QNAP QTS v5 OpenVPN to Wireguard server migration
QNAP's QTS version 5 now has Wireguard as a protocol in QVPN. There is however - as opposed to OpenVPN - no option to download an easy-to-set-up config file to quickly connect a client to your NAS.
It seems that users need to create their own Wireguard config file to get this running. As I do not know the syntax of these files, what do I need to do to switch from OpenVPN to Wireguard?
In order to switch from OpenVPN to WireGuard, there are a few main differences one has to know:
- Wireguard is not a "server with users that login" but rather a set of computers that connect to each other by knowing their peers by a public key that is exchanged beforehand. So, while OpenVPN uses the "Privilege Settings" to create users that are allowed to connect, Wireguard does not use those VPN users and instead maintains its own list of "peers" (as opposed to users) directly in the Wireguard setup page.
- As mentioned in the question, Wireguard does not allow you (as of now) to download a config file, you have to edit that manually. Luckily, the clients do a syntax check for you.
So while we do not deal literally with clients and servers but rather equal peers here, I will use the term "server" for the NAS and "client" for the computers connecting to it, just to make it easier.
So first of all, just like with OpenVPN, you need to make sure that your NAS can be reached, so you need to add the "Listen Port" from your Wireguard setup page to your router's port forwarding. Pick a "network interface" setting in the Wireguard setup on QVPN and then add the respective IP address you chose as well as the listen port to your router setup.
Then, press the "Generate Keypairs" button and copy the "Public Key" to a text file that you need to send to your client computer.
On your Client computer, you open the WireGuard app that you downloaded from wireguard.com and select to "add an empty tunnel" (Windows) or "Create from scratch" (Android). You will there see a "public key" and "private key" field. If it's empty on Android, look for a "reload" button that will fill the respective lines. Again here, copy out the Public key and in this case send it to the computer that you use to manage your QNAP.
Now, on your QNAP QVPN Wireguard setup, press the "Add Peer" button. Add a meaningful "Peer name" and paste the Public Key that you just created in the last step into the respective "public key" field. Before pressing "Apply", click the down-arrow next to "advanced settings" and note the "Allowed IPs" down. This should be something like 198.18.7.2/32. This information is needed on the client and will be different for each peer that you add. You can leave the other fields in the "advanced" section blank.
Now we set up the client computer. On Windows, you have to manually add text into the white space below the `PrivateKey = ..` line; on Android you have ready-made fields for everything.
On your client, add the "Allowed IP" from your "add peer" window on the QNAP as `Address = 198.18.7.2/32` below the `[Interface]` line in the editor.
Then add a `[Peer]` section in Windows or press the "Add Peer" link on Android. Then insert the public key from your NAS with a `PublicKey = ...` line. Below there, add the line `AllowedIPs = 0.0.0.0/0` to make sure that all data will pass through the VPN.
Lastly, add the Endpoint line where you add the Dynamic DNS and port info of your QNAP NAS with `Endpoint = whateverisyours.myqnapcloud.com:51820` (likely the myqnapcloud.com domain that you chose). This is the same info as for your OpenVPN setup, just a different port.
You can see a sample of what the screens for Windows and Android look like. Once you save this, and you entered the connection data correctly, it should work.
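The client file assembled from the steps above, as an added example that is not part of the original answer: a small Python helper that checks each value before writing it into the config layout. The function names and the two sample keys are constructed for illustration; the address and endpoint are the answer's own example values.

```python
import base64
import binascii
import ipaddress

# Layout of the client tunnel file described in the answer.
TEMPLATE = """[Interface]
PrivateKey = {private_key}
Address = {address}

[Peer]
PublicKey = {server_public_key}
AllowedIPs = {allowed_ips}
Endpoint = {endpoint}
"""

# Constructed sample keys (not real): any 32 bytes, base64-encoded.
SAMPLE_CLIENT_PRIVATE = base64.b64encode(bytes(range(32))).decode()
SAMPLE_NAS_PUBLIC = base64.b64encode(bytes(range(32, 64))).decode()


def check_key(name, value):
    """WireGuard keys are 32 bytes, shown as 44 base64 characters."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"{name} is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"{name} must decode to 32 bytes, got {len(raw)}")


def check_endpoint(value):
    """Endpoint is host:port, e.g. the myqnapcloud.com name plus the listen port."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdecimal() or not 0 < int(port) < 65536:
        raise ValueError("Endpoint must be host:port")


def build_client_config(private_key, address, server_public_key, endpoint,
                        allowed_ips="0.0.0.0/0"):
    """Return the client config text; raise ValueError on a malformed field."""
    check_key("PrivateKey", private_key)         # generated in the client app, stays there
    check_key("PublicKey", server_public_key)    # copied from the NAS "Generate Keypairs" step
    if private_key == server_public_key:
        raise ValueError("PublicKey must be the NAS key, not the client's own key")
    ipaddress.ip_interface(address)              # the "Allowed IPs" value noted on the NAS
    for net in allowed_ips.split(","):
        ipaddress.ip_network(net.strip(), strict=False)
    check_endpoint(endpoint)
    return TEMPLATE.format(private_key=private_key, address=address,
                           server_public_key=server_public_key,
                           allowed_ips=allowed_ips, endpoint=endpoint)
```

Run it on the client machine so the private key never has to leave it; only the client's public key goes to the NAS peer entry.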