Configuration Guide How to Configure Site-to-Site WireGuard VPN on Omada Controller
Configuration Guide How to Configure Site-to-Site WireGuard VPN on Omada Controller
Background:
This post provides a comprehensive configuration guide on Site-to-Site WireGuard VPN with side notes for explanation.
Extra reference: How to Configure WireGuard VPN on Omada Controller
This Article Applies to:
All routers with WireGuard VPN are supported.
Application Scenario:
Configuration Steps:
Step 1. Configure the HQ Site WireGuard Interface:
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.
2. Click Create New WireGuard and configure the parameters.
- Name: Specify the name that identifies the WireGuard interface. (This does not affect the VPN tunnel or behavior.)
- Status: Specify whether to enable the WireGuard interface. (Enable or disable your VPN tunnel.)
- MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (Usually, it does not need to be set, and is generally determined automatically by the system.)
- Listen Port: Specify the port number that the WireGuard interface listens to. The default value is 51820. (Usually, the client does not need this to be configured. In this example, our router is the server. You can change this if you need it and you know what you are doing.)
- Local IP Address: Specify the IP address of the WireGuard interface. (Define the IP address of the WireGuard interface, which should be a non-occupied IP address. It is okay to configure outside your existing LAN range.)
- Private Key: Specify the private key of the WireGuard interface. The value will be automatically generated on the device, and you can also modify it manually (Defines the private key of this specific VPN tunnel. It has to be set and cannot be shared with other tunnels.)
3. Click Apply. The WireGuard VPN entry will be displayed.
Step 2. Configure the Satellite Site WireGuard Interface:
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.
2. Click Create New WireGuard and configure the parameters.
- Name: Specify the name that identifies the WireGuard interface. (This does not affect the VPN tunnel or behavior.)
- Status: Specify whether to enable the WireGuard interface. (Enable or disable your VPN tunnel.)
- MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (Usually, it does not need to be set, and is generally determined automatically by the system.)
- Listen Port: Specify the port number that the WireGuard interface listens to. The default value is 51820. (Usually, the client does not need this to be configured. In this example, our router is the server. You can change this if you need it and you know what you are doing.)
- Local IP Address: Specify the IP address of the WireGuard interface. (Define the IP address of the WireGuard interface, which should be a non-occupied IP address. It is okay to configure outside your existing LAN range.)
- Private Key: Specify the private key of the WireGuard interface. The value will be automatically generated on the device, and you can also modify it manually (Defines the private key of this specific VPN tunnel. It has to be set and cannot be shared with other tunnels.)
3. Click Apply. The WireGuard VPN entry will be displayed.
Step 3. Configure Peer Information on the HQ Site Controller:
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.
2. Click Create New Peer. Configure the parameters and click Apply.
- Name: Specify the name that identifies the WireGuard tunnel.
- Status: Specify whether to enable the peer setting.
- Interface: Choose the WireGuard interface to which the peer belongs.
- Endpoint: Specify the IP address of the peer. This parameter is required when the Omada Router actively connects to other WireGuard peers. (If you need to specify the peer server, you can put the public IP address of the peer server. If the HQ has initiated the connection, this can be optional, which is the case in this guide. If you don't specify the Endpoint on both sites, then the connection cannot be made.)
- Endpoint Port: Specify the port number of the peer. This parameter is required when the Omada Router actively connects to other WireGuard peers.
- Allowed Address: Specify the address segment that allows traffic to pass through. (Here you should specify the subnet of the peer LAN. This defines what you are allowed to access on the peer site. If you do not include the subnet, then you don't have access to it.)
- Persistent Keepalive: Specify the tunnel keepalive packet interval. (This defines the interval of the keepalive packet sent to the Allowed Address.)
- Comment: Enter the description of the peer.
- Public Key: Fill in the public key of the peer Satellite site.
- Preshared Key: Specify a shared key if needed.
Step 4. Configure Peer Information on the Satellite Site Controller:
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.
