Description:

This article describes how a WireGuard connection can be set up between a LANCOM R&S®Unified Firewall and the WireGuard client for Windows.

Connection monitoring is not implemented in WireGuard. As a result, a connection is always shown as active, even if it was never established at all.

The WireGuard standard currently does not support multiple WAN connections. Therefore it is not possible to select a specific WAN connection for a WireGuard connection. For this reason, no data can be transmitted via the WireGuard connection on a Unified Firewall with more than one Internet connection, because the Unified Firewall sends the response packets via a different Internet connection than the one on which the incoming packets arrived.


Requirements:

  • LANCOM R&S®Unified Firewall as of LCOS FX 10.12
  • WireGuard Windows client
  • A configured and functional Internet connection with a local network on the Unified Firewall
  • Web browser for configuring the Unified Firewall

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

  • A company wants its sales representatives to have access to the corporate network via a WireGuard client-to-site connection.
  • The notebooks used by the sales representatives have the WireGuard client installed on them.
  • The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.1.0/24.
  • The Unified Firewall uses the virtual IP address 10.0.5.1 for the WireGuard connection, whereas the WireGuard client uses the virtual IP address 10.0.5.40.

Diagram showing the configuration interface for a Unified Firewall using a WireGuard connection with a virtual WireGuard IP address for internet and LAN headquarters.


2) The Unified Firewall is connected to the Internet via an upstream router:

  • A company wants its sales representatives to have access to the corporate network via a WireGuard client-to-site connection.
  • The notebooks used by the sales representatives have the WireGuard client installed on them.
  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.1.0/24.
  • The Unified Firewall uses the virtual IP address 10.0.5.1 for the WireGuard connection, whereas the WireGuard client uses the virtual IP address 10.0.5.40.

Screenshot of a network configuration interface showing options for Unified Firewall, WireGuard connection, and LAN Headquarters settings.


Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port forwarding to be set up on the upstream router (the default port for WireGuard is 51820, for additional WireGuard connections the port is incremented).

Configuring the WireGuard connections must be carried out in parallel on the Unified Firewall and on the software client (steps 1.1 and 1.2 as well as 2), since the public key must be stored on the Unified Firewall and in the software client. For the sake of clarity, however, the setup is described in separate parts of this document.

1) Configuring WireGuard on the Unified Firewall:

1.1) Configuring the WireGuard interface on the Unified Firewall:

A separate WireGuard interface has to be used for each WireGuard configuration (called a WireGuard Connection). It is possible, however, to enter several peers in one WireGuard configuration.

1.1.1) Connect to the web interface of the Unified Firewall and navigate to the menu Network → WireGuard Interfaces. Click the “+” icon to create a new WireGuard interface.

Screenshot of a network configuration interface showing options for WireGuard, DHCP, DNS, DynDNS accounts, and various network interfaces including Ethernet, PPP, VLAN, and Bond.

1.1.2) Click Create to generate the interface.

Screenshot of a WireGuard VPN configuration interface displaying options to name a new interface, view its status, and set MTU, with a notification that changes are preserved until the dialog is canceled or the user logs out.


1.2) Configuring the WireGuard connection on the Unified Firewall:

1.2.1) Go to the menu VPN → WireGuard and click the “+” icon to create a WireGuard connection.

A screenshot of a technical configuration menu displaying options for Firewall, WireGuard, Monitoring Statistics, Desktop, User Authentication, IPsec, VPN SSL, and Certificate Management.

1.2.2) Modify the following parameters:

  • Name : Enter a descriptive name for the WireGuard connection (in this example WG-Firewall).
  • Interface : From the drop-down menu, select the WireGuard interface created in step 1.1.
  • Address : Enter an IP address from an as yet unused IP address range (in this example 10.0.5.1).

The port automatically increments when multiple WireGuard connections are created.

Screenshot of a WireGuard VPN configuration interface showing options for naming the connection, setting the interface, IP address, port details, and peer authentication parameters, with a notification that changes will be preserved unless canceled or logged out.

1.2.3) Go to the tab Authentication and click the button Generate Key Pair. This automatically generates the private key and the public key.

Screenshot of a WireGuard VPN configuration interface showing settings for the WGFirewall connection, including options for the interface name, address, port, peers, and keys with options to generate and copy the public key.

1.2.4) Click Copy Public Key and save it in a text file.

Screenshot of a WireGuard VPN configuration interface showing fields for name, address, port, and peers authentication with options to generate, copy, or cancel public keys.

1.2.5) Go back to the tab Peers and click the “+” sign to specify the connection parameters for the remote site.

Screenshot of a WireGuard firewall configuration interface showing settings for the WGFirewall, including interface name, internal IP address, port details, remote address, remote port, public key, keep-alive settings, allowed IP addresses, and options to generate or copy keys.

1.2.6) Modify the following parameters and click OK:

  • Name : Enter a descriptive name for the connection to the remote site (in this example WG-C2S-Windows).
  • Public Key : Enter the public key for the WireGuard Windows client copied in step 2.2.
  • Allowed IP addresses : Enter the IP address of the WireGuard Windows client in CIDR notation (Classless Inter-Domain Routing) that is to communicate with the local networks via the WireGuard connection (in this example 10.0.5.40/32).

It is possible to enter several Peers in a WireGuard configuration (they can be established at the same time). In doing so, multiple WireGuard clients can be connected without needing to set up a new configuration for each client.

Screenshot of a network configuration interface displaying options for peer name, Windows Remote Address, Remote Port, Public Key, keep-alive settings, and options to create routes for allowed IP addresses.

1.2.7) Then click Create.

Screenshot of the WireGuard VPN configuration interface with fields such as Name, Interface, Address, Port, and Peers Authentication details including Name, Remote Address, Remote Port, Public Key, Keep Alive, and Allowed IP Addresses, with options to generate and copy public keys.


1.3) Allow data traffic between the local network and the WireGuard client:

Repeat the following steps for any other local or remote network that is to communicate via the WireGuard tunnel.

1.3.1) Click the icon to create a new host.


1.3.2) Modify the following parameters and then click Create:

  • Name : Enter a descriptive name for the host (in this example WG-Windows).
  • Interface : From the drop-down menu, select the WireGuard interface created in step 1.1.
  • Host : Click in the box to display the IP address entered under Allowed IP addresses in step 1.2.6, and select it (in this example 10.0.5.40).

A screenshot of a technical configuration dialog box for 'WGWindowsHost', featuring various settings including login permissions, interface details, and exemptions from IPS and antivirus scanning.

1.3.3) Click the object for the local network on the desktop (in this example INTRANET), select the connection tool, and click the object for the WireGuard host created in step 1.3.2.


1.3.4) Add the protocols required for communication.

Screenshot of a configuration interface for network settings, showing options for NAT, URL Content Filter, Application Filter, Application Based Routing, and Traffic Shaping, with an option to add new items.

1.3.5) Click Create to generate the connection rules.

Screenshot of a computer interface displaying network settings, including options for URL Content Filter, Application Filter, Application Based Routing, Traffic Shaping, and Connection Sets with actions and schedules for HTTPS and ROP protocols.

1.3.6) Finally, implement the changes by clicking Activate.




2) Configuring the WireGuard Windows client:

2.1) Start the WireGuard client in Windows and click Add Tunnel → Add empty tunnel.

Screenshot of a WireGuard VPN interface showing the option to import a tunnel from a file.

2.2) Enter a descriptive name for the tunnel (in this example WireGuard-Client-UF) and save the public key in a text file.

The private key and public key are generated automatically. 

Image displaying a technical configuration interface with options to create a new tunnel, featuring a section for entering a private key.

2.3) Complete the configuration file by inserting the template (see below) and adjusting the parameters. Then click Save:

  • Address : Using CIDR notation, enter the IP address you specified for the WireGuard client in step 1.2.6 (in this example 10.0.5.40/32).
  • PublicKey : Enter the public key for the Unified Firewall copied in step 1.2.4.
  • AllowedIPs : Using CIDR notation, enter an IP network of the Unified Firewall that the WireGuard client communicates with (in this example 192.168.1.0/24). Multiple networks can also be entered by separating them with a comma (e.g. 192.168.1.0/24, 192.168.2.0/24).
  • Endpoint : Enter the IP address or the DNS name of the Unified Firewall on the Internet along with the port used in the syntax <IP address or DNS name of the Unified Firewall on the Internet>:<WireGuard port> (in this example 81.81.81.1:51820).
  • PersistentKeepalive : Enter the value 25 so that the WireGuard client sends a keepalive packet every 25 seconds and the connection is maintained even without data traffic.

Template for completing the configuration file (the Address line belongs in the [Interface] section that the client has already created together with the PrivateKey line; the [Peer] section is appended below it):

Address = <IP address>

[Peer]
PublicKey = <Public key>
AllowedIPs = <IP network>
Endpoint = <IP address>:<port>
PersistentKeepalive = 25

Image of a technical configuration interface displaying options for creating a new tunnel with fields for public keys, private keys, peer details, allowed IPs, and endpoint configurations.
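The following script assembles the client-side [Peer] section from the values of step 2.3 and cross-checks them against what was entered for the peer on the Unified Firewall in step 1.2.6. It is an added example and not code from the LANCOM article or from the WireGuard project. The address, network and endpoint values are the article's example values; the two keys are constructed placeholders (any 32 bytes, base64-encoded) standing in for the keys copied in steps 1.2.4 and 2.2; the function names are the example's own.

```python
"""Assemble and sanity-check the WireGuard Windows client configuration.

Added example, not code from the LANCOM article or the WireGuard project.
Values below are the article's example values; the keys are constructed
placeholders (format-valid, not real keys).
"""
import base64
import ipaddress

# Constructed placeholder keys: 32 bytes, base64-encoded, like real WireGuard keys.
FIREWALL_PUBLIC_KEY = base64.b64encode(bytes([0x11] * 32)).decode()  # copied in step 1.2.4
CLIENT_PUBLIC_KEY = base64.b64encode(bytes([0x22] * 32)).decode()    # copied in step 2.2


def validate_key(key: str) -> str:
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    raw = base64.b64decode(key, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key must decode to 32 bytes, got {len(raw)}")
    return key


def validate_endpoint(endpoint: str) -> str:
    """Endpoint must be <IP address or DNS name>:<port> with a valid port."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host:
        raise ValueError("endpoint must be <IP address or DNS name>:<port>")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return endpoint


def build_client_config(address, firewall_public_key, allowed_ips, endpoint, keepalive=25):
    """Return the lines that complete the client's configuration file.

    The client has already written the [Interface] header and PrivateKey
    (step 2.2); Address goes into that section, the rest forms the [Peer].
    """
    iface = ipaddress.ip_interface(address)
    if iface.network.prefixlen != iface.max_prefixlen:
        raise ValueError("client Address should be a single host address, e.g. /32")
    # strict=True rejects host bits set in a network, e.g. 192.168.1.5/24
    nets = [ipaddress.ip_network(n.strip(), strict=True) for n in allowed_ips.split(",")]
    lines = [
        f"Address = {iface.with_prefixlen}",
        "",
        "[Peer]",
        f"PublicKey = {validate_key(firewall_public_key)}",
        f"AllowedIPs = {', '.join(str(n) for n in nets)}",
        f"Endpoint = {validate_endpoint(endpoint)}",
        f"PersistentKeepalive = {int(keepalive)}",
    ]
    return "\n".join(lines)


def peer_entries_match(client_address, firewall_peer_allowed_ips):
    """Cross-check the two sides of the configuration.

    The Allowed IP addresses entered for the peer on the firewall (step 1.2.6)
    must cover the Address the client uses (step 2.3); otherwise the firewall
    discards the client's tunnel packets as not allowed for that peer.
    """
    client_ip = ipaddress.ip_interface(client_address).ip
    return any(client_ip in ipaddress.ip_network(n.strip())
               for n in firewall_peer_allowed_ips.split(","))


if __name__ == "__main__":
    print(build_client_config("10.0.5.40/32", FIREWALL_PUBLIC_KEY,
                              "192.168.1.0/24, 192.168.2.0/24", "81.81.81.1:51820"))
    print("peer entries consistent:", peer_entries_match("10.0.5.40/32", "10.0.5.40/32"))
```

The strict network check catches the common mistake of entering a host address with a network prefix under AllowedIPs, and the cross-check reproduces the rule WireGuard applies on receipt: a packet from a peer whose source address is outside that peer's allowed IPs is dropped silently, which in this setup looks exactly like the "active but not working" tunnel described under Description.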

2.4) Finally, establish the connection by clicking Activate.

Screenshot of a WireGuard VPN client interface showing inactive status, with fields for public keys, addresses, peers, and configuration settings visible.
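Because WireGuard has no connection monitoring (see the note under Description, where a tunnel is shown as active even if it was never established), clicking Activate in step 2.4 does not by itself confirm that the firewall answered. The only reliable indicator is a recent handshake, which the command-line tool `wg show <interface> dump` reports per peer. The script below, an added example that is not part of the LANCOM article or the WireGuard project, parses that output and flags peers that never completed a handshake or whose last handshake is too old. The sample dump, the interface name and the key strings in it are constructed; the 180-second threshold is the example's own choice, based on WireGuard renewing the handshake roughly every two minutes while traffic or keepalives flow.

```python
"""Flag WireGuard peers that have no recent handshake.

Added example, not code from the LANCOM article or the WireGuard project.
Parses `wg show <interface> dump` (tab-separated; on Windows, wg.exe in the
WireGuard installation directory, the tunnel name being the interface name).
"""
import subprocess
import time

# Constructed sample output of `wg show <interface> dump`:
# line 1: private key, public key, listen port, fwmark
# per peer: public key, preshared key, endpoint, allowed IPs,
#           latest handshake (unix time, 0 = never), rx bytes, tx bytes, keepalive
SAMPLE_NOW = 1_700_000_000
SAMPLE_DUMP = (
    "(hidden)\tCLIENTPUBKEYPLACEHOLDER=\t51820\toff\n"
    "PEER1PUBKEYPLACEHOLDER=\t(none)\t81.81.81.1:51820\t192.168.1.0/24\t"
    f"{SAMPLE_NOW - 40}\t10240\t20480\t25\n"
    "PEER2PUBKEYPLACEHOLDER=\t(none)\t(none)\t192.168.2.0/24\t0\t0\t0\t25\n"
)

# The handshake is renewed about every two minutes while packets flow, so a
# handshake older than this means the tunnel is not actually working.
HANDSHAKE_MAX_AGE = 180


def parse_dump(text):
    """Return a list of peer dicts from `wg show <iface> dump` output."""
    peers = []
    for line in text.splitlines()[1:]:  # the first line describes the interface
        fields = line.split("\t")
        if len(fields) != 8:
            continue
        pub, _psk, endpoint, allowed, hs, rx, tx, keepalive = fields
        peers.append({
            "public_key": pub,
            "endpoint": endpoint,
            "allowed_ips": allowed,
            "latest_handshake": int(hs),
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
            "keepalive": keepalive,
        })
    return peers


def handshake_status(peers, now=None, max_age=HANDSHAKE_MAX_AGE):
    """Map each peer's public key to 'ok', 'stale' or 'never'."""
    now = time.time() if now is None else now
    status = {}
    for p in peers:
        if p["latest_handshake"] == 0:
            status[p["public_key"]] = "never"      # the peer never answered
        elif now - p["latest_handshake"] > max_age:
            status[p["public_key"]] = "stale"      # tunnel was up, no longer is
        else:
            status[p["public_key"]] = "ok"
    return status


def check_interface(interface):
    """Query the live system (requires wg/wg.exe on PATH and suitable rights)."""
    out = subprocess.run(["wg", "show", interface, "dump"],
                         capture_output=True, text=True, check=True).stdout
    return handshake_status(parse_dump(out))


if __name__ == "__main__":
    for key, state in handshake_status(parse_dump(SAMPLE_DUMP), now=SAMPLE_NOW).items():
        print(f"{key}: {state}")
```

A peer reported as "never" together with a non-zero tx byte count is the typical signature of the asymmetric-routing problem described under Description (the client keeps sending handshake initiations, the firewall answers via the wrong WAN connection) or of a missing port forward on the upstream router in scenario 2.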