Setting up WireGuard VPN on roaming devices


NG Firewall version 16 and above supports WireGuard® VPN for secure remote access. WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. This article describes how to connect roaming devices including Micro Edge, mobile devices, and desktop systems to NG Firewall using the WireGuard app. For site-to-site tunnel configuration see Setting up WireGuard VPN Site-to-Site Connections in NG Firewall.

Server Configuration

As a first step, configure a new tunnel profile in the WireGuard app of NG Firewall. 

  1. Navigate to the WireGuard app in NG Firewall
  2. In the Tunnels tab, click Add
  3. Enter a Description to help you identify the tunnel
  4. Choose Roaming tunnel type
  5. Leave all other fields empty and click Done.


Copy the profile

After you create the tunnel, copy the profile configuration.

  1. Click the gear icon in the Remote Client column associated with the tunnel. 
  2. In the Remote Configuration screen, switch the Type to Configuration File.
  3. Click the copy icon to copy the contents of the configuration.


Setting up the WireGuard App on a device

  1. Download and install the WireGuard app for your specific device using the following link:
  2. Launch the WireGuard app and click Add Empty Tunnel
  3. Give the tunnel a name and paste the contents of profile.
  4. If you want the tunnel to connect automatically when necessary, enable the On-Demand option and specify one or more network interfaces to manage the connection.


Alternatively, if you are configuring the WireGuard mobile app for iOS and Android you can take a picture of the QR code from the app. Choose "Create from QR code" and point the camera at the QR image provided by the tunnel profile in the NG Firewall administration.QR-Code.jpg


To connect the tunnel, click Activate. To disconnect the tunnel, click Deactivate. If you use the On-demand option and noted previously, the tunnel activates automatically when WireGuard identifies a connection to an address specified by the Allowed IPs definition.


Configuring Full Tunnel

WireGuard supports Full Tunnel VPN routing. This means that when the client connects, all Internet traffic routes over the tunnel. This is useful to ensure that the device is fully protected by all security layers of NG Firewall. 

To configure full tunnel VPN, modify the AllowedIPs part of the configuration by removing all values and replacing them with "". 


Note regarding full tunnel for Windows systems

On Windows based systems, the designation of in allowedIPs blocks traffic to local networks. To maintain connectivity to local network resources, disable the option Block untunneled traffic (kill-switch). This option modifies the allowedIPs to allow access to local networks.


Configuring client DNS and network access

In some environments you may prefer to direct DNS requests from VPN clients to a specific host. You may also prefer to restrict what traffic gets routed over the VPN tunnel. These parameters are located in the Settings tab of the the WireGuard App in NG Firewall. By modifying these settings, the roaming profile adjusts to reflect the preferred DNS and AllowedIPs variables.


Was this article helpful?
18 out of 29 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk