Hello F Spear, Thank you for the feedback, and we would like to provide more QHora-301W product information. For WireGuard service deployment, QHora-301W will store WireGuard client profiles once created. To ensure information and data security, QHora-301W will ONLY allow admin to log in and download/review WireGuard client profiles. Other users cannot retrieve WireGuard client information. We'll continually improve product features and keep focusing on network secuirty. Thank you, and please let us know if any further assistance required.

@@qnapsys This cannot be a convicing reason why the router keeps the private key. Talking about the ssh tunnel, I don't think users will register their public key and private key on the server.

​@@guo235 The WireGuard client here was generated by QHora-301W. In my opinion, QHora-301W actually doesn't keeps the private key from user if the user create the WireGuard profile by themselves. It's also can't be done. Just as you mentioned, the private key is kept from user side, it doesn't register to server.

@Frank Liao If user lost the private key, they should generate a new key pair and send the public key to the administrator. The administrator will delete the expired public key and register the new public key. The administrator will inform the user the public key of the server, the global ip address of the server, and the vpn address that the user can use to access the server. Your solution seems convenient, but I don't think this is a standard way for a business situation.