Wireguard on Ubiquiti EdgeRouter 4

· 4min · Dan F.

WireGuard is one of the hottest new VPNs available today, and is rapidly being adopted as the likely successor to OpenVPN. The Ubiquiti EdgeRouter is an awesome, high-performing wired router which also comes with firewall and VPN functionality. This article will walk you through how to quickly set up WireGuard on an EdgeRouter 4.

First, you will need to download the proper .deb for your EdgeRouter. Check out the WireGuard/wireguard-vyatta-ubnt repo on GitHub, making sure to download the proper version for your hardware and firmware. In my case, I had to download the e300-v2 package, since my EdgeRouter 4 is running v2 firmware. Keep in mind what you are installing: a community-built kernel module and tools package, not an official Ubiquiti one, installed as root on your perimeter device. Fetch it only from that project's releases page, and expect to reinstall it after a firmware upgrade, since the upgrade replaces the root filesystem the package lives on.

# Download .deb (e300 = EdgeRouter 4; pick the file matching your model and firmware version)
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e300-v2-v1.0.20211208-v1.0.20210914.deb

# Install deb (dpkg needs root)
sudo dpkg -i e300-v2-v1.0.20211208-v1.0.20210914.deb

Next, you will need to generate private and public keys for both your EdgeRouter and your client. We will only walk through creating a config for a single client today.

# Generate server keys and a set of client keys.
# umask 077 makes the private key files readable by their owner only.
cd $HOME
umask 077
mkdir -p wireguard/server
mkdir -p wireguard/client_one
wg genkey | tee wireguard/server/privatekey | wg pubkey > wireguard/server/publickey
wg genkey | tee wireguard/client_one/privatekey | wg pubkey > wireguard/client_one/publickey

Now we need to configure the VPN on the EdgeRouter. These steps will create the wg0 interface, as well as specify the network for the VPN.

# Enter configure mode
configure

# The location of the server's private key
set interfaces wireguard wg0 private-key /home/ubnt/wireguard/server/privatekey

# Create the gateway ip for the new wireguard vpn. Pick a subnet that is not already used on any other interface of your router.
set interfaces wireguard wg0 address 10.10.0.1/24

# Install a route via wg0 for each peer's allowed-ips
set interfaces wireguard wg0 route-allowed-ips true

# Port for wireguard which peers will use to connect
set interfaces wireguard wg0 listen-port 51820

# Commit and save
commit; save

Now we need to add our client's public key to our new wg0 interface. I ran into issues referencing the publickey file when running the "set interfaces" command for our peer, but I found that pasting the publickey directly into the command worked. The peer's allowed-ips must be inside the network of the wireguard wg0 interface. In my example above, the wg0 network is 10.10.0.1/24, so I set my client below to 10.10.0.2/32. Note that allowed-ips on the router does double duty: it is the route to this peer, and it is also a source filter, so a packet arriving from this peer with any source address other than 10.10.0.2 is dropped.

# Cat out client's publickey, and paste it below
cat wireguard/client_one/publickey

# Create new client with publickey from above
set interfaces wireguard wg0 peer {{ public key from above }} allowed-ips 10.10.0.2/32

# Update firewall rules: allow WireGuard's UDP port in from the WAN.
# Pick a rule number that is not already in use ('show firewall name WAN_LOCAL' lists them);
# the Basic Setup wizard's default rules occupy 10 and 20, so change 20 if your config came from the wizard.
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 destination port 51820
set firewall name WAN_LOCAL rule 20 description 'WireGuard'

# Commit and save
commit; save

# Exit
exit

Finally, we need to create the client's config. This config will need to be provided to your client device. On the client, AllowedIPs decides which destinations are routed into the tunnel: it can be set to 0.0.0.0/0 in order to route all packets leaving the client through the VPN, or can optionally be set to your home network, such as 192.168.0.0/24, to create a split tunnel. A split tunnel will only route traffic destined for the AllowedIPs network through the VPN, leaving all external web traffic going out your device's default gateway. A full tunnel also relies on the router's outbound source NAT covering the 10.10.0.0/24 source (the wizard's default masquerade rule, which has no source restriction, does).

Go ahead and run this script from the EdgeRouter in order to generate client_one's client config:

#!/bin/bash
# Run from the EdgeRouter; paths are relative to $HOME, where the keys were generated above.
cd "$HOME"

# ifconfig.me only shows the router's current public IP; if that address is dynamic,
# put a DDNS hostname in Endpoint instead.
echo "[Interface]
PrivateKey = $(cat wireguard/client_one/privatekey)
ListenPort = 51820                  # optional; a roaming client does not need a fixed port
Address = 10.10.0.2/32              # client ip set above
DNS = 1.1.1.1                       # optionally set DNS

[Peer]
PublicKey = $(cat wireguard/server/publickey)
AllowedIPs = 0.0.0.0/0              # or 192.168.0.0/24 for a split tunnel
Endpoint = $(curl -s ifconfig.me):51820     # public ip or fqdn of server"

In order to add more clients, you will need to generate a new public/private key pair for each client, add its public key to wg0 with a unique allowed-ips address, then create a config for each with that same unique address. Once a client has connected, `sudo wg show` on the router lists each peer with its latest handshake time and transfer counters, which is the quickest way to confirm the tunnel is actually up.
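To do that for several clients at once, here is a helper script. It is an added example and not part of the original post; it assumes the layout used above (keys under $HOME/wireguard, wg0 on 10.10.0.1/24, UDP 51820, client_one already on 10.10.0.2) and takes the router's public IP or DDNS name plus a list of client names as arguments. For each client it generates a key pair with restrictive permissions, prints the `set interfaces wireguard wg0 peer` line to paste into configure mode, and writes a full-tunnel client config next to the keys.

```sh
#!/bin/sh
# add-wg-clients.sh (added example): one key pair, one "set" command and one
# client config per client name. Assumes keys under $HOME/wireguard, wg0 on
# 10.10.0.1/24 and UDP 51820 as configured above. Usage:
#   sh add-wg-clients.sh vpn.example.com phone laptop
set -eu

WG_NET=10.10.0                          # first three octets of the wg0 network
WG_PORT=51820
WG_DIR="${HOME}/wireguard"
SERVER_PUB_FILE="${WG_DIR}/server/publickey"
HOST_START=3                            # 10.10.0.2 is already taken by client_one

# Create a key pair in directory $1. umask 077 keeps the private key owner-readable only.
gen_keys() {
    ( umask 077 && mkdir -p "$1" \
        && wg genkey | tee "$1/privatekey" | wg pubkey > "$1/publickey" )
}

# Print the configure-mode command that registers one peer.
# $1 = client public key, $2 = host number (last octet). The /32 allowed-ips is
# both the route to the peer and a source filter for packets arriving from it.
peer_set_cmd() {
    printf 'set interfaces wireguard wg0 peer %s allowed-ips %s.%s/32\n' "$1" "$WG_NET" "$2"
}

# Render a client config to stdout.
# $1 = client private key, $2 = server public key, $3 = host number,
# $4 = router endpoint (public IP or DDNS name), $5 = AllowedIPs for the client
# (0.0.0.0/0 = full tunnel; e.g. 192.168.0.0/24 = split tunnel to the LAN only).
client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s.%s/32\nDNS = 1.1.1.1\n\n' "$1" "$WG_NET" "$3"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s:%s\n' "$2" "$5" "$4" "$WG_PORT"
}

# A usable host number is 2..254: .1 is the router, .0 and .255 are not hosts in a /24.
valid_host() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

main() {
    endpoint=$1; shift
    [ -r "$SERVER_PUB_FILE" ] || { echo "missing $SERVER_PUB_FILE; generate the server keys first" >&2; exit 1; }
    server_pub=$(cat "$SERVER_PUB_FILE")
    host=$HOST_START
    for name in "$@"; do
        valid_host "$host" || { echo "host number $host is out of range; the /24 is full" >&2; exit 1; }
        dir="$WG_DIR/$name"
        gen_keys "$dir"
        peer_set_cmd "$(cat "$dir/publickey")" "$host"
        ( umask 077 && client_conf "$(cat "$dir/privatekey")" "$server_pub" "$host" \
              "$endpoint" 0.0.0.0/0 > "$dir/$name.conf" )
        host=$((host + 1))
    done
    echo "# paste the set commands above into 'configure', then: commit; save" >&2
}

# Run only when given arguments, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The generated `.conf` files contain the clients' private keys, so copy each one to its device and then delete it from the router. Nothing here touches the firewall: the single WAN_LOCAL rule for UDP 51820 already covers every peer.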