Configuration Guide: How to Configure WireGuard VPN on Omada Controller
Background:
This post provides a step-by-step configuration guide for WireGuard VPN, with side notes in parentheses explaining each setting.
Extra reference: How to Configure Site-to-Site WireGuard VPN on Omada Controller
This Article Applies to:
All Omada routers that support WireGuard VPN.
Configuration Steps:
Step 1. Configure WireGuard VPN on the Omada SDN Controller.
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.
2. Click Create New WireGuard and configure the parameters.
- Name: Specify the name that identifies the WireGuard interface. (Purely a label; it does not affect the tunnel or its behavior.)
- Status: Specify whether to enable the WireGuard interface. (Enables or disables the tunnel as a whole.)
- MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (It usually does not need changing. 1420 is the 1500-byte Ethernet MTU minus WireGuard's 80-byte overhead when the outer packet is IPv6; over IPv4 the overhead is 60 bytes. If your WAN MTU is smaller, for example 1492 on PPPoE, subtract the same overhead from that value instead.)
- Listen Port: Specify the UDP port number that the WireGuard interface listens on. The default value is 51820. (In this example the router is the server, so this is the port the clients connect to; the clients themselves do not need a fixed port. Change it only if you have a reason to, and remember that any upstream firewall or NAT must let that UDP port through to the router.)
- Local IP Address: Specify the IP address of the WireGuard interface. (This is the router's own address inside the tunnel. Use an address from a dedicated tunnel subnet that does not overlap any LAN, VLAN, or other VPN subnet on the router.)
- Private Key: Specify the private key of the WireGuard interface. The value is generated on the device automatically, and you can also replace it manually. (This key identifies this interface; its matching public key is what the clients put in their [Peer] section. Never reuse it for another tunnel, and never copy it anywhere other than the device that owns it.)
3. Click Apply. The WireGuard VPN entry will be displayed.
Step 2. Configure the WireGuard VPN on the PC
We use a Windows PC as an example.
1. On the PC, download and install the WireGuard VPN software from https://www.wireguard.com/install.
2. Open the WireGuard VPN software and choose Add Tunnel > Add empty tunnel.
3. Note the public key the software generates for the new tunnel (you will enter it on the controller in Step 3), then fill in the following parameters:
[Interface]
Address = 10.0.0.1/24 (The PC's address inside the tunnel. Conventionally it is taken from the same tunnel subnet as the router's Local IP Address in Step 1, although WireGuard itself does not require that, since AllowedIPs rather than the subnet drives routing. Whatever you choose, make sure the address and subnet are not in use anywhere else on either side.)
DNS = 8.8.8.8 (The DNS server the PC uses while the tunnel is up. With AllowedIPs = 0.0.0.0/0 below, all DNS queries travel through the tunnel, so if you leave this empty and the PC's normal resolver is only reachable on its local network, name resolution fails and with it most Internet access. Any resolver reachable through the tunnel works; to resolve internal hostnames, point it at the router's LAN address or an internal DNS server instead of a public one. Multiple servers are comma-separated: DNS = 8.8.8.8,1.1.1.1)
[Peer]
PublicKey = Ulv24MDAJMZYjAXAfXEYX+P/hU4SwwcNGpx6NIX5rTY= (The public key of the WireGuard interface configured on the Omada SDN Controller in Step 1. A handshake only completes if this matches the router's key exactly, so copy it from the controller rather than retyping it.)
AllowedIPs = 0.0.0.0/0 (AllowedIPs does two jobs: on the way out it decides which destination addresses the PC sends into the tunnel to this peer, and on the way in it drops any packet from this peer whose source address is not inside it. 0.0.0.0/0 is a full tunnel: every packet the PC sends goes to the router and is forwarded to the LAN, or out of the router's WAN to the Internet, from there.)
If you set it to a LAN subnet of the Omada router instead (for example 10.20.0.0/24; use the network address, not a host address such as 10.20.0.1/24), only traffic to that subnet enters the tunnel and everything else uses the PC's normal connection (split tunnel). This setting decides how the PC routes all of its traffic, so choose it deliberately.
Endpoint = 192.168.1.110:51820 (The Omada router's WAN IP address and the Listen Port from Step 1. 192.168.1.110 is the router's WAN address in this lab; in a real deployment use the router's public IP or a DDNS hostname, and if the router's WAN itself sits behind another NAT, forward that UDP port to the router.)
4. Save the above configuration as shown below.
Step 3. Configure peer information on the Omada SDN Controller.
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.
2. Click Create New Peer. Configure the parameters and click Apply.
- Name: Specify the name that identifies the peer.
- Status: Specify whether to enable the peer.
- Interface: Choose the WireGuard interface to which the peer belongs.
- Endpoint: Specify the IP address of the peer. This parameter is required only when the Omada Router actively connects to another WireGuard server. (Leave it empty for a road-warrior client like the PC in this guide: the PC sits behind a NAT with no stable public address, so the router learns the PC's current address and port from the PC's handshake instead.)
- Endpoint Port: Specify the port number of the peer. Like Endpoint, this is only required when the Omada Router initiates the connection.
- Allowed Address: Specify the address range whose traffic is allowed to pass to and from this peer. Enter the PC's tunnel address from Step 2 as a single host, 10.0.0.1/32. Do not enter the /24: a prefix can belong to only one peer per interface, so a /24 would claim the whole tunnel subnet for this PC and break every other peer using an address in it.
- Persistent Keepalive: Specify the tunnel keepalive packet interval. (The router sends an empty encrypted packet to the peer's endpoint at this interval so that a NAT or stateful firewall between the two keeps the UDP mapping open. It only helps when sent from the side behind the NAT, so for this guide it matters more in the PC's config, where the option is called PersistentKeepalive and 25 seconds is the usual value, than here.)
- Comment: Enter a description of the peer.
- Public Key: Fill in the public key recorded from the PC's WireGuard software in Step 2. (Every peer must have its own key pair. Two peers on the same interface cannot share a public key, because the key is what the router uses to tell peers apart; when you add more clients, generate a fresh key pair on each of them.)
- Preshared Key: Optionally enter a preshared key. (A 32-byte random value, generated with the WireGuard tools and entered identically on both sides, that is mixed into the handshake as an additional symmetric secret. If it is set on one side only, the handshake fails.)
Step 4. Connect to the Omada SDN Controller using WireGuard VPN.
Click Activate on the tunnel in the WireGuard software to connect to the Omada router. The Status changes from Inactive to Active. Note that Active only means the PC has brought up its local tunnel interface; WireGuard has no connection state, so the real indicator is the Latest handshake line in the client, which should show a time within the last couple of minutes once traffic flows. If Latest handshake never appears, the usual causes are a public key or preshared key mismatch on either side, or UDP 51820 not reaching the router; if the handshake succeeds but nothing is reachable, check the Allowed Address on the router, the AllowedIPs on the PC, and the PC's DNS setting.
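The check described above, as an added example that is not part of the original post or of the WireGuard project: the `wg` tool (installed with WireGuard on Linux, and shipped as wg.exe in the WireGuard for Windows install directory) prints a machine-readable status with `wg show <iface> dump`. The script below parses that output and reports, per peer, whether a handshake has ever completed, whether the last one is stale, and whether the peer has any allowed IPs at all. The sample dump is constructed and its keys are placeholders; the 180-second staleness threshold and the assumption that wg.exe prints the same format on Windows are mine.

```python
"""Health check for the peers of a WireGuard interface, parsed from the
machine-readable output of `wg show <iface> dump`.  Added example, not part of
the Omada guide or the WireGuard project; the dump below is constructed and
its keys are placeholders, not real key material."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# WireGuard rekeys every 120 s while traffic flows, so a handshake older than
# this means the peer is not currently exchanging data (or is unreachable).
STALE_AFTER_SECONDS = 180  # assumption: a practical threshold, not a protocol constant

# Constructed sample of `wg show wg0 dump`.  Line 1 is the interface itself
# (private key, public key, listen port, fwmark); every following line is one
# peer: public key, preshared key, endpoint, allowed IPs, latest handshake
# (unix seconds, 0 = never), rx bytes, tx bytes, persistent keepalive.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["ROUTER_PRIVATE_KEY_PLACEHOLDER=", "ROUTER_PUBLIC_KEY_PLACEHOLDER=",
               "51820", "off"]),
    "\t".join(["PEER_A_PUBLIC_KEY_PLACEHOLDER=", "(none)", "203.0.113.7:41235",
               "10.0.0.1/32", str(NOW - 30), "184320", "2211840", "off"]),
    "\t".join(["PEER_B_PUBLIC_KEY_PLACEHOLDER=", "(none)", "(none)",
               "10.0.0.2/32", "0", "0", "0", "off"]),
    "\t".join(["PEER_C_PUBLIC_KEY_PLACEHOLDER=", "(none)", "198.51.100.9:51820",
               "(none)", str(NOW - 900), "5120", "6144", "25"]),
])


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]
    allowed_ips: List[str]
    latest_handshake: int  # unix seconds, 0 = never
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]


def parse_dump(text: str) -> List[Peer]:
    """Parse `wg show <iface> dump`: the first line describes the interface
    and is skipped, each remaining non-empty line is one peer."""
    peers: List[Peer] = []
    for line in text.strip("\n").splitlines()[1:]:
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 tab-separated fields, got {len(fields)}: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, keepalive = fields
        peers.append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=[] if allowed == "(none)" else allowed.split(","),
            latest_handshake=int(handshake),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
            keepalive=None if keepalive == "off" else int(keepalive),
        ))
    return peers


def assess(peer: Peer, now: int) -> List[str]:
    """Return the problems found for one peer; an empty list means healthy."""
    problems: List[str] = []
    if peer.latest_handshake == 0:
        # Never handshaked: key or preshared-key mismatch, or the UDP packets
        # never reached this side.  The endpoint is then also still unknown.
        problems.append("never completed a handshake")
    elif now - peer.latest_handshake > STALE_AFTER_SECONDS:
        problems.append(f"last handshake {now - peer.latest_handshake}s ago")
    if not peer.allowed_ips:
        # Handshakes still succeed, but every packet from the peer is dropped
        # and nothing is routed to it: the Allowed Address is missing.
        problems.append("no allowed IPs, so no traffic can be routed to or from it")
    return problems


def report(dump: str, now: Optional[int] = None) -> Dict[str, List[str]]:
    """Map each peer's public key to its list of problems."""
    now = int(time.time()) if now is None else now
    return {p.public_key: assess(p, now) for p in parse_dump(dump)}


if __name__ == "__main__":
    for key, problems in report(SAMPLE_DUMP, NOW).items():
        print(f"{key[:14]}...: {'ok' if not problems else '; '.join(problems)}")
```

To run it against a live interface, pipe the tool's output in instead of SAMPLE_DUMP, for example `report(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True))`; on Windows the executable is wg.exe under the WireGuard program directory and the tunnel name replaces wg0.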
Note:
1. If you are configuring one router with multiple peers, and the peers' interfaces are all on the same subnet such as 10.0.0.0/24, set each peer's Allowed Address in Step 3 to the peer's own address as a /32, not a /24. A prefix can belong to only one peer per interface, so a second peer configured with the same /24 takes the prefix over from the first, and the first peer's traffic stops being routed.
i.e. Devices are using the interfaces below:
iOS device A, Peer A, interface = 10.0.0.1/24
macOS device B, Peer B, interface = 10.0.0.2/24
Windows device C, Peer C, interface = 10.0.0.3/24
...
Allowed Address in the Omada router peer settings for A, B, and C should be 10.0.0.1/32, 10.0.0.2/32, 10.0.0.3/32, and so on.
2. UBNT WireGuard VPN Config Guide with Omada Routers
3. In some rare situations, where web pages fail to load but ping and SSH through the tunnel work, and your WAN uses PPPoE, lower the WireGuard MTU. This symptom is the classic sign of a path MTU problem: small ping and SSH packets fit, full-size TCP segments from a web server do not, and the oversized packets are silently dropped. PPPoE reduces the WAN MTU to 1492, so the tunnel MTU must stay below that minus WireGuard's overhead (60 bytes over IPv4, 80 over IPv6), and any further encapsulation or a smaller link along the path lowers the ceiling again. 1280 is a safe value to test with; raise it once the problem is confirmed gone.
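The failure mode in Note 1 above, as an added example that is not Omada or WireGuard code: a small model of WireGuard's cryptokey routing table that shows why copying each client's /24 into the router's Allowed Address breaks the earlier peers and why /32 entries fix it. It assumes the behaviour documented for the Linux implementation, that a prefix belongs to exactly one peer per interface and that a peer added later with an already-assigned prefix takes it over; that the Omada router behaves the same way is an assumption. The peer names and addresses are constructed from Note 1.

```python
"""Model of WireGuard's cryptokey routing table, used to check the Allowed
Address entries a router holds for several road-warrior peers.  Added example,
not Omada or WireGuard code.  Assumption: the Linux semantics, where a prefix
belongs to exactly one peer per interface and re-adding it moves it to the
newer peer.  Peer names and addresses are constructed."""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_interface, ip_network
from typing import Dict, List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed: the three clients from Note 1, each using a /24 on its own
# interface (which is fine on the client side).
CLIENT_INTERFACES: List[Tuple[str, str]] = [
    ("iOS-A", "10.0.0.1/24"),
    ("macOS-B", "10.0.0.2/24"),
    ("Windows-C", "10.0.0.3/24"),
]


def host_route(cidr: str) -> str:
    """The Allowed Address the router should hold for a client: the client's
    own tunnel address as a single-host prefix, whatever prefix length the
    client uses on its interface."""
    iface = ip_interface(cidr)
    return f"{iface.ip}/{iface.ip.max_prefixlen}"


def build_table(peers: List[Tuple[str, str]]) -> Dict[Network, str]:
    """Build the per-interface table of prefix -> owning peer in the order the
    peers are added.  Adding an already-present prefix moves it to the newer
    peer, exactly like re-using a /24 for a second client."""
    table: Dict[Network, str] = {}
    for name, cidr in peers:
        table[ip_network(cidr, strict=False)] = name
    return table


def lookup(table: Dict[Network, str], dst: str) -> Optional[str]:
    """Longest-prefix match: which peer receives a packet for dst, or None if
    no peer's Allowed Address covers it (WireGuard then drops the packet)."""
    ip = ip_address(dst)
    best: Optional[Tuple[Network, str]] = None
    for net, peer in table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return None if best is None else best[1]


def overlapping_peers(peers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of peers whose Allowed Address ranges overlap; any such pair means
    one of them will silently lose traffic."""
    nets = [(name, ip_network(cidr, strict=False)) for name, cidr in peers]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def main() -> None:
    wrong = build_table(CLIENT_INTERFACES)  # the /24 copied from each client
    right = build_table([(n, host_route(c)) for n, c in CLIENT_INTERFACES])
    print("overlaps with /24 entries:", overlapping_peers(CLIENT_INTERFACES))
    print("10.0.0.1 with /24 entries is sent to:", lookup(wrong, "10.0.0.1"))
    print("10.0.0.1 with /32 entries is sent to:", lookup(right, "10.0.0.1"))
    print("router Allowed Address per peer:",
          {n: host_route(c) for n, c in CLIENT_INTERFACES})


if __name__ == "__main__":
    main()
```

With the /24 copied from the clients, the table ends up holding a single prefix owned by whichever peer was added last, so packets for device A are encrypted to device C and A appears to "stop working" the moment C connects; with /32 entries each address maps to its own peer, and an address no peer owns is dropped rather than misrouted.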
Update Log:
Jun 20th, 2024:
Update the Note.
Mar 18th, 2024:
Update the Note.
Jan 16th, 2024:
Update the format.
Add a note to the peer-to-multiple-peers situation.
Recommended Threads:
UBNT WireGuard VPN Config Guide with Omada Routers
Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates
Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates
Connecting on the Local LAN works fine. Connecting over OpenVPN works fine.
Hi @Booneville
Thanks for posting in our business forum.
Booneville wrote
Is there something that needs to be done so I can access computers on the network after connecting through wireguard. I specifically need to RDP to one computer.
Consider the firewall on your Windows PC. It is quite common to face an RDP issue when you connect to the computer via VPN (because your VPN IP is unknown to it).
If it works over the OpenVPN solution, should it not work over the WireGuard solution.
My understanding is that the WireGuard works faster, but I really like the limiting access to peers directly with WireGuard.
I also see that when connected through WireGuard, I cannot ping anything on the network.
The Network subnet is 192.168.1.1/24 and the WireGuard is a 192.168.100.1/24 network.
Hi @Booneville
Thanks for posting in our business forum.
Booneville wrote
If it works over the OpenVPN solution, should it not work over the WireGuard solution.
My understanding is that the WireGuard works faster, but I really like the limiting access to peers directly with WireGuard.
I also see that when connected through WireGuard, I cannot ping anything on the network.
The Network subnet is 192.168.1.1/24 and the WireGuard is a 192.168.100.1/24 network.
Please go and start a new thread. I'll follow it up.
It does not matter what kind of subnet you use because WG creates the routings automatically.
Also, if you use the official firmware, please update to the beta which fixes problems with the WG VPN. See the pinned thread.
@Clive_A Thank you so much for this incredibly helpful guide, had my first connection up and running in no time. I'm struggling with my second peer device though and hoping you can help. Firstly, am I correct in assuming that I can run a single WireGuard server and have multiple simultaneous unique peer accounts connected? If so, I'm doing something wrong, because when the second peer tries to connect, the first stops working. I setup the first peer interface as per the guide on 10.0.0.1/24 and the second as 10.0.0.2/24 - is this perhaps where I am going wrong?
Hi @Grigsy
Thanks for posting in our business forum.
Grigsy wrote
@Clive_A Thank you so much for this incredibly helpful guide, had my first connection up and running in no time. I'm struggling with my second peer device though and hoping you can help. Firstly, am I correct in assuming that I can run a single WireGuard server and have multiple simultaneous unique peer accounts connected? If so, I'm doing something wrong, because when the second peer tries to connect, the first stops working. I setup the first peer interface as per the guide on 10.0.0.1/24 and the second as 10.0.0.2/24 - is this perhaps where I am going wrong?
Firstly, am I correct in assuming that I can run a single WireGuard server and have multiple simultaneous unique peer accounts connected?
Yes. One server can allow multiple peers to join. On the server, you don't have to specify the Endpoint but you gotta specify the Endpoint on the rest of the peers(AKA clients).
I setup the first peer interface as per the guide on 10.0.0.1/24 and the second as 10.0.0.2/24 - is this perhaps where I am going wrong?
I probably go with 10.0.0.1/32, because the interface does not matter too much in this situation. Even if you set it to be 10.0.0.1/24, and 10.0.0.2/24, it should not affect the connection based on my previous configuration.
So, you can go with either 10.0.0.1/32 10.0.0.2/32, and so on. Interface often does not conflict with each other. So I think it is fine.
Hi @Grigsy
Thanks for posting in our business forum.
Grigsy wrote
Thanks for quick response. I guess whatever the issue is isn't related to the addressing then, as sounds like my existing setup should be working. Any other thoughts on why the second device connecting would cause the first to stop working? It doesn't disconnect for the server, but all communications stop working (can't access local servers or websites through the tunnel)
Does the tunnel still show up in the tunnel list? You can start a new thread and post your config screenshots so I can help you check it.
@Clive_A Yayy! Finally got it configured and working between a remote Windows 11 Pro (V.23H2) client PC to a wireguard server configured on a TP-Link ER8411 router (via static public WAN IP) at home with an Omada OC200 HW Controller. Really appreciate the tutorial. Took me a while to get it sorted, but that's due to my misunderstanding, not the tech, which works great! Thanks so muchly!
Now to try to add a second remote client device located overseas. The tutorial doesn't discuss how to do this but, if I understand it correctly, I would need to set up a new PEER in the WG.VPN server for each remote client, and each remote client would need an individual <clientName> conf file. Would that be correct?
Thanks again.
Paul
Hi @paulrob
Thanks for posting in our business forum.
paulrob wrote
@Clive_A Yayy! Finally got it configured and working between a remote Windows 11 Pro (V.23H2) client PC to a wireguard server configured on a TP-Link ER8411 router (via static public WAN IP) at home with an Omada OC200 HW Controller. Really appreciate the tutorial. Took me a while to get it sorted, but that's due to my misunderstanding, not the tech, which works great! Thanks so muchly!
Now to try to add a second remote client device located overseas. The tutorial doesn't discuss how to do this but, if I understand it correctly, I would need to set up a new PEER in the WG.VPN server for each remote client, and each remote client would need an individual <clientName> conf file. Would that be correct?
Thanks again.
Paul
In response to the red mark, redo Steps 2 and 3. Yes. You are correct.