
How to Configure an EdgeRouter Wireguard Remote Access VPN

Step-by-step guide for installing Wireguard and setting up a remote access VPN on Ubiquiti EdgeRouters

Evan McCann

October 6, 2022

Previously, we covered how to install and configure Wireguard on a UDM-Pro, or other UniFi OS console. This guide covers Ubiquiti's EdgeRouters, and the commands you'll need to configure a remote access VPN.

EdgeRouters feature built-in support for OpenVPN, IPsec, GRE, L2TP, and some other VPN and tunneling protocols. If you want to use any of those, refer to Ubiquiti's EdgeRouter VPN help articles. Those cover a lot of the basics of VPNs and some advanced route-based or policy-based site-to-site setups.

While the built-in options will work for most, Wireguard is a more modern alternative. Wireguard is a free and open-source VPN, designed to be easy to use, fast, and secure. It outperforms IPsec and OpenVPN, and it can make a good site-to-site or remote access VPN, depending on how you configure it. It's not built into EdgeOS, but with a few commands you can install the Wireguard package from GitHub.

This guide assumes a few things, including that the EdgeRouter has a public IP on the WAN port, and isn't behind CGNAT. If you don't have a static public IP address, you'll want to use a dynamic DNS service, and point your clients to that hostname.

For our example, I'm going to be using an EdgeRouter 4 and the following topology. Our goal is to provide remote users access to the internal LAN networks and devices in the 10.200.0.0/16 range.

Step 1: Install Wireguard

To install Wireguard on an EdgeRouter, first you need to find the proper installation package for your model. The following commands assume you are on a version 2 firmware, ideally one of the latest v2.0.9 builds. If you are still running a version 1.x firmware, either update your EdgeRouter first or find the correct package and URL on the Wireguard GitHub page.

EdgeRouter X and EdgeRouter X SFP (ER-X, ER-X-SFP)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e50-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e50-v2-v1.0.20220627-v1.0.20210914.deb

EdgeRouter Lite and EdgeRouter PoE (ER-Lite, ER-PoE)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e100-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e100-v2-v1.0.20220627-v1.0.20210914.deb

EdgeRouter 8 and EdgeRouter Pro (ER-8, ER-8-Pro)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e200-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e200-v2-v1.0.20220627-v1.0.20210914.deb

EdgeRouter 4, EdgeRouter 6P and EdgeRouter 12 (ER-4, ER-6P, ER-12, ER-12P)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e300-v2-v1.0.20220627-v1.0.20210914.deb

EdgeRouter Infinity (ER-8-XG)

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e1000-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e1000-v2-v1.0.20220627-v1.0.20210914.deb

Step 2: Key Creation

Now that Wireguard is installed, we need to generate folders and keys. The number of keys and their names are up to you, but this is the basic process you will need to go through. In these commands we're also assuming the use of the default ubnt account for administration, hopefully with a long, unique password. If you are logging in as another user, the paths shown will need to be adjusted to match the user and directories you wish to use.

First, confirm your current working directory. The rest of the command examples assume /home/ubnt.

pwd

Create a folder for the server's keys and navigate to it

mkdir server_keys; cd server_keys

Generate a key pair for the Wireguard server

wg genkey | tee privatekey | wg pubkey > publickey

Display keys and copy or document them as needed

more privatekey
more publickey

Navigate back to the home directory

cd /home/ubnt

If you need to generate user keys, you can follow these steps to make subdirectories for each key pair you want to generate. You can also have the users generate their keys and then add them manually later. In this example we'll generate one key pair to use in our basic remote access configuration.

Create a user keys folder and navigate to it

mkdir user_keys; cd user_keys

Create a subdirectory for the user you wish to create and navigate to it

mkdir hostifi_user; cd hostifi_user

Generate a key pair for the user

wg genkey | tee privatekey | wg pubkey > publickey

Display keys and copy or document them as needed

more privatekey
more publickey

Navigate back to the home directory

cd /home/ubnt

Step 3: Configure Wireguard Interface and Users

Now that the keys have been made, we need to configure the Wireguard interface and make the other needed configuration changes to allow remote access.

Enter configure mode

configure

Set the EdgeRouter's private key, using the previously generated key

set interfaces wireguard wg0 private-key /home/ubnt/server_keys/privatekey

Create the subnet and gateway IP for the Wireguard VPN subnet. This subnet can be any private IP range, but check for conflicts

set interfaces wireguard wg0 address 10.200.254.1/24

Create entry in the routing table for the VPN subnet

set interfaces wireguard wg0 route-allowed-ips true

Set the UDP port number that peers will use, default is 51820

set interfaces wireguard wg0 listen-port 51820

Add the public key and IP for your remote user peer

set interfaces wireguard wg0 peer Ilv0Iau0lqRzGGQk9OsLjmIiXXMz8ivDdB9muL4WGUo= allowed-ips 10.200.254.10/32
set interfaces wireguard wg0 peer Ilv0Iau0lqRzGGQk9OsLjmIiXXMz8ivDdB9muL4WGUo= description HostiFi_Peer

Lastly, we have to create an allow rule for UDP traffic landing on our WAN port, using the port number we defined earlier. The specifics of this command and the rule name and number will vary. If you are using the default WAN_LOCAL rule, these commands will work. If not, adjust as needed.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 51820
set firewall name WAN_LOCAL rule 30 description 'WireGuard'

Commit and save your changes

commit ; save

Step 4: Connect and Test

At this point the tunnel is ready to test. You will need to download and install the Wireguard client application, and create a new tunnel. In this configuration file, you would define the user's Wireguard interface, using the user's private key you generated earlier. Then, you'd define the EdgeRouter side under the peer section, where you place the EdgeRouter's public key and public IP or DNS record.

For our example user, the configuration would look like this:

[Interface]
PrivateKey = <private key of user>
ListenPort = 51820
Address = <IP of user within the Wireguard subnet, matching the IP set on the server>
DNS = <DNS server for user to use>

[Peer]
PublicKey = <public key of EdgeRouter>
AllowedIPs = <IP range that will route through Wireguard tunnel>
Endpoint = <public IP or DNS record of EdgeRouter>:51820

In our example, our client's config file would be this:

[Interface]
PrivateKey = qPmvaboI4Rh6H33ptha4Wr/zo9dW55c7j0CC06GjPEg=
ListenPort = 51820
Address = 10.200.254.10/32
DNS = 1.1.1.1

[Peer]
PublicKey = e1gvI+LQeGQdDlTKwt6BAWqPltGioB+p+cNLWXTTBvVY=
AllowedIPs = 10.200.0.0/16
Endpoint = 100.64.0.1:51820
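The server-side peer entry from Step 3 and the client file above have to agree: the client's Address must be exactly the /32 the router holds in allowed-ips for that peer, the address must sit inside the wg0 subnet, and both keys must be well-formed. The following Python script is an added example, not code from the original post or from Ubiquiti; it builds both sides from one peer record and runs those consistency checks. The peer keys are the ones printed in the post; SERVER_PUBLIC_KEY is a constructed placeholder (base64 of a fixed 32-byte string) that passes the format check but is not a real key.

```python
import base64
import ipaddress
from dataclasses import dataclass
from typing import List


def is_wg_key(key: str) -> bool:
    """A WireGuard key is 32 bytes, printed as 44 base64 characters ending in '='."""
    if len(key) != 44 or not key.endswith("="):
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


@dataclass
class Peer:
    description: str
    public_key: str
    address: str            # the peer's tunnel IP, e.g. 10.200.254.10/32


def check_peer(peer: Peer, wg0_address: str = "10.200.254.1/24") -> List[str]:
    """Consistency checks between a peer and the router's wg0 interface address.
    Returns a list of problems; an empty list means the peer is consistent."""
    problems = []
    if not is_wg_key(peer.public_key):
        problems.append("public key is not 44-character base64 for 32 bytes")
    addr = ipaddress.ip_interface(peer.address)
    router = ipaddress.ip_interface(wg0_address)
    if addr.network.prefixlen != 32:
        problems.append("a remote-access peer should get a single /32")
    if addr.ip not in router.network:
        problems.append(f"{addr.ip} is outside the wg0 subnet {router.network}")
    elif addr.ip == router.ip:
        problems.append("peer address collides with the router's wg0 address")
    return problems


def server_commands(peer: Peer) -> List[str]:
    """EdgeOS `set` lines that register the peer on wg0 (what Step 3 does by hand)."""
    base = f"set interfaces wireguard wg0 peer {peer.public_key}"
    return [f"{base} allowed-ips {peer.address}", f"{base} description {peer.description}"]


def client_config(peer: Peer, private_key: str, server_public_key: str, endpoint: str,
                  allowed_ips: str = "10.200.0.0/16", dns: str = "1.1.1.1") -> str:
    """The tunnel file the user imports into the WireGuard client. Address here
    must equal the allowed-ips the router holds for this peer."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        "ListenPort = 51820",
        f"Address = {peer.address}",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"AllowedIPs = {allowed_ips}",
        f"Endpoint = {endpoint}",
    ]) + "\n"


# Values from the post, except SERVER_PUBLIC_KEY, which is a constructed placeholder.
HOSTIFI_PEER = Peer("HostiFi_Peer", "Ilv0Iau0lqRzGGQk9OsLjmIiXXMz8ivDdB9muL4WGUo=", "10.200.254.10/32")
HOSTIFI_PRIVATE_KEY = "qPmvaboI4Rh6H33ptha4Wr/zo9dW55c7j0CC06GjPEg="
SERVER_PUBLIC_KEY = base64.b64encode(b"server-public-key-constructed-01").decode()

if __name__ == "__main__":
    print("\n".join(server_commands(HOSTIFI_PEER)))
    print(client_config(HOSTIFI_PEER, HOSTIFI_PRIVATE_KEY, SERVER_PUBLIC_KEY, "100.64.0.1:51820"))
    print("problems:", check_peer(HOSTIFI_PEER) or "none")
```

Running it prints the two `set` lines from Step 3 and the client file from this step for the same peer, so a mismatch between the two sides shows up before anyone tries to connect.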

The best way to view status on the EdgeRouter is the "wg show" command (run it as "sudo wg show", or "sudo wg show wg0" for just this interface), which lists each peer's public key, endpoint and allowed IPs, the time of its latest handshake, and how much data it has sent and received.
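For monitoring more than one or two peers, the machine-readable form "wg show wg0 dump" is easier to work with than the human-readable output. The script below is an added example, not part of the original post; it assumes the dump format documented in the wg(8) man page (tab-separated; first line is the interface, each further line is one peer with public key, preshared key, endpoint, allowed IPs, latest-handshake Unix time, received bytes, sent bytes and keepalive). It parses a constructed sample and reports which documented peers are active, idle, or have never completed a handshake, and flags any peer key that is not in the documented list. The first peer key is the one used in the post; the second is a constructed placeholder.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

# Peers as documented in the router config (public key -> description). The first
# key is from the post; the second is a constructed placeholder, not a real key.
KNOWN_PEERS: Dict[str, str] = {
    "Ilv0Iau0lqRzGGQk9OsLjmIiXXMz8ivDdB9muL4WGUo=": "HostiFi_Peer",
    base64.b64encode(b"admin2-constructed-pubkey-000001").decode(): "admin2",
}
_KEYS = list(KNOWN_PEERS)

# Constructed sample of `sudo wg show wg0 dump` output. Fields are tab-separated.
# Line 1: private-key public-key listen-port fwmark (both keys are placeholders here).
# Each following line is one peer:
# public-key preshared-key endpoint allowed-ips latest-handshake rx-bytes tx-bytes keepalive
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER", "51820", "off"]),
    "\t".join([_KEYS[0], "(none)", "203.0.113.45:41234", "10.200.254.10/32",
               "1665000000", "8830521", "120442913", "off"]),
    "\t".join([_KEYS[1], "(none)", "(none)", "10.200.254.11/32", "0", "0", "0", "off"]),
])


@dataclass
class PeerStatus:
    public_key: str
    endpoint: Optional[str]     # None until the peer has sent a packet
    allowed_ips: List[str]
    latest_handshake: int       # Unix time of the last handshake, 0 if never
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(text: str) -> List[PeerStatus]:
    """Parse `wg show <iface> dump` output into one PeerStatus per peer."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:                       # skip the interface line
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = fields
        peers.append(PeerStatus(pub, None if endpoint == "(none)" else endpoint,
                                allowed.split(","), int(hs), int(rx), int(tx)))
    return peers


def classify(peers: List[PeerStatus], now: int, idle_after: int = 180) -> Dict[str, str]:
    """Map each peer's description to 'active', 'idle' or 'never-connected'.
    WireGuard renews the handshake roughly every two minutes while traffic flows,
    so a handshake older than idle_after seconds means the peer has gone quiet.
    A key that is not in KNOWN_PEERS is reported under an UNKNOWN label so that
    config drift (a peer nobody documented) is visible."""
    result = {}
    for p in peers:
        name = KNOWN_PEERS.get(p.public_key, f"UNKNOWN {p.public_key[:8]}...")
        if p.latest_handshake == 0:
            result[name] = "never-connected"
        elif now - p.latest_handshake > idle_after:
            result[name] = "idle"
        else:
            result[name] = "active"
    return result


if __name__ == "__main__":
    for name, state in classify(parse_wg_dump(SAMPLE_DUMP), now=1665000100).items():
        print(f"{name}: {state}")
```

On the router you would feed it real output, for example by piping "sudo wg show wg0 dump" into the script and passing the current time to classify(); the sample keeps the time fixed so the result is reproducible.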

Step 5: Additional Users and Firewall Rules

After creating the tunnel file and connecting to it, the remote user should be able to reach any internal IP in the 10.200.0.0/16 range. The AllowedIPs line in the client configuration can be changed to send all traffic over the tunnel (0.0.0.0/0) or only a specific subnet (10.200.11.0/24). Firewall rules can also be applied on the wg0 interface to restrict or allow access.

First, we'll create additional user folders, generate keys, and document them as needed:

cd /home/ubnt/user_keys
mkdir admin2; cd admin2
wg genkey | tee privatekey | wg pubkey > publickey
more privatekey
more publickey

Repeat that process for any additional users you wish to create. Then, enter configuration mode and add the new peers to the EdgeRouter configuration.

In this example I made one more admin-level user, and two basic users. We'll use these users to configure some basic access restrictions with firewall groups and rules.

set interfaces wireguard wg0 peer <publickey-here> description admin2
set interfaces wireguard wg0 peer <publickey-here> allowed-ips 10.200.254.11/32
set interfaces wireguard wg0 peer <publickey-here> description user1
set interfaces wireguard wg0 peer <publickey-here> allowed-ips 10.200.254.100/32
set interfaces wireguard wg0 peer <publickey-here> description user2
set interfaces wireguard wg0 peer <publickey-here> allowed-ips 10.200.254.101/32

Next, create any needed firewall groups. These are some example groups that may be useful, but the specifics will vary with what the VPN is being used for. We are making address groups for admins and users, and network groups for all LANs and for the smaller set of LANs that basic users should have access to.

Firewall Groups

Address groups can be made to specify specific peer IPs, to selectively apply policies to them as a group:

set firewall group address-group Wireguard-Admin-IPs address 10.200.254.10
set firewall group address-group Wireguard-Admin-IPs address 10.200.254.11
set firewall group address-group Wireguard-Admin-IPs description 'All Wireguard Admin IPs'
set firewall group address-group Wireguard-User-IPs address 10.200.254.100
set firewall group address-group Wireguard-User-IPs address 10.200.254.101
set firewall group address-group Wireguard-User-IPs description 'All Wireguard User IPs'

Network groups can be made to specify source and destination IP addresses in your firewall policies:

set firewall group network-group All-LANs description 'All LANs'
set firewall group network-group All-LANs network 10.200.1.0/24
set firewall group network-group All-LANs network 10.200.4.0/24
set firewall group network-group All-LANs network 10.200.10.0/24
set firewall group network-group All-LANs network 10.200.11.0/24
set firewall group network-group All-LANs network 10.200.254.0/24

set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

set firewall group network-group All-Wireguard-IPs description 'Wireguard IP Range'
set firewall group network-group All-Wireguard-IPs network 10.200.254.0/24

set firewall group network-group User-LANs description 'All User LANs'
set firewall group network-group User-LANs network 10.200.10.0/24

Port groups can be made to selectively allow specific ports and services in your rules:

set firewall group port-group Router-Services description 'DNS and other Router Services'
set firewall group port-group Router-Services port 53
set firewall group port-group Router-Services port 67
set firewall group port-group Router-Services port 853
set firewall group port-group Admin-Services description 'SSH, HTTP, and other Admin Services'
set firewall group port-group Admin-Services port 22
set firewall group port-group Admin-Services port 53
set firewall group port-group Admin-Services port 67
set firewall group port-group Admin-Services port 80
set firewall group port-group Admin-Services port 443
set firewall group port-group Admin-Services port 853

Firewall Rules

After any needed groups are made, you can create your Wireguard In and Wireguard Local rules.

The WG_IN rules are for traffic coming from the wg0 interface, and headed for other networks. This would be a remote access user attempting to reach a LAN network, or the Internet if they are routing all of their traffic through the tunnel. Here, we are going to allow our admin users to access everything, and our regular users will be able to access our 10.200.10.0/24 LAN network, as well as an internal web server.

set firewall name WG_IN default-action drop
set firewall name WG_IN description 'Wireguard to LAN'

set firewall name WG_IN rule 10 action accept
set firewall name WG_IN rule 10 description 'Allow Admins to All'
set firewall name WG_IN rule 10 destination group network-group All-LANs
set firewall name WG_IN rule 10 log disable
set firewall name WG_IN rule 10 protocol all
set firewall name WG_IN rule 10 source group address-group Wireguard-Admin-IPs

set firewall name WG_IN rule 20 action accept
set firewall name WG_IN rule 20 description 'Allow Wireguard-Users to LAN'
set firewall name WG_IN rule 20 destination group network-group User-LANs
set firewall name WG_IN rule 20 log disable
set firewall name WG_IN rule 20 protocol all
set firewall name WG_IN rule 20 source group address-group Wireguard-User-IPs

set firewall name WG_IN rule 30 action accept
set firewall name WG_IN rule 30 description 'Allow Wireguard-Users to web server'
set firewall name WG_IN rule 30 destination address 10.200.11.154
set firewall name WG_IN rule 30 destination port 443
set firewall name WG_IN rule 30 log disable
set firewall name WG_IN rule 30 protocol tcp
set firewall name WG_IN rule 30 source group address-group Wireguard-User-IPs

set firewall name WG_IN rule 40 action drop
set firewall name WG_IN rule 40 description 'Drop all others'
set firewall name WG_IN rule 40 log disable
set firewall name WG_IN rule 40 protocol all

The Wireguard local rules are for traffic from Wireguard peers to the EdgeRouter itself, on its wg0 interface address. Typical users only need DNS and other essential services. You could also specifically block them from HTTPS, SSH, and other ports they should not have access to, if needed.

With the local rules, we are allowing all Wireguard peers to reach DNS on the router, and allowing our admin group to reach the router over SSH, HTTP, and HTTPS. Note that rule 10 below accepts every protocol from the admin group; to limit admins to exactly those services, add the Admin-Services port group to it as a destination port-group, the same way rule 20 uses Router-Services.

set firewall name WG_LOCAL default-action drop
set firewall name WG_LOCAL description 'Wireguard to Router'

set firewall name WG_LOCAL rule 10 action accept
set firewall name WG_LOCAL rule 10 description 'Allow Admins to Router'
set firewall name WG_LOCAL rule 10 destination address 10.200.254.1
set firewall name WG_LOCAL rule 10 log disable
set firewall name WG_LOCAL rule 10 protocol all
set firewall name WG_LOCAL rule 10 source group address-group Wireguard-Admin-IPs

set firewall name WG_LOCAL rule 20 action accept
set firewall name WG_LOCAL rule 20 description 'Allow Users to Router Services'
set firewall name WG_LOCAL rule 20 destination address 10.200.254.1
set firewall name WG_LOCAL rule 20 destination group port-group Router-Services
set firewall name WG_LOCAL rule 20 log disable
set firewall name WG_LOCAL rule 20 protocol tcp_udp
set firewall name WG_LOCAL rule 20 source group address-group Wireguard-User-IPs

set firewall name WG_LOCAL rule 30 action drop
set firewall name WG_LOCAL rule 30 description 'Drop all others'

Next, apply rules to your wg0 interface, and commit and save your changes:

set interfaces wireguard wg0 firewall in name WG_IN
set interfaces wireguard wg0 firewall local name WG_LOCAL
commit; save

Review and Test

To review, let's look at our topology again.

Admins will have the following policies applied:

  • Able to resolve DNS via the EdgeRouter
  • Able to SSH to the EdgeRouter and view the web interface at 10.200.254.1.
  • Access all LAN networks, including the management network where the Wi-Fi access point and managed switch are.
  • Access the internal server at 10.200.11.154.

Users will have the following policies applied:

  • Able to resolve DNS via the EdgeRouter
  • Blocked from SSH, HTTP, and HTTPS to the EdgeRouter
  • Access the 10.200.10.0/24 LAN network
  • Blocked from 10.200.4.0/24 management network
  • Blocked from 10.200.11.0/24 server network
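Before committing a ruleset like this, it is worth checking that the rules actually produce the policy listed above, since a group typo or a misordered rule silently widens access. The script below is an added example, not part of the original post or EdgeOS itself; it is a small first-match model of the WG_IN and WG_LOCAL rulesets with the page's groups, and it evaluates a set of sample packets against the admin and user expectations from this section. Sample addresses inside the LANs (10.200.4.20, 10.200.10.50) are constructed; the web server 10.200.11.154 is the one from the rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WG0_ROUTER_IP = ipaddress.ip_address("10.200.254.1")

# Group contents copied from the post's "set firewall group ..." commands.
ADDRESS_GROUPS = {
    "Wireguard-Admin-IPs": {"10.200.254.10", "10.200.254.11"},
    "Wireguard-User-IPs": {"10.200.254.100", "10.200.254.101"},
}
NETWORK_GROUPS = {
    "All-LANs": ["10.200.1.0/24", "10.200.4.0/24", "10.200.10.0/24",
                 "10.200.11.0/24", "10.200.254.0/24"],
    "User-LANs": ["10.200.10.0/24"],
}
PORT_GROUPS = {"Router-Services": {53, 67, 853}}


@dataclass
class Rule:
    """One EdgeOS firewall rule; a field left at None imposes no match condition."""
    action: str
    protocol: str = "all"                  # all | tcp | udp | tcp_udp
    src_group: Optional[str] = None        # address-group name
    dst_group: Optional[str] = None        # network-group name
    dst_address: Optional[str] = None
    dst_port_group: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, src, dst, proto, dport):
        if self.protocol != "all":
            wanted = {"tcp", "udp"} if self.protocol == "tcp_udp" else {self.protocol}
            if proto not in wanted:
                return False
        if self.src_group and str(src) not in ADDRESS_GROUPS[self.src_group]:
            return False
        if self.dst_group and not any(dst in ipaddress.ip_network(n)
                                      for n in NETWORK_GROUPS[self.dst_group]):
            return False
        if self.dst_address and dst != ipaddress.ip_address(self.dst_address):
            return False
        if self.dst_port_group and dport not in PORT_GROUPS[self.dst_port_group]:
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        return True


# Rule order and contents follow the WG_IN and WG_LOCAL rulesets in the post.
WG_IN = [
    Rule("accept", src_group="Wireguard-Admin-IPs", dst_group="All-LANs"),       # rule 10
    Rule("accept", src_group="Wireguard-User-IPs", dst_group="User-LANs"),       # rule 20
    Rule("accept", "tcp", src_group="Wireguard-User-IPs",
         dst_address="10.200.11.154", dst_port=443),                             # rule 30
    Rule("drop"),                                                                # rule 40
]
WG_LOCAL = [
    Rule("accept", src_group="Wireguard-Admin-IPs", dst_address="10.200.254.1"), # rule 10
    Rule("accept", "tcp_udp", src_group="Wireguard-User-IPs",
         dst_address="10.200.254.1", dst_port_group="Router-Services"),          # rule 20
    Rule("drop"),                                                                # rule 30
]


def evaluate(src, dst, proto="tcp", dport=None):
    """First-match verdict for a packet arriving on wg0. Traffic to the router's own
    wg0 address goes through the 'local' chain, everything else through 'in'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chain = WG_LOCAL if dst == WG0_ROUTER_IP else WG_IN
    for rule in chain:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "drop"     # default-action drop on both rulesets


# The policy this section promises, as (label, src, dst, proto, dport, verdict).
EXPECTED = [
    ("admin DNS to router",      "10.200.254.10",  "10.200.254.1",  "udp", 53,  "accept"),
    ("admin SSH to router",      "10.200.254.10",  "10.200.254.1",  "tcp", 22,  "accept"),
    ("admin to management LAN",  "10.200.254.11",  "10.200.4.20",   "tcp", 443, "accept"),
    ("admin to internal server", "10.200.254.10",  "10.200.11.154", "tcp", 22,  "accept"),
    ("user DNS to router",       "10.200.254.100", "10.200.254.1",  "udp", 53,  "accept"),
    ("user SSH to router",       "10.200.254.100", "10.200.254.1",  "tcp", 22,  "drop"),
    ("user HTTPS to router",     "10.200.254.101", "10.200.254.1",  "tcp", 443, "drop"),
    ("user to user LAN",         "10.200.254.100", "10.200.10.50",  "tcp", 445, "accept"),
    ("user to management LAN",   "10.200.254.100", "10.200.4.20",   "tcp", 443, "drop"),
    ("user to web server HTTPS", "10.200.254.100", "10.200.11.154", "tcp", 443, "accept"),
    ("user to web server SSH",   "10.200.254.100", "10.200.11.154", "tcp", 22,  "drop"),
]


def check_policy():
    """Return the labels of expectations the rulesets fail to meet; an empty list
    means the configuration matches the intended policy."""
    return [label for label, s, d, p, port, want in EXPECTED if evaluate(s, d, p, port) != want]


if __name__ == "__main__":
    print("policy mismatches:", check_policy() or "none")
```

The model only covers the match fields these rules use (protocol, source address-group, destination network-group, address and port); if you extend the real ruleset with states, interfaces or other conditions, extend the Rule class to match before trusting its verdicts.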
