Embracing the Messiness in Search of Epic Solutions

NordVPN: Extracting WireGuard Configuration




This article shows how to extract the WireGuard configuration from NordVPN without additional tools and test it by configuring WireGuard on a GL.iNet travel router (e.g., Beryl AX).

Why WireGuard?

While most modern routers support both the OpenVPN and WireGuard protocols, WireGuard is the faster and more efficient of the two at moving traffic through the encrypted tunnel, providing a superior VPN experience.

Why This Extra Step When Using NordVPN?

Unlike other VPN providers, NordVPN builds its proprietary solution, NordLynx, on WireGuard. Thus, it is not possible to configure it directly on your router unless you want to rely on the slower OpenVPN.


  • A NordVPN customer.
  • A router that supports WireGuard VPN protocol.
  • An environment to run Linux commands. Install jq if it doesn’t exist.
  • Expert in CMD/CTRL+C and CMD/CTRL+V.

Step 1: Generate Access Token in NordVPN

  • After completing the email verification, you will land on a page that allows you to generate an access token. Click on the Generate new token button.
  • Leave the token expiration as is. Click on the Generate token button.
  • Copy the access token to a text file and close the pop-up dialog.

Step 2: Use NordVPN APIs to Extract WireGuard Configuration

Fortunately, NordVPN provides a helpful REST API that returns a list of recommended servers based on your current location. We can use this to query for a list of WireGuard-compatible servers.

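#!/usr/bin/env bash

ACCESS_TOKEN="[YOUR-ACCESS-TOKEN]"
TOTAL_CONFIGS=3  # number of config files to generate (variable name assumed)
DNS="[DNS-SERVER-IP]"  # placeholder: the DNS server address is not shown on this page

CREDENTIALS_URL="[NORDVPN-CREDENTIALS-API-URL]"  # placeholder: the URL is not shown on this page
SERVERS_URL="[NORDVPN-RECOMMENDED-SERVERS-API-URL]"  # placeholder; variable name assumed

PRIVATE_KEY=$(curl -s -u token:"$ACCESS_TOKEN" "$CREDENTIALS_URL" | jq -r .nordlynx_private_key)

curl -s "$SERVERS_URL" |
  jq -r --arg private_key "$PRIVATE_KEY" --arg dns "$DNS" --argjson total "$TOTAL_CONFIGS" '
    .[:$total][] |
    {
      filename: (.locations[0].country.name + " - " + .locations[0].country.city.name + " - " + .hostname + ".conf"),
      ip: .station,
      publicKey: (.technologies | .[] | select(.identifier == "wireguard_udp") | .metadata | .[] | .value)
    } |
    {
      filename: .filename,
      config: [
        "# " + .filename,
        "",
        "[Interface]",
        "PrivateKey = \($private_key)",
        "Address =",
        "DNS = \($dns)",
        "",
        "[Peer]",
        "PublicKey = " + .publicKey,
        "AllowedIPs =, ::/0",
        "Endpoint = " + .ip + ":51820"
      ] | join("\n")
    } |
    # @sh single-quotes both strings so text from the API response cannot break out of the command
    "echo " + (.config | @sh) + " > " + (.filename | @sh)
  ' | sh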

Required Changes:

  • Line 3: Replace [YOUR-ACCESS-TOKEN] with the access token you have just copied.

Optional Changes:

  • Line 4: By default, this script generates 3 different WireGuard config files based on your location. If one of the servers is oversaturated, you can point to a different server next time without rerunning the script.
  • Line 5: Currently, I use Cloudflare DNS since it has the fastest response time. However, you can update it to point to your favorite DNS server, for example, Google’s.

Other Helpful Explanations:

  • Line 10: Retrieve your private key.
  • Line 12: Retrieve the recommended WireGuard-compatible servers based on your current location and generate the WireGuard config files.

Suppose you plan to travel to a different location with your travel router. In that case, typically, you want to pre-configure your travel router with the nearest WireGuard servers based on your destinations before departing. To do this, you can choose a desired location in the NordVPN software installed on your current machine before rerunning this script. For example, you might pick Finland because you fancy eating the delicious Kaalikääryleet that you can’t pronounce. Still, you want to do it safely before Instagramming it in real-time during your long weekend.

After running the script, you should see 3 WireGuard configuration files created.

$ ls -a | cat
Finland - Helsinki - fi183.nordvpn.com.conf
Finland - Helsinki - fi195.nordvpn.com.conf
Finland - Helsinki - fi198.nordvpn.com.conf
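A check worth running on the generated files before uploading them to the router, as an added example that is not part of the original script. The function names and the rules are this example's own assumptions: it rejects a config whose PrivateKey is the literal `null` that `jq -r` prints when the credentials response carries no key, flags empty fields, and requires that the file holding your private key is not accessible to other users.

```shell
#!/bin/sh
# Added example: sanity-check generated WireGuard client configs.
# Function names and rules here are this example's own, not NordVPN's.

# Print the value of the first "KEY = value" line of FILE, trimmed.
wg_field() {
  sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*$//' | head -n 1
}

# A WireGuard key is 32 bytes: 43 base64 characters plus one "=" of padding.
is_wg_key() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

fail() { echo "$conf: $1" >&2; rc=1; }

# check_wg_conf FILE: return 0 if FILE looks usable, else report and return 1.
check_wg_conf() {
  conf=$1; rc=0
  grep -q '^\[Interface\]' "$conf" || fail "missing [Interface] section"
  grep -q '^\[Peer\]' "$conf"      || fail "missing [Peer] section"
  # jq -r prints the word "null" when the credentials response has no
  # nordlynx_private_key field, so a bad request still yields a config file.
  is_wg_key "$(wg_field "$conf" PrivateKey)" || fail "PrivateKey is not a valid key"
  is_wg_key "$(wg_field "$conf" PublicKey)"  || fail "PublicKey is not a valid key"
  for key in Address DNS AllowedIPs; do
    [ -n "$(wg_field "$conf" "$key")" ] || fail "$key is empty"
  done
  wg_field "$conf" Endpoint | grep -Eq '^[^[:space:]:]+:[0-9]+$' ||
    fail "Endpoint is not host:port"
  # The file contains your private key: group and others get no access.
  [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] ||
    fail "file is accessible to group/others (run chmod 600)"
  return "$rc"
}

# Usage: sh check.sh *.conf
for file in "$@"; do
  check_wg_conf "$file"
done
```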

Step 3: Configure WireGuard on Router

The following instructions apply to the GL.iNet travel routers, in my case, Beryl AX (GL-MT3000). Follow your router’s instructions as needed.

IMPORTANT: Before proceeding, ensure you have disabled the VPN on your machine so that it relies on the VPN configured on the travel router based on the steps below.

  • Change your SSID to point to your travel router.
  • Go to
  • Log into the Admin Panel.
  • Go to VPN > WireGuard Client.
  • Upload the WireGuard configuration files. Rename the New Provider group to NordVPN to make it more meaningful.
  • Pick a server and click Start.
  • After a few seconds, the icon should change from orange to green.

