WireGuard VPN on an EdgeRouter


For a long time, I relied on a PPTP VPN tunnel to connect my Android 11 phone to my local network over the internet effortlessly. This built-in feature in Android proved to be handy, especially since it seamlessly operated behind the NAT of my cell phone carrier. However, my experience took a turn when I upgraded to Android 13; suddenly, the support for PPTP and L2TP vanished, a change introduced since Android 12. This left me in search of an alternative VPN solution, and that’s when I discovered WireGuard VPN. In this guide, I’ll walk you through the steps of configuring my EdgeRouter and various client devices to work smoothly with WireGuard VPN.


Let me outline my existing setup for clarity. The EdgeRouter is directly linked to the internet via port eth0, while my Local Area Network (LAN) is accessible through eth1, operating within the IP range of Notably, all peers, whether on 4G, 5G, DSL, or any other network, are positioned behind Network Address Translation (NAT).

Download/Install WireGuard

To get started, access your EdgeRouter through SSH. Once logged in, download the appropriate WireGuard installation file tailored for your specific EdgeRouter model. In my case, the EdgeRouter 4P, i’ll be using the E300 (v2) installation package. Since EdgeRouters vary in architecture, it’s important to find the correct package to ensure compatibility.

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb

Install the package

sudo dpkg -i e300-v2-v1.0.20220627-v1.0.20210914.deb

Configure WireGuard

The initial step in configuring WireGuard involves generating private and public keys.

It’s essential to understand the fundamental principle: your private key must be kept confidential. From this private key, the corresponding public key is derived. This public key is then shared exclusively with client peers intending to establish a connection with the WireGuard server. It is paramount never to disclose your private key, as it has the capability to generate new public keys.

wg genkey | tee /config/auth/private_key | wg pubkey >  public_key

Following key generation, the next step involves entering configuration mode. Here, you create the WireGuard wg0 interface and specify your private key. For this setup, I’ve opted for the IP address for my wg0 interface. However, you have the flexibility to modify it according to your preferences.


set interfaces wireguard wg0 address
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key /config/auth/private_key

In the configuration process, the IP address and listening port of the wg0 interface are initially assigned. Following this, routing over the wg0 interface is permitted, allowing communication from your LAN or other peers. Additionally, the location of your private key is specified to ensure secure connections.

Subsequently, firewall rules are created to allow WireGuard traffic, ensuring communication from the internet.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 description 'WireGuard'
set firewall name WAN_LOCAL rule 30 destination port 51820

Here we create a new rule (30 in this instance) designed to accept UDP traffic to WAN_LOCAL. This rule specifically targets traffic destined for the EdgeRouter itself on port 51820, allowing communication destined to the EdgeRouter from the internet.

Upon completion of these configurations, the final step involves committing the changes and saving the settings. This action solidifies the setup, making certain that all adjustments are applied and your WireGuard VPN operates securely and efficiently.


With the EdgeRouter now successfully configured, the next step is setting up various clients to connect to the WireGuard server.

Android Client

To set up the Android client, begin by downloading the WireGuard application from the Google Play Store. Once installed, launch the WireGuard app and locate the plus sign (+) situated in the bottom right corner. From there, choose the Create from scratch option to proceed with the configuration.

This step involves creating the WireGuard interface on your Android device. Certain fields need to be populated, although not all of them are mandatory for the process to proceed.

