User Manual

Launch the program and click on the down arrow in the lower-left corner. Select 'Add empty tunnel... [⌘+N]'.

A connection setup window will open where you need to enter the Wireguard client settings for macOS [Interface] and the remote Wireguard server Keenetic [Peer].

Initial setup:

In the Name field, enter the connection name wg-client (you can specify another name).

Opposite to On-Demand, select the network interface for the Wireguard client to work through.

Configuring the client [Interface]:

The PrivateKey field of the interface contains the macOS Wireguard client key generated by the program.

Set the IP address in the 'Address' field of the WireGuard client in IP/bitmask format — 172.16.82.10/24 (internal tunnel address). It is possible to use a different subnet, choosing it from the private address range and avoiding overlapping with other subnets configured on these devices.

In our example, the Google DNS server address is set to 8.8.8.8:

[Interface]
PrivateKey =
Address = 172.16.82.10/24
DNS = 8.8.8.8

[Peer]
PublicKey =
AllowedIPs = 172.16.82.1/32, 192.168.22.0/24
Endpoint = enpwgwrkserver.dynns.com:16631
PersistentKeepalive = 5

Configuring the server [Peer]:

In the PublicKey field, insert the public key of the server, which can be copied to the clipboard from WireGuard settings in the web interface of the router:

In the Allowed IPs field, enter the allowed IP addresses in IP/bitmask format — 172.16.82.1/32 (internal server address) and 192.168.22.0/24 (local segment address of the Keenetic router).

In the Endpoint field, enter the public IP address or domain name of the WireGuard server and the listening port on which the WireGuard client will set the connection.

In the PersistentKeepalive field, specify the frequency of the attempts to verify the availability of the connection's remote side. Usually, a 10-15 second interval between checks is sufficient.

Click Save.

Setting up a remote connection on the WireGuard server side.

Connect to the web interface of the Keenetic router and go to the Internet → Other connections menu. Click on the previously created WireGuard connection (WG-S) and add Peer settings. Clicking on Add Peer will open the Peer Settings form, where you will enter the name of the tunnel wg-mac-client.

In the Public Key field, insert the key generated earlier in step 2 of this article.

In the Allowed v4 IPs field, specify the address from which traffic will be allowed to the server in IP/bitmask format — 172.16.82.10/32.

In the Persistent keepalive field, specify the frequency of attempts to check the remote connection side's availability. Usually, a 10-15 second interval between checks is sufficient. By default, the Persistent keepalive value in peer settings is 30 seconds.

Click Save.

Return to the Wireguard program settings; the configured connection will appear in the list.

Click Activate.

If the setting is correct, you will see a green indicator in front of the Status line.

To verify server availability, you can send ICMP packets to an IP address in Terminal.

Check the availability of the server web interface (in our example, it is a Keenetic with IP address 192.168.22.1).

The setup is complete.