Configuration Guide How to Configure WireGuard VPN on Omada Controller
Background:
This post provides a comprehensive configuration guide on WireGuard VPN with side notes for explanation.
Extra reference: How to Configure Site-to-Site WireGuard VPN on Omada Controller
This Article Applies to:
All routers with WireGuard VPN are supported.
Configuration Steps:
Step 1. Configure WireGuard VPN on the Omada SDN Controller.
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.
2. Click Create New WireGuard and configure the parameters.
- Name: Specify the name that identifies the WireGuard interface. (This does not affect the VPN tunnel or behavior.)
- Status: Specify whether to enable the WireGuard interface. (Enable or disable your VPN tunnel.)
- MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (Usually, it does not need to be set, and is generally determined automatically by the system.)
- Listen Port: Specify the port number that the WireGuard interface listens to. The default value is 51820. (Usually, the client does not need this to be configured. In this example, our router is the server. You can change this if you need it and you know what you are doing.)
- Local IP Address: Specify the IP address of the WireGuard interface. (Define the IP address of the WireGuard interface, which should be a non-occupied IP address.)
- Private Key: Specify the private key of the WireGuard interface. The value will be automatically generated on the device, and you can also modify it manually (Defines the private key of this specific VPN tunnel. It has to be set and cannot be shared with other tunnels.)
3. Click Apply. The WireGuard VPN entry will be displayed.
Step 2. Configure the WireGuard VPN on the PC
We use a Windows PC as an example.
1. On the PC, download and install the WireGuard VPN software from https://www.wireguard.com/install.
2. Open the WireGuard VPN software and choose Add Tunnel > Add empty tunnel.
3. Record the public key information and fill in the following parameters:
[Interface]
Address = 10.0.0.1/24 (Fill in the interface IP address for the WireGuard VPN. You can fill in what you like. Recommend a non-occupied IP or subnet.)
DNS = 8.8.8.8 (Fill in the DNS Server. If not specified, the PC(as the VPN client) will be unable to access the Internet. VPN clients use this specified DNS server to process DNS requests in the tunnel. You may set multiple servers here DNS = 8.8.8.8,1.1.1.1)
[Peer]
PublicKey = Ulv24MDAJMZYjAXAfXEYX+P/hU4SwwcNGpx6NIX5rTY= (Fill in the public key of the WireGuard VPN configured on the Omada SDN Controller. This defines the public key of the peer server. It has to be set correctly.)
AllowedIPs = 0.0.0.0/0 (0.0.0.0/0 means that all data sent by the PC(src) goes to the VPN tunnel, reaches the peer, and is then forwarded by the Omada Router. The range of source addresses allowed in VPN traffic sent by this peer.)
If you set it to be a subnet(10.20.0.1/24) of your LAN on your Omada router, only when you access the destination of 10.20.0.1/24, data is routed to the VPN tunnel. Because this has an effect on how you route your traffic, so set it at your own discretion.
Endpoint = 192.168.1.110:51820 (Fill in the Omada Router’s WAN IP address and corresponding port. Specify the public IP address of the remote server or peer.)
4. Save the above configuration as shown below.
Step 3. Configure peer information on the Omada SDN Controller.
1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.
2. Click Create New Peer. Configure the parameters and click Apply.
- Name: Specify the name that identifies the peer.
- Status: Specify whether to enable the peer.
- Interface: Choose the WireGuard interface to which the peer belongs.
- Endpoint: Specify the IP address of the peer. This parameter is required when the Omada Router actively connects to other WireGuard Server. (Specify the public network address of the remote peer. This field can be ignored if the remote peer is behind a NAT or does not have a stable public access address, which is what we have in this guide, a PC behind a NAT.)
- Endpoint Port: Specify the port number of the peer. This parameter is required when the Omada Router actively connects to other WireGuard Server.
- Allowed Address: Specify the address segment that allows traffic to pass through. It is the same as the WireGuard VPN interface IP configured on the PC.
- Persistent Keepalive: Specify the tunnel keepalive packet interval. (This defines the interval of keepalive packet sent to the Allowed Address.)
