Configuring WireGuard on EdgeOS 3

In this article, I will walk you through the process of configuring WireGuard on EdgeOS. While this setup was tested on a Ubiquiti EdgeRouter 4, it should also work on other similar devices running EdgeOS.

Objective

The primary goal of this setup is to enable secure connections to a WireGuard server running on the EdgeRouter 4 and to route traffic through it.

Prerequisites

  • EdgeOS 3 Firmware: To install and configure WireGuard, you need EdgeOS version 3 or later. Note that I joined the Ubiquiti Beta Program to access the latest firmware, downloaded it, and flashed my router. Ensure you follow all precautions during this process to avoid potential issues.

Notes and Observations

EdgeOS 2: Unfortunately, I couldn’t get WireGuard running on the EdgeRouter 2. This might be due to hardware limitations or insufficient effort on my part. If you attempt this on an EdgeRouter 2, be prepared to troubleshoot and adapt the configuration process.

EdgeOS 3: Double-check the configuration as you go, because the web UI sometimes does not behave as expected and can break your configuration; firewall rules are also not visible in the UI.

WireGuard Tunnel Performance

WireGuard is known for its lightweight design and efficient performance.

  • The tunnel provided a good connection; I did some testing, but nothing very detailed yet.
  • Bandwidth performance was impressive: in my speed tests I did not observe a performance decline.

A visual representation of what we want to achieve:

I will not explain how WireGuard works; you can find more details here: https://www.wireguard.com/#conceptual-overview

Before we start let’s look at my network setup:

  • eth3 is connected to the internet
  • eth1 and eth2 are connected to bridge br0
show interfaces           
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
br0          192.168.1.1/24                    u/u  Local Bridge                
eth0         -                                 u/D                              
eth1         -                                 u/D  Local Bridge                
eth2         -                                 u/u  Local Bridge                
eth3         192.168.100.50/24                 u/u  Internet                    
lo           127.0.0.1/8                       u/u                              

Enabling the WireGuard service using the Web GUI

  1. Login
  2. Go to VPN
  3. Enable Wireguard
  4. Add a new peer

Enabling the WireGuard service using the CLI

Use a console cable or SSH to reach the EdgeOS CLI.

Generate the private and public keys. I did this on my Linux machine; you need WireGuard installed on your machine:

wg genkey | tee privatekey | wg pubkey > publickey

On EdgeOS:

configure
set interfaces wireguard wg0 address 10.0.0.1/24
set interfaces wireguard wg0 private-key <PRIVATE_KEY>
set interfaces wireguard wg0 listen-port 51820

set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> allowed-ips 10.0.0.3/32
commit
save

At this point everything works in theory, but in practice the service is not reachable from outside: the WAN_LOCAL firewall drops the traffic, so we need a rule that allows UDP port 51820:

set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description "Allow WireGuard"
set firewall name WAN_LOCAL rule 20 destination port 51820
set firewall name WAN_LOCAL rule 20 protocol udp

commit
save

I also enabled traffic to LAN using this configuration:

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "Allow traffic to LAN"
set firewall name WAN_LOCAL rule 30 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 30 protocol all

commit
save
exit
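The `set` commands above are easy to mistype, and a wrong rule number leaves a half-configured rule behind (a rule with only a description, for example) that the UI will not show you. The following script is an added example, not code from this article or from Ubiquiti: it parses a batch of `set` lines offline, on your workstation, and flags a rule number without an action, a peer address outside the wg0 subnet, and a listen port that no WAN_LOCAL rule accepts. The sample input is constructed from the commands on this page, with `<PRIVATE_KEY>` and `<PEER_PUBLIC_KEY>` kept as placeholders, and it deliberately contains the "rule 30 description" slip so the check has something to find.

```python
"""Offline lint for a batch of EdgeOS 'set ...' commands for a WireGuard server.

Added example, not code from the article or from Ubiquiti. It parses the
set commands into a nested dict and checks the things that are easy to get
wrong when typing them by hand: a rule number that only received a
description, a peer address outside the wg0 subnet, and a listen port
that no WAN_LOCAL rule accepts.
"""
import ipaddress
import shlex

# Constructed sample: the article's server config, including a slip where the
# "Allow WireGuard" description is attached to rule 30 instead of rule 20.
SAMPLE_SET_COMMANDS = """
set interfaces wireguard wg0 address 10.0.0.1/24
set interfaces wireguard wg0 private-key <PRIVATE_KEY>
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> allowed-ips 10.0.0.3/32
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 30 description "Allow WireGuard"
set firewall name WAN_LOCAL rule 20 destination port 51820
set firewall name WAN_LOCAL rule 20 protocol udp
"""


def parse_set_commands(text):
    """Turn 'set a b c VALUE' lines into nested dicts; leaves are lists of
    values because some EdgeOS nodes (e.g. allowed-ips) accept several."""
    tree = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line)[1:]  # shlex keeps "Allow WireGuard" together
        if len(tokens) < 2:
            continue
        node = tree
        for tok in tokens[:-2]:
            node = node.setdefault(tok, {})
        node.setdefault(tokens[-2], []).append(tokens[-1])
    return tree


def lint(tree):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    rules = (tree.get("firewall", {}).get("name", {})
             .get("WAN_LOCAL", {}).get("rule", {}))

    # A rule number that never received an action usually means the number
    # was mistyped on one of the set lines.
    for num, rule in sorted(rules.items()):
        if "action" not in rule:
            findings.append(
                f"WAN_LOCAL rule {num}: has {', '.join(sorted(rule))} but no action")

    for name, cfg in tree.get("interfaces", {}).get("wireguard", {}).items():
        for key in ("address", "private-key", "listen-port"):
            if key not in cfg:
                findings.append(f"{name}: missing {key}")

        # Every peer's allowed-ips should fall inside the tunnel subnet.
        if "address" in cfg:
            subnet = ipaddress.ip_interface(cfg["address"][0]).network
            for pubkey, peer in cfg.get("peer", {}).items():
                for cidr in peer.get("allowed-ips", []):
                    if not ipaddress.ip_network(cidr, strict=False).subnet_of(subnet):
                        findings.append(
                            f"{name}: peer {pubkey} allowed-ips {cidr} is outside {subnet}")

        # The listen port must be accepted by some WAN_LOCAL rule, as UDP.
        for port in cfg.get("listen-port", []):
            accepted = any(
                rule.get("action") == ["accept"]
                and rule.get("protocol") == ["udp"]
                and rule.get("destination", {}).get("port") == [port]
                for rule in rules.values())
            if not accepted:
                findings.append(f"{name}: no WAN_LOCAL rule accepts udp/{port}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_set_commands(SAMPLE_SET_COMMANDS)) or ["clean"]:
        print(finding)
```

Run it against the commands you intend to paste into `configure`; on the constructed sample it reports only the orphaned rule 30, and once that line is changed to rule 20 it reports nothing.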

Because eth1 and eth2 are connected to bridge br0, and I want to reach the local devices behind the router through the VPN, I configured a NAT rule:

Or using the CLI:

configure

set nat source rule 10 description 'NAT for WireGuard'
set nat source rule 10 outbound-interface br0
set nat source rule 10 action masquerade
set nat source rule 10 source 10.0.0.0/24

commit
save

Once it is configured, we can check the status with the command below; the state should be up (u/u):

show interfaces wireguard 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
wg0          10.0.0.1/32                       u/u

Useful debugging commands

sudo tcpdump -i wg0 udp port 51820

show dhcp leases

# WireGuard uses UDP, so telnet can't be used for debugging
# Check whether the port is reachable (for UDP, nc only reports success
# when no ICMP port-unreachable comes back, so this proves the port is
# not rejected rather than that WireGuard answered)

nc -zv -u <router ip> 51820
Connection to <router ip> 51820 port [udp/*] succeeded!

Connecting a Linux client

I will show configurations for two clients: a Linux PC and an Android phone.

Linux configuration:

/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <use private key generated earlier>
Address = 10.0.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = <get public key from WireGuard from EdgeRouter>
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
Endpoint = <router ip>:51820
PersistentKeepalive = 25

  • sudo wg-quick up wg0: bring the VPN tunnel up
  • sudo wg-quick down wg0: bring the VPN tunnel down

Test it: you should be able to ping 10.0.0.1.

traceroute 10.0.0.1   
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  3.896 ms  3.958 ms  4.609 ms

Also, when connecting from another network, you should be able to communicate with the devices connected to the EdgeRouter.

Connecting Android client

I used the WireGuard client from the Play Store.

The private key was generated using the EdgeOS web UI; the important settings are:

Addresses: your address inside the VPN network; it should match the allowed-ips configured for this peer on the router
mine was: 10.0.0.3/32

Endpoint: the router's IP address (where the WireGuard service runs) and port
mine was: <router ip>:51820

Allowed IPs: this is up to you; if you want to send all traffic through the VPN, set it to 0.0.0.0/0
mine was: 10.0.0.0/24, 192.168.1.0/24
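The AllowedIPs value on a client is what decides which destinations enter the tunnel: WireGuard's cryptokey routing sends a packet to the peer whose AllowedIPs contains its destination (most specific prefix wins), and anything not covered follows the normal routes. The script below is an added example, not code from this article or from the WireGuard project. It reads the [Peer] sections of a client wg0.conf and reports, for a few destinations, whether they would travel over wg0 for the split-tunnel list used above versus 0.0.0.0/0. The sample configs are constructed from the Linux client file in this article, with placeholder keys and a documentation-range address (203.0.113.10) standing in for `<router ip>`.

```python
"""Which destinations a WireGuard client sends into the tunnel.

Added example, not code from the article or from the WireGuard project.
It reads the [Peer] sections of a client wg0.conf and, for a given
destination, returns the AllowedIPs entry that would carry it.
"""
import ipaddress

# Constructed sample: the article's Linux client config with placeholder keys
# and a documentation-range (TEST-NET-3) address standing in for <router ip>.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client private key placeholder>
Address = 10.0.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = <router public key placeholder>
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

# Same client, but routing everything through the router (the 0.0.0.0/0
# option mentioned for the Android client).
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.0.0.0/24, 192.168.1.0/24", "AllowedIPs = 0.0.0.0/0")


def parse_peers(conf_text):
    """Return one dict per [Peer] section (keys lower-cased). Hand-rolled
    because configparser would merge repeated [Peer] sections into one."""
    peers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append({})
            continue
        key, _, value = line.partition("=")
        if section == "peer":
            peers[-1][key.strip().lower()] = value.strip()
    return peers


def tunnel_route_for(conf_text, destination):
    """Return the most specific AllowedIPs network covering `destination`
    across all peers, or None when the packet never enters the tunnel."""
    dst = ipaddress.ip_address(destination)
    best = None
    for peer in parse_peers(conf_text):
        for cidr in peer.get("allowedips", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != dst.version or dst not in net:
                continue
            if best is None or net.prefixlen > best.prefixlen:
                best = net  # longest prefix wins, as in WireGuard's routing
    return best


def route_table(conf_text, destinations):
    """Map each destination to 'wg0 via <net>' or 'outside the tunnel'."""
    table = {}
    for dest in destinations:
        net = tunnel_route_for(conf_text, dest)
        table[dest] = f"wg0 via {net}" if net is not None else "outside the tunnel"
    return table


if __name__ == "__main__":
    probes = ["10.0.0.1", "192.168.1.50", "1.1.1.1"]
    for label, conf in (("split tunnel", SPLIT_TUNNEL_CONF), ("full tunnel", FULL_TUNNEL_CONF)):
        print(label)
        for dest, verdict in route_table(conf, probes).items():
            print(f"  {dest:<14} {verdict}")
```

With the split-tunnel list, the router and the LAN are reached over wg0 while everything else, such as 1.1.1.1, bypasses the VPN; with 0.0.0.0/0 every destination is carried by the tunnel, which is why that choice also makes the DNS line in [Interface] matter.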

For debugging on Android I used Termux, a terminal emulator, with tools like telnet, ping and curl.
