@mikepage
Last active August 1, 2025 22:52

Reset the EdgeRouter X to factory defaults and connect it to the LAN, which is configured with the IPv4 range 192.168.1.1/24. When the EdgeRouter X is reset to factory defaults, it is in a minimal, unconfigured state:

  • IP address: The router itself is accessible via 192.168.1.1 on eth0 only.
  • DHCP: Disabled. No devices will receive an IP address automatically.
  • Interfaces: Only eth0 has a static IP (192.168.1.1); all other interfaces are unconfigured.

SSH into the EdgeRouter X (use port 2222 for SSH) and update the config, replacing 192.168.1.254 with the main router's IP:

ssh -p 2222 [email protected]

configure
delete interfaces ethernet eth0 address
set interfaces ethernet eth0 address 192.168.1.1/24
set system gateway-address 192.168.1.254
set system name-server 1.1.1.1
set system name-server 1.0.0.1
commit
save
exit

reboot

Install WireGuard

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e50-v2-v1.0.20220627-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20220627-v1.0.20210914.deb

Generate key

wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public

Create an empty tunnel in the WireGuard app on the Mac, then replace PUBKEY with the EdgeRouter X public key and HOST with the WAN IP or DDNS name:

[Interface]
PrivateKey = SECRET
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = PUBKEY
Endpoint = HOST:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Configure the router side, replacing PEER_PUBKEY with the peer's public key and HOST with the WAN IP or DDNS name:

configure

set interfaces wireguard wg0 address 10.0.0.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true

set interfaces wireguard wg0 peer PEER_PUBKEY endpoint HOST:51820
set interfaces wireguard wg0 peer PEER_PUBKEY allowed-ips 10.0.0.2/32

set interfaces wireguard wg0 private-key /config/auth/wg.key

set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51820

commit
save
exit
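
The Mac tunnel config above and the router-side peer lines are two halves of one key exchange, and most failed tunnels come from a key pasted into the wrong place. The following is an added example, not part of the gist: it parses the Mac's [Interface]/[Peer] config, checks that both keys are 32-byte base64 values, derives the client's public key from its PrivateKey with a pure-Python X25519 (the computation behind `wg pubkey`), and prints the two `set interfaces wireguard wg0 peer ...` lines from the router step. The sample config, the hostname vpn.example.net and the router key are constructed; the client private key is Alice's scalar from RFC 7748 section 6.1 so the derived public key can be checked against the RFC.

```python
"""Added example (not from the gist): turn the Mac's WireGuard client config
into the gist's router-side peer lines, checking the keys on the way.
Assumptions (hypothetical): the client config is the [Interface]/[Peer] INI
the WireGuard app writes; the router interface is wg0; the X25519 below is a
plain RFC 7748 ladder that shows what `wg pubkey` computes and is NOT
constant time, so it is for checking keys, not for generating them.
"""
import base64
import configparser
import ipaddress

P = 2**255 - 19  # Curve25519 field prime
A24 = 121665     # (486662 - 2) / 4


def _clamp(private: bytes) -> int:
    """RFC 7748 decodeScalar25519: the clamping `wg pubkey` applies first."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(private: bytes, u_bytes: bytes = (9).to_bytes(32, "little")) -> bytes:
    """Montgomery ladder (RFC 7748 section 5); with the default base point u=9
    the result is the public key `wg pubkey` prints for `private`."""
    k = _clamp(private)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # data-dependent branch: fine for a checker, not for a real implementation
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b64_to_key(s: str) -> bytes:
    """A WireGuard key is exactly 32 bytes; anything else is a paste error."""
    raw = base64.b64decode(s, validate=True)
    if len(raw) != 32:
        raise ValueError(f"WireGuard key must decode to 32 bytes, got {len(raw)}")
    return raw


def key_to_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def derive_public_key(private_b64: str) -> str:
    """Same output as `wg pubkey` for the given base64 private key."""
    return key_to_b64(x25519(b64_to_key(private_b64)))


def router_peer_commands(client_conf: str, iface: str = "wg0") -> list:
    """The two `set interfaces wireguard ... peer` lines from the gist, filled in
    from the client's config after validating its keys, address and endpoint."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(client_conf)
    client_pub = derive_public_key(cp["Interface"]["PrivateKey"])
    b64_to_key(cp["Peer"]["PublicKey"])  # the router key pasted as PUBKEY must be well formed too
    tunnel_ip = ipaddress.ip_interface(cp["Interface"]["Address"]).ip
    host, port = cp["Peer"]["Endpoint"].rsplit(":", 1)
    if not 0 < int(port) < 65536:
        raise ValueError(f"bad endpoint port {port!r}")
    prefix = f"set interfaces wireguard {iface} peer {client_pub}"
    # allowed-ips is the client's own /32: cryptokey routing then rejects packets
    # from this peer that carry any other source address.
    return [f"{prefix} endpoint {host}:{port}", f"{prefix} allowed-ips {tunnel_ip}/32"]


# Constructed sample. The private key is Alice's scalar from RFC 7748 section 6.1,
# so the public key this derives can be checked against the RFC's value.
ALICE_PRIVATE_B64 = "dwdtCnMYpX08FsFyUbJmRd9ML4frwJkqsXf7pR25LCo="
ROUTER_PUBLIC_B64 = key_to_b64(x25519(bytes(range(1, 33))))  # constructed router key
SAMPLE_CLIENT_CONF = f"""\
[Interface]
PrivateKey = {ALICE_PRIVATE_B64}
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = {ROUTER_PUBLIC_B64}
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    print("client public key:", derive_public_key(ALICE_PRIVATE_B64))
    print("\n".join(router_peer_commands(SAMPLE_CLIENT_CONF)))
```

Run it on the workstation, not the router, and keep using `wg genkey` / `wg pubkey` for real keys; the ladder here exists to make the key relationship visible, not to replace the tool. The `allowed-ips` check is the one worth keeping in mind: WireGuard's cryptokey routing only accepts packets from a peer whose source address falls inside that peer's allowed-ips, so the /32 in the router config is what keeps one client from sending traffic as another.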

Log in to the main router and add a port forward for WAN port UDP 51820 to 192.168.1.1; make sure the EdgeRouter X is behind the main router and the main router is connected to the WAN.

Connect the WireGuard tunnel from a 5G network, SSH into the EdgeRouter X and show the status:

sudo wg show
interface: wg0
  public key: PUBKEY
  private key: (hidden)
  listening port: 51820

peer: PEER_PUBKEY
  endpoint: 62.45.55.7:64336
  allowed ips: 10.0.0.2/32
  transfer: 148 B received, 92 B sent
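
`wg show` is also the quickest health check once the tunnel is up. The following is an added example, not from the gist: a parser for the `wg show` text above that turns the transfer counters and handshake age into numbers and lists peers that never received a packet or whose handshake has gone stale, which is how a mismatched key, a wrong `allowed-ips` entry or a missing port forward shows up from the router side. The sample output is constructed from the gist's, with a `latest handshake` line and a second, never-connected peer added; the 180-second staleness threshold is a chosen default.

```python
"""Added example (not from the gist): parse `sudo wg show` output and list peers
that show no sign of a working session.
Assumptions (hypothetical): plain `wg show` text as in the gist; the sample
below is constructed from the gist's output with a handshake line and a second,
never-connected peer added; the 180 s staleness threshold is a chosen default.
"""
import re
import sys

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024**2, "GiB": 1024**3, "TiB": 1024**4}
_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "year": 365 * 86400}


def to_bytes(text):
    """'148 B' -> 148, '1.50 MiB' -> 1572864 (the units wg prints)."""
    m = re.fullmatch(r"([\d.]+)\s+(B|KiB|MiB|GiB|TiB)", text.strip())
    if not m:
        raise ValueError(f"unparsable transfer amount: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def to_seconds(text):
    """'1 minute, 23 seconds ago' -> 83; None when the format is not recognised."""
    if not text.strip().endswith(" ago"):
        return None
    parts = re.findall(r"(\d+) (second|minute|hour|day|year)s?", text)
    return sum(int(n) * _SECONDS[unit] for n, unit in parts)


def parse_wg_show(text):
    """Return {'interface': {...}, 'peers': [{...}, ...]} from `wg show` text."""
    status = {"interface": {}, "peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")  # first colon only; endpoints contain one
        key, value = key.strip(), value.strip()
        if key == "interface":
            current = status["interface"]
            current["name"] = value
        elif key == "peer":
            current = {"public_key": value, "endpoint": None, "allowed_ips": [],
                       "received": 0, "sent": 0, "handshake_age": None}
            status["peers"].append(current)
        elif current is None:
            raise ValueError(f"field before any interface/peer header: {raw!r}")
        elif key == "transfer":
            rx, tx = value.split(",")
            current["received"] = to_bytes(rx.replace("received", ""))
            current["sent"] = to_bytes(tx.replace("sent", ""))
        elif key == "allowed ips":
            current["allowed_ips"] = [ip.strip() for ip in value.split(",")]
        elif key == "latest handshake":
            current["handshake_age"] = to_seconds(value)
        else:
            current[key.replace(" ", "_")] = value  # endpoint, listening port, ...
    return status


def silent_peers(status, max_handshake_age=180):
    """Public keys of peers that never received data or whose last handshake is
    older than max_handshake_age seconds (an active peer re-handshakes about
    every two minutes, so 180 s leaves headroom)."""
    flagged = []
    for peer in status["peers"]:
        stale = peer["handshake_age"] is not None and peer["handshake_age"] > max_handshake_age
        if peer["received"] == 0 or stale:
            flagged.append(peer["public_key"])
    return flagged


# Constructed sample: the gist's output plus a handshake line and a second peer
# that has never completed a handshake (zero bytes received, no handshake line).
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: PUBKEY
  private key: (hidden)
  listening port: 51820

peer: PEER_PUBKEY
  endpoint: 62.45.55.7:64336
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 23 seconds ago
  transfer: 148 B received, 92 B sent

peer: PEER_NEVER_CONNECTED
  allowed ips: 10.0.0.3/32
  transfer: 0 B received, 0 B sent
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WG_SHOW
    status = parse_wg_show(text)
    for peer in status["peers"]:
        print(f"{peer['public_key']}: rx={peer['received']} B tx={peer['sent']} B "
              f"handshake_age={peer['handshake_age']}")
    print("peers without a working session:", silent_peers(status) or "none")
```

Piped live (`sudo wg show wg0 | python3 wgcheck.py`, with the script name assumed) it reads stdin; run on its own it uses the constructed sample. A peer with bytes sent but nothing received is the classic symptom of the client reaching the router while the router's reply never arrives, which on this setup usually means the public key pasted into PEER_PUBKEY does not match the Mac's key or the UDP 51820 forward on the main router is missing.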

Add a MASQUERADE NAT rule on the WAN (eth0) and a firewall rule to allow forwarding to the WAN:

configure

set service nat rule 7000 description 'MASQUERADE WireGuard peers to WAN'
set service nat rule 7000 outbound-interface eth0
set service nat rule 7000 type masquerade
set service nat rule 7000 source address 10.0.0.1/24

set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 state new enable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 source address 10.0.0.1/24

commit
save
exit

All done, reboot just to be sure.
