the port on the firewall
to allow wireguard traffic to reach the router.
modify the rule number so you don’t overwrite an existing rule.

set firewall name wan-local rule 60 description "allow wireguard"
set firewall name wan-local rule 60 action accept
set firewall name wan-local rule 60 destination port 51820
set firewall name wan-local rule 60 protocol udp

Now lets setup the client peer

run show wireguard keypairs pubkey default


cat /config/auth/wireguard/jason.privatekey

Create a text file on your peer like so:

Address =
PrivateKey = QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=

PublicKey = UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
Endpoint = [wireguard-server-ip-or-hostname]:51820
#AllowedIPs =, ::/0
AllowedIPs =,

PersistentKeepalive = 25

Save this file as something.conf
Connect to your new wireguard VPN with wg-quick (or whichever client you need)
sudo wg-quick /path/to/something.conf


Apr 242013
 April 24, 2013  Posted by at 1:37 pm security, Tutorial, Uncategorized 2 Responses »

UPDATE: The easiest way to do this is through the web interface (LuCI). System -> Administration -> SSH-Keys. Paste your public key (~/.ssh/id_rsa.pub) and click “Add key”

I’ve been using so many openwrt devices lately I wanted to setup my public ssh key on each device so I can auto login. Also, I can setup a really unfriendly password for the root account that is very secure and use my public key to authenticate. Convenient and secure? What a concept!!
Since this is dropbear and not openssh the typical ~/.ssh/authorized_keys file doesn’t work. Instead you need the authorized_keys file to be in /etc/dropbear/

This is how I do it quickly and efficiently.

Using the ssh-copy-id command to copy your public key to the remote devices authorized_keys. This is the same you would do to copy your public key to your server or such. Thanks to Sam for turning me onto this most valuable tool.

From your local user account (must have a public/private key, see ssh-keygen if you need to generate keys)

$ ssh-copy-id root@

enter current password, the following will display if you entered password correctly

Now try logging into the machine, with "ssh 'root@'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

now ssh to the device and move the authorized_keys to dropbear directory

$ ssh root@
root@'s password:
root@MyOpenWrt:~# mv /root/.ssh/authorized_keys /etc/dropbear/

verify the permissions are 600

root@MyOpenWrt:~# ls -l /etc/dropbear/
-rw-------    1 root     root          394 Apr 24 20:09 authorized_keys

logout and ssh back to This time it will ask for your ssh key passphrase instead of the root password. $ ssh root@
Enter passphrase for key ‘/home/jason/.ssh/id_rsa’:

If you would like to login without ssh asking for your passphrase you can use ssh-agent to store your identity. Use ssh-add to add to ssh-agent.

$ ssh-add
Enter passphrase for /home/jason/.ssh/id_rsa:

Now ssh to again, this time it doesn’t ask for a password!

$ ssh root@
BusyBox v1.15.3 (2011-11-24 00:44:20 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
|__| W I R E L E S S   F R E E D O M
Backfire (10.03.1, r29592) ------------------------
* 1/3 shot Kahlua    In a shot glass, layer Kahlua
* 1/3 shot Bailey's  on the bottom, then Bailey's,
* 1/3 shot Vodka     then Vodka.


You can also do this via the luci web interface. Its actually very easy. Copy your ~/.ssh/id_rsa.pub and paste it into “System” -> “Administration” -> “SSH-Keys” and then “Save & Apply”. Done