Required fields:

  • Name
    • Give the interface (tunnel) a name. Can be whatever you like
  • Private key
    • This is where we generate our private and public key.
    • Click the refresh icon the right of the Private key field
    • Now both the private and public fields are populated
    • Copy the public key (or write it down). We’re going to need that on the EdgeRouter
  • Addresses
    • This is where we enter our assigned IP address
    • I have selected to use as my IP address
    • With a mask of /32 because i just need one IP address (not a range)

Some optional fields that are worth mentioning include:

  • DNS servers
    • Add your DNS server of the EdgeRouter (eg to be able to resolve local domain names (have left that empty)
  • All Application
    • Here you can select which Android apps can use the WireGuard tunnel (have left that empty)

At this stage, we need to configure the EdgeRouter to recognize the newly created client peer. Recall the public key you were instructed to write down earlier. We will utilize this key to establish a WireGuard client peer on the EdgeRouter. To initiate this process, log in to the EdgeRouter via SSH and execute the following commands.


set interfaces wireguard wg0 peer VMz6Go/hGoO6t8YGlBI7t+7FIgYbFxY98lpNuELYQUQ= description Android
set interfaces wireguard wg0 peer VMz6Go/hGoO6t8YGlBI7t+7FIgYbFxY98lpNuELYQUQ= allowed-ips


Allow me to provide some context for these instructions. Initially, a peer is established on the existing wg0 interface. This peer is identified and authorized via its unique public key, such as VMz6Go/hGoO6t8YGlBI7t+7FIgYbFxY98lpNuELYQUQ= in the example above. It’s important to replace it with your own public key, which you obtained from your Android phone. Furthermore, the WireGuard server is configured to permit traffic destined for the specific IP address to traverse this tunnel (peer).

With the interface created and the EdgeRouter configured, the next step is to add the peer on your Android device. This step involves clicking on the Add peer option, where you will input all the necessary information about the WireGuard server you intend to connect to.

Here, you’ll enter the information previously configured on the EdgeRouter. Certain fields need to be filled out, although not all of them are mandatory for the setup to progress.

Required fields:

  • Public key
    • This is the public key we’ve generated on the EdgeRouter
    • Just do a “cat public_key” on the EdgeRouter if you haven’t written it down yet
  • Persistent keepalive
    • I wanted the tunnel to always be active, so i added 25 here (optional)
  • Endpoint
    • This is the public IP address or domain name of your EdgeRouter
    • Followed by :51820 as the port number
  • Allowed IPs
    • Here we define which IP addresses are allowed to transverse the tunnel
    • for the whole (WireGuard) network
    • for my local LAN network
    • Add more IP addresses if you’d like, separated by a comma

Following the configuration steps, your setup on the Android device should resemble something similar to this.

Once you have entered the necessary details, click the save icon, and your WireGuard tunnel should be operational and ready for use.

Ubuntu/Debian Client

On Ubuntu/Debian systems, the installation process aligns closely with the steps outlined for Android. After installing the WireGuard package, open the WireGuard configuration, add a new peer, and input the EdgeRouter configuration details.

Apt update and upgrade

sudo apt update && sudo apt upgrade -y

Install WireGuard

sudo apt install wireguard

Generate private and public key

wg genkey | tee private_key | wg pubkey > public_key

Show the public key

cat public_key

Copy the public key and utilize it to create an additional WireGuard peer on the EdgeRouter. Proceed by logging into the EdgeRouter via SSH and input the following commands to establish the new peer.


set interfaces wireguard wg0 peer 7ef0Kcmay2u6hkxzzHJKCjvKdZ4wA5gt4nnCYM00R08= description Ubuntu
set interfaces wireguard wg0 peer 7ef0Kcmay2u6hkxzzHJKCjvKdZ4wA5gt4nnCYM00R08= allowed-ips


Once again, a new peer is created on the existing wg0 interface. This peer is recognized and authenticated by its public key, for instance, 7ef0Kcmay2u6hkxzzHJKCjvKdZ4wA5gt4nnCYM00R08= in the example above. Replace that with your own public key, previously copied from your Ubuntu/Debian PC and specify a description for this peer. (Ubuntu or whatever you like to name it)

The second line inform the WireGuard server that traffic directed to should pass through this tunnel. The /32 mask is used because the peer (client) is utilizing only one IP address. If you plan to set up a site-to-site tunnel (although not covered in this tutorial), a larger mask, like /24, would be more appropriate. (254 IP addresses available)

To continue the configuration of the WireGuard client peer on Ubuntu/Debian, you’ll require your private key.

cat private_key

Copy the private key and create configuration file

sudo nano /etc/wireguard/wg0.conf

Paste this

Address =
PrivateKey = <client private_key>

PublicKey = <server public_key>
Endpoint = your.domain.com:51820
AllowedIPs =,
PersistentKeepalive = 25

Let me explain further. In the configuration file, the Address field designates the IP address assigned to the wg0 interface, and <client private_key> represents the private key you have just copied.

