How to Configure WireGuard VPN Server and Client Settings in QVPN Service 3 (2024)

Tutorial
Internet

Last modified date: 2022-04-19

How to Configure WireGuard VPN Server and Client Settings in QVPN Service 3
- WireGuard
- Enabling a WireGuard VPN Server
- Configuring the DNS Quick Wizard Settings
- Creating a WireGuard VPN Client Connection
- Connecting to WireGuard on Windows 10
- Connecting to WireGuard on macOS 10.13
- Connecting to WireGuard on iOS
- Connecting to WireGuard on Android 7.0

This tutorial explains how to configure WireGuard on your QNAP device using QVPN Service 3.

WireGuard

WireGuard is an open-source VPN protocol that uses User Datagram Protocol (UDP) for network communication. The protocol uses several cryptography tools to implement secure VPN tunneling.

Enabling a WireGuard VPN Server

Open QVPN Service.
Go to VPN Server > WireGuard.
Click Enable WireGuard VPN Server.

Configure the WireGuard settings.

Setting	User Action
Server name	Specify a name for the VPN server. Note: Requirements: Valid characters: A–Z, a–z, 0–9
Private key	Click Generate Keypairs to automatically populate a unique 32-byte private key.
IP address	Enter a fixed IP subnet for the VPN server. Important: By default, this server reserves the use of IP addresses from 10.8.0.0/24. If another connection is configured to use this range, an IP conflict error will occur. Before adding this server, ensure a VPN client isn't configured to use this range as well.
Listen port	Specify a UDP port number between 1 and 65535. Note: The default WireGuard port number is 51820.
Network interface (next hop)	Specify an available network interface to use when connecting to the VPN server. Available options include: All (Auto Detect) None Manually assign
DNS Server	Specify a DNS server for the WireGuard server. Note: The DNS Quick Wizard can help configure this setting. For more information, please see Configuring the DNS Quick Wizard Settings.

Click Add Peer.
The Add Peer window appears.

Configure the peer settings.

Setting	User Action
Peer name	Specify a name for the peer. Note: Requirements: Valid characters: A–Z, a–z, 0–9 Valid special characters: Hyphen (-)
Public key	Enter the public key generated in the WireGuard application in the VPN client device.
Advanced Settings
Pre-shared key	Specify an optional pre-shared key only if the VPN client device supports the pre-shared key function. Important: As a security best practice, QNAP recommends specifying a strong preshared key. Ensure that the pre-shared key is specified in both the VPN server and client configuration page to connect to the VPN tunnel.
Endpoint	Specify an optional endpoint IP address in the `IP address:listen port` format. Example: `192.168.10.1:51820`.
Persistent keepalive	Specify the interval in seconds to send keepalive packets if the peer is behind a firewall.

Click Apply.
QVPN Service adds the peer.
Click Apply.

QVPN Service applies the WireGuard VPN server settings.

Configuring the DNS Quick Wizard Settings

Domain Name System (DNS) is a service that translates a website’s name to its IP address. DNS makes it easier for users to access websites and services with an easy-to-remember URL (such aswww.qnap.com) instead of a difficult and long IP address. The DNS Quick Wizard helps users choose the DNS service that best meets their needs. The default options in this wizard work best in most cases, but advanced users can also manually configure additional DNS services.

Note: This wizard is accessible after enabling any of the VPN servers in QVPN Service.

Open QVPN Service.
Select a VPN server.
Enable the VPN server.
Click DNS Quick Wizard.
The Setting DNS window opens.
Click Next.

Select a DNS option.

Option	User Action
Public DNS	Select a DNS from a list of public sources.
NAS default	Use the default DNS server. Tip: This option can increase the security of VPN connections. Note: This option is not applicable to WireGuard VPN settings.
Manually assign	Manually enter the IP address for a DNS service.

Click Apply.

QVPN Service applies the DNS settings to the VPN server or client.

Creating a WireGuard VPN Client Connection

You can configure your device as a WireGuard VPN client in QVPN Service only to connect to a WireGuard server configured on a different device.

Open QVPN Service.
Go to VPN Client > VPN Connection Profiles.
Click Add.

