Wireguard - Setup Remote Access VPN (2024)

How to Setup a Wireguard Remote Access VPN

Here are instructions on how to set up a Remote Access VPN using the Built-In Wireguard capabilities of VergeOS. More information can be found in the Help section of the VergeOS User Interface.

Create the Wireguard Setup on your Internal Network

You can use an existing Internal Network or create a new Internal Network.

  1. In the VergeOS UI, navigate to Networks->Internals and View or double-click on the Internal Network that you want to use.

  2. In the left menu, click on Wireguard (VPN).

  3. Click on Add New Interface.

  4. Enter the Information below:

    • Enter a unique Name for this Interface
    • Enter a Description (optional)
    • Check Enabled
    • Enter the IP Address to be used for this Wireguard Internal Network. This must be separate from your existing Internal network IP scheme. For example: If your Internal Network is using 192.168.0.1/24, you must choose a different unique IP scheme like 192.168.255.1/24.
    • Enter the Listen Port to be used when connecting to the VPN (Default: 51820). This is the port that you will use on your External network to send VPN traffic into your Internal Network.
    • Enter a Private Key or leave it blank to Auto-generate a key.
    • Enter an Endpoint IP or leave it blank and the system will attempt to auto-detect the IP. We highly recommend you enter the IP manually to ensure the correct config. This IP is the External IP of your environment; usually it is the same IP as your UI. You can find your External IP by going to Networks->Externals and viewing your External network. In the Network Router section, it is the IP address shown for the router.
  5. Click Submit to add the new interface

  6. After adding the interface, you are taken to the dashboard, where you will see your new interface.

  7. Click Apply Rules on the left menu bar to apply the firewall rules. Here are the rules that it adds:

  • It automatically creates two firewall rules to accept inbound UDP traffic on port 51820 to both the Router IP and the DMZ IP of the Internal Network.

External Network PAT Rule

In order for the internal network to be connected, we need an external PAT (Port Address Translation) rule to translate the port (default 51820) to the internal network.


Add External PAT Rule

  1. From the External network Dashboard, Click Rules on the left menu.
  2. Click New on the left menu.
  3. Enter a Name that will be helpful to future administration.
  4. Optionally, a Description can be entered to record additional administration information.
  5. In the Action dropdown, select Translate.
  6. In the Protocol dropdown, select UDP.
  7. In the Direction dropdown, select Incoming.

Source:
8. In the Type dropdown, select Any/None. Optionally you can source-lock the VPN traffic here if you have that requirement.

Destination:
9. In the Type dropdown, select My Router IP. If you are inside of a Tenant, change this to My IP Addresses and choose the IP of the Tenant UI. This should be the same as the Endpoint IP used above. If you plan to use a different IP than the UI IP, we recommend that you create a SNAT rule on the External network. See below for instructions.
10. In the Destination Ports/Ranges field, enter the Port (Default Port is 51820)

Target:
11. In the Type dropdown, select Other Network DMZ IP.
12. In the Target Network dropdown, select the Target Network.
13. In the Target Ports/Ranges field, leave this blank.
14. Click Submit.
15. Click Apply Rules on the left menu to put the new rule into effect.


SNAT rule recommended if not using the UI IP

If you are adding Wireguard and you are not using the IP address of the UI, we recommend creating a SNAT rule on the External network.

  1. From the External network Dashboard, Click Rules on the left menu.
  2. Click New on the left menu.
  3. Enter a Name that will be helpful to future administration.
  4. Optionally, a Description can be entered to record additional administration information.
  5. In the Action dropdown, select Translate.
  6. In the Protocol dropdown, select UDP.
  7. In the Direction dropdown, select Outgoing.

Source:
8. In the Type dropdown, select Other Network DMZ IP.
9. In the Network dropdown, select the Internal Network that Wireguard is on.
10. In the Source Ports/Ranges field, leave this blank.

Destination:
11. In the Type dropdown, select Any / None.
12. In the Destination Ports/Ranges field, leave this blank.

Target:
13. In the Type dropdown, select My IP Addresses.
14. In the IP Address dropdown, select the IP address you want to use.
15. In the Target Ports/Ranges field, leave this blank.
16. Click Submit.
17. Click Apply Rules on the left menu to put the new rule into effect.

This SNAT rule is recommended to force any outgoing traffic coming from the DMZ IP of the internal network to use the correct IP instead. By default it will go out the IP of the UI and this can cause some flapping issues.
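The following is an added example, not VergeOS code and not its real rule engine: a small model of the two Translate rules this section and the previous one create (the inbound PAT rule and the outbound SNAT rule), run over a constructed WireGuard handshake packet and its reply. It assumes constructed documentation addresses (203.0.113.10 as the UI IP, 203.0.113.11 as a separate external IP used for the VPN, 10.255.0.2 as the Internal network's DMZ IP) and models the default behaviour the guide describes: without a SNAT rule, traffic leaving the DMZ IP goes out the UI IP, so the client receives replies from an address it never sent to.

```python
"""Toy model of the External-network PAT and SNAT rules from the guide.
Added example with constructed addresses; not VergeOS's implementation."""
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses (documentation ranges, not a real deployment)
UI_IP = "203.0.113.10"          # External "My Router IP", also the UI IP
VPN_IP = "203.0.113.11"         # a different External IP chosen for VPN traffic
INTERNAL_DMZ_IP = "10.255.0.2"  # DMZ IP of the Internal network hosting WireGuard (assumed)
WG_PORT = 51820                 # default WireGuard listen port from the guide
CLIENT_IP = "198.51.100.7"      # constructed remote user address


@dataclass(frozen=True)
class Packet:
    direction: str  # "incoming" (from the External side) or "outgoing"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class TranslateRule:
    """One Action=Translate rule; None means the Any/None type in the UI."""
    name: str
    direction: str
    proto: str
    source: Optional[str]
    destination: Optional[str]
    dest_port: Optional[int]
    target: str  # IP the packet is rewritten to


def rule_matches(rule: TranslateRule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and (rule.source is None or rule.source == pkt.src)
            and (rule.destination is None or rule.destination == pkt.dst)
            and (rule.dest_port is None or rule.dest_port == pkt.dport))


def apply_rules(pkt: Packet, rules):
    """First matching rule wins. Incoming rules rewrite the destination (PAT into
    the DMZ IP); outgoing rules rewrite the source (SNAT). With no outgoing
    match, the default egress described in the guide uses the UI IP."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if pkt.direction == "incoming":
                return replace(pkt, dst=rule.target), rule.name
            return replace(pkt, src=rule.target), rule.name
    if pkt.direction == "outgoing":
        return replace(pkt, src=UI_IP), "default-egress"
    return pkt, None


# The two rules built in the guide, for the "different IP than the UI IP" case
PAT_RULE = TranslateRule("wg-inbound-pat", "incoming", "udp",
                         None, VPN_IP, WG_PORT, INTERNAL_DMZ_IP)
SNAT_RULE = TranslateRule("wg-outbound-snat", "outgoing", "udp",
                          INTERNAL_DMZ_IP, None, None, VPN_IP)


def handshake_reply_source(rules):
    """Send one client packet in, let the DMZ IP answer, and report
    (address the client sent to, address the reply came from)."""
    inbound = Packet("incoming", "udp", CLIENT_IP, 40000, VPN_IP, WG_PORT)
    delivered, _ = apply_rules(inbound, rules)
    if delivered.dst != INTERNAL_DMZ_IP:
        return VPN_IP, None  # never reached WireGuard: no reply at all
    reply = Packet("outgoing", "udp", INTERNAL_DMZ_IP, WG_PORT, CLIENT_IP, 40000)
    egress, _ = apply_rules(reply, rules)
    return VPN_IP, egress.src


def endpoint_is_stable(rules) -> bool:
    """True when replies come from the same External IP the client used,
    which is what keeps the client's peer endpoint from flapping."""
    sent_to, came_from = handshake_reply_source(rules)
    return sent_to == came_from


if __name__ == "__main__":
    print("PAT only:     ", handshake_reply_source([PAT_RULE]))
    print("PAT + SNAT:   ", handshake_reply_source([PAT_RULE, SNAT_RULE]))
```

Running it shows the reply leaving from 203.0.113.10 (the UI IP) with only the PAT rule in place, and from 203.0.113.11 once the SNAT rule is added, which is the asymmetry the recommendation above avoids.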


Adding a Remote User Peer

You will set up a Peer for each User connecting to the VPN.

  1. From the Wireguard Interface screen, click Add new peer.

  2. Assign a Name to the peer, such as the remote user's name.

  3. Optionally, a Description can be entered to store additional information about this peer.

  4. Check the Auto-Generate Peer Configuration checkbox to automate settings and create a configuration file that can be used on the client.

  5. Enter the Endpoint for the Peer (the external-facing IP address, hostname, or URL this system will use to communicate with the peer). This can be left blank if the internal network will never be initiating traffic across the VPN (i.e. roaming client).

  6. For Allowed IPs, Enter the /32 IP for this peer.

  7. In the Configure Firewall dropdown, select Remote User.

  8. Click Submit to save the new peer entry.

  • This will create a Firewall rule to allow the Peer to connect through UDP on port 51820 to the Router IP on the Internal Network.
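As an added example (not VergeOS code; the UI performs these steps for you when Auto-Generate Peer Configuration is checked), here is a check of the address plan used in the interface steps above and in the peer steps just described, followed by the [Interface]/[Peer] text a server and a roaming client would carry for that plan. It uses the guide's example addressing (192.168.0.1/24 internal, 192.168.255.1/24 for Wireguard, port 51820), a constructed endpoint IP of 203.0.113.11, a constructed peer address of 192.168.255.10/32, and labelled placeholders in place of real key material. The client's AllowedIPs routing only the Internal and Wireguard networks through the tunnel is an assumption, not necessarily what the VergeOS-generated file contains.

```python
"""Validate a WireGuard remote-access address plan and render config text.
Added example with constructed values; not VergeOS's generated output."""
import ipaddress

# Constructed values mirroring the guide's example addressing
INTERNAL_NET = "192.168.0.1/24"   # existing Internal network router IP/prefix
WG_NET = "192.168.255.1/24"       # Wireguard interface IP, a separate scheme
ENDPOINT_IP = "203.0.113.11"      # External IP the PAT rule listens on (constructed)
LISTEN_PORT = 51820               # default listen port from the guide
PEER_IP = "192.168.255.10/32"     # the /32 entered as the peer's Allowed IPs
# Placeholders: real keys are generated by VergeOS (or `wg genkey | wg pubkey`)
SERVER_PRIVATE_KEY = "<server-private-key-base64-placeholder>"
SERVER_PUBLIC_KEY = "<server-public-key-base64-placeholder>"
PEER_PRIVATE_KEY = "<peer-private-key-base64-placeholder>"
PEER_PUBLIC_KEY = "<peer-public-key-base64-placeholder>"


def check_address_plan(internal_cidr, wg_cidr, peer_cidr, listen_port=LISTEN_PORT):
    """Return a list of problems; an empty list means the plan follows the guide."""
    problems = []
    internal = ipaddress.ip_interface(internal_cidr)
    wg = ipaddress.ip_interface(wg_cidr)
    peer = ipaddress.ip_interface(peer_cidr)
    # Interface step 4: the Wireguard scheme must be separate from the Internal one
    if internal.network.overlaps(wg.network):
        problems.append(f"Wireguard network {wg.network} overlaps Internal network {internal.network}")
    # Peer step 6: Allowed IPs is a single /32 host
    if peer.network.prefixlen != 32:
        problems.append(f"peer Allowed IPs {peer_cidr} must be a /32")
    # ...and that host must sit inside the Wireguard network, not the Internal one
    if peer.ip not in wg.network:
        problems.append(f"peer address {peer.ip} is outside the Wireguard network {wg.network}")
    elif peer.ip == wg.ip:
        problems.append(f"peer address {peer.ip} collides with the interface address")
    if not 1 <= listen_port <= 65535:
        problems.append(f"listen port {listen_port} is out of range")
    return problems


def render_server_config(wg_cidr=WG_NET, listen_port=LISTEN_PORT, peer_cidr=PEER_IP):
    """Server side: the Wireguard interface plus one [Peer] holding the user's /32."""
    peer_host = f"{ipaddress.ip_interface(peer_cidr).ip}/32"
    return (
        "[Interface]\n"
        f"Address = {wg_cidr}\n"
        f"ListenPort = {listen_port}\n"
        f"PrivateKey = {SERVER_PRIVATE_KEY}\n\n"
        "[Peer]\n"
        f"PublicKey = {PEER_PUBLIC_KEY}\n"
        f"AllowedIPs = {peer_host}\n"
    )


def render_client_config(internal_cidr=INTERNAL_NET, wg_cidr=WG_NET, peer_cidr=PEER_IP,
                         endpoint_ip=ENDPOINT_IP, listen_port=LISTEN_PORT):
    """Client side for a roaming user. AllowedIPs sends only the Internal and
    Wireguard networks into the tunnel (assumption; a full tunnel would use 0.0.0.0/0).
    The Endpoint is the External IP and port the PAT rule forwards to the DMZ IP."""
    routes = ", ".join(str(ipaddress.ip_interface(c).network) for c in (internal_cidr, wg_cidr))
    return (
        "[Interface]\n"
        f"Address = {peer_cidr}\n"
        f"PrivateKey = {PEER_PRIVATE_KEY}\n\n"
        "[Peer]\n"
        f"PublicKey = {SERVER_PUBLIC_KEY}\n"
        f"Endpoint = {endpoint_ip}:{listen_port}\n"
        f"AllowedIPs = {routes}\n"
        "PersistentKeepalive = 25\n"
    )


if __name__ == "__main__":
    issues = check_address_plan(INTERNAL_NET, WG_NET, PEER_IP)
    print("plan problems:", issues or "none")
    print(render_server_config())
    print(render_client_config())
```

Feeding the check an overlapping scheme such as 192.168.0.200/24 for the Wireguard interface, or a /24 instead of a /32 for the peer, returns the corresponding problem strings, which is the same mistake the guide warns against in step 4 and step 6.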

Download the Configuration File:

  1. Click the Download Config button on the peer record and select a location for the file; download to a location that will be accessible to the client computer or from which it can otherwise be transferred to the client.


Install WireGuard Software on Client:

WireGuard Client software can be downloaded from: https://wireguard.com/install . (In this example, we download and install WireGuard for Windows-64bit to use on a Windows 10 Pro machine.)


  1. Click Add Tunnel.
  2. Navigate to and select the generated configuration file.
  3. The configuration file is used to automatically create the interface and peer on the client machine. Click the Activate button to open the tunnel, if it was not automatically activated.

Need more Help? Email support@verge.io or call us at (855) 855-8300


Author: Moshe Kshlerin