Configuration Guide: How to Configure WireGuard VPN on Omada Controller
Background:
This post provides a comprehensive configuration guide on WireGuard VPN with side notes for explanation.
Extra reference: How to Configure Site-to-Site WireGuard VPN on Omada Controller
This Article Applies to:
All routers with WireGuard VPN are supported.
Configuration Steps:
Step 1. Configure WireGuard VPN on the Omada SDN Controller.
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.
2. Click Create New WireGuard and configure the parameters.
- Name: Specify the name that identifies the WireGuard interface. (This does not affect the VPN tunnel or behavior.)
- Status: Specify whether to enable the WireGuard interface. (Enable or disable your VPN tunnel.)
- MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (Usually, it does not need to be set, and is generally determined automatically by the system.)
- Listen Port: Specify the port number that the WireGuard interface listens to. The default value is 51820. (Usually, the client does not need this to be configured. In this example, our router is the server. You can change this if you need it and you know what you are doing.)
- Local IP Address: Specify the IP address of the WireGuard interface. (Define the IP address of the WireGuard interface, which should be a non-occupied IP address.)
- Private Key: Specify the private key of the WireGuard interface. The value is generated automatically on the device, and you can also modify it manually. (Defines the private key of this specific VPN tunnel. It has to be set and cannot be shared with other tunnels.)
3. Click Apply. The WireGuard VPN entry will be displayed.
Step 2. Configure the WireGuard VPN on the PC
We use a Windows PC as an example.
1. On the PC, download and install the WireGuard VPN software from https://www.wireguard.com/install.
2. Open the WireGuard VPN software and choose Add Tunnel > Add empty tunnel.
3. Record the public key information and fill in the following parameters:
[Interface]
Address = 10.0.0.1/24 (Fill in the interface IP address for the WireGuard VPN. You can fill in what you like. Recommend a non-occupied IP or subnet.)
DNS = 8.8.8.8 (Fill in the DNS server. If not specified, the PC (as the VPN client) will be unable to access the Internet. VPN clients use this specified DNS server to process DNS requests in the tunnel. You may set multiple servers here, e.g. DNS = 8.8.8.8,1.1.1.1)
[Peer]
PublicKey = Ulv24MDAJMZYjAXAfXEYX+P/hU4SwwcNGpx6NIX5rTY= (Fill in the public key of the WireGuard VPN configured on the Omada SDN Controller. This defines the public key of the peer server. It has to be set correctly.)
AllowedIPs = 0.0.0.0/0 (0.0.0.0/0 means that all data sent by the PC (source) goes into the VPN tunnel, reaches the peer, and is then forwarded by the Omada Router. This is the range of source addresses allowed in VPN traffic sent by this peer.)
If you set it to a subnet (10.20.0.1/24) of the LAN behind your Omada router, data is routed into the VPN tunnel only when you access a destination in 10.20.0.1/24. Because this affects how your traffic is routed, set it at your own discretion.
Endpoint = 192.168.1.110:51820 (Fill in the Omada Router’s WAN IP address and corresponding port. Specify the public IP address of the remote server or peer.)
4. Save the above configuration as shown below.
Step 3. Configure peer information on the Omada SDN Controller.
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.
2. Click Create New Peer. Configure the parameters and click Apply.
- Name: Specify the name that identifies the peer.
- Status: Specify whether to enable the peer.
- Interface: Choose the WireGuard interface to which the peer belongs.
- Endpoint: Specify the IP address of the peer. This parameter is required when the Omada Router actively connects to another WireGuard server. (Specify the public network address of the remote peer. This field can be ignored if the remote peer is behind a NAT or does not have a stable public address, which is the case in this guide: a PC behind a NAT.)
- Endpoint Port: Specify the port number of the peer. This parameter is required when the Omada Router actively connects to another WireGuard server.
- Allowed Address: Specify the address segment that allows traffic to pass through. It is the same as the WireGuard VPN interface IP configured on the PC.
- Persistent Keepalive: Specify the tunnel keepalive packet interval. (This defines the interval of keepalive packets sent to the Allowed Address.)
- Comment: Enter the description of the peer.
- Public Key: Fill in the public key of the peer PC. (The public key of the peer. If you have multiple servers in a WireGuard tunnel, every node, including relay servers, must have its public key set properly. They can share the same public key with other peers. Yet, this is not what we discuss in this guide.)
- Preshared Key: Specify a shared key if needed.
Step 4. Connect to the Omada SDN Controller using WireGuard VPN.
Click Activate on the WireGuard VPN to connect to the Omada SDN Controller. The Status will change from Inactive to Active, indicating that the VPN connection has been successfully established.
Note:
1. If you are configuring peer-to-multiple-peers and plan to give the interfaces on multiple peers the same subnet, such as 10.0.0.1/24, make sure the peer settings on the Omada router use /32 instead of /24 in the Allowed Address field of Configuration Step 3.
i.e. Devices are using the interfaces below:
iOS device A, Peer A, interface = 10.0.0.1/24
macOS device B, Peer B, interface = 10.0.0.2/24
Windows device C, interface = 10.0.0.3/24
...
Allowed IPs (the Allowed Address field) in the Omada router peer settings for A, B, and C should be 10.0.0.1/32, 10.0.0.2/32, 10.0.0.3/32, and so on.
2. UBNT WireGuard VPN Config Guide with Omada Routers
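The /32 rule in the Note and the key format from Step 3 can be checked mechanically before a peer table is applied. The script below is an added example, not part of this guide or of the Omada software: it parses a WireGuard-style [Peer] table (a constructed one standing in for the router's peer list, with placeholder byte patterns instead of real keys) and reports malformed public keys, Allowed Addresses with host bits set, and Allowed Addresses that overlap between peers, which is exactly what happens when every peer is given the whole /24.

```python
import base64
import ipaddress

def fake_key(n):
    """Constructed placeholder: 32 bytes of value n, base64-encoded, the shape of a real key."""
    return base64.b64encode(bytes([n]) * 32).decode()

# Constructed router-side peer table for devices A, B and C from the Note, with the /24 mistake.
BAD_PEERS = "".join(
    f"[Peer]\nPublicKey = {fake_key(n)}\nAllowedIPs = 10.0.0.{n}/24\n" for n in (1, 2, 3))
GOOD_PEERS = BAD_PEERS.replace("/24", "/32")  # the corrected form the Note asks for

def parse_peers(text):
    """Minimal [Peer] parser: one dict per peer, AllowedIPs collected as a list."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[peer]":
            peers.append({"AllowedIPs": []})
        elif peers and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "AllowedIPs":
                peers[-1]["AllowedIPs"] += [v.strip() for v in val.split(",") if v.strip()]
            else:
                peers[-1][key] = val
    return peers

def valid_key(key):
    """A WireGuard public key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def check_peers(text):
    """Return a list of findings; an empty list means the peer table is consistent."""
    findings, nets = [], []
    for i, p in enumerate(parse_peers(text), 1):
        if not valid_key(p.get("PublicKey", "")):
            findings.append(f"peer {i}: PublicKey is not a 32-byte base64 key")
        for cidr in p["AllowedIPs"]:
            try:
                net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
            except ValueError:
                net = ipaddress.ip_network(cidr, strict=False)
                findings.append(f"peer {i}: {cidr} has host bits set; it really selects {net}")
            for j, other in nets:  # cryptokey routing: each address may belong to one peer only
                if net.overlaps(other):
                    findings.append(f"peer {i}: {cidr} overlaps peer {j} ({other})")
            nets.append((i, net))
    return findings
```

Run `check_peers(BAD_PEERS)` to see the six findings the /24 table produces; the /32 table returns an empty list.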
Update Log:
Mar 18th, 2024:
Update the Note.
Jan 16th, 2024:
Update the format.
Add a note to the peer-to-multiple-peers situation.
Recommended Threads:
UBNT WireGuard VPN Config Guide with Omada Routers
@Clive_A thanks again. I now have a remote iPad client working and a remote android as well, each with their own config files. Happy with the results.
Following on from the original guide, for anyone having issues setting this up with a Linux client the following should help. Tested in Debian 12.5 with gnome desktop env. But should also work in Ubuntu 22.04 LTS.
To create the private key on the client machine to paste in the below conf example.
install wireguard if not done so already.
sudo apt install wireguard --assume-yes
cd /etc/wireguard
if you get permission denied in the last step run sudo -i then try again.
(umask 077 && wg genkey > wg-private.key)
wg pubkey < wg-private.key > wg-public.key
cat wg-private.key
As well as the wg-private.key from the last step, you will also need the wg-public.key.
This public key needs to be pasted into the router on the Create Peer step later.
From the wireguard directory (assuming you know how to use nano text editor)
nano wg0.conf
(this can be renamed to whatever you like but must end in .conf)
paste in the following and edit according to the notes below.
-----------long version with comments
[Interface]
PrivateKey = <PASTE wg-private.key HERE>
## Client IP (no need to change unless this is second or third peer)
Address = 10.0.0.1/24
## Add A DNS server
DNS = 1.1.1.1
[Peer]
## PublicKey from wireguard tab in router (created from + Create New Wireguard option)
## You will also need to port forward the unique local IP address of the wireguard server chosen in the + Create New Wireguard step
PublicKey = <PASTE PUBLIC KEY HERE>
## to pass internet traffic 0.0.0.0 but for peer connection only use local IP of the server you want to access, or you can also specify comma separated IPs
AllowedIPs = 0.0.0.0/0
## Public IP of router and the port
Endpoint = <YOUR PUBLIC WAN IP:WG-PORT>
## Optional
PersistentKeepalive = 20
-----------
-----------Short Version
[Interface]
PrivateKey = <PASTE wg-private.key HERE>
Address = 10.0.0.1/24
DNS = 1.1.1.1
[Peer]
PublicKey = <PASTE PUBLIC KEY HERE>
AllowedIPs = 0.0.0.0/0
Endpoint = <YOUR PUBLIC WAN IP:WG-PORT>
PersistentKeepalive = 20
-----------
Run the following steps to import the config into the Linux network manager:
CONF_FILE="wg0.conf"
nmcli connection import type wireguard file "$CONF_FILE"
It should now be available to use in your network manager.
To remove the config from network manager if it is not working or no longer used, run
nmcli connection delete wg0
You can add multiple WG toggles in this way if you have many VPNs.
I called my conf file oc200.conf not the default wg0.conf. Also the gnome extension "WG indicator" is useful as it lights up red when a WG VPN is active.
You can also import the conf file with a GUI using this gnome extension, but best to manage it from the terminal.