---
title: "Wireguard Connector Tunnel"
slug: "configuring-a-wireguard-connector"
updated: 2026-04-16T21:59:35Z
published: 2026-04-16T21:59:35Z
canonical: "support.perimeter81.com/configuring-a-wireguard-connector"
stale: true
---


# WireGuard Connector Tunnel

This guide describes how to establish a WireGuard VPN connection with a network using Linux.

## Prerequisites

- A Linux machine with these specifications:
- Kernel: Any of these distributions installed:
  - Ubuntu (Server/Desktop) 22.04 LTS or higher
  - CentOS 9 or CentOS 10
  - RHEL 9 or RHEL 10
- Packages installed:
  - Ubuntu - curl, dig, software-properties-common
  - CentOS - curl, bind-utils
  - For RHEL 9 or RHEL 10, install the *iptables-nft-services* package.
    1. To verify that the iptables service is enabled and active, run: `systemctl status iptables`

       Output:

       ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-CQO03SKR.png)
    2. To activate iptables, if not enabled and active, run:

       `systemctl enable iptables`

       `systemctl start iptables`
- 20 GB free disk space
- 2 GB RAM
- Static internal IP address
- Network adapter that supports bridge connection

> **Note** - For Linux deployed on a Windows host, enable virtualization on Windows BIOS.

## For High Availability (Optional)

To configure High Availability, you need:

- Two Linux computers on the same local network (same LAN segment).
- Both computers must reach each other through IP.
- VRRP protocol (IP protocol 112) must not be blocked between the two computers.
- The keepalived package (the script installs this automatically if it is missing).
- A unique Virtual Router ID (VRID) on the LAN. The default is 81 and the valid range is 1–255.

## Configuring a WireGuard Connector Tunnel

### Configuring the Connector in the Check Point SASE Administrator Portal

1. Access the Check Point SASE Administrator Portal and click **Networks**.
2. Select the network.
3. For the gateway to which you want to add the WireGuard Connector tunnel, click and click **Add Tunnel**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-8PMFFXZG.png)

The **Choose Tunnel Protocol** window appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-B52AJ1X1.png)
4. Select **WireGuard Connector** and click **Continue**.

The **Check Point SASE Connector** window appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-RV4VX6VG.png)
5. In the **Requirements** section, read the requirements and make sure they are met. Click **Next**.
6. In the **Configuration** section, enter these:
  1. **Name** - Name for the connector.
  2. **Endpoint** - IP address of the Linux server that has the WireGuard Connector installed.

If you are using a dynamic public IP address, enter `0.0.0.0`.

> **Note** - If you do not know the IP address, query the server by running this command in your Linux terminal: `dig +short myip.opendns.com @resolver1.opendns.com`
  3. **Subnets** - Subnets of your local network.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-VP5UZRA7.png)
  4. Click **Next**.
7. In the **Confirm** section, click **Apply**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-PEI5ZOLY.png)

After deployment, the connector appears in the **Networks** page.

### Installing the WireGuard Connector on a Linux Server

1. Access the Check Point SASE Administrator Portal and click **Networks**.
2. Click for the WireGuard Connector tunnel that you just configured and then click **Configuration**. ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-A5VZLRZL.png)

The **Linux Connector** window appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1SVT9AX4.png)
3. Click **Copy Command**.

> Note - The command is unique to each connector.
4. Open the Linux terminal and connect as Root user.
5. Run the copied command.
6. Select **Yes** at Stage 4 for access or mode - **Remote Access only** and follow the instructions to install the connector.

### Configuring High Availability (Optional)

#### Overview

WireGuard Connector supports active-passive High Availability using *keepalived* (VRRP). Two computers are configured on the same network: one actively runs the tunnel, and the other is on standby. If the active computer fails, the standby automatically takes over the tunnel within seconds. When the failed computer recovers, it becomes the new standby with no pre-emption, ensuring seamless failover without manual intervention.

#### Setup Flow

Run the same installation script on two computers, one after the other.

**Machine 1 (First):**

1. Run the installation script (same command from the portal).
2. When prompted "Do you want to enable High Availability (HA) mode?", select **Yes**.
3. Select **1** (first computer).
4. Enter the IP address of the second computer.
5. Note the Virtual Router ID displayed (default: 81). You need this for Machine 2.
6. The script installs and configures *keepalived*, adds firewall rules for VRRP, and starts the tunnel.

**Machine 2 (Second):**

1. Run the installation script on the second computer.
2. Enable HA and select **2** (second computer).
3. Enter the IP address of the first computer.
4. Enter the Virtual Router ID from Machine 1 (default: 81).
5. The script verifies connectivity to Machine 1, configures *keepalived*, and enters standby mode.

#### How Failover Works

- Both computers run *keepalived*, which exchanges VRRP heartbeats every second (unicast).
- If the active computer stops responding after 3 missed heartbeats, the standby takes over and starts the WireGuard tunnel.
- When the failed computer recovers, it becomes the new standby. No disruptive switchback occurs.
- Failover completes in approximately 3 seconds.

> [!WARNING]
> **Important** - The WireGuard service is managed by *keepalived* in HA mode. Do not start or stop WireGuard manually with `systemctl`. *keepalived* handles this automatically.

> Notes -
> 
> - The Virtual Router ID (VRID) must be unique on the LAN. If another keepalived instance uses 81, the script detects the conflict and prompts for an alternative.
> - Firewall rules for VRRP (protocol 112) are added automatically by the script (iptables or firewalld).

### Verifying the Setup

1. Connect to your network using the Check Point SASE Agent on a device.
2. Open the command line and run:

`ping <Internal resource IP address>`
3. Make sure that outbound port UDP/8000 is not blocked in your firewall/router, and that you have followed all the steps.
4. If the issue persists, on the Linux server, collect these logs and contact [Check Point Support](https://www.checkpoint.com/support-services/contact-support/). The logs are available in:

```plaintext
##Configuration file
/etc/wireguard/wg0.conf

##Connection logs
/tmp/p81-wg-connector.log
```

#### For HA deployments

1. On both computers, run this command to verify that *keepalived* is running: `systemctl status keepalived`
2. Check the VRRP state by running: `journalctl -u keepalived`

One computer shows **MASTER** and the other shows **BACKUP**.
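
An added example, not part of the vendor's tooling, that reads the `journalctl -u keepalived` output of each node and classifies the pair from the most recent state transition. It assumes keepalived's usual `Entering <STATE> STATE` log messages; the instance name `VI_1`, the host names and all log lines are constructed samples.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes keepalived logs state changes as
# "Entering MASTER|BACKUP|FAULT STATE"; all sample lines below are constructed.

# Print the most recent VRRP state in keepalived log text read from stdin.
# Usage on a node: journalctl -u keepalived --no-pager | last_vrrp_state
last_vrrp_state() {
    awk '
        match($0, /Entering (MASTER|BACKUP|FAULT) STATE/) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            state = w[2]            # later transitions overwrite earlier ones
        }
        END { print (state == "" ? "UNKNOWN" : state) }
    '
}

# Classify the HA pair from the last state of each node.
ha_pair_verdict() {
    case "$1/$2" in
        MASTER/BACKUP|BACKUP/MASTER) echo "OK" ;;
        # Both active: the nodes are typically not hearing each other's VRRP
        # advertisements (check that IP protocol 112 is allowed between them).
        MASTER/MASTER)               echo "SPLIT_BRAIN" ;;
        MASTER/*|*/MASTER)           echo "NO_STANDBY" ;;
        *)                           echo "NO_ACTIVE_NODE" ;;
    esac
}

# Constructed sample: node1 was active, restarted, and rejoined as standby.
sample_node1_log() { cat <<'EOF'
Apr 16 10:00:01 node1 Keepalived_vrrp[812]: (VI_1) Entering BACKUP STATE (init)
Apr 16 10:00:05 node1 Keepalived_vrrp[812]: (VI_1) Entering MASTER STATE
Apr 16 11:30:02 node1 Keepalived_vrrp[790]: (VI_1) Entering BACKUP STATE (init)
EOF
}

# Constructed sample: node2 took over when node1 stopped advertising.
sample_node2_log() { cat <<'EOF'
Apr 16 10:02:11 node2 Keepalived_vrrp[655]: (VI_1) Entering BACKUP STATE (init)
Apr 16 11:29:14 node2 Keepalived_vrrp[655]: (VI_1) Entering MASTER STATE
EOF
}

s1=$(sample_node1_log | last_vrrp_state)
s2=$(sample_node2_log | last_vrrp_state)
echo "node1=$s1 node2=$s2 verdict=$(ha_pair_verdict "$s1" "$s2")"
```

Searching the journal for the word MASTER alone would report node1 as active here; only the last transition on each node reflects the current role.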

## Removing the WireGuard Connector

Connect to the command line of the Linux server where you installed the WireGuard Connector and run:

```plaintext
# Ubuntu
# Locate the WireGuard packages
# (the output of this command shows all WireGuard packages installed on the machine)
dpkg -l | grep wireguard

# Delete all packages found that are associated with WireGuard
# (run this command for each package found; replace <package name> with a name from the previous command's output)
apt-get remove --purge <package name>
```

```plaintext
# CentOS / RHEL
# Locate the WireGuard packages
# (the output of this command shows all WireGuard packages installed on the machine)
yum list installed | grep wireguard

# Delete all packages found that are associated with WireGuard
# (run this command for each package found; replace <package name> with a name from the previous command's output)
yum remove <package name>
```

### For HA deployments

1. Before removing WireGuard, stop and disable *keepalived*:
  1. `systemctl stop keepalived`
  2. `systemctl disable keepalived`
2. Remove the keepalived configuration and helper scripts:
  1. `rm /etc/keepalived/keepalived.conf`
  2. `rm /usr/libexec/keepalived/p81-wg-*`
