How to Configure WireGuard VPN on Omada Controller

2023-08-21 08:24:07 - last edited 3 weeks ago

Background:

 

This post provides a comprehensive configuration guide on WireGuard VPN with side notes for explanation.

Extra reference: How to Configure Site-to-Site WireGuard VPN on Omada Controller

 

This Article Applies to:

 

All routers with WireGuard VPN are supported.

 

Configuration Steps:

 

Step 1. Configure WireGuard VPN on the Omada SDN Controller.

 

1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.

2. Click Create New WireGuard and configure the parameters.

 

  • Name: Specify the name that identifies the WireGuard interface. (This does not affect the VPN tunnel or behavior.)
  • Status: Specify whether to enable the WireGuard interface. (Enable or disable your VPN tunnel.)
  • MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (Usually, it does not need to be set, and is generally determined automatically by the system.)
  • Listen Port: Specify the port number that the WireGuard interface listens on. The default value is 51820. (Usually, the client does not need this to be configured. In this example, our router is the server. You can change this if you need to and you know what you are doing.)
  • Local IP Address: Specify the IP address of the WireGuard interface. (Define the IP address of the WireGuard interface, which should be a non-occupied IP address.)
  • Private Key: Specify the private key of the WireGuard interface. The value will be automatically generated on the device, and you can also modify it manually. (Defines the private key of this specific VPN tunnel. It has to be set and cannot be shared with other tunnels.)

 

3. Click Apply. The WireGuard VPN entry will be displayed.

 

Step 2. Configure the WireGuard VPN on the PC

 

We use a Windows PC as an example.

1. On the PC, download and install the WireGuard VPN software from https://www.wireguard.com/install.

2. Open the WireGuard VPN software and choose Add Tunnel > Add empty tunnel.

 

3. Record the public key information and fill in the following parameters:

[Interface]

Address = 10.0.0.1/24 (Fill in the interface IP address for the WireGuard VPN. You can fill in what you like. Recommend a non-occupied IP or subnet.)

DNS = 8.8.8.8 (Fill in the DNS server. If not specified, the PC (as the VPN client) will be unable to access the Internet. VPN clients use this specified DNS server to process DNS requests in the tunnel. You may set multiple servers here, e.g. DNS = 8.8.8.8,1.1.1.1)

 

[Peer]

PublicKey = Ulv24MDAJMZYjAXAfXEYX+P/hU4SwwcNGpx6NIX5rTY= (Fill in the public key of the WireGuard VPN configured on the Omada SDN Controller. This defines the public key of the peer server. It has to be set correctly.)

AllowedIPs = 0.0.0.0/0 (0.0.0.0/0 means that all data sent by the PC (src) goes to the VPN tunnel, reaches the peer, and is then forwarded by the Omada Router. The range of source addresses allowed in VPN traffic sent by this peer.)

If you set it to be a subnet (10.20.0.1/24) of your LAN on your Omada router, data is routed to the VPN tunnel only when you access a destination in 10.20.0.1/24. Because this affects how you route your traffic, set it at your own discretion.

Endpoint = 192.168.1.110:51820 (Fill in the Omada Router’s WAN IP address and corresponding port. Specify the public IP address of the remote server or peer.)

 

 

4. Save the above configuration as shown below.

 

Step 3. Configure peer information on the Omada SDN Controller.

 

1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.

2. Click Create New Peer. Configure the parameters and click Apply.

 

  • Name: Specify the name that identifies the peer.
  • Status: Specify whether to enable the peer.
  • Interface: Choose the WireGuard interface to which the peer belongs.
  • Endpoint: Specify the IP address of the peer. This parameter is required when the Omada Router actively connects to another WireGuard server. (Specify the public network address of the remote peer. This field can be ignored if the remote peer is behind a NAT or does not have a stable public access address, which is what we have in this guide, a PC behind a NAT.)
  • Endpoint Port: Specify the port number of the peer. This parameter is required when the Omada Router actively connects to another WireGuard server.
  • Allowed Address: Specify the address segment that allows traffic to pass through. It is the same as the WireGuard VPN interface IP configured on the PC.
  • Persistent Keepalive: Specify the tunnel keepalive packet interval. (This defines the interval of keepalive packet sent to the Allowed Address.)
  • Comment: Enter the description of the peer.
  • Public Key: Fill in the public key of the peer PC. (The public key of the peer. If you have multiple servers in a WireGuard tunnel, the public key has to be set properly for every node, including relay servers. They can share the same public key with other peers. Yet, this is not what we discuss in this guide.)
  • Preshared Key: Specify a shared key if needed.

 

Step 4. Connect to the Omada SDN Controller using WireGuard VPN.

 

Click Activate on the WireGuard VPN to connect to the Omada SDN Controller. The Status will change from Inactive to Active, indicating that the VPN connection has been successfully established.

 

 

Note:

 

1. If you are configuring peer-to-multiple-peers, and plan to set up the interfaces on multiple peers in the same subnet, like 10.0.0.1/24, make sure you set the Allowed Address in the peer settings on the Omada router to /32 instead of /24 in Configuration Step 3.

 

i.e. Devices are using the interfaces below:

iOS device A, Peer A, interface = 10.0.0.1/24

macOS device B, Peer B, interface = 10.0.0.2/24

Windows device C, interface = 10.0.0.3/24

...

Allowed IPs in the Omada router peer settings for A, B, and C should be 10.0.0.1/32, 10.0.0.2/32, 10.0.0.3/32, and so on.

 

2. UBNT WireGuard VPN Config Guide with Omada Routers

3. In some extremely rare situations, if you cannot access the web, but everything else like ping or SSH works properly, and you are using PPPoE, you may consider lowering your WireGuard MTU to avoid such an issue.

 

Update Log:

 

Jun 20th, 2024:

Update the Note.

 

Mar 18th, 2024:

Update the Note.

 

Jan 16th, 2024:

Update the format.

Add a note to the peer-to-multiple-peers situation.

 

Recommended Threads:

 

UBNT WireGuard VPN Config Guide with Omada Routers

Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates

Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates

 

Feedback:

 

  • If this was helpful, you are welcome to give us Kudos by clicking the upward triangle below.
  • If there is anything unclear in this solution post, please feel free to comment below.

 

Thank you in advance for your valuable feedback!

 

------------------------------------------------------------------------------------------------

Have other off-topic issues to report? 

Welcome to > Start a New Thread < and elaborate on the issue for assistance.

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
#1
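Added example (not part of the original post or of TP-Link's software): a Python check for the peer-to-multiple-peers note in the guide above. It finds peers whose Allowed Address ranges overlap and rewrites them as single-host /32 entries; the peer names and the dictionary layout are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the three devices from the note, with each peer's
# Allowed Address copied from its /24 interface address (the mistake).
PEERS_AS_24 = {
    "Peer A (iOS)": ["10.0.0.1/24"],
    "Peer B (macOS)": ["10.0.0.2/24"],
    "Peer C (Windows)": ["10.0.0.3/24"],
}


def to_host_routes(peers):
    """Rewrite every Allowed Address as a single-host prefix (/32 or /128)."""
    fixed = {}
    for name, cidrs in peers.items():
        hosts = [ipaddress.ip_interface(c).ip for c in cidrs]
        fixed[name] = [f"{ip}/{ip.max_prefixlen}" for ip in hosts]
    return fixed


def find_overlaps(peers):
    """Return (peer_a, peer_b, net_a, net_b) for every overlapping pair."""
    entries = [
        (name, ipaddress.ip_network(c, strict=False))
        for name, cidrs in peers.items()
        for c in cidrs
    ]
    conflicts = []
    for (n1, net1), (n2, net2) in combinations(entries, 2):
        if n1 != n2 and net1.version == net2.version and net1.overlaps(net2):
            conflicts.append((n1, n2, str(net1), str(net2)))
    return conflicts


def peers_matching(peers, destination):
    """List the peers whose Allowed Address covers a destination IP."""
    dst = ipaddress.ip_address(destination)
    return [
        name
        for name, cidrs in peers.items()
        if any(dst in ipaddress.ip_network(c, strict=False) for c in cidrs)
    ]


if __name__ == "__main__":
    fixed = to_host_routes(PEERS_AS_24)
    print(len(find_overlaps(PEERS_AS_24)), "overlaps as /24,", len(find_overlaps(fixed)), "as /32")
    print("10.0.0.2 ->", peers_matching(fixed, "10.0.0.2"))
```

With /24 on every peer, each tunnel address is claimed by all three peers; after the rewrite each address maps to exactly one peer.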
Re:How to Configure WireGuard VPN on Omada Controller
2023-08-23 22:31:18

  @Clive_A 

Is there a tutorial on how to set this up on a mobile device like iOS or Android?
That would be helpful.

I set up L2TP/IPsec so the router can be accessed through a Windows computer, but the VPN won't set up on a mobile device.

Hoping WireGuard is usable for different devices.

#2
Re:How to Configure WireGuard VPN on Omada Controller
2023-08-25 03:18:23

Hi @FlameOtter 

The setup for Wireguard is the same. You have to put in the parameters and the software is the same as well. Unlike L2TP or IPsec, you may see different names for a parameter on a different system.

But the WireGuard and OVPN are the software and universal. Which part is quite hard to configure in Android or iOS?

I am open to your suggestions and fix the problem.

#3
Re:How to Configure WireGuard VPN on Omada Controller
2023-08-25 14:21:26

  @Clive_A 

Thank you for replying. I've figured out how to set up WireGuard and OVPN. It seems like OVPN speeds are slowed on the download by quite a bit compared to WireGuard.

Also did reach out to Tech Support, it seems like IPsec and IKEv2 don't support full tunnels when the VPN is created.

What would be the most recommended VPN Setup?

L2TP, as I see there is that function available on iOS systems now. I don't have an Android so I can't tell which covers the most users.

#4
Re:How to Configure WireGuard VPN on Omada Controller
2023-08-28 01:45:37

Hi  @FlameOtter 

FlameOtter wrote

  @Clive_A 

Thank you for replying. I've figured out how to set up WireGuard and OVPN. It seems like OVPN speeds are slowed on the download by quite a bit compared to WireGuard.

Also did reach out to Tech Support, it seems like IPsec and IKEv2 don't support full tunnels when the VPN is created.

What would be the most recommended VPN Setup?

L2TP, as I see there is that function available on iOS systems now. I don't have an Android so I can't tell which covers the most users.

 

WireGuard as the latest gen of VPN is faster than any older type of VPN. Quite normal to see a difference in the speed with different types.

IPsec was first designed for site-to-site. Never an ideal option for client-to-site full tunnel connection. So I don't have any suggestions on this. Consider a different type.

 

OVPN for most basic use. If you are advanced enough, use WireGuard as it relates to routing. If you misconfigure one peer of the WireGuard, everything goes haywire. This is one of my motives for writing this configuration guide and plan to add more scenarios in the future.

 

#5
Re:How to Configure WireGuard VPN on Omada Controller
2023-09-03 23:15:13

  @Clive_A any way to configure a peer with a FQDN and not an IP, the site I am connecting to has a dynamic IP so it will work only as long as the IP stays the same. I don't want to have to login remotely every time the IP address changes.

#6
Re:How to Configure WireGuard VPN on Omada Controller
2023-09-04 01:49:16

Hi @nlibby 

Thanks for posting in our business forum.

nlibby wrote

  @Clive_A any way to configure a peer with a FQDN and not an IP, the site I am connecting to has a dynamic IP so it will work only as long as the IP stays the same. I don't want to have to login remotely every time the IP address changes.

WireGuard software supports FQDN. It's not the same as the Site-to-Site. Your client is connecting by the WireGuard software and you can specify more parameters based on the WireGuard guide. The script is written by you.

#7
Re:How to Configure WireGuard VPN on Omada Controller
2023-09-04 02:01:37
The Client in this case is a ER605, so for the ER605 to connect back to my ER8411 long term it needs to be able to accept FQDNs.
#8
Re:How to Configure WireGuard VPN on Omada Controller
2023-09-04 06:04:43

Hi @nlibby 

TBH, I don't agree. Up to you how you think it. Yet, in this case, you are clearly allowing the computer to access and forward all the IP addresses to the WireGuard on the ER605.

Moreover, I don't think there is such a concept, client-to-site, in WireGuard. If your goal is to use the FQDN, then you can start a new thread in the Requests & Suggestions.

Please don't spam comments under the guide. Or I will manually remove duplicate posts. Either start a request thread in the correct section or a new thread to bring up questions.

#9
Re:How to Configure WireGuard VPN on Omada Controller
2023-10-31 14:27:46
Is there something that needs to be done so I can access computers on the network after connecting through WireGuard? I specifically need to RDP to one computer.
#10
Re:How to Configure WireGuard VPN on Omada Controller
2023-10-31 17:33:38

  @Booneville 

How do you have Wireguard configured?

Have you tried connecting to the other computers through RDP from a device within the local network already before connecting from outside with Wireguard?

Some of those details might be helpful.

 

 

#11