WireGuard VPN from Windows to Vigor Router

WireGuard is a secure, fast, and modern VPN Protocol. A WireGuard VPN connection is made by exchanging public keys and intends to be considerably more performant than OpenVPN. We support the new VPN protocol on Vigor2962/3910 routers since firmware version 4.3.1. This article will show how to establish a WireGuard VPN tunnel between Vigor3910 and Smart VPN Client.

Vigor Router Setup :

1. Go to VPN and Remote Access >> WireGuard

  • Click Generate a Key Pair.
  • Enter WireGuard Interface IP.(We can use Vigor Router’s LAN IP as the WireGuard Interface IP)
  • Click OK to save.

2. Go to VPN and Remote Access >> Remote Dial-in User to create a profile.

  • Check Enable this account.
  • Check WireGuard as Dial-In Type.
  • Enter Username.
  • Assign a Static IP Address.
  • Click Client Config Generator.
  • Click Generate a key pair.
  • Click Generate for Pre-Shared Key(Optional).
  • Enter a Persistent Keepalive value. (By default, Persistent Keepalive is set 60 seconds on Vigor Router. We recommend remaining in this setting when your peer is behind a NAT or a firewall.)
  • Enter VPN server's IP or Domain Name.
  • Check Set VPN as Default Gateway(Optional).
  • Click Download Client Config to download the .conf file.
  • Click Apply to Profile & Close.
  • Click OK to save the profile.
VPN Client Setup(SmartVPN Client v5.6.3) :

0. Click here to download WireGuard client, then install it. Wireguard VPN would not work on SmartVPN Client if we did not install primeval Windows Wirguard Client on the PC.

1. Open the SmartVPN Client.

  • Click Add to create a new profile.
  • Select WireGuard for the Type.
  • Paste the correct file path and click Import.
  • Click OK to save.

2. Select the profile created on step1. Then click Connect to activate the tunnel.

3. Ping a remote network IP(e.g.,Vigor3910’s LAN IP) to establish the VPN connection and check if the VPN works correctly.

VPN Client Setup(WireGuard Client) :

0. Click here to download WireGuard client, then install it.

1. Open WireGuard Client.

  • Click Add Tunnel.
  • Choose the .conf file downloaded from the VPN server.
  • Choose this profile and click Activate.

Now the status shows "Active".

Ping a remote network IP(e.g.,Vigor3910’s LAN IP) to establish the VPN connection and check if the VPN works correctly.

We can also check the VPN connection status in Router’s VPN Connection Status page.

WireGuard VPN from Windows to Vigor2136
Vigor Router Setup

1.Activate WireGuard VPN service via VPN/ General Setup/Wireguard

  • Switch on the Enabled tab.
  • Listen Port 51820; can change to a different port if needed
  • Default Key Pairs

  • Click Generate to generate the Private Key.
  • The Key Pairs in the General Setup are for the Vigor Router. The peer WireGuard VPN clients need the Vigor Router’s Public Key to create the WireGuard VPN profile.

    Listen on Interface Settings

    This setting specifies which WAN will accept VPN connections. Options are All Interfaces or Specified Interface.

  • Click +Add to select the required WAN interface.
  • Select Wireguard for Allowed VPN Protocol
  • VPN Access List Setting

    Select the required VPN access control mode. By default, the Vigor router allows all IP connections. To allow or disallow specific IP addresses, use the Block List mode or Allow List mode.

    Brute Force Protection Settings

    Specify the maximum number of failed VPN login attempts and the period for blocking access after reaching the threshold.

    2. Teleworker VPN Settings

    Go to VPN / Teleworker VPN to create the Teleworker VPN profile for the VPN client.

    Click on +Add to add a new profile,

  • Enter the username
  • Select IAM User for Usage
  • Enter the password
  • In the Teleworker VPN tab:

  • Switch On Enable Teleworker VPN
  • Modify the Idle Timeout to 0 to avoid VPN disconnection due to idle
  • Select the VPN Schedule
  • Under Allowed VPN Protocols, Switch on Enable WireGuard

    WireGuard VPN Settings

  • Public Key: The Public Key here is the WireGuard VPN Client’s Public Key. The admin needs to ask the client user to provide the Public Key by the WireGuard VPN client >> Add Tunnel >> Add empty tunnel and enter the Public here.
  • Pre-Shared Key: Click Generate to generate the Pre-Shared Key.
  • Persistent Keepalive: 60 seconds
  • Local IP Assignment Setting

    WireGuard VPN protocol doesn’t contain the IP assignment function. Enter the Static IP for the WireGuard VPN client manually.

  • Apply to save the Teleworker VPN profile.
  • WireGuard VPN Client Setup

    1. Download and install the WireGuard VPN client.

    2. Click Add Tunnel >> Add empty tunnel. The client will generate a Public Key and a Private Key for this VPN profile.

    3. Edit the other settings to the profile manually, then save it.

    [Interface] means the WireGuard VPN client settings.

    Address is the static IP the VPN server configured for the client.

    DNS is the specified DNS server IP

    MTU is the MTU of this Wireguard VPN connection.

    [Peer] means the WireGuard VPN server.

    Peer Public Key is the Public Key of the Vigor2136. It can be found in VPN General Setup page, VPN Server Setup step 1.

    Peer PresharedKey is the PresharedKey setting in the Teleworker VPN profile, VPN server Setup step 2.

    AllowedIPs is the network the WireGuard VPN client can access. Add 0.0.0.0/1, 128.0.0.0/1 if the user wants to use the WireGuard VPN as default gateway.

    Endpoint is the WireGuard VPN server’s IP or Domain name.

    4. Activate the WireGuard VPN.

    Ping an IP in the remote VPN netwok to ensure the WireGuard connection work.

    5. Export the VPN profile from the WireGuard VPN client as a Backup.

    6. We can import the WireGuard VPN profile to Smart VPN Client if needed.

    Published On: 2022-01-17 

    Was this helpful?