In this article, I will walk you through the process of configuring WireGuard on EdgeOS. While this setup was tested on a Ubiquiti EdgeRouter 4, it should also work on other similar devices running EdgeOS.
Objective
The primary goal of this setup is to enable secure connections to a WireGuard server running on the EdgeRouter 4 and to route traffic through it.
Prerequisites
- EdgeOS 3 firmware: to install and configure WireGuard you need EdgeOS version 3 or later. I joined the Ubiquiti Beta Program to get the latest firmware, downloaded it and flashed my router; follow all precautions during this process to avoid problems.
Notes and Observations
EdgeOS 2: Unfortunately, I couldn’t get WireGuard running on the EdgeRouter 2. This might be due to hardware limitations or insufficient effort on my part. If you attempt this on an EdgeRouter 2, be prepared to troubleshoot and adapt the configuration process.
EdgeOS 3: Double-check the configuration as you go, because the web UI sometimes does not behave as expected and can break your configuration; firewall rules are also not visible in the UI.
WireGuard Tunnel Performance
WireGuard is known for its lightweight design and efficient performance.
- The tunnel provided a good connection; I did some testing, but nothing very detailed yet.
- Bandwidth performance was impressive: in my speed tests I did not observe any decline.
A visual representation of what we want to achieve:
![](https://dan.iftodi.com/wp-content/uploads/2024/12/Untitled-Diagram.drawio1-1024x418.png)
I will not explain how WireGuard works; you can find more details here: https://www.wireguard.com/#conceptual-overview
Before we start, let's look at my network setup:
- eth3 is connected to the internet
- eth1 and eth2 are connected to bridge br0
show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
br0 192.168.1.1/24 u/u Local Bridge
eth0 - u/D
eth1 - u/D Local Bridge
eth2 - u/u Local Bridge
eth3 192.168.100.50/24 u/u Internet
lo 127.0.0.1/8 u/u
Enabling the WireGuard service using the Web GUI
- Log in
- Go to VPN
- Enable WireGuard
- Add a new peer
![](https://dan.iftodi.com/wp-content/uploads/2024/12/Screenshot-from-2024-12-27-21-50-00-1024x622.png)
![](https://dan.iftodi.com/wp-content/uploads/2024/12/Screenshot-from-2024-12-27-21-50-54-875x1024.png)
Enabling the WireGuard service using the CLI
Use a console cable or SSH into EdgeOS.
Generate a private and public key pair. I did this on my Linux machine; you need the WireGuard tools installed:
wg genkey | tee privatekey | wg pubkey > publickey
On EdgeOS:
configure
set interfaces wireguard wg0 address 10.0.0.1/24
set interfaces wireguard wg0 private-key <PRIVATE_KEY>
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> allowed-ips 10.0.0.3/32
commit
save
At this point everything works in theory, but in practice the service is not reachable from the internet: we need a firewall rule that allows traffic to port 51820:
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description "Allow WireGuard"
set firewall name WAN_LOCAL rule 20 destination port 51820
set firewall name WAN_LOCAL rule 20 protocol udp
commit
save
I also enabled traffic to the LAN using this configuration. Note that a ruleset attached in the local direction (as WAN_LOCAL conventionally is) only matches packets addressed to the router itself, and a rule with protocol all and no source restriction accepts everything that does match, so check how the ruleset is attached (show configuration commands | match firewall) before relying on this rule:
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "Allow traffic to LAN"
set firewall name WAN_LOCAL rule 30 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 30 protocol all
commit
save
exit
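A mistyped rule number is easy to miss when typing these commands, and EdgeOS 3 does not show the rules in the UI, so an offline check over the set commands is worth having. The following is an added example (my code, not from this post or from EdgeOS): it groups "set firewall name ... rule N" lines by rule, flags rules that have no action (the usual symptom of a wrong rule number), flags accept rules with protocol all and no source restriction, and confirms that udp/51820 is accepted somewhere. The sample input is constructed.

```python
import re
from collections import defaultdict

def parse_firewall(cmds: str) -> dict:
    """Group `set firewall name <ruleset> rule <n> <attribute...> <value>` lines into
    {(ruleset, n): {attribute: value}}; `source`/`destination` keep their sub-keyword."""
    rules = defaultdict(dict)
    for m in re.finditer(r"set firewall name (\S+) rule (\d+) (.*)", cmds):
        attr, _, value = m.group(3).partition(" ")
        if attr in ("source", "destination"):
            sub, _, value = value.partition(" ")
            attr = f"{attr} {sub}"
        rules[(m.group(1), int(m.group(2)))][attr] = value.strip().strip('"')
    return dict(rules)

def lint_firewall(cmds: str, wg_port: str = "51820") -> list:
    """Report rules that are incomplete or over-broad, and whether udp/<wg_port> is accepted at all."""
    rules, findings = parse_firewall(cmds), []
    for (name, num), a in sorted(rules.items()):
        if "action" not in a:
            findings.append(f"{name} rule {num} has no action (mistyped rule number?): {a}")
        elif a["action"] == "accept" and a.get("protocol") == "all" and "source address" not in a:
            findings.append(f"{name} rule {num} accepts every protocol from any source")
    if not any(a.get("action") == "accept" and a.get("protocol") == "udp"
               and a.get("destination port") == wg_port for a in rules.values()):
        findings.append(f"no rule accepts udp/{wg_port}: WireGuard handshakes from the internet will be dropped")
    return findings

# Constructed sample: the WireGuard rule's description was typed against rule 30 instead of rule 20,
# and rule 40 opens every protocol towards the LAN without restricting the source.
SAMPLE = """set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 30 description "Allow WireGuard"
set firewall name WAN_LOCAL rule 20 destination port 51820
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 40 protocol all"""
```

Feed it the output of show configuration commands | match firewall from the router to lint the live ruleset.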
Because eth1 and eth2 are connected to bridge br0, and I want to reach local devices connected to the router over the VPN, I configured a NAT rule:
![](https://dan.iftodi.com/wp-content/uploads/2024/12/Screenshot-from-2024-12-27-22-08-18-782x1024.png)
Or using the CLI:
configure
set nat source rule 10 description 'NAT for WireGuard'
set nat source rule 10 outbound-interface br0
set nat source rule 10 action masquerade
set nat source rule 10 source 10.0.0.0/24
commit
save
Once it is configured, we can check the status with the command below; it should be Up:
show interfaces wireguard
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
wg0 10.0.0.1/32 u/u
Useful debugging commands
sudo tcpdump -i eth3 udp port 51820   # handshakes arrive on the WAN interface; wg0 only carries the decrypted inner traffic
show dhcp leases
# WireGuard uses UDP, so telnet (TCP) can't be used for debugging
# Check whether the port is reachable; for UDP, nc reports success whenever no ICMP port-unreachable comes back,
# so a firewall that silently drops the packets also shows "succeeded"
nc -zv -u <router ip> 51820
Connection to <router ip> 51820 port [udp/*] succeeded!
Connecting a Linux client
I will show configurations for two clients: a Linux PC and an Android phone.
Linux configuration:
/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <the client's own private key; its matching public key is the one configured as the peer on the router>
Address = 10.0.0.2/32
DNS = 8.8.8.8
[Peer]
PublicKey = <the public key of the WireGuard interface on the EdgeRouter>
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
Endpoint = <router ip>:51820
PersistentKeepalive = 25
sudo wg-quick up wg0 - turn on VPN tunnel
sudo wg-quick down wg0 - turn off VPN tunnel
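The router's peer entry and this client file have to agree: the client's public key (derived from its private key) must be the key on the router's peer line, the client's Address must fall inside that peer's allowed-ips, and the client's [Peer] PublicKey must be derived from the router's private-key. The following is an added example (my code, not from this post or from EdgeOS) that checks those pairings offline: it reimplements the X25519 derivation that wg pubkey performs, parses the set commands, and returns the PublicKey and port the client's [Peer] section needs. The RFC 7748 test-vector key pairs stand in for real wg genkey output, and the set commands are a constructed sample.

```python
import base64, ipaddress, re
P = 2**255 - 19

def x25519_pubkey(priv: bytes) -> bytes:
    """X25519(clamped private scalar, basepoint 9) via the RFC 7748 ladder: what `wg pubkey` computes."""
    k = int.from_bytes(bytes([priv[0] & 248]) + priv[1:31] + bytes([priv[31] & 127 | 64]), "little")
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt: x2, x3, z2, z3 = x3, x2, z3, z2  # conditional swap of the ladder points
        swap = kt
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, 9 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap: x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pub_b64(priv_b64: str) -> str:
    # Base64 public key for a base64 private key, the form WireGuard configs carry
    return base64.b64encode(x25519_pubkey(base64.b64decode(priv_b64))).decode()

def parse_edgeos(cmds: str) -> dict:
    """Collect `set interfaces wireguard <if> ...` values; peer attributes are keyed by public key."""
    cfg = {"peers": {}}
    for m in re.finditer(r"set interfaces wireguard \S+ (\S+) (.*)", cmds):
        if m.group(1) == "peer":
            key, attr, val = m.group(2).split(None, 2)
            cfg["peers"].setdefault(key, {}).setdefault(attr, []).append(val)
        else:
            cfg[m.group(1)] = m.group(2)
    return cfg

def check_client(client_priv_b64: str, client_address: str, edgeos_cmds: str) -> dict:
    """Cross-check a client's key and tunnel address against the router's peer entry; return the [Peer] values it needs."""
    router, client_pub, problems = parse_edgeos(edgeos_cmds), pub_b64(client_priv_b64), []
    entry = router["peers"].get(client_pub)
    if entry is None:
        problems.append(f"client public key {client_pub} is not configured as a peer on the router")
    elif not any(ipaddress.ip_interface(client_address).ip in ipaddress.ip_network(n)
                 for n in entry.get("allowed-ips", [])):
        problems.append(f"client address {client_address} is outside the peer's allowed-ips {entry.get('allowed-ips')}")
    return {"PublicKey": pub_b64(router["private-key"]), "ListenPort": router.get("listen-port"), "problems": problems}

# Constructed sample: the RFC 7748 section 6.1 key pairs stand in for `wg genkey` output (Alice = client, Bob = router).
b64 = lambda h: base64.b64encode(bytes.fromhex(h)).decode()
CLIENT_PRIV = b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
EDGEOS_CMDS = f"""set interfaces wireguard wg0 address 10.0.0.1/24
set interfaces wireguard wg0 private-key {b64('5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb')}
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 peer {b64('8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a')} allowed-ips 10.0.0.2/32"""
```

Run check_client with the client's PrivateKey, its Address and the output of show configuration commands | match wireguard; an empty problems list means the two sides will pair, and PublicKey/ListenPort are what goes into the client's [Peer] section.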
Test it
You should be able to ping 10.0.0.1:
traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 60 byte packets
1 10.0.0.1 (10.0.0.1) 3.896 ms 3.958 ms 4.609 ms
When connecting from another network, you should also be able to reach the devices that are connected to the EdgeRouter.
Connecting an Android client
I used the WireGuard client from the Play Store.
The private key was generated using the EdgeOS web UI; the important settings are:
- Addresses: your address inside the VPN network; it should match the one configured under Peers on the router. Mine was: 10.0.0.3/32
- Endpoint: the router IP address where the WireGuard service runs, plus the port. Mine was: <router ip>:51820
- Allowed IPs: this is up to you; if you want to send all traffic through the VPN, set it to 0.0.0.0/0 (the router then also has to masquerade the tunnel subnet out of its WAN interface, which the NAT rule above only does for br0). Mine was: 10.0.0.0/24, 192.168.1.0/24
![](https://dan.iftodi.com/wp-content/uploads/2024/12/image-469x1024.png)
For debugging on Android I used Termux, a terminal app, with tools like telnet, ping and curl.