How to Configure an EdgeRouter Wireguard Remote Access VPN (2024)

Previously, we covered how to install and configure Wireguard on a UDM-Pro or other UniFi OS console. This guide covers Ubiquiti's EdgeRouters and the commands you'll need to configure a remote access VPN.

EdgeRouters feature built-in support for OpenVPN, IPsec, GRE, L2TP, and some other VPN and tunneling protocols. If you want to use any of those, refer to Ubiquiti's EdgeRouter VPN help articles. Those cover a lot of the basics of VPNs and some advanced route-based or policy-based site-to-site setups.

While the built-in options will work for most, Wireguard is a more modern alternative. Wireguard is a free and open-source VPN, designed to be easy to use, fast, and secure. It outperforms IPsec and OpenVPN, and it can make a good site-to-site or remote access VPN, depending on how you configure it. It's not built into EdgeOS, but with a few commands you can install the Wireguard package from GitHub.

This guide assumes a few things, including that the EdgeRouter has a public IP on the WAN port and isn't behind CGNAT. If you don't have a static public IP address, you'll want to use a dynamic DNS service and point your clients to that hostname.

For our example, I'm going to be using an EdgeRouter 4 and the following topology. Our goal is to provide remote users access to the internal LAN networks and devices in the 10.200.0.0/16 range.

(Figure 1: example topology diagram)

Step 1: Install Wireguard

To install Wireguard on an EdgeRouter, first you need to find the proper installation package for your model. The following commands assume you are on a version 2 firmware, ideally one of the latest v2.0.9 builds. If you are still running a version 1.x firmware, either update your EdgeRouter first or find the correct package and URL on the Wireguard GitHub page.

EdgeRouter X and EdgeRouter X SFP (ER-X, ER-X-SFP)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e50-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e50-v2-v1.0.20220627-v1.0.20210914.deb

EdgeRouter Lite and EdgeRouter PoE (ER-Lite, ER-PoE)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e100-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e100-v2-v1.0.20220627-v1.0.20210914.deb

EdgeRouter 8 and EdgeRouter Pro (ER-8, ER-8-Pro)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e200-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e200-v2-v1.0.20220627-v1.0.20210914.deb

EdgeRouter 4, EdgeRouter 6P and EdgeRouter 12 (ER-4, ER-6P, ER-12, ER-12P)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e300-v2-v1.0.20220627-v1.0.20210914.deb

EdgeRouter Infinity (ER-8-XG)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e1000-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e1000-v2-v1.0.20220627-v1.0.20210914.deb

Step 2: Key Creation

Now that Wireguard is installed, we need to generate folders and keys. The number of keys and their names are up to you, but this is the basic process you will need to go through. In these commands we're also assuming the use of the default ubnt account for administration, hopefully with a long, unique password. If you are logging in as another user, the paths shown will need to be adjusted to match the user and directories you wish to use.

First, confirm your current working directory. The rest of the command examples assume /home/ubnt.

pwd

Create a folder for the server's keys and navigate to it

mkdir server_keys; cd server_keys

Generate a key pair for the Wireguard server

wg genkey | tee privatekey | wg pubkey > publickey

Display keys and copy or document them as needed

more privatekey
more publickey

Navigate back to the home directory

cd /home/ubnt

If you need to generate user keys, you can follow these steps to make subdirectories for each key pair you want to generate. You can also have the users generate their keys and then add them manually later. In this example we'll generate one key pair to use in our basic remote access configuration.

Create a user keys folder and navigate to it

mkdir user_keys; cd user_keys

Create a subdirectory for the user you wish to create and navigate to it

mkdir hostifi_user; cd hostifi_user

Generate a key pair for the user

wg genkey | tee privatekey | wg pubkey > publickey

Display keys and copy or document them as needed

more privatekey
more publickey

Navigate back to the home directory

cd /home/ubnt

Step 3: Configure Wireguard Interface and Users

Now that the keys have been made, we need to configure the Wireguard interface and make the other needed configuration changes to allow remote access.

Enter configure mode

configure

Set the EdgeRouter's private key, using the previously generated key

set interfaces wireguard wg0 private-key /home/ubnt/server_keys/privatekey

Create the subnet and gateway IP for the Wireguard VPN subnet. This subnet can be any private IP range, but check that it doesn't conflict with your existing networks.

set interfaces wireguard wg0 address 10.200.254.1/24

Create an entry in the routing table for the VPN subnet

set interfaces wireguard wg0 route-allowed-ips true

Set the UDP port number that peers will use; the default is 51820

set interfaces wireguard wg0 listen-port 51820

Add the public key and IP for your remote user peer

set interfaces wireguard wg0 peer Ilv0Iau0lqRzGGQk9OsLjmIiXXMz8ivDdB9muL4WGUo= allowed-ips 10.200.254.10/32
set interfaces wireguard wg0 peer Ilv0Iau0lqRzGGQk9OsLjmIiXXMz8ivDdB9muL4WGUo= description HostiFi_Peer

Lastly, we have to create an allow rule for UDP traffic landing on our WAN port, using the port number we defined earlier. The specifics of this command and the rule name and number will vary. If you are using the default WAN_LOCAL rule, these commands will work. If not, adjust as needed.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 51820
set firewall name WAN_LOCAL rule 30 description 'WireGuard'

Commit and save your changes

commit ; save

Step 4: Connect and Test

At this point the tunnel is ready to test. You will need to download and install the Wireguard client application and create a new tunnel. In this configuration file, you define the user's Wireguard interface, using the user's private key you generated earlier. Then, you define the EdgeRouter side under the peer section, where you place the EdgeRouter's public key and its public IP or DNS record.

For our example user, the configuration would look like this:

[Interface]
PrivateKey = <private key of user>
ListenPort = 51820
Address = <IP of user within the Wireguard subnet, matching the IP set on the server>
DNS = <DNS server for the user to use>

[Peer]
PublicKey = <public key of EdgeRouter>
AllowedIPs = <IP range that will route through Wireguard tunnel>
Endpoint = <public IP or DNS record of EdgeRouter>:51820

In our example, our client's config file would be this:

[Interface]
PrivateKey = qPmvaboI4Rh6H33ptha4Wr/zo9dW55c7j0CC06GjPEg=
ListenPort = 51820
Address = 10.200.254.10/32
DNS = 1.1.1.1

[Peer]
PublicKey = e1gvI+LQeGQdDlTKwt6BAWqPltGioB+p+cNLWXTTBvVY=
AllowedIPs = 10.200.0.0/16
Endpoint = 100.64.0.1:51820
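As an added check that is not part of the original guide, here is a small Python validator for a client config in the layout above. It flags the mistakes that most often leave a tunnel silently dead: a key that does not decode to 32 bytes, an Address that is not a single host inside the wg0 subnet, an AllowedIPs entry with host bits set, or an Endpoint without a port. The wg0 subnet is the guide's; the sample configs and their placeholder keys are constructed.

```python
import base64
import configparser
import ipaddress

WG_SUBNET = ipaddress.ip_network("10.200.254.0/24")  # wg0 subnet from the guide

# Constructed sample in the guide's client layout; the keys are placeholders, not real keys.
GOOD_CONF = """[Interface]
PrivateKey = {k}
ListenPort = 51820
Address = 10.200.254.10/32
DNS = 1.1.1.1
[Peer]
PublicKey = {k}
AllowedIPs = 10.200.0.0/16
Endpoint = vpn.example.com:51820
""".format(k="A" * 43 + "=")  # 43 chars + '=' is exactly a 32-byte key

BAD_CONF = (GOOD_CONF.replace("PrivateKey = " + "A" * 43 + "=", "PrivateKey = " + "A" * 40)  # truncated key
            .replace("10.200.0.0/16", "10.200.0.1/16")       # host bits set in AllowedIPs
            .replace("vpn.example.com:51820", "100.64.0.1"))  # Endpoint without a port


def _key_problem(label, value):
    # A WireGuard key is 32 raw bytes, base64-encoded: 44 characters ending in '='.
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return f"{label}: not valid base64"
    if len(raw) != 32:
        return f"{label}: decodes to {len(raw)} bytes, expected 32 (mistyped or truncated key)"


def check_client_config(text):
    """Return a list of problems found in a client .conf; an empty list means it passes."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep 'PrivateKey' etc. case-sensitive
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    problems = [p for p in (_key_problem("PrivateKey", iface.get("PrivateKey", "")),
                            _key_problem("PublicKey", peer.get("PublicKey", ""))) if p]
    # Address must be one host (/32) inside the wg0 subnet, matching the peer's allowed-ips.
    try:
        addr = ipaddress.ip_interface(iface.get("Address", ""))
        if addr.network.prefixlen != 32:
            problems.append(f"Address: expected a /32 host address, got /{addr.network.prefixlen}")
        if addr.ip not in WG_SUBNET:
            problems.append(f"Address: {addr.ip} is outside the wg0 subnet {WG_SUBNET}")
    except ValueError:
        problems.append("Address: missing or not an IP address")
    # Every AllowedIPs entry must be a clean network; strict=True rejects host bits set.
    for cidr in peer.get("AllowedIPs", "").split(","):
        try:
            ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            problems.append(f"AllowedIPs: '{cidr.strip()}' is not a valid network")
    # Endpoint must be <host or IP>:<port>; the guide uses UDP 51820 and opens it in WAN_LOCAL.
    host, sep, port = peer.get("Endpoint", "").rpartition(":")
    if not (sep and host and port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("Endpoint: expected <host or IP>:<port>")
    return problems
```

Run it against a config before handing it to a user: an empty result means the file is at least structurally consistent with the server-side peer entry.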

The best way to view status on the EdgeRouter is the "wg show" command (run it as "sudo wg show" if you are not root), which shows connected clients, their public keys, their IP addresses, when they last connected, and how much data they have sent and received.

Step 5: Additional Users and Firewall Rules

After creating the tunnel file and connecting to it, the remote user should be able to reach any internal IP in the 10.200.0.0/16 range. The AllowedIPs value in the client config can be changed to send all traffic over the tunnel (0.0.0.0/0) or only a specific subnet (10.200.11.0/24). Firewall rules can also be applied on the wg0 interface to restrict or allow access.

First, we'll create additional user folders, generate keys, and document them as needed:

cd /home/ubnt/user_keys
mkdir admin2; cd admin2
wg genkey | tee privatekey | wg pubkey > publickey
more privatekey
more publickey

Repeat that process for any additional users you wish to create. Then, enter configuration mode and add the new peers to the EdgeRouter configuration.

In this example I made one more admin-level user and two basic users. We'll use these users to configure some basic access restrictions with firewall groups and rules.

set interfaces wireguard wg0 peer <publickey-here> description admin2
set interfaces wireguard wg0 peer <publickey-here> allowed-ips 10.200.254.11/32
set interfaces wireguard wg0 peer <publickey-here> description user1
set interfaces wireguard wg0 peer <publickey-here> allowed-ips 10.200.254.100/32
set interfaces wireguard wg0 peer <publickey-here> description user2
set interfaces wireguard wg0 peer <publickey-here> allowed-ips 10.200.254.101/32

Next, create any needed firewall groups. These are some example groups that may be useful, but the specifics will vary with what the VPN is being used for. We are making address groups for admins and users, and network groups for all LANs and for the smaller set of LANs that basic users should have access to.

Firewall Groups

Address groups can be made to specify specific peer IPs, to selectively apply policies to them as a group:

set firewall group address-group Wireguard-Admin-IPs address 10.200.254.10
set firewall group address-group Wireguard-Admin-IPs address 10.200.254.11
set firewall group address-group Wireguard-Admin-IPs description 'All Wireguard Admin IPs'
set firewall group address-group Wireguard-User-IPs address 10.200.254.100
set firewall group address-group Wireguard-User-IPs address 10.200.254.101
set firewall group address-group Wireguard-User-IPs description 'All Wireguard User IPs'

Network groups can be made to specify source and destination IP addresses in your firewall policies:

set firewall group network-group All-LANs description 'All LANs'
set firewall group network-group All-LANs network 10.200.1.0/24
set firewall group network-group All-LANs network 10.200.4.0/24
set firewall group network-group All-LANs network 10.200.10.0/24
set firewall group network-group All-LANs network 10.200.11.0/24
set firewall group network-group All-LANs network 10.200.254.0/24

set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

set firewall group network-group All-Wireguard-IPs description 'Wireguard IP Range'
set firewall group network-group All-Wireguard-IPs network 10.200.254.0/24

set firewall group network-group User-LANs description 'All User LANs'
set firewall group network-group User-LANs network 10.200.10.0/24

Port groups can be made to selectively allow specific ports and services in your rules:

set firewall group port-group Router-Services description 'DNS and other Router Services'
set firewall group port-group Router-Services port 53
set firewall group port-group Router-Services port 67
set firewall group port-group Router-Services port 853
set firewall group port-group Admin-Services description 'SSH, HTTP, and other Admin Services'
set firewall group port-group Admin-Services port 22
set firewall group port-group Admin-Services port 53
set firewall group port-group Admin-Services port 67
set firewall group port-group Admin-Services port 80
set firewall group port-group Admin-Services port 443
set firewall group port-group Admin-Services port 853

Firewall Rules

After any needed groups are made, you can create your Wireguard In and Wireguard Local rules.

The WG_IN rules are for traffic coming from the wg0 interface and headed for other networks. This would be a remote access user attempting to reach a LAN network, or the Internet if they are routing all of their traffic through the tunnel. Here, we are going to allow our admin users to access everything, and our regular users will be able to access our 10.200.10.0/24 LAN network, as well as an internal web server.

set firewall name WG_IN default-action drop
set firewall name WG_IN description 'Wireguard to LAN'

set firewall name WG_IN rule 10 action accept
set firewall name WG_IN rule 10 description 'Allow Admins to All'
set firewall name WG_IN rule 10 destination group network-group All-LANs
set firewall name WG_IN rule 10 log disable
set firewall name WG_IN rule 10 protocol all
set firewall name WG_IN rule 10 source group address-group Wireguard-Admin-IPs

set firewall name WG_IN rule 20 action accept
set firewall name WG_IN rule 20 description 'Allow Wireguard-Users to LAN'
set firewall name WG_IN rule 20 destination group network-group User-LANs
set firewall name WG_IN rule 20 log disable
set firewall name WG_IN rule 20 protocol all
set firewall name WG_IN rule 20 source group address-group Wireguard-User-IPs

set firewall name WG_IN rule 30 action accept
set firewall name WG_IN rule 30 description 'Allow Wireguard-Users to web server'
set firewall name WG_IN rule 30 destination address 10.200.11.154
set firewall name WG_IN rule 30 destination port 443
set firewall name WG_IN rule 30 log disable
set firewall name WG_IN rule 30 protocol tcp
set firewall name WG_IN rule 30 source group address-group Wireguard-User-IPs

set firewall name WG_IN rule 40 action drop
set firewall name WG_IN rule 40 description 'Drop all others'
set firewall name WG_IN rule 40 log disable
set firewall name WG_IN rule 40 protocol all

The Wireguard local rules are for users attempting to access the Wireguard interface on the EdgeRouter. For typical users, they would just need DNS and other essential services. You could also specifically block them from HTTPS, SSH, and other ports they should not have access to, if needed.

With the local rules, we are allowing all Wireguard peers to DNS, and allowing our admin group to SSH, HTTP, and HTTPS with our Admin-Services port group.

set firewall name WG_LOCAL default-action drop
set firewall name WG_LOCAL description 'Wireguard to Router'

set firewall name WG_LOCAL rule 10 action accept
set firewall name WG_LOCAL rule 10 description 'Allow Admins to Router'
set firewall name WG_LOCAL rule 10 destination address 10.200.254.1
set firewall name WG_LOCAL rule 10 log disable
set firewall name WG_LOCAL rule 10 protocol all
set firewall name WG_LOCAL rule 10 source group address-group Wireguard-Admin-IPs

set firewall name WG_LOCAL rule 20 action accept
set firewall name WG_LOCAL rule 20 description 'Allow Users to Router Services'
set firewall name WG_LOCAL rule 20 destination address 10.200.254.1
set firewall name WG_LOCAL rule 20 destination group port-group Router-Services
set firewall name WG_LOCAL rule 20 log disable
set firewall name WG_LOCAL rule 20 protocol tcp_udp
set firewall name WG_LOCAL rule 20 source group address-group Wireguard-User-IPs

set firewall name WG_LOCAL rule 30 action drop
set firewall name WG_LOCAL rule 30 description 'Drop all others'

Next, apply rules to your wg0 interface, and commit and save your changes:

set interfaces wireguard wg0 firewall in name WG_IN
set interfaces wireguard wg0 firewall local name WG_LOCAL
commit; save

Review and Test

To review, let's look at our topology again.

(Figure 2: the example topology diagram again)

Admins will have the following policies applied:

  • Able to resolve DNS via the EdgeRouter
  • Able to SSH to the EdgeRouter and view the web interface at 10.200.254.1.
  • Access all LAN networks, including the management network where the Wi-Fi access point and managed switch are.
  • Access the internal server at 10.200.11.154.

Users will have the following policies applied:

  • Able to resolve DNS via the EdgeRouter
  • Blocked from SSH, HTTP, and HTTPS to the EdgeRouter
  • Access the 10.200.10.0/24 LAN network
  • Blocked from the 10.200.4.0/24 management network
  • Blocked from the 10.200.11.0/24 server network
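To confirm that the rulesets actually produce the policy summarised above, here is an added Python model of the guide's groups and WG_IN/WG_LOCAL rules (example code, not from the guide or from EdgeOS). It evaluates a flow arriving on wg0 the way the router does: first match in rule order, with traffic addressed to the router itself checked against WG_LOCAL and forwarded traffic against WG_IN. Treating "the router itself" as only its wg0 address is a simplification.

```python
import ipaddress

# Groups exactly as the guide defines them.
ADDRESS_GROUPS = {
    "Wireguard-Admin-IPs": {"10.200.254.10", "10.200.254.11"},
    "Wireguard-User-IPs": {"10.200.254.100", "10.200.254.101"},
}
NETWORK_GROUPS = {
    "All-LANs": ["10.200.1.0/24", "10.200.4.0/24", "10.200.10.0/24",
                 "10.200.11.0/24", "10.200.254.0/24"],
    "User-LANs": ["10.200.10.0/24"],
}
PORT_GROUPS = {"Router-Services": {53, 67, 853},
               "Admin-Services": {22, 53, 67, 80, 443, 853}}
ROUTER_WG_ADDRESS = ipaddress.ip_address("10.200.254.1")

# The guide's rules in order. A key left out means 'match anything' (protocol all, etc.).
WG_IN = [
    dict(n=10, action="accept", src_ag="Wireguard-Admin-IPs", dst_ng="All-LANs"),
    dict(n=20, action="accept", src_ag="Wireguard-User-IPs", dst_ng="User-LANs"),
    dict(n=30, action="accept", src_ag="Wireguard-User-IPs", dst="10.200.11.154",
         dport=443, proto="tcp"),
    dict(n=40, action="drop"),
]
WG_LOCAL = [
    dict(n=10, action="accept", src_ag="Wireguard-Admin-IPs", dst="10.200.254.1"),
    dict(n=20, action="accept", src_ag="Wireguard-User-IPs", dst="10.200.254.1",
         dst_pg="Router-Services", proto="tcp_udp"),
    dict(n=30, action="drop"),
]


def _matches(rule, src, dst, proto, dport):
    """Every field present on the rule must match for the rule to fire."""
    if "proto" in rule and proto not in rule["proto"].split("_"):  # 'tcp_udp' covers both
        return False
    if "src_ag" in rule and str(src) not in ADDRESS_GROUPS[rule["src_ag"]]:
        return False
    if "dst" in rule and dst != ipaddress.ip_address(rule["dst"]):
        return False
    if "dst_ng" in rule and not any(dst in ipaddress.ip_network(n)
                                    for n in NETWORK_GROUPS[rule["dst_ng"]]):
        return False
    if "dport" in rule and dport != rule["dport"]:
        return False
    if "dst_pg" in rule and dport not in PORT_GROUPS[rule["dst_pg"]]:
        return False
    return True


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (ruleset, rule number, action) for a flow arriving on wg0; first match wins.
    Traffic to the router itself is checked against WG_LOCAL, forwarded traffic against WG_IN.
    Simplification: 'the router itself' is recognised by its wg0 address only."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    name, rules = ("WG_LOCAL", WG_LOCAL) if dst == ROUTER_WG_ADDRESS else ("WG_IN", WG_IN)
    for rule in rules:
        if _matches(rule, src, dst, proto, dport):
            return name, rule["n"], rule["action"]
    return name, None, "drop"  # default-action drop in both rulesets
```

One thing the model makes visible: any destination outside All-LANs or User-LANs, including Internet addresses, falls through to the drop rule for admins and users alike, so a full-tunnel client (AllowedIPs 0.0.0.0/0) would need an additional accept rule ahead of rule 40.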

HostiFi

Contact HostiFi for all your UniFi and UISP hosting needs at support@hostifi.com, or by using the live chat on our website. HostiFi Pro offers professional network services, specializing in Ubiquiti hardware and software.


Article information

Author: Dean Jakubowski Ret