2. Click Create New Peer. Configure the parameters and click Apply.
- Name: Specify the name that identifies the WireGuard tunnel.
- Status: Specify whether to enable the peer setting.
- Interface: Choose the WireGuard interface to which the peer belongs.
- Endpoint: Specify the IP address of the peer. This parameter is required when the Omada Router actively connects to other WireGuard peers. (If you need to specify the peer server, you can put the public IP address of the peer server. If the HQ has initiated the connection, this can be optional, which is the case in this guide. If you don't specify the Endpoint on both sites, then the connection cannot be made.)
- Endpoint Port: Specify the port number of the peer. This parameter is required when the Omada Router actively connects to other WireGuard peers.
- Allowed Address: Specify the address segment that allows traffic to pass through. (Here you should specify the subnet of the peer LAN. This defines what you are allowed to access on the peer site. If you do not include the subnet, then you don't have access to it.)
- Persistent Keepalive: Specify the tunnel keepalive packet interval. (This defines the interval of the keepalive packet sent to the Allowed Address.)
- Comment: Enter the description of the peer.
- Public Key: Fill in the public key of the peer HQ site.
- Preshared Key: Specify a shared key if needed.
Verification:
1. Verify the HQ site has access to the Satellite site.
Use a computer from the HQ to ping the Satellite gateway and PC.
Use a computer from the HQ to access the file server located on the Satellite site. Files can be uploaded or downloaded without any problems.
2. Verify the Satellite site has access to the HQ site.
Use a computer from the Satellite site to ping the HQ gateway.
Update Log:
Jan 11th, 2024:
Update the format.
Recommended Threads:
Configuration Guide How to Configure WireGuard VPN on Omada Controller
Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates
Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates
Feedback:
- If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
- If there is anything unclear in this solution post, please feel free to comment below.
Thank you in advance for your valuable feedback!
------------------------------------------------------------------------------------------------
Have other off-topic issues to report?
Welcome to > Start a New Thread < and elaborate on the issue for assistance.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @dmvazquez
Thanks for posting in our business forum.
dmvazquez wrote
Hi!
ER605 V2 here, firmware 2.2.2.
Trying to config SITE-TO-SITE (permanent tunnel).
How can I add multiple subnets in Peer "Allowed IP" parameter? (On each side).
I can not ping between subnets, but routers can between them.
--------------------------------------------------------
# Subnet A
10.10.2.0/24
# Router A[Wireguard]
Local IP Address = 10.10.10.2
Listen Port = 51820
[Peers]
Public Key = PubKey Router B
Endpoint = Router B IP
Endpoint Port = 51820
Allowed IP = 10.10.3.0/24 <<<<<<<< THIS IS WHERE I CAN NOT ADD ANOTHER SUBNET
Persistent Keepalive = 16
--------------------------------------------------------
# Subnet B
10.10.3.0/24
# Router B[Wireguard]
Local IP Address = 10.10.10.3
Listen Port = 51820
[Peers]
Public Key = PubKey Router A
Endpoint = [empty]
Endpoint Port = [empty]
Allowed IP = 10.10.2.0/24 <<<<<<<< THIS IS WHERE I CAN NOT ADD ANOTHER SUBNET
Persistent Keepalive = 16
--------------------------------------------------------
From any device from Subnet A I can ping only to Router B IP.
(ping 10.10.3.1 >> OK)
(ping 10.10.3.101 >> Request timed out!)
From any device from Subnet B I can ping only to Router A IP.
(ping 10.10.2.1 >> OK)
(ping 10.10.2.101 >> Request timed out!)
Any help will be appreciated!
Thanks!
In controller mode, you can add multiple subnets in allowed-ips.
- Copy Link
- Report Inappropriate Content
@RSCW unfortunately no, the port cannot be accessed on CGNAT
- Copy Link
- Report Inappropriate Content
Information
Helpful: 3
Views: 7298
Replies: 12
Voters 3
