DAL router as WireGuard Server Windows Client

Since DAL OS firmware 24.3.28.88 Support for WireGuard (WG) VPNs has been added.

WireGuard is a VPN protocol that operates at the network layer to provide communication between devices over a public network (more info on WireGuard website: https://www.wireguard.com/).

A DAL router can be configured in two WireGuard modes:

Client mode: the DAL router establishes an outbound WireGuard VPN tunnel to a remote server
Server mode: one or more remote devices can establish an inbound WireGuard VPN tunnel to the DAL router

In this article, is shown how to configure a DAL router as a WireGuard server with a Windows WireGuard client.

DAL WG Server Configuration (1^st part)

1 - Browse to System > Device Configuration > VPN > WireGuard and add a WG Tunnel:

Enable the “Device managed private key” option, to allow the DAL Router to generate its own public and private keys.

If this setting is enabled, it triggers the DAL router to automatically generate a private key and corresponding public key. This private and public key is used to establish the encrypted communication between the client and peer via the Wireguard tunnel.

2 - After clicking Apply, go to Status > VPN > WireGuard to see the WireGuard Server Public Key, which will be needed later to configure the Windows WireGuard Client.

NOTE: If the WireGuard Server Public Key is not shown here, it may be obtained by issuing the following Admin CLI command:

> show wireguard name WG_Tunnel verbose

3 - Create a WireGuard Interface (System > Device Configuration > Network > Interfaces):

Note which subnet is chosen for this interface, this will be need to be configured accordingly also on the Client side.

Click Apply.

In the WG Tunnel status is shown that it is now linked to the WG Interface:

Also, within Status > Network Interfaces, within the WG_Interface section, the Server Public Key will be displayed.

NOTE: If the WireGuard Server Public Key is not shown here, it may be obtained by issuing the following Admin CLI command:

> show wireguard name WG_Tunnel verbose

Check the Public WAN IP address of the DAL router, that will be needed in next steps to configure the Windows WG Client (Note: when acting as a server, the DAL router must be reachable from the remote peers, so it will need a Public IP on the WAN interface).

In this example, the WAN used is the DAL device’s cellular modem, so navigate to Status > Networking > Interfaces to see the mobile IP address (in the applicable section of the interface in question). Depending on the DAL device type, the cellular modem may be named Modem, WWAN, WWAN1, etc.

Windows WG Client Configuration:

Download and Install WG software for Windows: https://download.wireguard.com/windows-client/wireguard-installer.exe.
Once installed, open the WG Software, click on the Add Tunnel arrow and select “Add empty tunnel”

The “Create new tunnel” window will be shown:

Add the following config (leaving the Interface PrivateKey as is) and click on Save:

Enable the tunnel by clicking on Activate:

NOTE: In modern DAL firmware, a feature exists to export the Client configuration to a file (to then import to the WireGuard Client). At the time of this writing (September 2025), DAL firmware 25.5.52.21 and newer has a WireGuard issue, preventing the Client from successfully connecting to the Server. Once this is fixed, this KB article will be updated to include instructions on how to export then import the Client configuration.

DAL WG Server Configuration (2^nd part)

Browse back in the WG Tunnel configuration on DAL router and add a peer under the Peers section (System > Device configuration > VPN > WireGuard > WG_Tunnel > Peers)