Setting Up WireGuard with TP Link Omada

2023-05-26 04:41:00 - last edited 2023-10-11 19:41:23
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: v1.3.0

Note: Added update 10/11/23

 

Hello all, one of my YT viewers advised me that there's still no guide about WireGuard with Omada, so I am posting one here. I also made a step-by-step video guide; you can find the configuration starting at Part 4 (the video has more info as it also covers ACL and InterVLAN). Find more info about WireGuard at wireguard dot com. Download their client at wireguard dot com /install/

 

Please refer to your hardware's release notes to see if your system is supported.

 

Hardware tested :

  • ER-7206 v2 with v1.3.x (or higher) firmware
  • OC-300 with v5.9.x firmware

 

Update 10/11/23:

Supported Hardware

  • ER-605 v1 does not support Wireguard. May never get this added since OG ER-605 is EOL :(
  • ER-605 v2, ER-7206, ER-8411 - I have personally tested these and they work
  • Other Gateways, please refer to their latest firmware for Wireguard support (high chance it is supported)

 

TP Link's VPN Client (Includes Wireguard, OpenVPN, etc in one Client)

* There is a VPN Client for Windows released by TP Link which is much simpler to use.

End of Update 10/11/23

 

Note:
WireGuard supports many hardware platforms and operating systems. But for this guide, I am only going to use the Windows 10 operating system for the client, with the ER-7206 as server/interface.

 

Pre-requisites:

  1. WAN IP or FQDN pointing to WAN IP
  2. WireGuard Client installed

 

High Level Steps:

  1. WireGuard Interface (server) Set Up (Omada)
  2. WireGuard Client Set Up (Windows)
  3. WireGuard Peers (client) Set Up (Omada)

 

WireGuard Interface (server) Set Up (Omada)

  1. Settings > VPN > WireGuard
  2. Click "+Create New WireGuard" 
  3. Enter "Name:" i.e. wg0
  4. Use an unused LAN IP to fill in "Local IP Address"
  5. Click "Apply" 
  6. Copy the "Public Key", save it to text editor

 

WireGuard Client Set Up (Windows)

  1. Launch your WireGuard client
  2. Click "Empty Tunnel"
  3. Give it a name i.e. OmadaWGS
  4. Copy the "Public key" string that is just under the "Name" of the tunnel, save it to text editor
  5. Under [Interface]
    1.  "PrivateKey" = Do not modify
    2.  "Address" = Add unused private IP in CIDR format i.e. 10.1.1.1/24
    3.  "DNS" = Add well-known public DNS i.e. 1.1.1.1 or 8.8.8.8
  6. Under [Peer]
    1. "Public Key" - Enter the value copied in "Step 6" of the WireGuard Interface Set Up
    2.  "AllowedIPs" = use 0.0.0.0/0, ::/0
    3.  "Endpoint" = Use FQDN and/or WAN IP with :51820 port i.e. 172.20.110.102:51820
  7. Save

 

WireGuard Peers (client) Set Up (Omada)

  1. Settings > VPN > WireGuard > Peers
  2. Give it a "Name" i.e. RemotePC
  3. Select the "Interface" from the drop down
  4. In "Allow Address" field, enter the same IP you entered in "Step 5.2" of the WireGuard Client Set Up with /32 (single IP) or /24 (subnet IP)
  5. In "Public Key", enter the value copied in "Step 4" of the WireGuard Client Set Up
  6. Click "Apply"

 

Testing:

  1. Click "Activate" on the WireGuard Client.
  2. In Omada, go to Insights > VPN Status > WireGuard VPN

 

For reference, below is how I have my lab set up in my video guide.

 

Happy hunting!

Re:Setting Up WireGuard with TP Link Omada
2023-09-25 12:40:20

  @Death_Metal I've seen your YouTube videos .... followed the steps, doesn't work .... using ER605 v1, OC200

Re:Setting Up WireGuard with TP Link Omada-Solution
2023-09-26 02:01:41 - last edited 2023-09-28 01:43:33

Hi @akikoy 

Thanks for posting in our business forum.

akikoy wrote

  @Death_Metal I've seen your YouTube videos .... followed the steps, doesn't work .... using ER605 v1, OC200

ER605 V1 does not support WireGuard VPN. Of course, it does not work for you.

Best Regards!
Re:Setting Up WireGuard with TP Link Omada
2023-10-10 12:10:52

  @Death_Metal 

 

Thank you for the Tutorial, this helped me a lot to set up my basic WireGuard VPN. I got it running with the VPN-Client IP address 10.0.0.1

 

Now I want to have all Remote Connections in the VLAN 90 and Configure the connection to the other VLANs with ACL. 

 

My Setup now is: 

Omada Router with 4 VLANs (Secure/Guest/IoT/Remote) 

VLAN Secure (VLAN 1) has the IP-Range 192.168.60.1/24
VLAN Remote (VLAN 90) has the IP-Range 192.168.90.1/24

 

My Wireguard Configuration is: 

MTU: 1420
Listen Port: 51820
Local IP Address: 10.1.1.1
Private Key: Server-Private-Key
Public Key: Server-Public-Key

 

My Peer Configuration on Omada is: 
Endpoint: EMPTY
Endpoint Port: EMPTY
Allow Address: 192.168.90.5/32
Public Key: Client-Public-Key

 

My Configuration of the Wireguard Client on my MacBook is: 

 

[Interface]
PrivateKey = Interface-Private-Key
Address = 192.168.90.5/24
DNS = 1.1.1.1

 

[Peer]
PublicKey = Server-Public-Key
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = mydomain:51820

 

ACL-Rule Permits all Connections between Remote and Secure Lan.

 

The Wireguard Client shows me Data Traffic and that the Handshake is OK. The Omada Interface Shows me that there is a connection but I can't reach any IP-Address in my Secure LAN? Can anybody tell me what the Problem in my Setup could be? If I use 10.0.0.1/24 as Address, it works fine?  
 

 

Thanks

 

S

Re:Setting Up WireGuard with TP Link Omada
2023-10-11 01:24:37

Hi @Stefan83 

Thanks for posting in our business forum.

Stefan83 wrote

  @Death_Metal 

 

Thank you for the Tutorial, this helped me a lot to set up my basic WireGuard VPN. I got it running with the VPN-Client IP address 10.0.0.1

 

Now I want to have all Remote Connections in the VLAN 90 and Configure the connection to the other VLANs with ACL. 

 

My Setup now is: 

Omada Router with 4 VLANs (Secure/Guest/IoT/Remote) 

VLAN Secure (VLAN 1) has the IP-Range 192.168.60.1/24
VLAN Remote (VLAN 90) has the IP-Range 192.168.90.1/24

 

My Wireguard Configuration is: 

MTU: 1420
Listen Port: 51820
Local IP Address: 10.1.1.1
Private Key: Server-Private-Key
Public Key: Server-Public-Key

 

My Peer Configuration on Omada is: 
Endpoint: EMPTY
Endpoint Port: EMPTY
Allow Address: 192.168.90.5/32
Public Key: Client-Public-Key

 

My Configuration of the Wireguard Client on my MacBook is: 

 

[Interface]
PrivateKey = Interface-Private-Key
Address = 192.168.90.5/24
DNS = 1.1.1.1

 

[Peer]
PublicKey = Server-Public-Key
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = mydomain:51820

 

ACL-Rule Permits all Connections between Remote and Secure Lan.

 

The Wireguard Client shows me Data Traffic and that the Handshake is OK. The Omada Interface Shows me that there is a connection but I can't reach any IP-Address in my Secure LAN? Can anybody tell me what the Problem in my Setup could be? If I use 10.0.0.1/24 as Address, it works fine?  
 

 

Thanks

 

S

You should refer to the CG we have released. I would appreciate it if you would read the article: Configuration Guide How to Configure WireGuard VPN on Omada Controller

 

WireGuard is not an easy VPN and requires basic networking knowledge. If you would like to have an easy setup, go for the OVPN which is way easier than WG.

 

In your parameters, set the IP address to either both /32 or both /24.

If you are capable of running some checks, you should check what kind of IP you get on the PC. I think you are not getting the correct interface IP.

Best Regards!
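
Added example, not part of any post in this thread and not TP-Link or WireGuard code: a consistency check between the client config and the Omada peer entry, covering the cross-references in the guide (client "Address" vs. Omada "Allow Address", gateway public key in [Peer]) and the /32-or-/24 advice in the last reply. The function name `check_tunnel`, the sample values (taken from the posts above) and the VLAN-overlap rule are assumptions of this example.

```python
import configparser
import ipaddress

# Constructed sample, copied from the values posted in the thread.
CLIENT_CONF = """\
[Interface]
PrivateKey = Interface-Private-Key
Address = 192.168.90.5/24
DNS = 1.1.1.1

[Peer]
PublicKey = Server-Public-Key
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = mydomain:51820
"""
VLAN_SUBNETS = ["192.168.60.1/24", "192.168.90.1/24"]  # Secure, Remote


def check_tunnel(client_conf, omada_allow_address, gateway_public_key, lan_subnets):
    """Return a list of findings; an empty list means both sides agree."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(client_conf)
    findings = []
    # Only the first address is checked; a client may list several.
    addr = ipaddress.ip_interface(cp["Interface"]["Address"].split(",")[0].strip())
    allow = ipaddress.ip_network(omada_allow_address, strict=False)
    # WireGuard drops tunnel packets whose source address is outside the
    # range allowed for that peer, so the client address must fall inside it.
    if addr.ip not in allow:
        findings.append(f"client address {addr.ip} is outside Allow Address {allow}")
    # Support reply in the thread: use /32 on both sides or /24 on both sides.
    if addr.network.prefixlen != allow.prefixlen:
        findings.append(f"prefix mismatch: client /{addr.network.prefixlen}, "
                        f"Omada /{allow.prefixlen}")
    # Assumption of this example: a tunnel address inside an existing VLAN
    # range is worth flagging (the poster reports 10.0.0.1/24 works).
    for subnet in lan_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if addr.ip in net:
            findings.append(f"client address {addr.ip} lies inside VLAN subnet {net}")
    if cp["Peer"]["PublicKey"].strip() != gateway_public_key:
        findings.append("[Peer] PublicKey does not match the gateway's public key")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(CLIENT_CONF, "192.168.90.5/32",
                                "Server-Public-Key", VLAN_SUBNETS):
        print("FINDING:", finding)
```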

Information

Helpful: 2

Views: 3335

Replies: 4
