How to Configure Site-to-Site WireGuard VPN on Omada Controller

2023-08-28 08:47:47 - last edited Yesterday

Background:

 

This post provides a comprehensive configuration guide on Site-to-Site WireGuard VPN with side notes for explanation.

Extra reference: How to Configure WireGuard VPN on Omada Controller

 

This Article Applies to:

 

All routers with WireGuard VPN are supported.

 

Application Scenario:

 

 

Configuration Steps:

 

Step 1. Configure the HQ Site WireGuard Interface:

 

1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.

2. Click Create New WireGuard and configure the parameters.

 

  • Name: Specify the name that identifies the WireGuard interface. (This does not affect the VPN tunnel or behavior.)
  • Status: Specify whether to enable the WireGuard interface. (Enable or disable your VPN tunnel.)
  • MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (Usually, it does not need to be set, and is generally determined automatically by the system.)
  • Listen Port: Specify the port number that the WireGuard interface listens to. The default value is 51820. (Usually, the client does not need this to be configured. In this example, our router is the server. You can change this if you need it and you know what you are doing.)
  • Local IP Address: Specify the IP address of the WireGuard interface. (Define the IP address of the WireGuard interface, which should be a non-occupied IP address. It is okay to configure outside your existing LAN range.)
  • Private Key: Specify the private key of the WireGuard interface. The value is generated automatically on the device, and you can also modify it manually. (This defines the private key of this specific VPN tunnel. It has to be set and cannot be shared with other tunnels.)

 

3. Click Apply. The WireGuard VPN entry will be displayed.

 

Step 2. Configure the Satellite Site WireGuard Interface:

 

1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard.

2. Click Create New WireGuard and configure the parameters.

 

  • Name: Specify the name that identifies the WireGuard interface. (This does not affect the VPN tunnel or behavior.)
  • Status: Specify whether to enable the WireGuard interface. (Enable or disable your VPN tunnel.)
  • MTU: Specify the MTU value of the WireGuard interface. The default value of 1420 is recommended. (Usually, it does not need to be set, and is generally determined automatically by the system.)
  • Listen Port: Specify the port number that the WireGuard interface listens to. The default value is 51820. (Usually, the client does not need this to be configured. In this example, our router is the server. You can change this if you need it and you know what you are doing.)
  • Local IP Address: Specify the IP address of the WireGuard interface. (Define the IP address of the WireGuard interface, which should be a non-occupied IP address. It is okay to configure outside your existing LAN range.)
  • Private Key: Specify the private key of the WireGuard interface. The value is generated automatically on the device, and you can also modify it manually. (This defines the private key of this specific VPN tunnel. It has to be set and cannot be shared with other tunnels.)

 

3. Click Apply. The WireGuard VPN entry will be displayed.

 

 

 

Step 3. Configure Peer Information on the HQ Site Controller:

 

1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.

2. Click Create New Peer. Configure the parameters and click Apply.

 

  • Name: Specify the name that identifies the WireGuard tunnel.
  • Status: Specify whether to enable the peer setting.
  • Interface: Choose the WireGuard interface to which the peer belongs.
  • Endpoint: Specify the IP address of the peer. This parameter is required when the Omada Router actively connects to other WireGuard peers. (If you need to specify the peer server, you can put the public IP address of the peer server. If the HQ has initiated the connection, this can be optional, which is the case in this guide. If you do not specify the Endpoint on either site, the connection cannot be made.)
  • Endpoint Port: Specify the port number of the peer. This parameter is required when the Omada Router actively connects to other WireGuard peers.
  • Allowed Address: Specify the address segment that allows traffic to pass through. (Here you should specify the subnet of the peer LAN. This defines what you are allowed to access on the peer site. If you do not include the subnet, then you don't have access to it.)
  • Persistent Keepalive: Specify the tunnel keepalive packet interval. (This defines the interval of the keepalive packet sent to the Allowed Address.)
  • Comment: Enter the description of the peer.
  • Public Key: Fill in the public key of the peer Satellite site.
  • Preshared Key: Specify a shared key if needed.

 

Step 4. Configure Peer Information on the Satellite Site Controller:

 

1. Launch the Omada SDN Controller, and select a site from the drop-down list of Organization. Go to Settings > VPN > WireGuard > Peers.

2. Click Create New Peer. Configure the parameters and click Apply.

 

 

  • Name: Specify the name that identifies the WireGuard tunnel.
  • Status: Specify whether to enable the peer setting.
  • Interface: Choose the WireGuard interface to which the peer belongs.
  • Endpoint: Specify the IP address of the peer. This parameter is required when the Omada Router actively connects to other WireGuard peers. (If you need to specify the peer server, you can put the public IP address of the peer server. If the HQ has initiated the connection, this can be optional, which is the case in this guide. If you do not specify the Endpoint on either site, the connection cannot be made.)
  • Endpoint Port: Specify the port number of the peer. This parameter is required when the Omada Router actively connects to other WireGuard peers.
  • Allowed Address: Specify the address segment that allows traffic to pass through. (Here you should specify the subnet of the peer LAN. This defines what you are allowed to access on the peer site. If you do not include the subnet, then you don't have access to it.)
  • Persistent Keepalive: Specify the tunnel keepalive packet interval. (This defines the interval of the keepalive packet sent to the Allowed Address.)
  • Comment: Enter the description of the peer.
  • Public Key: Fill in the public key of the peer HQ site.
  • Preshared Key: Specify a shared key if needed.
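Steps 1 to 4 spread one tunnel across two controllers, and most failed site-to-site tunnels come from the two halves not agreeing with each other. The checker below, an added example rather than code from this guide or from TP-Link, models the interface settings (Steps 1 and 2) and the peer settings (Steps 3 and 4) of both sites and flags the mismatches the guide's side notes warn about: crossed public keys, a missing Endpoint on both sides, an Endpoint Port that does not match the other side's Listen Port, an Allowed Address that does not cover the peer LAN, and a Preshared Key set on only one side. The HQ/Satellite values, the 203.0.113.10 endpoint and the key strings are constructed placeholders; public keys are treated as opaque strings because the controller derives them from the private key you never leave the device.

```python
"""Consistency checks for a site-to-site WireGuard pair as configured in Omada (Steps 1-4).

Added example; it models the controller's fields, it does not talk to a controller.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass
class WgInterface:
    """Fields of Settings > VPN > WireGuard (Steps 1 and 2)."""
    name: str
    local_ip: str              # Local IP Address of the WireGuard interface
    public_key: str            # derived on the device from the Private Key
    listen_port: int = 51820
    mtu: int = 1420


@dataclass
class WgPeer:
    """Fields of Settings > VPN > WireGuard > Peers (Steps 3 and 4)."""
    peer_public_key: str       # Public Key of the *other* site's interface
    allowed_addresses: list    # Allowed Address entries as CIDR strings
    endpoint: str = ""         # empty when this side only answers handshakes
    endpoint_port: int = 0
    persistent_keepalive: int = 0
    preshared_key: str = ""


@dataclass
class Site:
    name: str
    lan: str                   # LAN subnet behind this site's router
    iface: WgInterface
    peer: WgPeer               # the peer entry that points at the other site


def check_site_pair(a: Site, b: Site) -> list:
    """Return a list of configuration problems; an empty list means the pair is consistent."""
    problems = []

    # Keys: each peer entry must carry the other side's interface public key, and the
    # two interfaces must not share a key pair (the guide: keys cannot be shared).
    for src, dst in ((a, b), (b, a)):
        if src.peer.peer_public_key != dst.iface.public_key:
            problems.append(f"{src.name}: peer Public Key does not match {dst.name}'s interface key")
    if a.iface.public_key == b.iface.public_key:
        problems.append("both interfaces use the same key pair")
    if a.iface.local_ip == b.iface.local_ip:
        problems.append("both interfaces use the same Local IP Address")

    # Endpoint: at least one side must name the other, or nobody can start the handshake;
    # where an Endpoint is given, its port must be the other side's Listen Port.
    if not (a.peer.endpoint or b.peer.endpoint):
        problems.append("neither site specifies an Endpoint, so the tunnel cannot be initiated")
    for src, dst in ((a, b), (b, a)):
        if src.peer.endpoint and src.peer.endpoint_port != dst.iface.listen_port:
            problems.append(f"{src.name}: Endpoint Port {src.peer.endpoint_port} "
                            f"!= {dst.name} Listen Port {dst.iface.listen_port}")

    # Allowed Address: must contain the peer LAN (otherwise that LAN is unreachable),
    # and must not pull this site's own LAN into the tunnel.
    for src, dst in ((a, b), (b, a)):
        nets = [ipaddress.ip_network(n, strict=False) for n in src.peer.allowed_addresses]
        own = ipaddress.ip_network(src.lan)
        far = ipaddress.ip_network(dst.lan)
        if not any(far.subnet_of(n) for n in nets):
            problems.append(f"{src.name}: Allowed Address does not cover {dst.name} LAN {far}")
        if any(own.overlaps(n) for n in nets):
            problems.append(f"{src.name}: Allowed Address overlaps its own LAN {own}")

    # Preshared Key is symmetric: both sides set the same value, or neither sets one.
    if a.peer.preshared_key != b.peer.preshared_key:
        problems.append("Preshared Key differs between the two sites")
    return problems


def example_sites():
    """Constructed HQ/Satellite pair; addresses and key strings are placeholders, not real values."""
    hq = Site("HQ", "192.168.0.0/24",
              WgInterface("wg-hq", "10.10.10.1", "HQ_PUBLIC_KEY_PLACEHOLDER"),
              WgPeer("SAT_PUBLIC_KEY_PLACEHOLDER", ["192.168.10.0/24", "10.10.10.2/32"]))
    sat = Site("Satellite", "192.168.10.0/24",
               WgInterface("wg-sat", "10.10.10.2", "SAT_PUBLIC_KEY_PLACEHOLDER"),
               WgPeer("HQ_PUBLIC_KEY_PLACEHOLDER", ["192.168.0.0/24", "10.10.10.1/32"],
                      endpoint="203.0.113.10", endpoint_port=51820, persistent_keepalive=25))
    return hq, sat


def broken_examples():
    """Three single-fault variants of the pair; each yields exactly one problem."""
    hq, sat = example_sites()
    no_endpoint = (hq, replace(sat, peer=replace(sat.peer, endpoint="", endpoint_port=0)))
    no_lan = (hq, replace(sat, peer=replace(sat.peer, allowed_addresses=["10.10.10.1/32"])))
    bad_port = (hq, replace(sat, peer=replace(sat.peer, endpoint_port=51821)))
    return {"no_endpoint": no_endpoint, "no_lan": no_lan, "bad_port": bad_port}


if __name__ == "__main__":
    print("valid pair:", check_site_pair(*example_sites()))
    for label, pair in broken_examples().items():
        print(label, "->", check_site_pair(*pair))
```

Only the Satellite carries an Endpoint in the constructed pair, matching the guide's note that one side may leave it empty; the `no_endpoint` variant shows what happens when both sides do.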

 

Verification:

 

1. Verify the HQ site has access to the Satellite site.

Use a computer from the HQ to ping the Satellite gateway and PC.

 

 

Use a computer from the HQ to access the file server located on the Satellite site. Files can be uploaded or downloaded without any problems.

 

 

2. Verify the Satellite site has access to the HQ site.

Use a computer from the Satellite site to ping the HQ gateway.

 

 

Update Log:

 

Jan 11th, 2024:

Update the format.

 

Recommended Threads:

 

Configuration Guide How to Configure WireGuard VPN on Omada Controller

Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates

Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates

 


 

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. Don't be a lazy asker. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#1
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-09-03 16:57:19
Will this allow VPN connections w/ CGNAT sites (Starlink)?
#2
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-09-03 23:25:53

  @Clive_A any way to configure a peer with a FQDN and not an IP, the site I am connecting to has a dynamic IP so it will work only as long as the IP stays the same. I don't want to have to login remotely every time the IP address changes.

 

This was also posted in the other WireGuard HowTo just in case it belongs here instead as it is a site-to-site question.

#3
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-09-04 01:34:30 - last edited 2023-09-04 01:44:58

Hi @RSCW

No. In a live network, you would NOT make ANY VPN work if you are on CGNAT. Basic VPN concept and rule.

 

If behind CGNAT, or any private IP, you can initiate a connection from a device but your router/device is not available to the Internet because of the NAT. Unless you port forward.

#4
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-09-04 01:41:25 - last edited 2023-09-05 06:47:22

Hi @nlibby

nlibby wrote

  @Clive_A any way to configure a peer with a FQDN and not an IP, the site I am connecting to has a dynamic IP so it will work only as long as the IP stays the same. I don't want to have to login remotely every time the IP address changes.

 

This was also posted in the other WireGuard HowTo just in case it belongs here instead as it is a site-to-site question.

An endpoint is not necessary for a site-to-site connection or a regular connection. If you read this guide carefully, I did not specify the endpoint. Same as the other guide, the similar "client-to-site" guide. It does not affect anything at all.

 

At least one of the sites should specify the Endpoint IP address. If it is a multi-site, you can specify the IP address of one of the sites that has a static IP address as a temporary workaround.

#5
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-09-04 02:11:08
Do you have any timeline on when FQDNs will be supported? One side of the VPN needs to have an Endpoint and port assigned or the VPN will not connect (a public key alone will not allow the connection of the VPN), so if I want to have 2 separate sites connected via WireGuard and want to use all Omada hardware I will require FQDN support.
#6
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-10-19 07:29:15

  @Clive_A 

Hello,
The connection itself can be made. However, no IP on the OMADA network can be accessed. Is there any special routing?

#8
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-10-19 07:37:14

Hi @HenryDy 

Thanks for posting in our business forum.

HenryDy wrote

  @Clive_A 

Hello,
The connection itself can be made. However, no IP on the OMADA network can be accessed. Is there any special routing?

Examine your config: Allow IP. ACL. Check if you can access the default gateway. (Some devices do not allow access over VPN; you should contact your OS support.)

Re-read the explanation of the Allowed IP if you are not sure about what it means.

#9
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-11-08 21:44:49

  @nlibby Agree. Since the router supports DDNS, it only makes sense that this supports FQDNs.

#10
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-11-10 15:33:09

  @Clive_A 

 

  @onemorecable and @nlibby

 

Very reasonable requests for the FQDN vs IP address for endpoint. I've used WireGuard on 3 other vendor devices and they support FQDN as endpoint on WireGuard tunnels. It would be safe to say that the majority of users on the ER605, 7206, 707-M2, 8411, etc. line of Omada routers would be using dynamic IPs on the WAN.

 

Cheers,

BrnM.

#11
Re:How to Configure Site-to-Site WireGuard VPN on Omada Controller
2023-12-14 11:43:56

Hi!

ER605 V2 here, firmware 2.2.2.
Trying to config SITE-TO-SITE (permanent tunnel).
How can I add multiple subnets in Peer "Allowed IP" parameter? (On each side).
I cannot ping between subnets, but the routers can ping each other.

 

--------------------------------------------------------

# Subnet A
10.10.2.0/24

# Router A
[Wireguard]
Local IP Address = 10.10.10.2
Listen Port = 51820
[Peers]
Public Key = PubKey Router B
Endpoint = Router B IP
Endpoint Port = 51820
Allowed IP = 10.10.3.0/24      <<<<<<<<  THIS IS WHERE I CAN NOT ADD ANOTHER SUBNET
Persistent Keepalive = 16

--------------------------------------------------------

# Subnet B
10.10.3.0/24

# Router B
[Wireguard]
Local IP Address = 10.10.10.3
Listen Port = 51820
[Peers]
Public Key = PubKey Router A
Endpoint = [empty]
Endpoint Port = [empty]
Allowed IP = 10.10.2.0/24      <<<<<<<<  THIS IS WHERE I CAN NOT ADD ANOTHER SUBNET
Persistent Keepalive = 16

--------------------------------------------------------

 

From any device from Subnet A I can ping only to Router B IP.

(ping 10.10.3.1  >> OK)
(ping 10.10.3.101 >> Request timed out!)

 

From any device from Subnet B I can ping only to Router A IP.

(ping 10.10.2.1  >> OK)
(ping 10.10.2.101 >> Request timed out!)

 

 

Any help will be appreciated!
Thanks!

#12
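The last reply asks how a peer's Allowed IP can list more than one subnet, and the earlier "tunnel is up but nothing is reachable" report (#8/#9) hinges on the same field. In the WireGuard protocol itself, AllowedIPs is a list of prefixes per peer, and it is used in both directions ("cryptokey routing"): outbound, a packet is sent to the peer whose list holds the longest matching prefix for the destination; inbound, a decrypted packet is dropped unless its source address lies in the sending peer's list. The simulator below is an added example, not code from the thread or from TP-Link, and it says nothing about whether the Omada UI accepts several entries; it only shows the WireGuard rule that would apply if it does. Router A and Router B use the tunnel IPs and subnets from reply #11 as posted; the hosts 10.10.2.101 and 10.10.3.101 are from that reply too, while the second LAN 10.10.20.0/24 and host 10.10.20.5 are constructed for the demonstration.

```python
"""Cryptokey-routing model: how WireGuard applies each peer's AllowedIPs in both directions.

Added example; the routers below are a model, not Omada devices.
"""
import ipaddress


class WgRouter:
    def __init__(self, name, tunnel_ip, peers):
        self.name = name
        self.tunnel_ip = ipaddress.ip_address(tunnel_ip)
        # peers: {peer_name: [AllowedIPs as CIDR strings]}; one list per peer
        self.peers = {p: [ipaddress.ip_network(c, strict=False) for c in cidrs]
                      for p, cidrs in peers.items()}

    def outbound_peer(self, dst):
        """Outbound: the peer whose AllowedIPs hold dst with the longest prefix; None = not tunnelled."""
        dst = ipaddress.ip_address(dst)
        best = None
        for peer, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (peer, net.prefixlen)
        return best[0] if best else None

    def accepts_inbound(self, peer, src):
        """Inbound: a packet decrypted from `peer` is kept only if src is in that peer's AllowedIPs."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers.get(peer, []))


def path_allowed(a: WgRouter, b: WgRouter, src, dst):
    """True if src->dst goes from A to B through the tunnel and B's reply can come back the same way."""
    if a.outbound_peer(dst) != b.name or not b.accepts_inbound(a.name, src):
        return False
    return b.outbound_peer(src) == a.name and a.accepts_inbound(b.name, dst)


def post11_routers():
    """Router A / Router B exactly as listed in reply #11 (one LAN behind each router)."""
    a = WgRouter("A", "10.10.10.2", {"B": ["10.10.3.0/24"]})
    b = WgRouter("B", "10.10.10.3", {"A": ["10.10.2.0/24"]})
    return a, b


def with_second_subnet():
    """Same pair, but site A now also has the constructed LAN 10.10.20.0/24, so B lists two prefixes."""
    a = WgRouter("A", "10.10.10.2", {"B": ["10.10.3.0/24"]})
    b = WgRouter("B", "10.10.10.3", {"A": ["10.10.2.0/24", "10.10.20.0/24"]})
    return a, b


if __name__ == "__main__":
    a, b = post11_routers()
    print("10.10.2.101 -> 10.10.3.101 :", path_allowed(a, b, "10.10.2.101", "10.10.3.101"))
    print("A sends 10.10.10.3 via peer :", a.outbound_peer("10.10.10.3"))   # None: tunnel IP not in AllowedIPs
    print("10.10.20.5 -> 10.10.3.101   :", path_allowed(a, b, "10.10.20.5", "10.10.3.101"))
    a2, b2 = with_second_subnet()
    print("same, with second prefix    :", path_allowed(a2, b2, "10.10.20.5", "10.10.3.101"))
```

Two things fall out of the model. First, with the reply's values, traffic between 10.10.2.101 and 10.10.3.101 is permitted by AllowedIPs on both routers, so a ping that still fails is stopped somewhere else (a host firewall or an ACL, which reply #9 points at), not by the Allowed IP field. Second, a second LAN behind a site only works once the far router lists that prefix too, because the inbound check drops packets whose source is outside the peer's AllowedIPs; the reply packet from 10.10.10.3 itself is likewise not tunnelled unless the tunnel address is listed.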