Prerequisites:
- Key type x25519 on both sides of the WireGuard connection
- The public x25519 key of the respective remote terminal is available

Add key
1. Open the key management under → Authentication → Key and click the Add key button
2. Assign a unique name and select X25519 as the type
3. Close the dialog with the Save button

Export key (Screenshot: Key management)
    PEM: exports the key in .pem format
    Use clipboard (new as of v12.2.3)
        PEM: copies the key in .pem format to the clipboard

Import key
    Import key: opens the key import dialog
        File: imports the key from a .pem file
        Clipboard: imports a key from the clipboard. A name for the key must be assigned here.

Create WireGuard connection
- A WireGuard connection can provide access for multiple peers if necessary
- Each connection is secured with its own key pair
- All peers of a connection use its public key
- Each peer needs its own key pair for authentication. In addition, each peer should be secured with a strong PSK.
Assume the following configuration:

Site to Site (S2S):

                     | Location A         | Location B         | Transfer net
FQDN                 | a.vpn.anyideas.de  | b.vpn.anyideas.de  | –
Local network IPv4   | 10.1.0.0/16        | 10.2.0.0/16        | 10.0.1.0/24
Local tunnel IPv4    | 10.0.1.1/24        | 10.0.1.2/24        | –
Local network IPv6   | fd00:a:0:0::0/64   | fd00:b:0:0::0/64   | fd00:0:0:0::0/64
Local tunnel IPv6    | fd00:0:0:0::1/64   | fd00:0:0:0::2/64   | –

Roadwarrior:

                     | UTM                | Roadwarrior        | Transfer net
FQDN                 | a.vpn.anyideas.de  | –                  | –
Local network IPv4   | 10.1.0.0/16        | –                  | 10.0.1.0/24
Local tunnel IPv4    | 10.0.1.1/24        | 10.0.1.201/24      | –
Local network IPv6   | fd00:a:0:0::0/64   | –                  | fd00:0:0:0::0/64
Local tunnel IPv6    | fd00:0:0:0::1/64   | fd00:0:0:0::C9/64  | –
Configuration at location A
Start the assistant with the button Add WireGuard Connection

Step 1 - Interface (Screenshot: WireGuard assistant - Step 1)

Interface: wg0
    Name of the interface that will be created for the connection (automatic default, cannot be changed)
Name: wg_server
    Unique name for the connection
IPv4 address: 10.0.1.1/24
    IPv4 address for the network interface of the transfer network at location A. This determines the network IP of the transfer net (here: 10.0.1.1/24)
IPv6 address: fd00:0:0:0::1/64
    IPv6 address for the network interface of the transfer network at location A (optional). This determines the network IP of the transfer net (here: fd00:0:0:0::1/64)
Listening Port: 51820
    Default port for WireGuard connections
Private key: x25519_a.vpn
    Private key in x25519 format. Only keys that also have a private key part can be selected.
    If there is no local key in x25519 format yet, the adjacent button can be used to generate one.

Step 2 - Peer (Screenshot: WireGuard assistant - Step 2)

Name: peer-b
    Description of the remote terminal
Allowed IPs: 10.2.0.0/16, fd00:b:0:0::/64
    Local network IPs of the remote terminal
Endpoint: b.vpn.anyideas.de:51820
    Public IP, or an FQDN resolvable in public DNS, with the listening port of the remote terminal.
    Not required if only the remote terminal initiates the connection
Public key: x25519_b_vpn
    Public key of the remote terminal (here: Location B) in x25519 format. Only keys that have no private key can be selected.
    Public key present but not selectable?
    Only keys for which there is not yet a connection on this interface can be selected. The public key must be unique within a connection, because incoming packets are routed by it. If the same public key is to be used for a second peer, e.g. as a fallback, another WireGuard connection must be created for this.
    If the public key of the remote terminal is not yet known, the adjacent button opens the import dialog of the key management.
    New as of v12.2.3: export and import of the keys is also possible via the clipboard
Pre-Shared Key: …8DmBioPyPNqZ7Rk=
    Pre-shared key for further securing the connection (optional)
    Generate button: generates a very strong pre-shared key
    The pre-shared key must be identical at both ends of the VPN connection!
    New as of v12.2.5: a button copies the PSK to the clipboard
Keepalive: Off
    Regularly sends a signal. This keeps connections open on NAT routers. Activation (On) is recommended.
    25: interval in seconds at which the signal is sent

Step 3 - General (Screenshot: WireGuard assistant - Step 3)

Create routes to the peer's networks: No
    Activation (On) is recommended. Routes are created to the networks / hosts that were entered in step 2 under Allowed IPs, with the interface displayed in step 1 as the gateway.
Generate zones: No
    Generates a new zone for the WireGuard port
Generate network objects for peer: No (suggestion: net-wg-peer-b)
    When enabled (Yes), creates network objects (IPv4 and, if necessary, IPv6) for the remote terminal. The automatic suggestion can also be changed.
Generate rules between peer and internal networks: No
    Generates autogenerated rules that facilitate the initial setup.
    It is essential to replace these rules with your own rules that allow only the necessary services with the necessary network objects.
Configuration at location B
Start the assistant with the button Add WireGuard Connection

Step 1 - Interface (Screenshot: WireGuard assistant - Step 1)

Interface: wg0
    Name of the interface that will be created for the connection (automatic default, cannot be changed)
Name: wg_server
    Unique name for the connection
IPv4 address: 10.0.1.2/24 (correction 06/2022)
    IPv4 address for the network interface of the transfer network at location B. Here you have to select an IP from the network that was set at location A (here: 10.0.1.2/24)
IPv6 address: fd00:0:0:0::2/64 (correction 06/2022)
    IPv6 address for the network interface of the transfer network at location B (optional). Here you have to choose an IP from the network that was defined at location A (here: fd00:0:0:0::2/64)
Listening Port: 51820
    Default port for WireGuard connections
Private key: x25519_a.vpn
    Private key in x25519 format. Only keys that also have a private key part can be selected.
    The public key was already needed at location A, hence there should already be a private key. If necessary, it can also be imported via the clipboard (new).

Step 2 - Peer (Screenshot: WireGuard assistant - Step 2)

Name: peer-a
    Description of the remote terminal (here: Location A)
Allowed IPs: 10.1.0.0/16, fd00:a:0:0::/64 (correction 06/2022)
    Local network IPs of the remote terminal (here: Location A)
Endpoint: a.vpn.anyideas.de:51820
    Public IP, or an FQDN resolvable in public DNS, with the listening port of the remote terminal (here: Location A).
    Not required if only the remote terminal (here: Location A) initiates the connection
Public key: x25519_a_vpn
    Public key of the remote terminal (here: Location A) in x25519 format. Only keys that have no private key can be selected.
    If the public key of the remote terminal is not yet known, the adjacent button opens the import dialog of the key management.
Pre-Shared Key: …R0Z0DWUs+iCDFYzpP4=
    Pre-shared key for further securing the connection (optional)
    Generate button: generates a very strong pre-shared key
    The pre-shared key must be identical at both ends of the VPN connection!
    New as of v12.2.5: a button copies the PSK to the clipboard
Keepalive: Off
    Regularly sends a signal. This keeps connections open on NAT routers. Activation (On) is recommended.
    25: interval in seconds at which the signal is sent

Step 3 - General (Screenshot: WireGuard assistant - Step 3)

Create routes to the peer's networks: No
    Activation (On) is recommended. Routes are created to the networks / hosts that were entered in step 2 under Allowed IPs, with the interface displayed in step 1 as the gateway.
Generate zones: No
    Generates a new zone for the WireGuard port
Generate network objects for peer: No (suggestion: net-wg-peer-a)
    When enabled (Yes), creates network objects (IPv4 and, if necessary, IPv6) for the remote terminal. The automatic suggestion can also be changed.
Generate rules between peer and internal networks: No
    Generates autogenerated rules that facilitate the initial setup.
    It is essential to replace these rules with your own rules that allow only the necessary services with the necessary network objects.
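As an added example (not Securepoint's code or configuration), the two sides of the site-to-site table above are rendered as plain WireGuard configurations and cross-checked the way the assistant steps require: identical PSK on both ends, each side's Allowed IPs equal to the other side's local networks, and both tunnel addresses inside the same transfer net. The key and PSK strings are placeholders, since the page shows no usable key material.

```python
import ipaddress
# Constructed from the site-to-site table on this page; keys and PSK are placeholders.
LOCATION_A = {
    "name": "peer-a", "fqdn": "a.vpn.anyideas.de", "port": 51820,
    "tunnel": ["10.0.1.1/24", "fd00:0:0:0::1/64"],
    "networks": ["10.1.0.0/16", "fd00:a:0:0::/64"],     # own local networks
    "allowed_ips": ["10.2.0.0/16", "fd00:b:0:0::/64"],  # Step 2 "Allowed IPs", typed by hand
    "private_key": "<PRIVATE_KEY_A>", "public_key": "<PUBLIC_KEY_A>",
    "psk": "<PSK>", "keepalive": 25,                    # page default is Off; On is recommended
}
LOCATION_B = {
    "name": "peer-b", "fqdn": "b.vpn.anyideas.de", "port": 51820,
    "tunnel": ["10.0.1.2/24", "fd00:0:0:0::2/64"],
    "networks": ["10.2.0.0/16", "fd00:b:0:0::/64"],
    "allowed_ips": ["10.1.0.0/16", "fd00:a:0:0::/64"],
    "private_key": "<PRIVATE_KEY_B>", "public_key": "<PUBLIC_KEY_B>",
    "psk": "<PSK>", "keepalive": 25,
}

def build_conf(local, remote):
    # Render the WireGuard config for `local` with `remote` as its single peer.
    lines = ["[Interface]",
             f"Address = {', '.join(local['tunnel'])}",
             f"ListenPort = {local['port']}",
             f"PrivateKey = {local['private_key']}",
             "", f"# {remote['name']}", "[Peer]",
             f"PublicKey = {remote['public_key']}",
             f"PresharedKey = {local['psk']}",
             f"AllowedIPs = {', '.join(local['allowed_ips'])}",
             f"Endpoint = {remote['fqdn']}:{remote['port']}"]
    if local["keepalive"]:
        lines.append(f"PersistentKeepalive = {local['keepalive']}")
    return "\n".join(lines) + "\n"

def check_pair(a, b):
    # Return the mismatches that would make the tunnel fail or route nothing.
    issues = []
    if a["psk"] != b["psk"]:
        issues.append("pre-shared key differs between the two ends")
    for me, peer in ((a, b), (b, a)):
        # Cryptokey routing: traffic for a remote network is only sent to, and accepted
        # from, the peer whose AllowedIPs cover it, so they must match the peer's networks.
        mine = {ipaddress.ip_network(n) for n in me["allowed_ips"]}
        theirs = {ipaddress.ip_network(n) for n in peer["networks"]}
        if mine != theirs:
            issues.append(f"{me['name']}: Allowed IPs {sorted(map(str, mine))} "
                          f"do not match {peer['name']} networks {sorted(map(str, theirs))}")
        for t_me, t_peer in zip(me["tunnel"], peer["tunnel"]):  # same transfer net per family
            if ipaddress.ip_interface(t_me).network != ipaddress.ip_interface(t_peer).network:
                issues.append(f"{me['name']}: {t_me} is not in the transfer net of {t_peer}")
    return issues
```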
Fritzbox as remote terminal
If third-party hardware is used as the remote terminal, the following approach is recommended:
1. Create a key pair for the Fritzbox (→ Authentication → Key)
2. Export the public and private part of the key in .raw format
3. Delete the key pair for the Fritzbox and re-import only the public part
4. Add the WireGuard connection as described above
5. Export the public key of the UTM in .raw format
6. Complete the template below and add it to the Fritzbox under Internet / Shares / VPN tab / Add VPN connection button / Import a WireGuard connection option