WIREGUARD ON EDGEOS FOR A FASTER HOME VPN

INSTALLING WIREGUARD ON UBIQUITI ROUTERS FOR FASTER HOME VPN

This article is a repost from here and modified/updated based on personal experience.

You might also find this video helpful

Wireguard is an extremely simple, fast, and modern VPN. With it’s introduction into the mainline linux kernel, Wireguard promises to provide a simpler, faster, and more secure way for setting up a VPN without needing to deal with traditional solutions like OpenVPN and L2TP/IPSEC, which can be cumbersome and slow.

In this article I’ll cover how to install Wireguard on a Ubiquiti router, and how to connect a remote client to it.

SETTING UP THE ROUTER

The first step in getting Wireguard installed on EdgeOS is to SSH into your router. If SSH is not already set up on your router, it can be enabled by following this guide.

Once you can SSH into your router, download the appropriate DEB package from https://github.com/WireGuard/wireguard-vyatta-ubnt and install it via dpkg. The code below is for my Edge Router 4P running firmware v2.

cd /tmp

# Download the appropriate version
curl -qLs https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb -o wireguard.deb
sudo dpkg -i wireguard.deb

Once Wireguard is installed on your router it can be configured via the standard Vyatta interface.

Note that since Wireguard is not software bundled with the EdgeOS firmware, firmware upgrades necessitate re-installing the Wireguard debian package. Once the wireguard package is re-installed re-applying the existing Vyatta config file, or rebooting will restore your interfaces.

Your first step is to generate a private key for your router, and to generate a public key which you can distribute to clients.

Note: I put my keys in the following locations: /config/auth/wireguard/server and /config/auth/wireguard/clients

mkdir -p /config/auth/server && mkdir -p /config/auth/client # Create the paths

wg genkey | tee /config/auth/server/wg.key | wg pubkey > /config/auth/server/wg.pub

This will create two new files in the /config/auth/server path, the first being your private key, and the second being your public key (below is an example, please use your own!). If you look at the content, you will see something like this:

cat /config/auth/server/wpg.key
0GbmWkPkYB9y2s5aIaAxUrAPoSnsDFnuhHjRnujEsm8=

Next, using the standard Vyatta configure cli tool, we’re going to set up Wireguard Interface:

configure

# Adjust the address as necessary. This will be the primary IP/GW on your wireguard network
set interfaces wireguard wg0 address 192.168.33.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true

set interfaces wireguard wg0 private-key /config/auth/server/wg.key

# You might need to change the rule number depending on your settings
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51820

commit
save
exist

Next, using the standard Vyatta configure cli tool, we’re going to set up a Wireguard Peer (note you will need some information from the steps below to finish this step):

Generate a client key (recommendation is to create a folder under /config/auth/client for each client)

wg genkey | tee wg.key | wg pubkey > wg.pub
configure

# Create a new peer
set interfaces wireguard wg0 peer <peer public key from wg genkey> allowed-ips 192.168.33.101/32

commit
save
exit

These commands will create a wireguard network on 192.168.33.1/24, and will route all traffic on 192.168.33.1/24 through the new wireguard interface.

SETTING UP THE CLIENT

With our router now set up, we next need to repeat the key generation process on our client and exchange public keys to establish a connection.

First, we need to install Wireguard on our client. On Ubuntu, this can be done by runnung:

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard

Instructions for additional platforms are available on the wireguard wiki.

On your client device (Mac or Linux), repeat the key generation command:

$ wg genkey | tee /dev/tty | wg pubkey
eFzrSu/yJMgDjZDNXL9dJsDcT9n00hySFYUOCFulO1Y=
aWLc3A6WnKtVpTYPki3TRrKGDg8JUS0HephzxpnP8js=

Now, we need to create the wireguard interface on our client by creating /etc/wireguard/wg0.conf

# touch /etc/wireguard/wg0.conf
# chown root:root /etc/wireguard/wg0.conf
# chmod 600 /etc/wireguard/wg0.conf

Then we need to populate this file with the interface information, and the information for our router.

