Several months ago I posted setting up TorGuard’s WireGuard and the following post adding a policy base routing. You can view the posts here:
TorGuard has phased out the WireGuard Network and got moved under Tools > Config Generator. To generate a new WireGuard config, you must change the Tunnel Type from OpenVPN to WireGuard and fill out the form as shown in Figure 1.

You 15 minutes to write down following key information and get the WireGuard working; otherwise, TorGuard will deactivate the generated config file:
- PrivateKey
- Address
- PublicKey
- Endpoint
In VyOS CLI, enter the following to update the TorGuard private key.
echo "<PrivateKey>" > /config/auth/wireguard/torguard/private.key
Now the old private key has been replaced by the new PrivateKey. We need to delete the current WireGuard interface that is related to TorGuard. In my case, it is wg1000
. If we don’t delete the current wg interface and just modify the config change, the pubkey will get prepended. It is cleaner to just delete the current wg interface than modifying it.
Once the wg interface has been deleted, commit and create a the same interface again. The set wg interface port number to something does not overlap with your other WireGuard interface. Leaving it blank does not work anymore with VyOS if the default port 51820 is being used on the other WireGuard interfaces. In my case, I set wg interface to 51920
.
# Delete the current wg interface delete interfaces wireguard wg1000 commit # Re-create the same wg interface with the new information set interfaces wireguard wg1000 address '10.13.38.225/24' set interfaces wireguard wg1000 description 'test wireguard' set interfaces wireguard wg1000 peer torguard_test address '<peer-public-ip>' set interfaces wireguard wg1000 peer torguard_test allowed-ips '0.0.0.0/0' set interfaces wireguard wg1000 peer torguard_test persistent-keepalive '25' set interfaces wireguard wg1000 peer torguard_test port '1443' set interfaces wireguard wg1000 peer torguard_test pubkey '23esdrxBVqrxGbLskWeqwe5yWB0n5PS9ihrndjERD0g=' set interfaces wireguard wg1000 port '51920' set interfaces wireguard wg1000 private-key 'torguard' commit
If you do not use the TorGuard for policy base routing, then you are done. However, if you are utilizing the TorGuard with policy base routing, then PBR is broken at this point. It will not policy route any existing route related to the wg interface that we are working on somehow. To remedy this, I have to reboot the VyOS, unfortunately. Delete the interface policy route
then commit
. Re-add the same policy route
to the interface then commit
.
Hope you will find this useful. If you found a way to get the pbr working without rebooting the VyOS, please let know.
Cheers!