Configuration Guide: How to Configure WireGuard VPN on Omada Controller
Background:
This post provides a comprehensive configuration guide on WireGuard VPN with side notes for explanation.
Extra reference: How to Configure Site-to-Site WireGuard VPN on Omada Controller
This Article Applies to:
All routers with WireGuard VPN are supported.
Configuration Steps:
Step 1. Configure WireGuard VPN on the Omada SDN Controller.
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.
2. Click Create New WireGuard and configure the parameters.
- Name: Specify the name that identifies the WireGuard interface. (This does not affect the VPN tunnel or behavior.)
- Status: Specify whether to enable the WireGuard interface. (Enable or disable your VPN tunnel.)
- MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (Usually, it does not need to be set, and is generally determined automatically by the system.)
- Listen Port: Specify the port number that the WireGuard interface listens to. The default value is 51820. (Usually, the client does not need this to be configured. In this example, our router is the server. You can change this if you need it and you know what you are doing.)
- Local IP Address: Specify the IP address of the WireGuard interface. (Define the IP address of the WireGuard interface, which should be a non-occupied IP address.)
- Private Key: Specify the private key of the WireGuard interface. The value is automatically generated on the device, and you can also modify it manually. (This defines the private key of this specific VPN tunnel. It has to be set and cannot be shared with other tunnels.)
3. Click Apply. The WireGuard VPN entry will be displayed.
Step 2. Configure the WireGuard VPN on the PC
We use a Windows PC as an example.
1. On the PC, download and install the WireGuard VPN software from https://www.wireguard.com/install.
2. Open the WireGuard VPN software and choose Add Tunnel > Add empty tunnel.
3. Record the public key information and fill in the following parameters:
[Interface]
Address = 10.0.0.1/24 (Fill in the interface IP address for the WireGuard VPN. You can fill in what you like, but a non-occupied IP or subnet is recommended.)
DNS = 8.8.8.8 (Fill in the DNS server. If not specified, the PC (as the VPN client) will be unable to access the Internet. VPN clients use this specified DNS server to process DNS requests in the tunnel. You may set multiple servers here, e.g. DNS = 8.8.8.8,1.1.1.1.)
[Peer]
PublicKey = Ulv24MDAJMZYjAXAfXEYX+P/hU4SwwcNGpx6NIX5rTY= (Fill in the public key of the WireGuard VPN configured on the Omada SDN Controller. This defines the public key of the peer server. It has to be set correctly.)
AllowedIPs = 0.0.0.0/0 (0.0.0.0/0 means that all data sent by the PC (the source) goes into the VPN tunnel, reaches the peer, and is then forwarded by the Omada Router. It is the range of source addresses allowed in VPN traffic sent by this peer.)
If you set it to a subnet of the LAN behind your Omada router (for example 10.20.0.1/24), only traffic destined for 10.20.0.1/24 is routed into the VPN tunnel. Because this affects how your traffic is routed, set it at your own discretion.
Endpoint = 192.168.1.110:51820 (Fill in the Omada Router’s WAN IP address and corresponding port. Specify the public IP address of the remote server or peer.)
4. Save the above configuration as shown below.
Step 3. Configure peer information on the Omada SDN Controller.
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.
2. Click Create New Peer. Configure the parameters and click Apply.
- Name: Specify the name that identifies the peer.
- Status: Specify whether to enable the peer.
- Interface: Choose the WireGuard interface to which the peer belongs.
- Endpoint: Specify the IP address of the peer. This parameter is required when the Omada Router actively connects to another WireGuard server. (Specify the public network address of the remote peer. This field can be ignored if the remote peer is behind a NAT or does not have a stable public address, which is the case in this guide: a PC behind a NAT.)
- Endpoint Port: Specify the port number of the peer. This parameter is required when the Omada Router actively connects to another WireGuard server.
- Allowed Address: Specify the address segment that allows traffic to pass through. It is the same as the WireGuard VPN interface IP configured on the PC.
- Persistent Keepalive: Specify the tunnel keepalive packet interval. (This defines the interval at which keepalive packets are sent to the Allowed Address.)
- Comment: Enter the description of the peer.
- Public Key: Fill in the public key of the peer PC. (This is the public key of the peer. If you have multiple servers in a WireGuard tunnel, every node, including relay servers, has to have its public key set properly. They can share the same public key with other peers. However, this is not what we discuss in this guide.)
- Preshared Key: Specify a shared key if needed.
Step 4. Connect to the Omada SDN Controller using WireGuard VPN.
Click Activate on the WireGuard VPN to connect to the Omada SDN Controller. The Status will change from Inactive to Active, indicating that the VPN connection has been successfully established.
Note:
1. If you are configuring peer-to-multiple-peers, and plan to set up the interfaces on multiple peers in the same subnet, like 10.0.0.1/24, make sure you set the Allowed Address in the peer settings on the Omada router to /32 instead of /24 in Configuration Step 3.
For example, devices are using the interfaces below:
iOS device A, Peer A, interface = 10.0.0.1/24
macOS device B, Peer B, interface = 10.0.0.2/24
Windows device C, interface = 10.0.0.3/24
...
Allowed IPs in the Omada router peer settings for A, B, and C should be 10.0.0.1/32, 10.0.0.2/32, 10.0.0.3/32, and so on.
2. UBNT WireGuard VPN Config Guide with Omada Routers
3. In some extremely rare situations, if you cannot access the web but everything else, like ping or SSH, works properly, and you are using PPPoE, you may consider lowering your WireGuard MTU to avoid such an issue.
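As an added example (not part of the original guide), the cryptokey-routing rule behind Step 3's Allowed Address and Note 1 checked in Python: a small parser for wg-quick style peer tables, a finder for overlapping AllowedIPs between peers, and the /32 narrowing the note recommends. The router-side table and the <...> public keys in it are constructed placeholders.

```python
import ipaddress

# Cryptokey routing: every AllowedIPs network belongs to exactly ONE peer, and a
# network listed for several peers is silently taken over by the one added last.
# Three road warriors all allowed with 10.0.0.x/24 therefore leave one reachable.

def parse_wg_conf(text):
    """Parse a wg-quick style file into ([Interface] dict, list of [Peer] dicts)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            peers.append({})
            current = peers[-1]
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # keys end in '='
            current[key] = value
    return interface, peers

def allowed_ips(peer):
    """AllowedIPs entries with their host bits preserved (10.0.0.1/24 stays as given)."""
    return [ipaddress.ip_interface(e.strip())
            for e in peer.get("AllowedIPs", "").split(",") if e.strip()]

def find_allowed_ip_conflicts(peers):
    """Pairs of peers whose AllowedIPs overlap, i.e. routes that shadow each other."""
    owned = [(p.get("PublicKey", f"peer#{i}"), a.network)
             for i, p in enumerate(peers) for a in allowed_ips(p)]
    return [(k1, k2, str(n1 if n1.prefixlen >= n2.prefixlen else n2))
            for i, (k1, n1) in enumerate(owned) for k2, n2 in owned[i + 1:]
            if k1 != k2 and n1.version == n2.version and n1.overlaps(n2)]

def apply_host_routes(peers):
    """Note 1's fix: narrow every AllowedIPs entry to its single host (/32 or /128)."""
    return [{**p, "AllowedIPs": ", ".join(f"{a.ip}/{a.max_prefixlen}"
                                           for a in allowed_ips(p))} for p in peers]

# Constructed router-side peer table for devices A, B and C from Note 1, in the
# form wg-quick would use; the <...> keys are placeholders, not WireGuard keys.
ROUTER_CONF_WRONG = "[Interface]\nListenPort = 51820\n" + "".join(
    f"[Peer]\nPublicKey = <PEER_{name}_PUBKEY>\nAllowedIPs = 10.0.0.{i}/24\n"
    for i, name in enumerate("ABC", start=1))
```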
Update Log:
Jun 20th, 2024:
Update the Note.
Mar 18th, 2024:
Update the Note.
Jan 16th, 2024:
Update the format.
Add a note to the peer-to-multiple-peers situation.
Recommended Threads:
UBNT WireGuard VPN Config Guide with Omada Routers
Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates
Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates
@Clive_A thanks again. I now have a remote iPad client working and a remote android as well, each with their own config files. Happy with the results.
Following on from the original guide, for anyone having issues setting this up with a Linux client the following should help. Tested in Debian 12.5 with gnome desktop env. But should also work in Ubuntu 22.04 LTS.
To create the private key on the client machine to paste into the conf example below:
Install WireGuard if you have not done so already.
sudo apt install wireguard --assume-yes
cd /etc/wireguard
If you get permission denied in the last step, run sudo -i, then try again.
(umask 077 && wg genkey > wg-private.key)
wg pubkey < wg-private.key > wg-public.key
cat wg-private.key
As well as the wg-private.key from the last step, you will also need the wg-public.key.
This public key needs to be pasted into the router at the Create New Peer step later.
From the wireguard directory (assuming you know how to use the nano text editor):
nano wg0.conf
(This can be renamed to whatever you like but must end in .conf.)
Paste in the following and edit according to the notes below.
-----------long version with comments
[Interface]
PrivateKey = <PASTE wg-private.key HERE>
## Client IP (no need to change unless this is second or third peer)
Address = 10.0.0.1/24
## Add A DNS server
DNS = 1.1.1.1
[Peer]
## PublicKey from wireguard tab in router (created from + Create New Wireguard option)
## You will also need to port forward to the unique local IP address of the WireGuard server chosen in the + Create New Wireguard step
PublicKey = <PASTE PUBLIC KEY HERE>
## To pass Internet traffic use 0.0.0.0/0; for peer connection only, use the local IP of the server you want to access, or specify comma-separated IPs
AllowedIPs = 0.0.0.0/0
## Public IP of router and the port
Endpoint = <YOUR PUBLIC WAN IP:WG-PORT>
## Optional
PersistentKeepalive = 20
-----------
-----------Short Version
[Interface]
PrivateKey = <PASTE wg-private.key HERE>
Address = 10.0.0.1/24
DNS = 1.1.1.1
[Peer]
PublicKey = <PASTE PUBLIC KEY HERE>
AllowedIPs = 0.0.0.0/0
Endpoint = <YOUR PUBLIC WAN IP:WG-PORT>
PersistentKeepalive = 20
-----------
Run the following steps to import the config into the Linux network manager:
CONF_FILE="wg0.conf"
nmcli connection import type wireguard file "$CONF_FILE"
It should now be available to use in your network manager.
To remove the config from network manager if it is not working or no longer used, run
nmcli connection delete wg0
You can add multiple WG toggles in this way if you have many VPNs.
I called my conf file oc200.conf not the default wg0.conf. Also the gnome extension "WG indicator" is useful as it lights up red when a WG VPN is active.
You can also import the conf file with a GUI using this gnome extension, but best to manage it from the terminal.
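To check that the PublicKey pasted into the router's peer entry really belongs to the client's wg-private.key, here is an added example (not part of the post above) that reproduces what `wg pubkey` computes: X25519 scalar multiplication of the base point, ported to pure Python from the RFC 7748 ladder.

```python
import base64

# WireGuard keys are 32-byte X25519 keys in base64 (44 characters ending in '=').
# `wg pubkey` derives the public key as X25519(private, 9); this pure Python port of
# the RFC 7748 Montgomery ladder does the same, so the PublicKey pasted into the
# router's peer entry can be checked offline against the client's wg-private.key.
P = 2**255 - 19
A24 = 121665

def _decode_key(b64):
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return raw

def x25519_base(private):
    """Scalar multiplication of the base point u=9 (RFC 7748, section 5)."""
    k = bytearray(private)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp, as wg genkey already does
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in range(254, -1, -1):                    # Montgomery ladder, MSB first
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_key_from_bytes(raw):
    """Encode 32 raw key bytes the way wg genkey / wg pubkey print them."""
    return base64.b64encode(raw).decode()

def public_key_from_private(private_b64):
    """Equivalent of `wg pubkey < wg-private.key`."""
    return wg_key_from_bytes(x25519_base(_decode_key(private_b64)))

def keypair_matches(private_b64, public_b64):
    """True when the PublicKey on the router's peer entry belongs to this private key."""
    return public_key_from_private(private_b64) == wg_key_from_bytes(_decode_key(public_b64))
```

Run `public_key_from_private(open("/etc/wireguard/wg-private.key").read().strip())` on the client and compare it with what was pasted into the Create New Peer form.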
Is there a way to see active WireGuard connections? I can't seem to find my active connections. Is this not implemented yet?
Active incoming connections to the router?
Or active connections on a Linux client/PC? In my example I'm just using the wireguard-VPN-extension (GNOME extension).
But to see incoming WireGuard connections at the router or OC, I'm not sure and not qualified to answer. Hopefully one of the TP-Link guys knows and will get back to you.
@j1979 Yep, I meant active incoming connections to the router!
Controller mode: go to the VPN connections. That'll display all the types of connections.
Standalone: in the same tab as WireGuard, you have the active connections listed in the peer.
Hi @Clive_A, well, that's not very satisfying. I can't see if the connection is currently active, for example. Furthermore, I can't see traffic or any statistics regarding the WireGuard connection.
Edit: OK, it's in Insights > VPN Status
DarkwingDuck wrote
Hi @Clive_A, well, that's not very satisfying. I can't see if the connection is currently active, for example. Furthermore, I can't see traffic or any statistics regarding the WireGuard connection.
Edit: OK, it's in Insights > VPN Status
Good to know you've found it.
Try to get familiar with the system. The status information is based on certain pages. It isn't displayed anywhere else but in one centralized place.
First off, thank you for your guide! With it I have been able to at least connect to my router. My issue currently is how do I connect to my internal DNS.
- For instance I have my internal network setup as 192.168.5.0
- My DNS is running piHole on 192.168.5.2
I have my WireGuard set to use the IP address 192.168.5.3. Nothing is connected to this.
Now this is the part that has me a bit confused, and I have tried a couple of different IPs.
On the peer, I have set up the allowed address of 10.0.0.1/24. I have also tried 192.168.5.4/24. Neither of these options responds to my internal DNS server on 192.168.5.3.
Maybe you can see what I am doing wrong. I apologize if this is an easy fix. I am just starting to dive into advanced network setups.
Cheers
Hi @CeApollo
Thanks for posting in our business forum.
CeApollo wrote
First off, thank you for your guide! With it I have been able to at least connect to my router. My issue currently is how do I connect to my internal DNS.
- For instance I have my internal network setup as 192.168.5.0
- My DNS is running piHole on 192.168.5.2
I have my WireGuard set to use the IP address 192.168.5.3. Nothing is connected to this.
Now this is the part that has me a bit confused, and I have tried a couple of different IPs.
On the peer, I have set up the allowed address of 10.0.0.1/24. I have also tried 192.168.5.4/24. Neither of these options responds to my internal DNS server on 192.168.5.3.
Maybe you can see what I am doing wrong. I apologize if this is an easy fix. I am just starting to dive into advanced network setups.
Cheers
Start a new thread with the diagram and your current config if you need to further discuss your issue. Mosaic the sensitive information.
Interface IP should be excluded from the 192.168.5.0/24. Try to change this first.