See Also
WireGuard vs OpenVPN: A Comparative Analysis Wireguard VPN Works on iPhone but Not Windows 11 PC Chapter 8. Setting up a WireGuard VPN Red Hat Enterprise Linux 9 | Red Hat Customer Portal MikroTik WireGuard VPN Setup: A Step-by-Step Configuration Guide - GadgetMates
Select WireGuard.
The Create VPN Connection (WireGuard) window opens.

Configure the VPN connection settings.

Setting	User Action
Server name	Specify a name for the VPN server. Note: Requirements: Valid characters: A–Z, a–z, 0–9
Private key	Click Generate Keypairs to automatically populate a unique 32-byte private and public key.
Public key	Copy the public key to the clipboard. Important: Ensure that you specify the copied public key in the QVPN Service WireGuard peer settings page.
IP address	Enter a IP subnet specified in the WireGuard VPN server page.
Listen port	Specify an optional UDP port number between 1 and 65535.
DNS Server	Specify a dedicated DNS server IP address that the WireGuard VPN server can access through the VPN tunnel. Note: The DNS Quick Wizard can help configure this setting. For more information, please see Configuring the DNS Quick Wizard Settings.

Configure the peer settings.

Setting	User Action
Public key	Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client.
Endpoint	Specify the IP address of the WireGuard server using the `IP address:listen port` format. Example: `192.168.10.1:51820`.
Advanced Settings
Pre-shared key	Specify the key only if the pre-shared key setting has been configured on the VPN server device. Important: Ensure that the pre-shared key is specified in both the VPN server and client configuration page to connect to the VPN tunnel.
Allowed IPs	Specify the list of addresses that are routed to the peer. Note: Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter `0.0.0.0/0` .
Persistent keepalive	Specify the interval in seconds to send keepalive packets if the peer is behind a firewall.

Click Create.

Note:
By default, the QVPN QBelt server reserves the use of IP addresses from 10.2.0.0/24. If another connection is configured to use this range, an IP conflict error will occur. Before adding this connection, ensure an IP conflict does not exist.

QVPN Service creates the WireGuard VPN client connection profile.

Connecting to WireGuard on Windows 10

Download and install WireGuard from the WireGuard website.

Open WireGuard.
Click Add Empty Tunnel.

The Create new tunnel window appears.

Configure the tunnel settings.

Setting	User Action
Name	Specify a name for the tunnel.
Public key	Copy the public key to the clipboard. Important: Ensure that you paste the copied public key in the QVPN Service WireGuard VPN server peer settings page.
Interface
Private key	The private key is automatically generated when creating a new tunnel.
Address	Enter a IP subnet specified in the WireGuard VPN server page.
DNS Server	Specify a dedicated DNS server IP address that the WireGuard VPN client can access through the VPN tunnel.
Peer
Public key	Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client.
Allowed IPs	Specify a list of addresses that are routed to the peer. Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter 0.0.0.0/0 .
Endpoint	Specify the IP address of the WireGuard server using the `IP address:listen port` format. Example: `192.168.10.1:51820`.

Optional: Enable Block untunneled traffic (kill-switch).
Enable to ensure that your IP address is not leaked, and block traffic that is not part of the VPN tunnel.
Click Save.
The WireGuard application adds the tunnel profile.
Click Activate.

The WireGuard application establishes a VPN tunnel with the VPN server.

Connecting to WireGuard on macOS 10.13

Download and install WireGuard from the WireGuard website.

Open WireGuard.
Click + in the bottom left.
Click Add Empty Tunnel.

See Also
Install WireGuard VPN on OPNsense Firewall

The tunnel creation window appears.

Configure the tunnel settings.

Setting	User Action
Name	Specify a name for the tunnel.
Public key	Copy the public key to the clipboard. Important: Ensure that you specify the copied public key in the QVPN Service WireGuard peer settings page.
On-Demand	Specify the network interface for the WireGuard connection.
Interface
Private key	The private key is automatically generated when creating a new tunnel.
Address	Enter a IP subnet specified in the WireGuard VPN server page.
DNS server	Specify a dedicated DNS server IP address that the WireGuard VPN server can access through the VPN tunnel.
Peer
Public key	Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client.
Allowed IPs	Specify a list of addresses that are routed to the peer. Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter 0.0.0.0/0 .
Endpoint	Specify the IP address of the WireGuard server using the `IP address:listen port` format. Example: `192.168.10.1:51820`.
Persistent keepalive	Specify an optional interval in seconds to send keepalive packets if the peer is behind a firewall.

