A WireGuard VPN installation on the Ubiquiti Edgerouter X.
Find the link for your EdgeRouter variant and software version on the releases page of the wireguard-vyatta-ubnt GitHub repository, then run the following commands in an SSH session with the router. `${BOARD}` and `${RELEASE}` below stand for the board name and release tag taken from that link.
```sh
# Download the .deb from the link from above, e.g.
cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb

# Install the .deb
sudo dpkg -i ${BOARD}-${RELEASE}.deb
rm ${BOARD}-${RELEASE}.deb

# Verify installation
show interfaces wireguard
```
```sh
# Generating Server Key Pair
mkdir -p /config/auth/wireguard/server
# umask 077 so the private key file is readable by the owner only
umask 077
wg genkey | tee /config/auth/wireguard/server/privatekey | wg pubkey > /config/auth/wireguard/server/publickey

# wg0 Interface Configuration
configure
# The server's previously generated private key
set interfaces wireguard wg0 private-key /config/auth/wireguard/server/privatekey
# Creates the Gateway IP for the VPN and the subnet
# This subnet can be any private IP range
set interfaces wireguard wg0 address 10.0.5.1/24
# Creates entries in the route table for the VPN subnet
set interfaces wireguard wg0 route-allowed-ips true
# Port for WG (that peers will use)
set interfaces wireguard wg0 listen-port 51820

# Poking a hole in the firewall for WireGuard
# Creates an accept rule in the WAN_LOCAL list (WAN_LOCAL - wan to router)
# Accepts incoming UDP traffic to destination port 51820 only
show firewall name WAN_LOCAL
# Using the above command, choose the next unused rule number for the following rule
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 51820
set firewall name WAN_LOCAL rule 30 description "WireGuard"

# Enable DNS forwarding for the WireGuard interface
set service dns forwarding listen-on wg0
commit ; save
exit
```
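The step "choose the next unused rule number" is easy to get wrong by hand, and reusing an existing number silently overwrites that rule. The following added example (not part of the original page) takes the configure-mode output of `show firewall name WAN_LOCAL` on stdin, picks the next free multiple of 10, and prints the four `set firewall` commands for that number. It assumes the configure-mode tree format with lines such as `rule 20 {`; the sample output embedded below is constructed, and the function names are mine. It is meant to be run on a workstation, not on the router.

```sh
#!/bin/sh
# Added example, not from the original page: derive the next unused WAN_LOCAL
# rule number from "show firewall name WAN_LOCAL" output and emit the matching
# set commands for the WireGuard accept rule.

# Read EdgeOS "show firewall name <NAME>" output on stdin (configure-mode tree
# format, i.e. lines such as "rule 20 {") and print the next unused rule
# number rounded up to the next multiple of 10. Prints 10 when no rule exists.
next_rule_number() {
    max=$(sed -n 's/^[[:space:]]*rule \([0-9][0-9]*\)[[:space:]]*{.*/\1/p' | sort -n | tail -n 1)
    max=${max:-0}
    echo $(( (max / 10 + 1) * 10 ))
}

# Print the configure-mode commands for the WireGuard accept rule, given a
# rule number and the UDP listen port. Only the destination port is opened;
# the source is left unrestricted because peers roam between networks.
wireguard_firewall_commands() {
    rule=$1
    port=$2
    printf 'set firewall name WAN_LOCAL rule %s action accept\n' "$rule"
    printf 'set firewall name WAN_LOCAL rule %s protocol udp\n' "$rule"
    printf 'set firewall name WAN_LOCAL rule %s destination port %s\n' "$rule" "$port"
    printf 'set firewall name WAN_LOCAL rule %s description "WireGuard"\n' "$rule"
}

# Constructed sample of "show firewall name WAN_LOCAL" output with rules 10 and 20.
SAMPLE_WAN_LOCAL=' default-action drop
 rule 10 {
     action accept
     description "Allow established/related"
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action drop
     description "Drop invalid state"
     state {
         invalid enable
     }
 }'

# Demo: with rules 10 and 20 present, the next free number is 30, matching
# the rule number used in the instructions above.
rule=$(printf '%s\n' "$SAMPLE_WAN_LOCAL" | next_rule_number)
wireguard_firewall_commands "$rule" 51820
```

On the router, the generated lines are pasted into a `configure` session followed by `commit ; save`, exactly as in the instructions above.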
Choose the following for each peer you want to add, and replace where needed in the following instructions:

* peer_name = peer1
* ip_address = 10.0.5.10/32 (the peer's own address on the VPN subnet)
* ip_subnets = 0.0.0.0/0 (full VPN: all of the peer's traffic is routed through the tunnel), or
* ip_subnets = 10.0.5.1/24, 10.0.0.1/24 (split VPN: only the VPN subnet and the listed local subnet are routed through the tunnel)
Run the following commands in an SSH session with the router.
```sh
# Adding peers to the wg0 Interface
# Generate the Peer Key Pair
mkdir -p /config/auth/wireguard/${peer_name}
# umask 077 so the peer's private key file is readable by the owner only
umask 077
wg genkey | tee /config/auth/wireguard/${peer_name}/privatekey | wg pubkey > /config/auth/wireguard/${peer_name}/publickey
# Show the public key to copy for the next step
cat /config/auth/wireguard/${peer_name}/publickey

configure
# Set the public key and IP address of the peer on the VPN
set interfaces wireguard wg0 peer ${publickey} description ${peer_name}
set interfaces wireguard wg0 peer ${publickey} allowed-ips ${ip_address}
commit ; save
exit
```
Then configure each peer using the following configuration, which can be saved as a .conf file on the peer or added directly to the peer. For mobile devices you can paste the config into https://www.wireguardconfig.com/qrcode to generate a QR code and read it using the WireGuard app.
```ini
[Interface]
PrivateKey = ${contents of /config/auth/wireguard/${peer_name}/privatekey}
ListenPort = 51820
Address = ${ip_address}
DNS = 10.0.5.1, server.com   # Gateway IP of the VPN, and optionally a DNS search domain for short names

[Peer]
PublicKey = ${contents of /config/auth/wireguard/server/publickey}
AllowedIPs = ${ip_subnets}
Endpoint = server.com:51820   # Public IP or DNS record of server
```
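The peer .conf above contains the peer's private key in clear text, so how it is generated and stored matters as much as its contents. The following added example (not part of the original page) builds the same configuration from the variables chosen above and writes it with mode 0600, failing if the file ends up readable by anyone else. The keys are passed in as arguments so the function can be exercised with constructed placeholder values; `gen_keypair` mirrors the router-side key commands with a restrictive umask and needs the `wg` tool, so it is defined but not called. Function names, the placeholder keys and the use of GNU `stat -c` are my assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: generate a peer .conf from the
# chosen variables and store it readable by the owner only.

# Generate a key pair into DIR, mirroring the router-side commands above but
# under umask 077 so the private key is never created world-readable.
# Requires the wg tool; not called in the demo below.
gen_keypair() {
    dir=$1
    mkdir -p "$dir"
    ( umask 077; wg genkey | tee "$dir/privatekey" | wg pubkey > "$dir/publickey" )
}

# Print a peer configuration in the layout used on this page.
# Arguments: peer private key, server public key, ip_address, ip_subnets,
# endpoint (host:port), DNS list.
make_peer_conf() {
    peer_priv=$1; server_pub=$2; ip_address=$3; ip_subnets=$4; endpoint=$5; dns=$6
    printf '[Interface]\n'
    printf 'PrivateKey = %s\n' "$peer_priv"
    printf 'ListenPort = 51820\n'
    printf 'Address = %s\n' "$ip_address"
    printf 'DNS = %s\n' "$dns"
    printf '\n[Peer]\n'
    printf 'PublicKey = %s\n' "$server_pub"
    printf 'AllowedIPs = %s\n' "$ip_subnets"
    printf 'Endpoint = %s\n' "$endpoint"
}

# Write the configuration to OUT (first argument) under umask 077, then verify
# the resulting mode with GNU stat. Returns non-zero if the file is readable by
# group or others, e.g. because it already existed with a looser mode.
write_peer_conf() {
    out=$1; shift
    ( umask 077; make_peer_conf "$@" > "$out" )
    [ "$(stat -c %a "$out")" = "600" ]
}

# Demo with constructed placeholder keys (not real WireGuard keys): a full-VPN
# peer whose AllowedIPs is 0.0.0.0/0, as in the variables above.
PEER_PRIV='PLACEHOLDER_PEER_PRIVATE_KEY'
SERVER_PUB='PLACEHOLDER_SERVER_PUBLIC_KEY'
make_peer_conf "$PEER_PRIV" "$SERVER_PUB" 10.0.5.10/32 0.0.0.0/0 server.com:51820 '10.0.5.1, server.com'
```

For a split-VPN peer, pass the split subnet list as the fourth argument instead of `0.0.0.0/0`; everything else stays the same.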
To upgrade the WireGuard package to a newer release, the following method allows upgrading without a reboot.
```sh
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
configure
set interfaces wireguard wg0 route-allowed-ips false
commit
delete interfaces wireguard
commit
sudo rmmod wireguard
sudo dpkg -i ${BOARD}-${RELEASE}.deb
sudo modprobe wireguard
# Recover previous config
load
commit
exit
```
FIXME

* Add IPv6 to the full VPN, and make the split VPN just use IPv6; should fix the problem of the networks being on the same subnet..?
* Need to check if the following is needed: `/config/data/firstboot/install-packages/`, optional for .deb packages that would be automatically installed on first boot after a firmware upgrade.