- Comment: Enter the description of the peer.
- Public Key: Fill in the public key of the peer PC. (The public key of the peer. If you have multiple servers in a WireGuard tunnel, every node(including relay servers, the public key has to be set properly. They can share the same public key with other peers. Yet, this is not what we discussed in this guide.)
- Preshared Key: Specify a shared key if needed.
Step 4. Connect to the Omada SDN Controller using WireGuard VPN.
Click Activate on the WireGuard VPN to connect to the Omada SDN Controller. The Status will change from Inactive to Active, indicating that the VPN connection has been successfully established.
Note:
1. If you are configuring peer-to-multiple-peers, and plan to set up the interfaces on multiple peers to be the same subnet like 10.0.0.1/24, make sure you set up the peer settings on the Omada router to /32 instead of /24 in the Allowed IP address in the Configuration Steps 3.
i.e. Devices are using the interfaces below:
iOS device A, Peer A, interface = 10.0.0.1/24
macOS device B, Peer B, interface = 10.0.0.2/24
Windows device C, interface = 10.0.0.3/24
...
Allowed IPs in Omada router peer settings for A, B, and C should be 10.0.0.1/32 and 10.0.0.2/32, 10.0.0.3/32, and so on and so forth.
2. UBNT WireGuard VPN Config Guide with Omada Routers
3. In some extremely rare situations, if you cannot access the web, but everything else like ping or SSH works properly, and you are using PPPoE, you may consider lowering your WireGuard MTU to avoid such an issue.
Update Log:
Jun 20th, 2024:
Update the Note.
Mar 18th, 2024:
Update the Note.
Jan 16th, 2024:
Update the format.
Add a note to the peer-to-multiple-peers situation.
Recommended Threads:
UBNT WireGuard VPN Config Guide with Omada Routers
Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates
Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates
Feedback:
- If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
- If there is anything unclear in this solution post, please feel free to comment below.
Thank you in advance for your valuable feedback!
------------------------------------------------------------------------------------------------
Have other off-topic issues to report?
Welcome to > Start a New Thread < and elaborate on the issue for assistance.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Perhaps not the best place to ask this question, but I'm new to Wireguard and a little confused by the IP subnet (which one is the LAN/WAN/VPN?).
Can you please indicate at the start of the howto how the network setup is for the example you provided. It would clarify allot for me (and other people).
I'm trying to setup a client-to-server connection but can't get it to work. At this moment I can't rule out my configuration so I'm not sure if I should be looking there or somewhere else.
- Copy Link
- Report Inappropriate Content
Hi @Theedoek
Thanks for posting in our business forum.
Theedoek wrote
Perhaps not the best place to ask this question, but I'm new to Wireguard and a little confused by the IP subnet (which one is the LAN/WAN/VPN?).
Can you please indicate at the start of the howto how the network setup is for the example you provided. It would clarify allot for me (and other people).
I'm trying to setup a client-to-server connection but can't get it to work. At this moment I can't rule out my configuration so I'm not sure if I should be looking there or somewhere else.
In this guide, the 10.0.0.1/32 is the WG interface IP.
192.168.0.2 is the WG interface IP of the router.
Router LAN is not specified and you can use either 0.0.0.0/0 or the router LAN IP.
I think I can upload a diagram later.
- Copy Link
- Report Inappropriate Content
I found this online Wireguard configurator really helpful : wireguardconfig dot com .
I told it how many clients I wanted and my server IP (instead of DNS) and it gave me all the configuration files I needed to set up the Omada Controller Server and Peers, as well as the client configuration files. It gives a couple of "post-up" and "post-down" rules but I just ignored them. It generated a private key for the server from the Random Seed on the page, so everything on the server you set up hangs off that, so the private key has to be saved in the server (router) so it can generate the corresponding public key. Once I got the hang of it, it was too easy. When the server and the peers were set up on the router, all I had to do was import the config files into the clients and it just worked! Hope this helps. I was doing my head in before this configurator.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 6
Views: 20455
Replies: 33