Within the [Peer] section, you provide the details necessary to establish a connection with the WireGuard server. <server public_key> corresponds to the public key of the WireGuard server, which can be obtained by using the cat public_key command on the EdgeRouter if you haven’t saved it. The Endpoint field specifies the domain name or IP address to which the client will connect. AllowedIPs enumerates the IP addresses permitted to traverse the tunnel. The inclusion of PersistentKeepalive ensures the tunnel remains active continuously, although it is an optional parameter.

Once the configuration file is complete, save and exit the file. Proceed to test the connection to confirm the tunnel is working.

# Bring up the WireGuard tunnel
wg-quick up wg0

# Show active connections
sudo wg show

# Ping the WireGuard server

# Bring down the WireGuard tunnel
wg-quick down wg0

If you receive a ping response, it indicates the successful operation of the tunnel. Additionally, you can test the routing functionality by pinging the client’s IP from your LAN. Once you are satisfied with the configuration and both tests are successful, you can enable the WireGuard service to start automatically during system startup. This ensures your WireGuard VPN connection is enabled at startup.

sudo systemctl enable wg-quick@wg0

Alternative Configuration Methods

While the previous configuration steps mandated manual entry of CLI commands, Christoph Loesch developed a WireGuard GUI specifically tailored for the EdgeRouter.

WireGuard GUI

The WireGuard GUI, accessible via the EdgeRouter’s web interface, functions as a wizard to configure WireGuard and its peers. While my preference lies in manual CLI configuration, this GUI proves valuable, especially for tasks like scanning peer QR codes and querying connected WireGuard peers. Its convenience becomes apparent in scenarios requiring quick and visual management of WireGuard setups.

Git clone the latest WireGuard ER Wizard on your PC

git clone https://github.com/vchrizz/ER-wizard-WireGuard.git

And tar archive three files

cd ER-wizard-WireGuard.git
tar -cvf wireguard.tar validator.json wizard.html wizard-run

Access the EdgeRouter’s web interface and navigate to the Wizards tab. Within the Feature Wizards section on the left, click the plus sign (+) to install the WireGuard GUI. Enter WireGuard as the Wizard Name and select the previously created wireguard.tar file under Wizard Files and click on Save.

Upon successful installation, you’ll notice that many WireGuard server configuration options are automatically populated based on the CLI commands we previously entered. However, a few useful common options are missing and can be found under the Peer common options header.

  • Peer allowed ips
    • These are the IP’s that are allowed to transverse the tunnel
  • Peers remote endpoint
    • This is the common endpoint for you peers (eg your.domain.com:51820)

As the name suggests, these settings are universal and apply to all peers, eliminating the need for individual specifications for each peer.

For demonstration purposes, in the example below no peers have been configured yet. If you wish to add a peer, click on Add Peer. In this step, you’ll need to fill in a few obligatory fields:

  • Description
    • Give your peer a name (eg Android)
  • Under Allowed IPs click Add IP
    • Enter the IP address you want to manually assign to the peer (eg
  • Keepalive
    • Set keepalive to 25 (seconds) to keep the tunnel alive
  • Then under Client config QR click on Generate config
    • This will generate the private and public key

For Android users using the WireGuard app, simply scan the QR code to import the tunnel configuration. If you’re using a different client on a PC, whether Linux, Windows or Mac, you can click Download Client Configuration. This file contains all the necessary details to establish a connection with the WireGuard server.


If you like my work, please consider supporting.