Setting Up a WireGuard Connection (Responder)


This configuration guide shows you how to configure a WireGuard connection established by the remote station.

Situation

An encrypted WireGuard connection is to be established to a remote peer (remote station) that is connected to the Internet. The parameters required for the connection are defined by a WireGuard configuration file. The router should not establish a connection to the remote station, i.e. it should not act as the initiator, but as the responder. The public key of the remote station is known. The router can be reached via a public IP address or domain on the internet.

Router as Initiator!

See this Configuration Guide for a WireGuard connection with the router acting as Initiator.

Solution

It is assumed that you have access to the router's user interface and that the router has been configured for a WAN connection using the Startup Wizard from the basic settings. The following figure shows the network topology used for this example:

Please note regarding the addresses used!

All addresses are exemplary for the present example and must be adjusted to your application.

Configuration of the router

For a WireGuard connection, you must first configure your own endpoint (the local WireGuard interface) and then the remote stations (peers) that are permitted to connect to it.

  1. Open the user interface of the router: https://insys.icom

  2. Add a new WireGuard interface.
    On the Network → Interfaces page, click on the add icon under WireGuard and configure as follows:

    • Description: Local WireGuard Peer

    • Private key: click on Generate new key pair; a new key pair is generated and entered

      Please note the following regarding the keys!

      A key pair consists of a private key and an associated public key. The private key never leaves the router; the public key must be communicated to the peer (remote station) of the WireGuard connection. The peer uses this public key to identify and authenticate the router during the handshake and to encrypt the WireGuard packets addressed to it; only the holder of the matching private key can complete the handshake.

    • Local tunnel address / Netmask: 10.0.0.1/24

    • Accept incoming connections on port: 51820

      Please note regarding the port!

      The port entered here must match the Endpoint port configured at the peer, because this is the port on which the router listens for the peer's handshake packets. 51820 is the standard WireGuard port, but another port can also be used. As the responder, the router needs a fixed listen port: if no port is specified, it is assigned randomly and the peer cannot establish a WireGuard connection without knowing it. The matching firewall rule for this port is added in step 13.

  3. Add a new WireGuard peer.
    In the WireGuard peers section, click on the add icon and configure as follows:

    • Description: Remote WireGuard Peer

    • Public key: enter the public key of the peer here

    • Allowed IP addresses: 0.0.0.0/0  

      Please note regarding the allowed IP addresses!

      Enter all addresses in CIDR format that are permitted to send and receive data via this WireGuard tunnel. This is WireGuard's cryptokey routing: packets arriving from this peer with a source address outside this list are dropped, and packets to these destinations are routed into the tunnel to this peer. Multiple addresses must be separated by commas. The catch-all addresses 0.0.0.0/0 for all IPv4 addresses and ::/0 for all IPv6 addresses permit all addresses via the respective protocol. The catch-all is used here to keep the example short; in production, restrict the list to the peer's tunnel address (e.g. 10.0.0.2/32) and the networks behind it, so that a compromised peer can only inject packets with the source addresses assigned to it.

    • Endpoint / Port: can be left empty here, because the router acts as the responder and learns the peer's current address from the incoming handshake; if an endpoint is entered, the router also attempts to reach the peer there, and the endpoint port must then be identical to the listen port configured at the peer

    • Pre-shared key: can be entered optionally in base64 format; it is mixed into the handshake as an additional symmetric secret (a safeguard against future attacks on the Curve25519 key exchange) and must be configured identically at the peer end, otherwise the handshake fails

    • Keep-alive interval: can be entered optionally in seconds; authenticated empty packets are then sent to the peer at this interval to keep the mapping in a stateful firewall or NAT alive; it is normally needed on the side behind the NAT, i.e. on the peer in this example (typically 25 seconds); if this value is empty or configured to 0 (zero), this function is disabled

  4. Click on SUBMIT.

  5. Add a new Firewall rule that permits packets through the WireGuard tunnel to the router.
    On the Network → Firewall / NAT page, click on the add icon under IP filter and configure as follows:

    • Description: Traffic through the WireGuard tunnel to the router - in

    • Packet direction: INPUT

    • IP version: All

    • Protocol: All

    • Incoming interface: wg1

    • Sender IP address / Netmask:

      Please note regarding the firewall rules!

      The rules in this example allow more than necessary while still maintaining a high level of security. You can restrict them further to the traffic that is strictly required for your application and thereby increase security further.

  6. Click on SUBMIT.

  7. Add a new Firewall rule that permits packets through the WireGuard tunnel from the router.
    On the Network → Firewall / NAT page, click on the add icon under IP filter and configure as follows:

    • Description: Traffic through the WireGuard tunnel sent by the router - out

    • Packet direction: OUTPUT

    • IP version: All

    • Protocol: All

    • Outgoing interface: wg1

    • Sender IP address / Netmask:

  8. Click on SUBMIT.

  9. Add a new Firewall rule that permits packets from the local network through the WireGuard tunnel.
    On the Network → Firewall / NAT page, click on the add icon under IP filter and configure as follows:

    • Description: Traffic from the local net through the WireGuard tunnel

    • Packet direction: FORWARD

    • IP version: All

    • Protocol: All

    • Incoming interface: net1, net2

    • Outgoing interface: wg1

    • Sender IP address / Netmask:

    • Destination IP address / Netmask:

  10. Click on SUBMIT.

  11. Add a new Firewall rule that permits packets through the WireGuard tunnel into the local network.
    On the Network → Firewall / NAT page, click on the add icon under IP filter and configure as follows:

    • Description: Traffic through the WireGuard tunnel to the local net

    • Packet direction: FORWARD

    • IP version: All

    • Protocol: All

    • Incoming interface: wg1

    • Outgoing interface: net1, net2

    • Sender IP address / Netmask:

    • Destination IP address / Netmask:

  12. Click on SUBMIT.

  13. Add a new Firewall rule that permits the establishment of the WireGuard tunnel.
    On the Network → Firewall / NAT page, click on the add icon under IP filter and configure as follows:

    • Description: WireGuard (tunnel establishment)

    • Packet direction: INPUT

    • IP version: All

    • Protocol: UDP

    • Incoming interface: lte2 (or whichever interface is used to establish the Internet connection)

    • Sender port:

    • Destination port: 51820

  14. Click on SUBMIT.

  15. Add the WireGuard interface to the active WAN chain.
    On the Network → WAN / Internet page, click on the edit icon of the WAN chain wan1 - Primary Internet connection.

  16. Click on the add icon and select the WireGuard interface wg1 as Interface.

  17. Click on SUBMIT.

  18. Activate the profile with a click on ACTIVATE PROFILE .

Configuration of the peer

In addition to the router, the peer must also be configured so that it can establish a connection to the router. The procedure for this varies depending on the peer. The following configurations are generally required.

  1. Configure in the Interface section:

    • optionally a ListenPort; it does not have to match the router's port, because the peer is the initiator and reaches the router's listen port via the Endpoint entry in the Peer section.

    • under Address the local tunnel address of the peer, which must be in the same IP network as the tunnel address of the router (e.g. 10.0.0.2/24).

  2. Configure in the Peer section:

    • the PublicKey of the router.

    • under AllowedIPs the address range of the tunnel IP network (10.0.0.0/24) and, if the peer is to reach the local network behind the router, that network as well.

    • under Endpoint the address or domain under which the router is accessible on the internet, in the form address:port, where the port is the listen port configured on the router (51820 in this example).
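As an added example that is not part of this guide or of the router firmware, the following Python script renders the peer's wg-quick configuration file from the parameters above and cross-checks them against the router settings from the "Configuration of the router" section before the first connection attempt: the Endpoint port must equal the router's listen port, both tunnel addresses must lie in 10.0.0.0/24, AllowedIPs must cover the router's tunnel address, and a pre-shared key must be set on both sides or on neither. The keys are constructed placeholders, and the router's public name router.example.com and the peer's tunnel address 10.0.0.2 are assumptions.

```python
"""Render the peer's WireGuard configuration and check it against the router's settings."""
import base64
import ipaddress


def placeholder_key(seed: int) -> str:
    # Constructed placeholder: base64 of 32 deterministic bytes. Real keys come from
    # "Generate new key pair" on the router and "wg genkey | tee priv | wg pubkey" on the peer.
    return base64.b64encode(bytes((seed + i) % 256 for i in range(32))).decode()


# Router (responder) settings as configured in the guide.
ROUTER = {
    "tunnel_address": "10.0.0.1/24",
    "listen_port": 51820,
    "public_key": placeholder_key(1),
    "endpoint_host": "router.example.com",   # assumed public DNS name of the router
    "preshared_key": None,
}

# Peer (initiator) settings; the tunnel address 10.0.0.2 is an assumption.
# No ListenPort is set: as initiator behind NAT the peer may use a random source port.
PEER = {
    "address": "10.0.0.2/24",
    "private_key": placeholder_key(100),
    "endpoint_port": 51820,           # must equal ROUTER["listen_port"]
    "allowed_ips": ["10.0.0.0/24"],   # tunnel network; add the LAN behind the router if needed
    "persistent_keepalive": 25,       # keeps the NAT mapping alive from the peer side
    "preshared_key": None,
}


def is_valid_key(key: str) -> bool:
    """A WireGuard key is 32 bytes in base64: 44 characters ending in '='."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def check_consistency(router: dict, peer: dict) -> list:
    """Return the mismatches that would prevent the handshake or the routing (empty = consistent)."""
    problems = []
    if not is_valid_key(router["public_key"]):
        problems.append("router public key is not a valid 32-byte base64 key")
    if not is_valid_key(peer["private_key"]):
        problems.append("peer private key is not a valid 32-byte base64 key")
    # The peer's Endpoint port is where the router listens; the peer's own ListenPort is irrelevant.
    if peer["endpoint_port"] != router["listen_port"]:
        problems.append(f"peer Endpoint port {peer['endpoint_port']} != router listen port {router['listen_port']}")
    r_if = ipaddress.ip_interface(router["tunnel_address"])
    p_if = ipaddress.ip_interface(peer["address"])
    if r_if.network != p_if.network:
        problems.append(f"peer address {p_if} is not in the router's tunnel network {r_if.network}")
    # Cryptokey routing: the peer only accepts packets from, and routes packets to,
    # addresses listed in AllowedIPs, so the router's tunnel address must be covered.
    if not any(r_if.ip in ipaddress.ip_network(a) for a in peer["allowed_ips"]):
        problems.append(f"router tunnel address {r_if.ip} not covered by peer AllowedIPs {peer['allowed_ips']}")
    if (router["preshared_key"] is None) != (peer["preshared_key"] is None):
        problems.append("pre-shared key configured on only one side")
    return problems


def render_peer_config(router: dict, peer: dict) -> str:
    """Render a wg-quick style configuration file for the peer."""
    lines = ["[Interface]",
             f"PrivateKey = {peer['private_key']}",
             f"Address = {peer['address']}",
             "",
             "[Peer]",
             f"PublicKey = {router['public_key']}"]
    if peer["preshared_key"]:
        lines.append(f"PresharedKey = {peer['preshared_key']}")
    lines.append(f"AllowedIPs = {', '.join(peer['allowed_ips'])}")
    lines.append(f"Endpoint = {router['endpoint_host']}:{peer['endpoint_port']}")
    if peer["persistent_keepalive"]:
        lines.append(f"PersistentKeepalive = {peer['persistent_keepalive']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = check_consistency(ROUTER, PEER)
    if problems:
        print("configuration mismatch:\n  " + "\n  ".join(problems))
    else:
        print(render_peer_config(ROUTER, PEER))
```

On a Linux peer the rendered text is saved as /etc/wireguard/wg0.conf (readable by root only, since it contains the private key) and started with wg-quick up wg0; other WireGuard clients take the same [Interface] and [Peer] fields through their import function.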

Result testing

Once the router and peer have been configured for a shared WireGuard connection, the peer should establish a connection to the router.

  1. Open the Status → Dashboard page and click in the Network configuration section on the WireGuard interface at the end of the WAN chain in the VPN column.

The confirmed handshake and the transferred data show that the WireGuard connection has been successfully established.
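The same check can be made on the peer side with wg show wg0 dump. As an added example that is not part of this guide, the following Python script parses that tab-separated output and classifies the session with the router: a latest-handshake value of 0 means the router never answered (keys, endpoint or the UDP firewall rule on the WAN interface), a handshake older than 180 seconds means no packets have flowed recently or the session has been lost, and an endpoint port other than the router's listen port is flagged immediately. The interface name wg0, the timestamp, the byte counters, the address 203.0.113.10 and the key strings in the sample are constructed placeholders.

```python
"""Interpret `wg show <interface> dump` output on the peer to confirm the tunnel to the router."""
import time

# Constructed sample of `wg show wg0 dump` on the peer; keys and addresses are placeholders.
# Line 1: private-key  public-key  listen-port  fwmark
# Each further line (one per peer): public-key  preshared-key  endpoint  allowed-ips
#     latest-handshake (unix time, 0 = never)  rx-bytes  tx-bytes  persistent-keepalive
NOW = 1_700_000_000
SAMPLE_DUMP = (
    "PEER_PRIVATE_KEY_PLACEHOLDER\tPEER_PUBLIC_KEY_PLACEHOLDER\t34521\toff\n"
    f"ROUTER_PUBLIC_KEY_PLACEHOLDER\t(none)\t203.0.113.10:51820\t10.0.0.0/24\t{NOW - 30}\t4788\t6120\t25\n"
)

HANDSHAKE_MAX_AGE = 180   # seconds; an older handshake means no recent traffic or a lost session


def parse_wg_dump(text: str) -> dict:
    """Parse the tab-separated dump into the local interface and its peers."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    _private, public, port, fwmark = lines[0].split("\t")
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        peers.append({
            "public_key": f[0],
            "preshared": f[1] != "(none)",
            "endpoint": f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return {"public_key": public, "listen_port": int(port), "fwmark": fwmark, "peers": peers}


def tunnel_state(peer: dict, now: int = None, router_port: int = 51820) -> tuple:
    """Classify the session with the router as ('up' | 'stale' | 'down', explanation)."""
    now = int(time.time()) if now is None else now
    # Endpoint is "(none)" until one is configured or learned; IPv6 endpoints are "[addr]:port".
    endpoint_port = int(peer["endpoint"].rsplit(":", 1)[1]) if peer["endpoint"] != "(none)" else None
    if endpoint_port != router_port:
        return ("down", f"endpoint {peer['endpoint']} does not use the router's listen port {router_port}")
    if peer["latest_handshake"] == 0:
        return ("down", "no handshake yet: check keys, endpoint and the UDP rule on the router's WAN interface")
    age = now - peer["latest_handshake"]
    if age > HANDSHAKE_MAX_AGE:
        return ("stale", f"last handshake {age}s ago: no recent traffic or session lost")
    hint = "" if peer["keepalive"] else " (no keepalive: NAT mapping may time out when idle)"
    return ("up", f"handshake {age}s ago, rx={peer['rx']} tx={peer['tx']} bytes" + hint)


if __name__ == "__main__":
    info = parse_wg_dump(SAMPLE_DUMP)
    for p in info["peers"]:
        print(p["public_key"], *tunnel_state(p, NOW))
```

In practice the dump is taken live, e.g. by passing the output of subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True).stdout to parse_wg_dump; the command needs root, because the first line contains the private key.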

Troubleshooting

  • Temporarily disable the IP filters for IPv4 in the Network → Firewall / NAT menu under Settings IP filter to check whether incorrect filter settings are the reason for connection problems. Re-enable them as soon as the test is finished.

  • If the WireGuard connection is established, but communication into the network behind the router is still not possible, open the Administration → Debugging page and use the Tool TCP-Dump with the Parameter -i net2 to capture in the local network of the router, or -i wg1 to capture in the tunnel. Comparing the two captures shows where the packets end up.

  • Check whether the peer station is possibly located behind a firewall (e.g. Windows Firewall on a PC) and whether this is preventing data traffic.