The commands vary depending on the version of VyOS. These instructions are for the rolling release 1.3.0.
SSH to your router and, starting from the operational-mode prompt vyos@myGW:~$,
begin by generating the router's key pair:
generate wireguard default-keypair
This creates the public and private keys that WireGuard will use automatically: /config/auth/wireguard/default/private.key and public.key.
You can create the peer's public/private key pair on VyOS or somewhere else. If you do it on VyOS, follow these steps:
sudo su -
wg genkey | tee /config/auth/wireguard/jason.privatekey | wg pubkey > /config/auth/wireguard/jason.publickey
exit
Now enter VyOS configuration mode to set up a WireGuard interface:
vyos@myGW:~$ configure
vyos@myGW#
set interfaces wireguard wg0 address 10.22.211.1/24
set interfaces wireguard wg0 port 51820
cat /config/auth/wireguard/jason.publickey
G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=
set interfaces wireguard wg0 peer jason pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=
set interfaces wireguard wg0 peer jason allowed-ips 10.22.211.10/32
set interfaces wireguard wg0 peer jason persistent-keepalive 15
commit; save
This is what the wireguard config should look like:
vyos@myGW# show interfaces wireguard
wireguard wg0 {
    address 10.22.211.1/24
    peer jason {
        allowed-ips 10.22.211.10/32
        persistent-keepalive 15
        pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=
    }
    port 51820
}
Open the port on the firewall so WireGuard traffic can reach the router. Change the rule number if needed so you don't overwrite an existing rule.
set firewall name wan-local rule 60 description "allow wireguard"
set firewall name wan-local rule 60 action accept
set firewall name wan-local rule 60 destination port 51820
set firewall name wan-local rule 60 protocol udp
Now let's set up the client peer. Fetch the router's public key and the peer's private key:
run show wireguard keypairs pubkey default
UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
cat /config/auth/wireguard/jason.privatekey
QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=
Create a text file on your peer like so:
[Interface]
Address = 10.22.211.10/32
PrivateKey = QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=

[Peer]
PublicKey = UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
Endpoint = [wireguard-server-ip-or-hostname]:51820
#AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 10.9.8.0/24, 10.254.245.0/24
PersistentKeepalive = 25
Save this file as something.conf.
Connect to your new WireGuard VPN with wg-quick (or whichever client you need):
sudo wg-quick up /path/to/something.conf
done;
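As an added sanity check (not part of the original walkthrough), this small Python script parses a wg-quick client file like the one above and compares it against the router-side values: key length, cryptokey-routing coverage in both directions, and the endpoint port. The endpoint hostname is a placeholder.

```python
import base64
import ipaddress
# Constructed sample: the client file from this walkthrough (placeholder endpoint),
# plus the router-side values that `show interfaces wireguard` printed.
CLIENT_CONF = """
[Interface]
Address = 10.22.211.10/32
PrivateKey = QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=
[Peer]
PublicKey = UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
Endpoint = vpn.example.invalid:51820
#AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 10.9.8.0/24, 10.254.245.0/24
PersistentKeepalive = 25
"""
ROUTER = {"address": "10.22.211.1/24", "port": 51820, "peer_allowed_ips": ["10.22.211.10/32"]}

def parse_conf(text):
    """Parse the INI-style wg-quick file into {section: {key: value}} (single peer)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def valid_key(b64):
    """A WireGuard key is 32 raw bytes encoded as 44 base64 characters."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False

def check(conf, router):
    """Return findings where the client file and router config disagree (empty = consistent)."""
    iface, peer, findings = conf["Interface"], conf["Peer"], []
    if not valid_key(iface["PrivateKey"]) or not valid_key(peer["PublicKey"]):
        findings.append("a key is not a 32-byte base64 value")
    client_ip = ipaddress.ip_interface(iface["Address"]).ip
    if not any(client_ip in ipaddress.ip_network(n) for n in router["peer_allowed_ips"]):
        findings.append("router peer allowed-ips does not cover the client Address")
    if int(peer["Endpoint"].rsplit(":", 1)[1]) != router["port"]:
        findings.append("Endpoint port differs from the wg0 listen port")
    router_ip = ipaddress.ip_interface(router["address"]).ip
    if not any(router_ip in ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")):
        findings.append("client AllowedIPs does not cover the router tunnel address")
    return findings
```

With the values above, the script reports that the client's AllowedIPs (the LAN networks) do not include the router's tunnel address 10.22.211.1; add 10.22.211.0/24 to AllowedIPs if you also want to reach the router itself over the tunnel.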