Setup WireGuard VPN Server with Ubiquiti Edgerouter X (EdgeOS) (2024)

WireGuard is a fast and secure VPN protocol that uses state-of-the-art cryptography. It is designed to be easy to implement and manage, and has a minimal attack surface. Its simplicity and efficiency make it well-suited for use in mobile devices and large-scale deployments.

Note: Before making any major changes on your EdgeOS router, always make a backup. Refer to the official documentation on how to perform one.

Step 1. Installation

Note: The following installation guide was verified working on EdgeOS v2.0.9-hotfix.4 as of Feb 2023.

Verify your EdgeOS version

show version

Download Wireguard

Head over to WireGuard’s EdgeOS releases and look for the release that matches your platform/version.

On the ER-X, use curl to download the .deb file

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e50-v2-v1.0.20220627-v1.0.20210914.deb

Install with dpkg

sudo dpkg -i e50-v2-v1.0.20220627-v1.0.20210914.deb

Output Log

user@ER-X:~$ sudo dpkg -i e50-v2-v1.0.20220627-v1.0.20210914.deb
Selecting previously unselected package wireguard.
(Reading database ... 37091 files and directories currently installed.)
Preparing to unpack e50-v2-v1.0.20220627-v1.0.20210914.deb ...
Adding 'diversion of /opt/vyatta/share/perl5/Vyatta/Interface.pm to /opt/vyatta/share/perl5/Vyatta/Interface.pm.vyatta by wireguard'
Adding 'diversion of /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def to /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def.vyatta by wireguard'
Adding 'diversion of /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp6/interface-type/node.def to /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp6/interface-type/node.def.vyatta by wireguard'
Unpacking wireguard (1.0.20220627-1) ...
Setting up wireguard (1.0.20220627-1) ...

If there is no space available

If additional storage space is needed, you can safely delete the backup system image (not the currently running firmware).

delete system image

You can check if wireguard is installed by running:

wg version

Output log:

user@ER-X:~$ wg version
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/

Step 2. Key Creation

Confirm working directory

pwd

Generate Server Keys

Create a folder for your server keys. You can create it in the /config directory to preserve your files during upgrades, and to make backups easier.

cd /config

Create a folder wireguard, then create another folder for server_keys

mkdir wireguard; cd wireguard
mkdir server_keys; cd server_keys

Generate a key pair for the WireGuard server, using the same command as for the client keys below: wg genkey | tee privatekey | wg pubkey > publickey

Note your public and private key for the next configuration steps.

cat publickey privatekey

Generate Client Keys

Move to wireguard directory.

cd /config/wireguard

Create folder wg_clients

mkdir wg_clients ; cd wg_clients

Create folder for client01

mkdir client01 ; cd client01

Generate client keys.

wg genkey | tee privatekey | wg pubkey > publickey

Note your public and private key for the next configuration steps.

cat publickey privatekey

Example output:

user@ER-X:~$ cat privatekey publickey
sAoqK3dXpc2UbOn2LWb/MMcHTKtU0nqHjDQiXqNcyHs=
Bf6LBfuoRDRbO4EJ+tawJXu6qu5BOWaXGK0V+uVRC3Q=

Step 3. wg0 Interface Configuration

Enter configure mode

configure

Set the location of the server’s private-key, previously generated

set interfaces wireguard wg0 private-key <server-private-key-here>

Create the gateway IP for the VPN and the subnet. This subnet can be any private IP range, but make sure it does not conflict with your existing networks.

set interfaces wireguard wg0 address 10.0.0.1/32

Create entries in the route table for the VPN subnet

set interfaces wireguard wg0 route-allowed-ips true

Set the UDP port for WireGuard (the port peers will connect to). The WireGuard default port is 51820, but it can be changed to any port.

set interfaces wireguard wg0 listen-port 51820

Save

commit ; save

Step 4. Adding peers to the wg0 Interface

Adding Client 01

Note: make sure you are in configure mode.

set interfaces wireguard wg0 peer <public-key-here>
set interfaces wireguard wg0 peer <public-key-here> allowed-ips 10.0.0.5/32
set interfaces wireguard wg0 peer <public-key-here> description client01

Adding Additional Clients

When adding additional peers, repeat the steps above, making sure to use the new client's public key and to update allowed-ips and description for each new client.

set interfaces wireguard wg0 peer <public-key-here>
set interfaces wireguard wg0 peer <public-key-here> allowed-ips 10.0.0.6/32
set interfaces wireguard wg0 peer <public-key-here> description client02

Save

commit ; save

Step 5. Create firewall rules for WireGuard

Create an accept rule in WAN_LOCAL to accept incoming UDP traffic to destination port 51820 (or the port you chose for listen-port).

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 50 destination port 51820
set firewall name WAN_LOCAL rule 50 description 'WireGuard'

Save

commit ; save

Once this is done, your wg0 interface and firewall configuration should look something like this.

user@ER-X$ show configuration
...
    wireguard wg0 {
        address 10.0.0.1/32
        listen-port 51820
        peer Bf6LBfuoRDRbO4EJ+tawJXu6qu5BOWaXGK0V+uVRC3Q= {
            allowed-ips 10.0.0.6/32
            description client02
        }
        peer Kf6LBfuoRDRbO4EJ+tawJXu6qu5BOWaXGK0V+uVRC3Q= {
            allowed-ips 10.0.0.5/32
            description client01
        }
        private-key ****************
        route-allowed-ips true
    }
...
        rule 50 {
            action accept
            description WireGuard
            destination {
                port 51820
            }
            log enable
            protocol udp
            source {
            }
        }
...

Step 6. Constructing the Config on the peer side

Config File (.conf)

Create a file on the peer, with the file extension as .conf

The peer side needs a few pieces of information to create the tunnel:

  • The server’s public key
  • The server’s endpoint (public IP address, or DNS record)
  • The peer’s private key
  • The peer’s IP address in the VPN subnet (the allowed IPs value set on the server)

Therefore, the previously generated client01 private key and the server public key should be copied to the peer device.

The configuration should look something like the one below:

Example Client 01

[Interface]
PrivateKey = <private-key-here>
ListenPort = 51820
Address = 10.0.0.5/32
DNS = <any dns>, 9.9.9.9

[Peer]
PublicKey = <public-key-here>
AllowedIPs = 0.0.0.0/0
Endpoint = <your-public-ip-or-dynamic-dns-hostname>:51820

Example Client 02

[Interface]
PrivateKey = <private-key-here>
ListenPort = 51820
Address = 10.0.0.6/32
DNS = <any dns>, 9.9.9.9

[Peer]
PublicKey = <public-key-here>
AllowedIPs = 0.0.0.0/0
Endpoint = <your-public-ip-or-dynamic-dns-hostname>:51820

Once the .conf file is created, you can import that into the peer/device of your choice.
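The router-side peer commands from Step 4 and the client .conf from Step 6 are built from the same few values, so a small script can produce both and catch the two mistakes that most often leave a peer silently unable to handshake: a truncated or mis-pasted key, and a client address that is not a single /32 inside the VPN subnet. This is an added example, not code from the guide; it assumes the guide's layout (VPN subnet 10.0.0.0/24, gateway 10.0.0.1, UDP 51820) and uses the guide's example keys as sample input.

```shell
#!/bin/sh
# Added example, not from the guide: build the Step 4 router commands and the
# Step 6 client .conf from one set of inputs, checking the inputs first.
# Assumed layout (as in the guide): VPN subnet 10.0.0.0/24, gateway 10.0.0.1, UDP 51820.
VPN_NET="10.0.0"    # first three octets of the assumed /24 VPN subnet
VPN_GW="10.0.0.1"   # address set on wg0
WG_PORT=51820

# A WireGuard key is 32 bytes base64-encoded: exactly 44 characters that decode
# to 32 bytes. A truncated or mangled paste fails this check.
wg_key_ok() {
    [ "${#1}" -eq 44 ] || return 1
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# The client address must be a single host (/32) inside the VPN subnet and
# must not collide with the gateway address.
client_addr_ok() {
    case "$1" in "$VPN_NET".*/32) ;; *) return 1 ;; esac
    [ "${1%/32}" != "$VPN_GW" ]
}

# Router side (Step 4): the three `set` commands for one peer.
# $1 client public key, $2 allowed-ips (e.g. 10.0.0.5/32), $3 description
render_peer_cmds() {
    wg_key_ok "$1" || { echo "rejected: bad public key for $3" >&2; return 1; }
    client_addr_ok "$2" || { echo "rejected: bad allowed-ips $2 for $3" >&2; return 1; }
    printf 'set interfaces wireguard wg0 peer %s\n' "$1"
    printf 'set interfaces wireguard wg0 peer %s allowed-ips %s\n' "$1" "$2"
    printf 'set interfaces wireguard wg0 peer %s description %s\n' "$1" "$3"
}

# Peer side (Step 6): the .conf, full-tunnel (AllowedIPs 0.0.0.0/0) as in the guide.
# $1 client private key, $2 client address, $3 server public key, $4 endpoint host
render_client_conf() {
    wg_key_ok "$1" && wg_key_ok "$3" || { echo "rejected: bad key" >&2; return 1; }
    client_addr_ok "$2" || { echo "rejected: bad address $2" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = 9.9.9.9\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s:%s\n' "$3" "$4" "$WG_PORT"
}
```

Run the router commands inside configure mode on the ER-X and write the .conf output to client01.conf on the peer; the endpoint hostname vpn.example.net used in the checks below is a placeholder.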

To bring up your tunnel, you can use the wg-quick command.

wg-quick up client01.conf

Run wg show on your peer to verify you are connected to the endpoint.

user@PC$ wg show
interface: client01
  public key: <public-key>
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: <peer-key>
  endpoint: xx.xx.xx.xx:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 11 seconds ago
  transfer: 3.11 MiB received, 6.92 MiB sent

Step 7. Save WireGuard Keys and Configuration Files

Once the above configuration is made, you can easily save the config by running a backup from the Edgerouter’s GUI.

  1. Navigate to the System tab in the bottom-left of the GUI to download the backup configuration archive.

     System > Configuration Management & Device Maintenance > Back Up Config

  2. Download the backup config file by clicking on the Download button.

  3. The EdgeRouter will prompt you to save the archive on your computer.

You can then extract this file on your local machine, and in the /config directory, you’ll find the wireguard public and private keys you generated earlier.

Warning: the following script, which brings up the wg0 interface manually, is not guaranteed to work; you may need to modify it according to your specific platform/version. Use at your own risk.

Determine shell with echo $SHELL

user@ER-X:~$ echo $SHELL
/bin/vbash

EdgeOS comes with vi, you can use that to create the script.

user@ER-X:~$ touch wg-setup.sh
user@ER-X:~$ vi wg-setup.sh

NOTE: Make sure to adjust the shebang line in case your $SHELL differs; on EdgeOS it will usually be #!/bin/vbash

Paste the following:

#!/bin/vbash
# Create the wg0 interface and assign the VPN gateway address
/bin/ip link add dev wg0 type wireguard
/bin/ip addr add 10.0.0.1/32 dev wg0
# Load the private key, listen port and peers from a wg0.conf in wg(8) setconf format
/usr/bin/sudo /usr/bin/wg setconf wg0 /home/$USER/wg0.conf
/bin/ip link set up dev wg0
/bin/ip route add 10.0.0.1/32 dev wg0
# Lower the MTU so encapsulated packets are not fragmented on the WAN link
/usr/bin/sudo /sbin/ifconfig wg0 mtu 1300

Make executable

chmod +x wg-setup.sh

Run

./wg-setup.sh

Article information

Author: Errol Quitzon
