WireGuard VPN

Configure secure remote access to your Rockettec Overseer using WireGuard VPN. Supports multiple VPN profiles and site-to-site routing.

Overview

WireGuard is a modern VPN protocol that provides:

  • State-of-the-art cryptography
  • Minimal attack surface
  • High performance
  • Simple configuration

The Overseer supports multiple VPN profiles, allowing you to connect to different VPN servers simultaneously or switch between configurations.

VPN Modes

Client Mode

Standard VPN client connection to a remote server. Use this to:

  • Access the Overseer remotely via VPN
  • Route Overseer traffic through a VPN server
  • Connect to corporate networks

Site-to-Site Mode

Bi-directional routing between two networks. Use this to:

  • Connect two locations (e.g., home and office)
  • Share local network resources with the remote site
  • Enable IP forwarding and firewall rules automatically

Creating a VPN Profile

Step 1: Open Add Profile Dialog

Navigate to WireGuard in the sidebar and click Add Profile.

Step 2: Enter Profile Details

| Setting | Description | Example |
|---|---|---|
| Profile Name | Friendly name for this connection | Office VPN |
| Mode | Client or Site-to-Site | Client |
| Server Endpoint | VPN server address and port | vpn.example.com:51820 |
| Server Public Key | The VPN server's public key | abc123...= |
| Client Address | IP address assigned to this device | 10.0.0.5/32 |
| Allowed IPs | Networks routed through VPN | 0.0.0.0/0 or 10.0.0.0/24 |
| DNS (optional) | DNS server to use via VPN | 1.1.1.1 |

Site-to-Site Settings (if applicable)

| Setting | Description | Example |
|---|---|---|
| Local Subnets | Networks on this side to share | 192.168.1.0/24 |
| Block Incoming | Prevent remote site from initiating connections to local network (security) | Enabled |

Step 3: Copy Your Public Key

After clicking Create Profile, a green banner appears with your device's public key:

Your Public Key
Add this public key to your WireGuard server:
┌────────────────────────────────────────────────┐
│ aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3A4B= │ 📋
└────────────────────────────────────────────────┘

Click the copy button to copy the key to your clipboard.

Step 4: Add Key to Your VPN Server

On your WireGuard server (e.g., MikroTik, Linux, etc.), add the Overseer as a peer:

[Peer]
# Rockettec Overseer
PublicKey = <paste the copied public key>
AllowedIPs = 10.0.0.5/32

MikroTik example:

/interface wireguard peers
add interface=wg0 public-key="<paste key>" allowed-address=10.0.0.5/32

Managing Profiles

Profile Cards

Each profile displays as a card showing:

  • Status: Connected (green) or Disconnected (grey)
  • Mode: Client or Site-to-Site badge
  • Last Handshake: Time since last successful connection
  • Transfer: Data sent/received
  • Public Key: Click to copy (for adding to other servers)

Enable/Disable

Use the toggle switch on each profile card to enable or disable the VPN connection.

Delete Profile

Click the delete icon to remove a profile. This stops the VPN and removes all configuration.

Status Indicators

| Status | Meaning |
|---|---|
| Connected | VPN tunnel is active with recent handshake |
| Enabled | Profile is enabled but no recent handshake |
| Disabled | Profile exists but VPN is not running |

Site-to-Site Details

When using Site-to-Site mode, the Overseer automatically:

  • Enables IP forwarding (net.ipv4.ip_forward=1)
  • Configures iptables FORWARD rules
  • Optionally blocks incoming connections to local subnets

You can adjust these settings after profile creation by clicking Site-to-Site Settings on the profile card.

Security Considerations

  • Private keys are generated and stored securely on the device - never shared
  • Public keys are safe to share - they're used for authentication only
  • Use unique profiles for different VPN servers
  • Enable Block Incoming in Site-to-Site mode unless you need remote-initiated connections
  • Restrict Allowed IPs to only necessary networks

Troubleshooting

No Handshake

  • Verify the server endpoint is reachable from the Overseer's network
  • Check that the UDP port (usually 51820) is open on the server
  • Confirm the public key was correctly added to the server
  • Check the server's AllowedIPs includes this device's address

Handshake but No Traffic

  • Verify AllowedIPs on both client and server match the expected routes
  • Check routing tables on both ends
  • For Site-to-Site: ensure IP forwarding is enabled on both sides
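The AllowedIPs checks from the Security Considerations and Troubleshooting sections can be run offline against a copy of the server configuration. The following Python is an added example, not Rockettec's code: it assumes the server uses a wg-style config file, and the function names and sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample: the server-side peer entry from Step 4.
SERVER_CONF = """\
[Interface]
ListenPort = 51820

[Peer]
# Rockettec Overseer
PublicKey = <overseer public key>
AllowedIPs = 10.0.0.5/32
"""

def parse_peers(conf_text):
    """Return one dict per [Peer] section of a wg-style config."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            # Split on the first "=" only: base64 keys end in "=".
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return peers

def networks(csv):
    """Parse a comma-separated AllowedIPs value into network objects."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in csv.split(",") if item.strip()]

def audit(client_address, client_allowed_ips, server_peer):
    """Return findings for one Overseer profile and its server peer entry."""
    findings = []
    addr = ipaddress.ip_interface(client_address).ip
    server_nets = networks(server_peer.get("allowedips", ""))
    # No Handshake check: the server must list this device's address.
    if not any(addr.version == n.version and addr in n for n in server_nets):
        findings.append(f"server AllowedIPs does not cover {addr}")
    # Security check: flag a default route in the profile's Allowed IPs.
    for net in networks(client_allowed_ips):
        if net.prefixlen == 0:
            findings.append(f"{net} routes all traffic through the tunnel")
    return findings
```

Call `audit()` with the profile's Client Address and Allowed IPs values and one entry from `parse_peers()`; an empty list means neither check found a problem.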

Connection Drops When Toggling

If you're connected through the VPN you're disabling, you'll lose the connection. Access the Overseer via the local network or a different VPN to manage it.

See Troubleshooting for more solutions.
