Description:

WireGuard is a simple and lean VPN protocol. Unlike IKEv2/IPSec, WireGuard focuses on simplicity, speed and ease of operation. IKEv2/IPSec, on the other hand, is an IETF-standardized protocol with many extensions and high flexibility, which comes with high complexity. While IKEv2/IPSec offers crypto agility (the encryption methods are exchangeable and can be negotiated between the endpoints), WireGuard uses a fixed cipher suite: Curve25519 for the key exchange and ChaCha20-Poly1305 for encryption. With WireGuard, only authentication via public/private key is possible, whereas authentication with IKEv2/IPSec is flexible, e.g. via preshared key, certificate or EAP. IKEv2/IPSec also supports various extensions such as RADIUS or two-factor authentication, which WireGuard does not offer. In addition, WireGuard only supports transport via UDP.

Due to the large number of configuration and deployment scenarios in LCOS, LANCOM Systems recommends continuing to use IKEv2/IPSec as the standard protocol for branch networking or SD-WAN. In addition, LANCOM router platforms do not have hardware acceleration for ChaCha20-Poly1305, so encryption for WireGuard connections must be performed in software. This results in lower data throughput compared to connections with IKEv2/IPSec. For scenarios with high VPN throughput, LANCOM Systems therefore recommends continuing to use IKEv2/IPSec.

WireGuard is an ideal addition for simple scenarios where only basic encrypted connections are needed. Another use case for WireGuard is scenarios where the VPN protocol is specified by a service provider or VPN provider.

This article describes how a WireGuard connection between two LANCOM routers can be set up.

Information regarding licensing:

WireGuard counts as a VPN tunnel and is therefore included in the router's license count. The license pool is shared with other VPN tunnels such as IKEv2/IPSec or PPTP-MPPE. A WireGuard tunnel consumes a license as soon as data is transmitted through it. Any number of WireGuard tunnels can be configured. Additional WireGuard licenses can be added via the VPN option.

Example:
If a router has a license for five VPN tunnels and three IPSec tunnels have already been set up, two WireGuard tunnels can be used.


Requirements:

Scenario:

  • A company wants its employees in the office to have access to the corporate network via a WireGuard site-to-site connection.
  • The headquarter has a LANCOM router as a gateway and an Internet connection with the public IP address 81.81.81.1.
  • The office also has a LANCOM router as a gateway and an Internet connection with the public IP address 81.81.81.2.
  • The local network at the headquarter has the IP address range 192.168.1.0/24.
  • The local network at the office has the IP address range 192.168.2.0/24.

Scenario graphic for a WireGuard connection between two LANCOM routers

Procedure:

The WireGuard connections on the two routers must be configured in parallel (steps 1.3 - 1.6 as well as 2.3 - 2.6), since each router's Public Key must be stored on the opposite router, and the Preshared Key must be identical on both routers. For the sake of clarity, however, the setup is described separately.

1) Configuration on the LANCOM router in the headquarter:

1.1) Connect to the router in the headquarter via LANconfig and go to the menu VPN → WireGuard. Activate WireGuard and the Cookie challenge.

The WireGuard handshake is computationally expensive. Attackers could therefore try to overload the router with many simultaneous handshake requests and thereby slow it down or crash it (a so-called "CPU-exhaustion attack").

The Cookie challenge is a protective measure against such attacks: an initiator must perform an additional network round trip for each handshake request and echo the cookie before the handshake is processed. This significantly increases the cost of the attack and makes it less effective.

LANCOM Systems therefore recommends always activating the Cookie challenge.

Activate WireGuard and the Cookie challenge in the router in the headquarter

1.2) Switch to the menu Connection list.

Open the WireGuard connection list

1.3) Create a new entry and modify the following parameters:

  • Connection: Enter a descriptive name for the WireGuard connection (in this example WG-OFFICE).
  • Remote gateway: Enter the public IP address or the DynDNS address of the router in the office (in this example 81.81.81.2).
  • Local private key: Click on Generate key, so that the router generates a private key for itself.
  • Preshared key: Click on Generate key, so that the router generates a preshared key. It is optional and adds an additional layer of security. The Preshared key must be entered on the router in the office in step 2.3.

The Peer private key only needs to be generated on the LANCOM router if the router is to create a WireGuard profile for the peer and provide it as a configuration file or as a QR code. It is not required for operation in LCOS; it is only stored in the configuration so that the configuration for the other side can be displayed or generated again later if necessary.

A separate Local port must be used for each WireGuard connection, e.g. 51821 for the second connection, 51822 for the third and so on.

Enter the parameters and generate the Private Key and Preshared Key for the WireGuard connection to the router in the office

1.4) Click on Create peer config to read out the Public Key.

Open the menu for creating the WireGuard peer configuration in the WireGuard connection list on the router in the headquarter

1.5) Copy the Public Key (Local). It must be entered on the router in the office in step 2.6.

Copy the Public Key of the router in the headquarter

1.6) Paste the Public Key of the router in the office copied in step 2.5 in the field Peer public key.

Enter the Public Key of the router in the office in the WireGuard connection on the router in the headquarter

1.7) Go to the menu IP Router → Routing → IPv4 routing table.

Open the menu IPv4 routing table on the router in the headquarter

1.8) Click Add to create a new routing entry.

Create a new routing entry

1.9) Modify the following parameters:

  • IP address: Enter the network address of the IP address range from the local network in the office (in this example 192.168.2.0).
  • Netmask: Enter the subnet mask of the local network in the office (in this example 255.255.255.0).
  • Router: Select the WireGuard connection created in steps 1.3 - 1.6 from the dropdown menu (in this example WG-OFFICE).
  • IP masquerading: Select the option IP Masquerading switched off.

Enter the parameters for the routing entry for the WireGuard connection to the office

1.10) This concludes the configuration steps on the router in the headquarter. Write the configuration back to the device.

2) Configuration on the LANCOM router in the office:

2.1) Connect to the router in the office via LANconfig and go to the menu VPN → WireGuard. Activate WireGuard and the Cookie challenge.

The WireGuard handshake is computationally expensive. Attackers could therefore try to overload the router with many simultaneous handshake requests and thereby slow it down or crash it (a so-called "CPU-exhaustion attack").

The Cookie challenge is a protective measure against such attacks: an initiator must perform an additional network round trip for each handshake request and echo the cookie before the handshake is processed. This significantly increases the cost of the attack and makes it less effective.

LANCOM Systems therefore recommends always activating the Cookie challenge.

Activate WireGuard and the Cookie challenge in the router in the office

2.2) Switch to the menu Connection list.

Open the WireGuard connection list

2.3) Create a new entry and modify the following parameters:

  • Connection: Enter a descriptive name for the WireGuard connection (in this example WG-HEADQUARTER).
  • Remote gateway: Enter the public IP address or the DynDNS address of the router in the headquarter (in this example 81.81.81.1).
  • Local private key: Click on Generate key, so that the router generates a private key for itself.
  • Preshared key: Copy the Preshared key created in step 1.3 and paste it in this field.

The Peer private key only needs to be generated on the LANCOM router if the router is to create a WireGuard profile for the peer and provide it as a configuration file or as a QR code. It is not required for operation in LCOS; it is only stored in the configuration so that the configuration for the other side can be displayed or generated again later if necessary.

A separate Local port must be used for each WireGuard connection, e.g. 51821 for the second connection, 51822 for the third and so on.

Enter the parameters and generate the Private Key and enter the Preshared Key for the WireGuard connection to the router in the headquarter

2.4) Click on Create peer config to read out the Public Key.

Open the menu for creating the WireGuard peer configuration in the WireGuard connection list on the router in the office

2.5) Copy the Public Key (Local). It must be entered on the router in the headquarter in step 1.6.

Copy the Public Key of the router in the office

2.6) Paste the Public Key of the router in the headquarter copied in step 1.5 in the field Peer public key.

Enter the Public Key of the router in the headquarter in the WireGuard connection on the router in the office

2.7) Go to the menu IP Router → Routing → IPv4 routing table.

Open the menu IPv4 routing table on the router in the office

2.8) Click Add to create a new routing entry.

Create a new routing entry

2.9) Modify the following parameters:

  • IP address: Enter the network address of the IP address range from the local network in the headquarter (in this example 192.168.1.0).
  • Netmask: Enter the subnet mask of the local network in the headquarter (in this example 255.255.255.0).
  • Router: Select the WireGuard connection created in steps 2.3 - 2.6 from the dropdown menu (in this example WG-HEADQUARTER).
  • IP masquerading: Select the option IP Masquerading switched off.

Enter the parameters for the routing entry for the WireGuard connection to the headquarter

2.10) This concludes the configuration steps on the router in the office. Write the configuration back to the device.
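The procedure above relies on a few cross-checks between the two routers: each Peer public key must be the public key derived from the other router's Local private key, the Preshared key must be identical, and each routing entry must point at the other side's LAN. The following added example (not LCOS or LANconfig code) derives the public keys with a pure-Python X25519 and runs those checks over two constructed connection entries. The dict field names, the `HQ`/`OFFICE` entries and the preshared key are assumptions for the example; the private keys are the RFC 7748 section 6.1 test vectors rather than keys from any real device.

```python
import base64
P = 2**255 - 19  # Curve25519 field prime

def x25519(scalar: bytes, u: int = 9) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder); u=9 (base point) maps a private key to its public key."""
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp as WireGuard keys are
    k = int.from_bytes(k, "little")
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_pubkey(private_b64: str) -> str:
    """What 'Create peer config' reads out: the base64 public key belonging to a private key."""
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()

b64 = lambda h: base64.b64encode(bytes.fromhex(h)).decode()  # hex -> WireGuard base64 form
# Constructed entries mirroring the article's scenario (assumed field names, not a device export):
# private keys are the RFC 7748 section 6.1 test vectors, the PSK is an arbitrary constant.
PSK = b64("00" * 31 + "01")
HQ = dict(name="WG-OFFICE", public_ip="81.81.81.1", lan="192.168.1.0/24",
          remote_gateway="81.81.81.2", route="192.168.2.0/24", preshared_key=PSK,
          local_private_key=b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"),
          peer_public_key=b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"))
OFFICE = dict(name="WG-HEADQUARTER", public_ip="81.81.81.2", lan="192.168.2.0/24",
              remote_gateway="81.81.81.1", route="192.168.1.0/24", preshared_key=PSK,
              local_private_key=b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"),
              peer_public_key=b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"))

def check_pair(a: dict, b: dict) -> list:
    """Cross-checks of steps 1.3-1.6 / 2.3-2.6 and the routing entries; an empty list means consistent."""
    findings = [] if a["preshared_key"] == b["preshared_key"] else ["preshared key differs"]
    for me, other in ((a, b), (b, a)):
        if me["peer_public_key"] != wg_pubkey(other["local_private_key"]):
            findings.append(f"{me['name']}: peer public key is not the public key of {other['name']}")
        if me["route"] != other["lan"]:
            findings.append(f"{me['name']}: routing entry does not point at the other router's LAN")
    return findings
```

Running `check_pair(HQ, OFFICE)` on these entries returns an empty list; swapping in a wrong peer key or a wrong routing network produces one finding per mistake.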