Last modified date: 2022-04-19
How to Configure WireGuard VPN Server and Client Settings in QVPN Service 3
This tutorial explains how to configure WireGuard on your QNAP device using QVPN Service 3.
WireGuard
WireGuard is an open-source VPN protocol that uses User Datagram Protocol (UDP) for network communication. The protocol uses several cryptography tools to implement secure VPN tunneling.
Enabling a WireGuard VPN Server
- Open QVPN Service.
- Go to VPN Server > WireGuard.
- Click Enable WireGuard VPN Server.
- Configure the WireGuard settings.

| Setting | User Action |
| --- | --- |
| Server name | Specify a name for the VPN server. Note (requirements): Valid characters: A–Z, a–z, 0–9 |
| Private key | Click Generate Keypairs to automatically populate a unique 32-byte private key. |
| IP address | Enter a fixed IP subnet for the VPN server. Important: By default, this server reserves the use of IP addresses from 10.8.0.0/24. If another connection is configured to use this range, an IP conflict error will occur. Before adding this server, ensure a VPN client isn't configured to use this range as well. |
| Listen port | Specify a UDP port number between 1 and 65535. Note: The default WireGuard port number is 51820. |
| Network interface (next hop) | Specify an available network interface to use when connecting to the VPN server. Available options include: All (Auto Detect), None, Manually assign. |
| DNS Server | Specify a DNS server for the WireGuard server. Note: The DNS Quick Wizard can help configure this setting. For more information, please see Configuring the DNS Quick Wizard Settings. |

- Click Add Peer.
The Add Peer window appears.
- Configure the peer settings.

| Setting | User Action |
| --- | --- |
| Peer name | Specify a name for the peer. Note (requirements): Valid characters: A–Z, a–z, 0–9. Valid special characters: Hyphen (-) |
| Public key | Enter the public key generated in the WireGuard application on the VPN client device. |
| Advanced Settings | |
| Pre-shared key | Specify an optional pre-shared key only if the VPN client device supports the pre-shared key function. Important: As a security best practice, QNAP recommends specifying a strong pre-shared key. Ensure that the pre-shared key is specified in both the VPN server and client configuration page to connect to the VPN tunnel. |
| Endpoint | Specify an optional endpoint IP address in the IP address:listen port format. Example: 192.168.10.1:51820. |
| Persistent keepalive | Specify the interval in seconds to send keepalive packets if the peer is behind a firewall. |

- Click Apply.
QVPN Service adds the peer.
- Click Apply.
QVPN Service applies the WireGuard VPN server settings.
Configuring the DNS Quick Wizard Settings
Domain Name System (DNS) is a service that translates a website’s name to its IP address. DNS makes it easier for users to access websites and services with an easy-to-remember URL (such as www.qnap.com) instead of a long, hard-to-remember IP address. The DNS Quick Wizard helps users choose the DNS service that best meets their needs. The default options in this wizard work best in most cases, but advanced users can also manually configure additional DNS services.
Note: This wizard is accessible after enabling any of the VPN servers in QVPN Service.
- Open QVPN Service.
- Select a VPN server.
- Enable the VPN server.
- Click DNS Quick Wizard.
The Setting DNS window opens.
- Click Next.
- Select a DNS option.

| Option | User Action |
| --- | --- |
| Public DNS | Select a DNS from a list of public sources. |
| NAS default | Use the default DNS server. Tip: This option can increase the security of VPN connections. Note: This option is not applicable to WireGuard VPN settings. |
| Manually assign | Manually enter the IP address for a DNS service. |

- Click Apply.
QVPN Service applies the DNS settings to the VPN server or client.
Creating a WireGuard VPN Client Connection
In QVPN Service, you can configure your device as a WireGuard VPN client only to connect to a WireGuard server that is configured on a different device.
- Open QVPN Service.
- Go to VPN Client > VPN Connection Profiles.
- Click Add.
- Select WireGuard.
The Create VPN Connection (WireGuard) window opens.
- Configure the VPN connection settings.

| Setting | User Action |
| --- | --- |
| Server name | Specify a name for the VPN server. Note (requirements): Valid characters: A–Z, a–z, 0–9 |
| Private key | Click Generate Keypairs to automatically populate a unique 32-byte private and public key. |
| Public key | Copy the public key to the clipboard. Important: Ensure that you specify the copied public key in the QVPN Service WireGuard peer settings page. |
| IP address | Enter an IP subnet specified in the WireGuard VPN server page. |
| Listen port | Specify an optional UDP port number between 1 and 65535. |
| DNS Server | Specify a dedicated DNS server IP address that the WireGuard VPN server can access through the VPN tunnel. Note: The DNS Quick Wizard can help configure this setting. For more information, please see Configuring the DNS Quick Wizard Settings. |

- Configure the peer settings.

| Setting | User Action |
| --- | --- |
| Public key | Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client. |
| Endpoint | Specify the IP address of the WireGuard server using the IP address:listen port format. Example: 192.168.10.1:51820. |
| Advanced Settings | |
| Pre-shared key | Specify the key only if the pre-shared key setting has been configured on the VPN server device. Important: Ensure that the pre-shared key is specified in both the VPN server and client configuration page to connect to the VPN tunnel. |
| Allowed IPs | Specify the list of addresses that are routed to the peer. Note: Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter 0.0.0.0/0. |
| Persistent keepalive | Specify the interval in seconds to send keepalive packets if the peer is behind a firewall. |

- Click Create.
Note:
By default, the QVPN QBelt server reserves the use of IP addresses from 10.2.0.0/24. If another connection is configured to use this range, an IP conflict error will occur. Before adding this connection, ensure an IP conflict does not exist.
QVPN Service creates the WireGuard VPN client connection profile.
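The checks below are an added example, not QNAP's or the WireGuard project's code: they apply the rules from the server and client settings above (32-byte base64 keys, port range, subnet conflicts, matching pre-shared key, IP address:listen port endpoint, Allowed IPs covering the tunnel) to one settings pair. The dictionary field names are hypothetical, and the keys are random placeholders rather than real Curve25519 key pairs.

```python
import base64, binascii, ipaddress, os

def is_wg_key(value):
    """True if value is base64 text that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def check_pair(server, client, other_subnets=()):
    """List problems in one server/client settings pair (field names are hypothetical)."""
    problems = []
    for side, cfg in (("server", server), ("client", client)):
        for field in ("private_key", "public_key"):
            if not is_wg_key(cfg[field]):
                problems.append(f"{side} {field} is not a 32-byte base64 key")
        # The listen port is optional on the client, so only check it when present.
        if (port := cfg.get("listen_port")) is not None and not 1 <= port <= 65535:
            problems.append(f"{side} listen port is out of range")
    subnet = ipaddress.ip_network(server["subnet"])
    for other in other_subnets:  # ranges already used by other VPN connections
        if subnet.overlaps(ipaddress.ip_network(other)):
            problems.append(f"IP conflict: {subnet} overlaps {other}")
    if ipaddress.ip_interface(client["address"]).ip not in subnet:
        problems.append("client address is outside the server subnet")
    if client["peer_key"] != server["public_key"] or server["peer_key"] != client["public_key"]:
        problems.append("public keys are not cross-copied between server and client")
    if server.get("preshared_key") != client.get("preshared_key"):
        problems.append("pre-shared key differs between server and client")
    host, _, port = client["endpoint"].rpartition(":")
    try:
        ipaddress.ip_address(host)
        if int(port) != server["listen_port"]:
            problems.append("endpoint port is not the server listen port")
    except ValueError:
        problems.append("endpoint is not in IP address:listen port format")
    allowed = [ipaddress.ip_network(n) for n in client["allowed_ips"]]
    if not any(subnet.subnet_of(a) for a in allowed):
        problems.append("Allowed IPs do not cover the tunnel subnet")
    return problems

def sample_pair():
    """Constructed settings with this page's example values; keys are random placeholders."""
    key = lambda: base64.b64encode(os.urandom(32)).decode()
    s_pub, c_pub, psk = key(), key(), key()
    server = {"private_key": key(), "public_key": s_pub, "subnet": "10.8.0.0/24",
              "listen_port": 51820, "peer_key": c_pub, "preshared_key": psk}
    client = {"private_key": key(), "public_key": c_pub, "address": "10.8.0.2/32", "peer_key": s_pub,
              "preshared_key": psk, "endpoint": "192.168.10.1:51820", "allowed_ips": ["10.8.0.0/24"]}
    return server, client
```

Calling `check_pair(*sample_pair(), other_subnets=["10.2.0.0/24"])` returns an empty list; passing a range that overlaps 10.8.0.0/24 reports the IP conflict described in the server settings.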
Connecting to WireGuard on Windows 10
Download and install WireGuard from the WireGuard website.
- Open WireGuard.
- Click Add Empty Tunnel.
The Create new tunnel window appears.
- Configure the tunnel settings.

| Setting | User Action |
| --- | --- |
| Name | Specify a name for the tunnel. |
| Public key | Copy the public key to the clipboard. Important: Ensure that you paste the copied public key in the QVPN Service WireGuard VPN server peer settings page. |
| Interface | |
| Private key | The private key is automatically generated when creating a new tunnel. |
| Address | Enter an IP subnet specified in the WireGuard VPN server page. |
| DNS Server | Specify a dedicated DNS server IP address that the WireGuard VPN client can access through the VPN tunnel. |
| Peer | |
| Public key | Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client. |
| Allowed IPs | Specify a list of addresses that are routed to the peer. Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter 0.0.0.0/0. |
| Endpoint | Specify the IP address of the WireGuard server using the IP address:listen port format. Example: 192.168.10.1:51820. |

- Optional: Enable Block untunneled traffic (kill-switch).
Enable to ensure that your IP address is not leaked, and block traffic that is not part of the VPN tunnel.
- Click Save.
The WireGuard application adds the tunnel profile.
- Click Activate.
The WireGuard application establishes a VPN tunnel with the VPN server.
Connecting to WireGuard on macOS 10.13
Download and install WireGuard from the WireGuard website.
- Open WireGuard.
- Click + in the bottom left.
- Click Add Empty Tunnel.
The tunnel creation window appears.
- Configure the tunnel settings.

| Setting | User Action |
| --- | --- |
| Name | Specify a name for the tunnel. |
| Public key | Copy the public key to the clipboard. Important: Ensure that you specify the copied public key in the QVPN Service WireGuard peer settings page. |
| On-Demand | Specify the network interface for the WireGuard connection. |
| Interface | |
| Private key | The private key is automatically generated when creating a new tunnel. |
| Address | Enter an IP subnet specified in the WireGuard VPN server page. |
| DNS server | Specify a dedicated DNS server IP address that the WireGuard VPN server can access through the VPN tunnel. |
| Peer | |
| Public key | Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client. |
| Allowed IPs | Specify a list of addresses that are routed to the peer. Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter 0.0.0.0/0. |
| Endpoint | Specify the IP address of the WireGuard server using the IP address:listen port format. Example: 192.168.10.1:51820. |
| Persistent keepalive | Specify an optional interval in seconds to send keepalive packets if the peer is behind a firewall. |

- Optional: Click Exclude private IPs to exclude private IP addresses.
- Click Save.
The WireGuard application adds the tunnel profile.
- Click Activate.
The WireGuard application establishes a VPN tunnel with the VPN server.
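What an Allowed IPs list looks like once private addresses are taken out of 0.0.0.0/0, as an added Python example that is not taken from the WireGuard applications. It assumes "private IPs" means the RFC 1918 ranges and uses the 10.8.0.0/24 server subnet from this tutorial; the function names are illustrative.

```python
import ipaddress

# Assumption: "private IPs" means the three RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def exclude_networks(base, excluded):
    """Return the networks that cover `base` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(base)]
    for ex in excluded:
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # split net around the hole
            elif not net.subnet_of(ex):
                kept.append(net)                      # untouched by this exclusion
        remaining = kept
    return sorted(remaining)

def allowed_ips(tunnel_subnet, dns_server=None):
    """Allowed IPs for 'everything except private ranges' that still reaches the tunnel."""
    public = exclude_networks("0.0.0.0/0", RFC1918)
    # The tunnel subnet and an internal DNS server are private addresses themselves,
    # so they must be added back or the VPN's own hosts become unreachable.
    extra = [ipaddress.ip_network(tunnel_subnet)]
    if dns_server:
        extra.append(ipaddress.ip_network(dns_server))
    return list(ipaddress.collapse_addresses(public + extra))

def routed(address, nets):
    """True if traffic for `address` is sent to the peer under this Allowed IPs list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)
```

With 0.0.0.0/0 every destination is routed to the peer; with the list from `allowed_ips("10.8.0.0/24", "10.8.0.1")`, traffic to local networks such as 192.168.1.0/24 stays outside the tunnel.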
Connecting to WireGuard on iOS
Download and install WireGuard from the WireGuard website.
- Open WireGuard.
- Click + in the upper right.
- Click Create from scratch.
The Create WireGuard Tunnel page appears.
- Configure the tunnel settings.

| Setting | User Action |
| --- | --- |
| Name | Specify a name for the tunnel. |
| Private key | Click Generate Keypairs to automatically populate a unique 32-byte private and public key. |
| Public key | Copy the public key to the clipboard. Important: Ensure that you specify the copied public key in the QVPN Service WireGuard peer settings page. |
| Addresses | Enter an IP subnet specified in the WireGuard VPN server page. |
| Listen port | Specify an optional UDP port number between 1 and 65535. Tip: To allow the application to select the listen port, leave the field blank. |
| MTU | Specify an optional MTU value. Note: The recommended value is 1420. Tip: To allow the application to select the MTU value, leave the field blank. |
| DNS servers | Specify a dedicated DNS server IP address that the WireGuard VPN client can access through the VPN tunnel. |

- Configure the peer settings.

| Setting | User Action |
| --- | --- |
| Public key | Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client. |
| Pre-shared key | Specify an optional key only if the pre-shared key setting has been configured on the VPN server device. Important: Ensure that the pre-shared key is specified in both the VPN server and client configuration page to connect to the VPN tunnel. |
| Endpoint | Specify the IP address of the WireGuard server using the IP address:listen port format. Example: 192.168.10.1:51820. |
| Allowed IPs | Specify the list of addresses that are routed to the peer. Note: Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter 0.0.0.0/0. Tip: To exclude private IP addresses, select Exclude private IPs. |
| Persistent keepalive | Specify an optional interval in seconds to send keepalive packets if the peer is behind a firewall. |

- Click Save.
WireGuard creates and saves the VPN tunnel settings.
- Beside Active, click .
The WireGuard app establishes a VPN tunnel with the VPN server.
Connecting to WireGuard on Android 7.0
Download and install WireGuard from the WireGuard website.
- Open WireGuard.
- Click +.
- Click CREATE FROM SCRATCH.
The Create WireGuard Tunnel page appears.
- Configure the tunnel settings.

| Setting | User Action |
| --- | --- |
| Name | Specify a name for the tunnel. |
| Private key | Click to generate the private key for the VPN connection. |
| Public key | Copy the public key to the clipboard. Important: Ensure that you specify the copied public key in the QVPN Service WireGuard peer settings page. |
| Addresses | Enter an IP subnet specified in the WireGuard VPN server page. |
| Listen port | Specify an optional UDP port number between 1 and 65535. Tip: To allow the application to select the listen port, leave the field blank. |
| DNS servers | Specify a dedicated DNS server IP address that the WireGuard VPN client can access through the VPN tunnel. |
| MTU | Specify an optional MTU value. Note: The recommended value is 1420. Tip: To allow the application to select the MTU value, leave the field blank. |

- Optional: Click ALL APPLICATIONS.
The applications page appears.
- Optional: Select the applications to exclude from the VPN tunnel connection.
- Click ADD PEER.
- Configure the peer settings.

| Setting | User Action |
| --- | --- |
| Public key | Copy and paste the public key from the WireGuard VPN server page. Note: The base64-encoded public key generated in the QVPN Service WireGuard VPN server page is required to authenticate both server and client. |
| Pre-shared key | Specify an optional key only if the pre-shared key setting has been configured on the VPN server device. Important: Ensure that the pre-shared key is specified in both the VPN server and client configuration page to connect to the VPN tunnel. |
| Persistent keepalive | Specify an optional interval in seconds to send keepalive packets if the peer is behind a firewall. |
| Endpoint | Specify the IP address of the WireGuard server using the IP address:listen port format. Example: 192.168.10.1:51820. |
| Allowed IPs | Specify the list of addresses that are routed to the peer. Note: Enter at least one IP subnet containing the internal IP addresses of the WireGuard connection. To allow packets from any IP subnet, enter 0.0.0.0/0. Tip: To exclude private IP addresses, select Exclude private IPs. |

- Click .
WireGuard creates and saves the VPN tunnel settings.
- Click .
The Connection request window appears.
- Click OK.
The WireGuard app establishes a VPN tunnel with the VPN server.