Hello!
Is it possible to set up Wireguard and necessary firewall rules via CLI?
If yes, where can I find more details about it?
Thank you!
Hello,
There are a few ways to approach this configuration via SSH/CLI:
If you’d like to automate Wireguard configuration deployment, I’d suggest using RutOS API, as it greatly simplifies the configuration. It will automatically create the necessary firewall zones.
RutOS API documentation can be found here: https://developers.teltonika-networks.com/
The API can be used in SSH/CLI without HTTP or authentication:
root@RUTX50:~# api -h
This script allows calling api endpoint locally without using HTTP
Usage: /sbin/api <http_method> <request_path> [<request_body>...]
Example: /sbin/api PUT /interfaces/config '{"data":[{"id":"lan","netmask":"255.255.255.0"}]}'
To start, I’d suggest generating new keys using the /wireguard/actions/generate_keys endpoint. Then these keys should be stored in a variable and later used to create a new WireGuard instance with /wireguard/config. After that, new peers can be added with the /wireguard/{id}/peers/config endpoint.
If you’re unsure about a certain argument, you can always use the developer tools on Chrome (also available on other browsers), and check what call is made when configuring certain sections of the WebUI:
To configure using UCI, please refer to our Wiki article about UCI: https://wiki.teltonika-networks.com/view/UCI_command_usage
Keep in mind, that you’ll also have to manually create a firewall zone and assign WireGuard interface to it.
Let me know if any additional information is needed!
Best regards,
That is interesting - and also a bit overwhelming for me.
How about using an ash script? I just want to have a script that I can execute locally (via CLI) on my RUTX11. The script should ask me a few questions, e.g.:
read -p "Enter the local WireGuard interface name (e.g. wg0): " interface_name
read -p "Enter the local private IP address (e.g. 192.168.1.1/24): " local_ip
read -p "Enter the peer public address of the FritzBox (e.g. hfhfjd84ggh3pgl7.myfritz.net): " peer_ip
read -p "Enter the peer WireGuard port (default 51820): " peer_port
read -p "Enter the public key of the FritzBox WireGuard peer: " peer_pubkey
read -p "Enter the local WireGuard port (default 51820): " local_port
read -p "Enter the WireGuard listen address (default 192.168.100.1:51820): " listen_addr
Something like this?
Then the script should set up the WG interface on the RUTX11 and the peer and should at the end show what I need to insert on the other side, i.e. the Fritzbox, as peer keys etc.
Do I really need the API or other complex things for such an “easy” task?
This is not for deployment to many peers, but I have difficulties - without some guidance - to set up a peer-to-peer WG network between my RUTX11 and my Fritzbox 7590AX, also because of things getting complicated (for me) with regard to necessary firewall rules.
Some years ago I had a simple WG tunnel running between both routers, but after a necessary switch to another Fritzbox and firmware updates on the RUTX11 side, things no longer seem to be so easy/out-of-the-box to use.
I am very willing to learn and would like to create and further expand on such a script to take into consideration also other users’ use cases, e.g. do they want to tunnel everything, also DNS, or just several devices, etc. But I am really at the beginning and would be happy to get some help on this.
Thanks to all - both Teltonika people and other users - for your help!
PS: I already had lengthy ChatGPT sessions to help me with the script, but that led to me not being able to connect to my RUTX11 anymore. So I had to reset, upload a backup, and now I am back at square zero.
Maybe somebody can explain what I need to do here? Years ago (when WG was still functioning for my setup), I never had to bother or change anything with regard to firewall rules - it just worked. Now I am redirected there:
… when I go to the QR code tab (which is also new to me) in the WG peers settings:
I have no idea what to do.
I understand that the RUTX11 is no router for beginners, and I am really willing to read, try and learn, but the learning curve is now very steep for me. I wonder how I was able to get it running back then, but I cannot retrieve the (working) settings from back then, as they are gone for good.
Any support is very much appreciated!
Hi,
Just to clarify - API is the easiest way to configure this, and it does not require making any CURL requests or authenticating. Here’s an example:
Generate private and public keys:
root@RUTX50:~# api post /wireguard/actions/generate_keys
{"http_body":{"success":true,"data":{"private":"2FjixsnJd3cUmPgRh6EoVxN6fBNZcUiumqC5swHeK00=","public":"cTeY3+w2F6qcorhyYmVsxiV1lyYDv0UV3qfzv6iq7Uo="}},"http_code":200}
Then place the keys in their respective variables:
KEYS_JSON=$(api post /wireguard/actions/generate_keys)
PRIVATE=$(echo "$KEYS_JSON" | jsonfilter -e @.http_body.data.private)
PUBLIC=$(echo "$KEYS_JSON" | jsonfilter -e @.http_body.data.public)
Then after user input for other values, send the request to create a WireGuard instance:
root@RUTX50:~# api post /wireguard/config "{\"data\":{\"enabled\":\"1\",\"private_key\":\"$PRIVATE\",\"public_key\":\"$PUBLIC\",\"id\":\"123456\"}}"
{"http_body":{"success":true,"data":{"enabled":"1","private_key":"2FjixsnJd3cUmPgRh6EoVxN6fBNZcUiumqC5swHeK00=","id":"123456",".type":"interface","listen_port":"51820","public_key":"cTeY3+w2F6qcorhyYmVsxiV1lyYDv0UV3qfzv6iq7Uo="}},"http_code":201}
It should be noted that not all values in the API call must be filled. Technically, the only mandatory value is private_key.
While it might seem difficult at first, it’s actually much easier than using UCI. Of course, the easiest configuration is always via the WebUI.
As for your firewall - everything looks correct, you may just need to change the Intra zone forward setting to Accept.
If it still doesn’t work, could you share screenshots of your configuration on both RUT and FritzBox side?
Best regards,
Thank you so much! I will try and show screenshots if I need some more help.
Just out of curiosity: Instead of using the API, why not creating the keys etc. like shown below? Not tested yet:
#!/bin/sh
echo "Welcome to the WireGuard setup script!"
# Ask user for WireGuard configuration details
echo "Enter the local WireGuard interface name (e.g., wg0):"
read interface_name
echo "Enter the local private IP address (e.g. 192.168.10.1/24):"
read local_ip
echo "Enter the peer public IP of the FritzBox (e.g. abcdefgh12345678.myfritz.net):"
read peer_ip
echo "Enter the peer WireGuard port (default 51820):"
read peer_port
peer_port=${peer_port:-51820} # Default to 51820 if not provided
echo "Enter the public key of the FritzBox WireGuard peer:"
read peer_public_key
echo "Enter the local WireGuard port (default 51820):"
read local_port
local_port=${local_port:-51820} # Default to 51820 if not provided
# Generate WireGuard keys in memory (no world-readable key files are left in the working directory)
echo "Generating WireGuard keys..."
local_private_key=$(wg genkey)
local_public_key=$(printf '%s\n' "$local_private_key" | wg pubkey)
# Show only the public key; the private key goes into the config file and nowhere else
echo "Local public key (enter this on the FritzBox as the peer's public key): $local_public_key"
# Append the WireGuard interface and peer sections to the network config.
# '>>' appends; a single '>' would wipe the existing LAN/WAN configuration and lock you out of the router.
# Running the script twice appends a second copy, so remove the old sections first if you re-run it.
echo "Setting up WireGuard interface..."
cat <<EOL >> /etc/config/network

config interface '$interface_name'
	option proto 'wireguard'
	option private_key '$local_private_key'
	option listen_port '$local_port'
	list addresses '$local_ip'

config wireguard_$interface_name
	option public_key '$peer_public_key'
	option endpoint_host '$peer_ip'
	option endpoint_port '$peer_port'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
EOL
# Output WireGuard interface configuration
echo "WireGuard configuration appended to /etc/config/network"
# Restart the network to apply the new configuration
echo "Restarting WireGuard interface..."
/etc/init.d/network restart
# Note: the new interface still has to be assigned to a firewall zone; this script does not create one.
echo "WireGuard interface setup completed!"
Explanation from ChatGPT:
- Key Generation:
  The script generates the local private and public keys using wg genkey and wg pubkey, then reads them into the variables local_private_key and local_public_key.
  These keys are properly quoted when used in the configuration to prevent errors from special characters.
- Dynamic Configuration File:
  The script creates a WireGuard interface configuration using cat <<EOL … EOL and includes the user input (IP address, port, keys, etc.).
  The local interface name ($interface_name) and other parameters are inserted dynamically.
- Restart Network:
  The script includes a command to restart the network service and apply the new WireGuard configuration (/etc/init.d/network restart), which can be adjusted depending on how your system is set up.
What to Do:
- Save this script on your RUTX11 router as setup_wireguard.sh.
- Make sure the script is executable:
  chmod +x setup_wireguard.sh
- Run the script:
  ./setup_wireguard.sh
Does this make sense?
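As an added example (not code from this thread, Teltonika or ChatGPT), here is the UCI route mentioned earlier in the thread: it creates the interface and peer with uci instead of rewriting /etc/config/network, and also creates the firewall zone, forwardings and listen-port rule that the heredoc script leaves out, then prints the [Peer] entry to paste on the FritzBox side. It assumes wg and uci are present on the router and that the default zones are named lan and wan; the interface, zone name "wg", rule name and all host/key values are this example's own choices.

```shell
#!/bin/sh
# Added example (not the thread's or Teltonika's code): WireGuard interface, peer
# and firewall objects via UCI rather than overwriting /etc/config/network.
# Assumes `wg` and `uci` on the router and zones "lan"/"wan"; other names are mine.
umask 077  # private key must never be created world-readable
# peer_stanza <local_pubkey> <local_ip/cidr> <listen_port> <public_host>
# Prints the [Peer] entry the other side (e.g. a FritzBox) needs for this router.
peer_stanza() {
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s:%s\nPersistentKeepalive = 25\n' \
    "$1" "${2%/*}/32" "$4" "$3"
}
# setup_wg <iface> <local_ip/cidr> <listen_port> <peer_host> <peer_port> <peer_pubkey> <public_host>
setup_wg() {
  iface=$1 local_ip=$2 lport=$3 phost=$4 pport=$5 ppub=$6 myhost=$7
  priv=$(wg genkey) || return 1
  pub=$(printf '%s\n' "$priv" | wg pubkey)
  uci -q delete "network.$iface" 2>/dev/null || true  # make re-runs idempotent
  uci set "network.$iface=interface"; uci set "network.$iface.proto=wireguard"
  uci set "network.$iface.private_key=$priv"; uci set "network.$iface.listen_port=$lport"
  uci add_list "network.$iface.addresses=$local_ip"
  peer=$(uci add network "wireguard_$iface")  # uci prints the new section name
  uci set "network.$peer.public_key=$ppub"
  uci set "network.$peer.endpoint_host=$phost"; uci set "network.$peer.endpoint_port=$pport"
  uci add_list "network.$peer.allowed_ips=0.0.0.0/0"
  uci set "network.$peer.persistent_keepalive=25"
  # Firewall: own zone for the tunnel (forward=ACCEPT is the WebUI's "Intra zone
  # forward"), forwarding to/from lan, and the UDP listen port opened on wan.
  zone=$(uci add firewall zone)
  uci set "firewall.$zone.name=wg"; uci add_list "firewall.$zone.network=$iface"
  uci set "firewall.$zone.input=ACCEPT"; uci set "firewall.$zone.output=ACCEPT"
  uci set "firewall.$zone.forward=ACCEPT"
  for pair in "wg lan" "lan wg"; do
    set -- $pair; fwd=$(uci add firewall forwarding)
    uci set "firewall.$fwd.src=$1"; uci set "firewall.$fwd.dest=$2"
  done
  rule=$(uci add firewall rule)
  uci set "firewall.$rule.name=Allow-WireGuard-$iface"; uci set "firewall.$rule.src=wan"
  uci set "firewall.$rule.proto=udp"; uci set "firewall.$rule.dest_port=$lport"
  uci set "firewall.$rule.target=ACCEPT"
  uci commit network && uci commit firewall
  /etc/init.d/network reload && /etc/init.d/firewall reload
  peer_stanza "$pub" "$local_ip" "$lport" "$myhost"  # paste this on the FritzBox side
}
# Usage: ./wg_uci.sh --apply wg0 10.10.10.1/24 51820 <fritz.myfritz.net> 51820 <FritzBox pubkey> <this router's DDNS host>
if [ "${1:-}" = "--apply" ]; then shift; setup_wg "$@"; fi
```

The private key is written into /etc/config/network by uci and never printed; only the public key and endpoint are shown, which is all the other side needs.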
As I am still unable to get it working, please see screenshots from my RUTX11 below. Thanks a lot for your patience!
WG Interface:
Peers:
WIFI1 (102.168.178.64) as Server IP in the screenshot below is the Wifi interface of my RUTX11 as it is connected as client to my Fritzbox at home. The Fritzbox DHCP assigns in its home network this IP to the RUTX11 (which itself has a fixed IP 192.168.11.1). Is this ok?
See screenshot below with Server IP field expanded:
Am I correct assuming the following?
The Server IP should be WIFI1 when my RUTX11 is connected to my Fritzbox at home via Wifi (=WIFI1), as they are connected now for testing purposes. But it should be MOB1S1A1 when the RUTX11 is in my car away from home and connected to the Internet via mobile (and via WG with my Fritzbox).
But what if my RUTX11 is in my car away from home and connected to the Internet via public Wifi? I do not want to manually toggle the WG settings depending on whether the RUTX11 is connected to mobile or to public Wifi. What can I do about this? Is there a “one-fits-all” setting?
And I do not know if the Tunnel address (10.10.10.2/32) is correct (no extra screenshot shown)
Same with the Peer allowed IPs (see screenshot below):
I have only selected “All IPv4”. I do not use IPv6 anywhere, but I am not sure what the 3rd entry is for: LAN (192.168.11.0/24) - This is the local network of my RUTX11? Must this be selected or not?
Furthermore, on this screen, do I only have to click “Save & Apply”, or do I have to also click before “Generate” (QR code)? Well I tried it. After I generated the QR code and scanned it with my mobile phone, it recognized a configuration, but I am unsure how to apply it on the Fritzbox - some of the below config is redacted. The PrivateKey and the PublicKey now start with different letters. Maybe these keys on some screenshots look therefore differently.
[Interface]
PrivateKey = YHM----------------------------------------=
Address = 10.10.10.2/32
DNS = 10.10.10.0
[Peer]
PublicKey = zdQ----------------------------------------=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 192.168.178.64:51820
PersistentKeepalive = 25
PresharedKey = -------------------------------------------=
Finally, on this screen, there is this note (and link) about firewall/zone settings, which brings me back to my previous post and the question if the setting is correct. I updated it based on your recent reply. Is it now as you meant?
I will show screenshots from my Fritzbox in a separate post.
Here are the WG-related settings on my Fritzbox:
Complete config (also redacted):
[Interface]
PrivateKey = -------------------------------------------=
ListenPort = -----
Address = 192.168.178.1/24
DNS = 192.168.178.1
DNS = fritz.box
[Peer]
PublicKey = UF0----------------------------------------=
PresharedKey = -------------------------------------------=
AllowedIPs = 192.168.178.191/32
PersistentKeepalive = 25
This config seems to be read-only, i.e. the Fritzbox sets them when (first time?) creating a WG setting. The “AllowedIPs” value of 192.168.178.191/32 is because the Fritzbox assigns IPs for (any) VPN (incl. WG) starting with the next free IP that follows the IP range that is already occupied by the Fritzbox’s DHCP. I mention it for completeness, and this cannot be changed.
If there is anything else that I should mention, please let me know.
I am really sorry to bother you or other readers about this topic which might be easy to resolve for pros/experts.
If I manage to set this up correctly and better understand how things work together, like exchanging the key pairs between the devices, setting up the firewall zones (I cannot do this on the Fritzbox’s side, by the way, i.e. firewall rules on the Fritzbox are set automatically, I assume), then I shall further investigate how this can be supported by some script.
This might help future users to set up a WG connection between their Teltonika router and their Fritzbox router with less problems - hopefully.