Optional: Click Exclude private IPs to exclude private IP addresses.
Click Save.
The WireGuard application adds the tunnel profile.
Click Activate.

The WireGuard application establishes a VPN tunnel with the VPN server.

Connecting to WireGuard on iOS

Download and install WireGuard from the WireGuard website.

Open WireGuard.
Click + in the upper right.
Click Create from scratch.

The Create WireGuard Tunnel page appears.

Configure the tunnel settings.

Setting	User Action
Name	Specify a name for the tunnel.
Private key	Click Generate Keypairs to automatically populate a unique 32-byte private and public key.
Public key	Copy the public key to the clipboard. Important: Ensure that you specify the copied public key in the QVPN Service WireGuard peer settings page.
Addresses	Enter a IP subnet specified in the WireGuard VPN server page.
Listen port	Specify an optional UDP port number between 1 and 65535. Tip: To allow the application to select the listen port, leave the field blank.
MTU	Specify an optional MTU value. Note: The recommended value is 1420. Tip: To allow the application to select the MTU value, leave the field blank.
DNS servers	Specify a dedicated DNS server IP address that the WireGuard VPN client can access through the VPN tunnel.

Configure the peer settings.

Setting	User Action
Public key	Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client.
Pre-shared key	Specify an optional key only if the pre-shared key setting has been configured on the VPN server device. Important: Ensure that the pre-shared key is specified in both the VPN server and client configuration page to connect to the VPN tunnel.
Endpoint	Specify the IP address of the WireGuard server using the `IP address:listen port` format. Example: `192.168.10.1:51820`.
Allowed IPs	Specify the list of addresses that are routed to the peer. Note: Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter `0.0.0.0/0` . Tip: To exclude private IP addresses, select Exclude private IPs.
Persistent keepalive	Specify an optional interval in seconds to send keepalive packets if the peer is behind a firewall.

Click Save.
WireGuard creates and saves the VPN tunnel settings.
Beside Active, click .

The WireGuard app establishes a VPN tunnel with the VPN server.

Connecting to WireGuard on Android 7.0

Download and install WireGuard from the WireGuard website.

Open WireGuard.
Click +.
Click CREATE FROM SCRATCH.

The Create WireGuard Tunnel page appears.

Configure the tunnel settings.

Setting	User Action
Name	Specify a name for the tunnel.
Private key	Click to generate the private key for the VPN connection.
Public key	Copy the public key to the clipboard. Important: Ensure that you specify the copied public key in the QVPN Service WireGuard peer settings page.
Addresses	Enter a IP subnet specified in the WireGuard VPN server page.
Listen port	Specify an optional UDP port number between 1 and 65535. Tip: To allow the application to select the listen port, leave the field blank.
DNS servers	Specify a dedicated DNS server IP address that the WireGuard VPN client can access through the VPN tunnel.
MTU	Specify an optional MTU value. Note: The recommended value is 1420. Tip: To allow the application to select the MTU value, leave the field blank.

Optional: Click ALL APPLICATIONS.

The applications page appears.
Optional: Select the applications to exclude from the VPN tunnel connection.
Click ADD PEER.

Configure the peer settings.

Setting	User Action
Public key	Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client.
Pre-shared key	Specify an optional key only if the pre-shared key setting has been configured on the VPN server device. Important: Ensure that the pre-shared key is specified in both the VPN server and client configuration page to connect to the VPN tunnel.
Persistent keepalive	Specify an optional interval in seconds to send keepalive packets if the peer is behind a firewall.
Endpoint	Specify the IP address of the WireGuard server using the `IP address:listen port` format. Example: `192.168.10.1:51820`.
Allowed IPs	Specify the list of addresses that are routed to the peer. Note: Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter `0.0.0.0/0` . Tip: To exclude private IP addresses, select Exclude private IPs.

Click .
WireGuard creates and saves the VPN tunnel settings.
Click .
The Connection request window appears.
Click OK.

The WireGuard app establishes a VPN tunnel with the VPN server.

Was this article helpful?

Yes. No.

29% of people think it helps.

Thank you for your feedback.

Please tell us how this article can be improved:

If you want to provide additional feedback, please include it below.