[Interface]
Address = 192.168.33.2/32
PrivateKey = eFzrSu/yJMgDjZDNXL9dJsDcT9n00hySFYUOCFulO1Y=

[Peer]
PublicKey = KsVzrtWPGWDbuCLPUyTsTL6pQOfiS+96VOXsMnPo+SI=
AllowedIPs = 192.168.33.0/24  # Add additional networks (comma delimited) here that you need access to (ex: 192.168.1.0/24, 10.0.0.0/24)
Endpoint = public_dns_or_ip_of_server:51820

As this file is the most confusing part of Wireguard, let’s take a moment to break down exactly what each block is doing.

CLIENT INTERFACE

The [Interface] block defines the private key of the client, and the IP address that the interface should use for connecting to any peer. The IP address should be in CIDR/32 format, since we’ll only ever have a single IP address.

[Interface]
Address = 192.168.33.2/32
PrivateKey = eFzrSu/yJMgDjZDNXL9dJsDcT9n00hySFYUOCFulO1Y=

PEER

The [Peer] block defines who we’re connecting to, and what routes we want to Wireguard to send over the previously created interface.

[Peer]
PublicKey = KsVzrtWPGWDbuCLPUyTsTL6pQOfiS+96VOXsMnPo+SI=
AllowedIPs = 192.168.33.0/24
Endpoint = public_ip_of_router:51820

The PublicKey line is the public key of our router, and the Endpoint defines where our router is located at on the public internet.

The AllowedIPs line tells the wg0 interface what routes we want to send through the interface. In this example, Wireguard will route any traffic to 192.168.33.0/24 over the Wireguard interface and to our router.

While this gets us connectivity to our router, it doesn’t let us access other devices on our LAN behind our router. To do that, we simply need to update the AllowedIPs section with our LAN IP range. For instance, of devices on your network have an IP within 192.168.0.0/24, we can simply update our AllowedIPs line to look as follows:

AllowedIPs 192.168.33.0/24, 192.168.0.0/24

Now traffic over our VPN, and to our LAN will be routed over the Wireguard interface and to our router, which will seamlessly handle forwarding to clients on our LAN.

PEERING OUR ROUTER

Now that we have our public key of our client, we need to update our router’s configuration.

set interfaces wireguard wg0 peer aWLc3A6WnKtVpTYPki3TRrKGDg8JUS0HephzxpnP8js= allowed-ips 192.168.33.2/32

commit
save

This command tells our router to accept traffic from our client with the public key of aWLc3A6WnKtVpTYPki3TRrKGDg8JUS0HephzxpnP8js= (which we generated earlier), and to only forward and accept traffic from the IP address of our client, 192.168.33.2/32.

When configuring your router with multiple peers, it’s important that you don’t create overlapping entries for the allowed-ips line, as the router won’t be able to route traffic appropriately.

BRINGING THE CLIENT INTERFACE UP

Back on the client, we can now bring our wg0 interface up by running:

sudo wg-quick up wg0

We can verify connectivty by running sudo wg, which will give us information about peers we are connected to.

interface: wg0
  public key: QLpJ0XIWAgPtC+8P2ctmmRITv1SufXOzRqKIdlzcd1I=
  private key: (hidden)
  listening port: 55972

peer: aWLc3A6WnKtVpTYPki3TRrKGDg8JUS0HephzxpnP8js=
  endpoint: ip_of_router:51820
  allowed ips: 192.168.33.0/24, 192.168.0.0/24
  latest handshake: 49 minutes, 26 seconds ago
  transfer: 472 B received, 6.01 KiB sent

We can repeat the sudo wg command on our router to verify connectivity as well.

After confirming that Wireguard thinks it’s connected, we can use any of our standard networking tools to connect to hosts behind our LAN, such as ping, SSH, etc…

Automatically bringing the interface up on Linux

On Linux, Wireguard comes a systemd command which can be used to automatically bring the interface up on boot. It can be enabled by running:

$ sudo systemctl enable wg-quick@wg0.service
$ sudo systemctl start wg-quick@wg0.service

CLOSING THOUGHTS

Wireguard is a very fast VPN, and once it has mainline support in the Linux kernel, it’ll be even faster. As this article has shown, setting up Wireguard is extremely easy, especially compared to other VPN solutions such as OpenVPN or L2TP/IPSEC.

I hope you find this article useful – be sure to reach out with any questions if you have them. I look forward to hearing from you.