WireGuard VPN Setup
Prepare
Before creating the VPN, prepare the following:
Does the client have a static WAN IP? If not, they need one; otherwise you will encounter issues whenever the DHCP-assigned WAN IP changes. You can partly mitigate this with a DDNS service (like afraid.org), but it requires extra manual setup and is generally not worth it.
- The static WAN IP must be entered into the Unifi router before you start configuring the VPN.
What is the default LAN subnet?
Unifi, by default, uses 192.168.1.1/24 as the default LAN IP. Since that scheme is almost always a default on routers across all brands, change it to something less common so the office LAN does not overlap with the subnet of the network a remote client is connecting from. Skip all the other common default schemes as well:
- 192.168.1.0
- 192.168.0.0
- 192.168.2.0
- 10.0.0.1
- 172.168.0.1
- Do this prior to setting up the VPN and verify that the customer maintains connectivity to all devices. For devices with static IP reservations (either on the device or in Unifi), you will need to update them to match the new scheme.
- What will the remote subnet be? The WireGuard VPN reserves its own subnet for remote clients when they connect. This should also be something uncommon (see the LAN subnet note above). The VPN setup page will try to default this to something common; manually override it when you get to that point.
(Windows hosts only) What needs to connect to what? For Windows hosts only, you must identify which devices need to be accessed and from which direction. By default, Windows disallows inbound network access from IPs outside the subnet of its local network.
Consider the following two "types" of devices:
- LAN Device: Anything that is connected (wired or wireless) to the Unifi router
- VPN Client Device: Anything that uses the WireGuard VPN to connect to the office
There are 4 possibilities:
- LAN Device connects to LAN Device: this is possible without the VPN, so no special consideration is needed.
- LAN Device connects to VPN Client Device: The VPN Client Device will need a firewall rule allowing connections from the LAN
- VPN Client Device to LAN Device: The LAN Device will need a firewall rule allowing connections from the VPN
- VPN Client Device to VPN Client Device: No special access should be required since they'll be in the same subnet anyway
- Take note of the devices that need special firewall rules and implement those rules after the VPN is installed
Execute
Configure VPN: Settings -> VPN (use the new Unifi interface)
- You start on the Teleport tab
- Go to "VPN Server"
- Choose WireGuard
- Name it "WireGuard VPN"
- Server Address should be the WAN interface and you should see the static WAN IP here - if you don't, revisit the "Prepare" section and make sure you have the WAN IP configured correctly
- Under "Advanced", change the setting to manual and change the Gateway/Subnet to the unique IP scheme you chose earlier
- Click "Apply Changes"
Prepare one VPN Client per device that will connect to the VPN. WireGuard allocates a static tunnel IP for each client created, so sharing one client profile across multiple devices can lead to an IP address conflict if two or more of those devices connect at the same time.
For each device that will connect:
- Click "+ Add Client"
- Give it a meaningful but short name
- Download the configuration file (if you skip this step you'll need to recreate the client because you can't get the configuration file again)
- Click Add
- On the main VPN Server screen, click "Apply Settings" (you can save this step and do it once after all the clients are created, but you must click "Apply Settings" else your changes will not be saved)
Connect clients
- On the computers that will connect to the VPN, download the WireGuard VPN client: https://www.wireguard.com/install/
- Install the WireGuard client and open it, then click "Add Tunnel"
- Transfer the tunnel file to the computer (use the file transfer feature of ScreenConnect or Bitwarden's "Send" feature) and open it on the "Import tunnel(s) from file" browser dialog window
- Connect to the VPN. Note that VPNs generally don't work when you're on the same network as the server, so you may need to connect the device to your phone hotspot to test whether it's working
- WireGuard VPN automatically reconnects on reboot if you were connected at the time of shutdown
- Verify connectivity. If you are connecting to Windows hosts through the VPN, see the "Connecting to Windows hosts" section below. Otherwise, you should be able to access/ping any device on the network now
Connecting to Windows hosts
Windows hosts disable connection from outside their LAN, by default. This is configured by a firewall rule. You must configure the firewall rule to allow connections via the WireGuard VPN - turning off the firewall is not sufficient to allow the connection to pass through.
For example, if a Windows device is on a network with the scheme 192.168.56.0/24, Windows only allows connections from devices on that same 192.168.56.0/24 scheme. If the VPN is set up to use 192.168.55.0/24, devices that connect from the VPN will not be able to access anything on the Windows host without a specific firewall rule.
Note: Do not attempt to set the VPN network to use the same LAN IP scheme as the router's default LAN IP scheme in an attempt to circumvent this step.
For the following instructions, assume that the IP schemes are as follows:
- Unifi default LAN IP scheme: 192.168.56.0/24
- WireGuard VPN IP scheme: 10.10.250.0/24
If you see either of those IP schemes in the following instructions, replace them with the correct values for your current network configuration.
- In Windows, open Network & Sharing Center
- Go to Firewall
- Go to "Advanced settings" to open the Advanced Firewall page
Create a new Inbound Rule
- Type: Custom
- All Programs
- Any Protocol
- Local IP addresses: any
- Remote IP addresses: the "other" subnet
  - Are you on a device local to the Unifi router? Then this value needs to be the WireGuard VPN IP scheme (e.g. 10.10.250.0/24)
  - Are you on a device that connects with the WireGuard VPN client? Then this value needs to be the Unifi default LAN IP scheme (e.g. 192.168.56.0/24)
- Allow the connection
- Profile: all
- Name: "Allow WireGuard VPN"
- Save the new rule. You should immediately be able to access the Windows host.
Troubleshooting: Printer or other local devices inaccessible when connected to VPN
Overview
By default, WireGuard tunnel configurations include AllowedIPs = 0.0.0.0/0, which tells the VPN-connected device "route all traffic through the VPN adapter". This also includes local LAN traffic, such as a printer that is on the same physical network as the VPN-connected device. This can break access to local devices (e.g., printers or file shares) on the user's home or office network.
Because 0.0.0.0/0 represents literally every IPv4 address possible, we have to tell the WireGuard VPN client to "route every IPv4 address through the tunnel, except this local LAN subnet". Since there is no shorthand for this, we have to construct an AllowedIPs list that explicitly contains every possible IP except the ones we don't want to route through the VPN tunnel.
To avoid routing local subnet traffic through WireGuard, we use the Procustodibus AllowedIPs Calculator to subtract a specific local subnet from 0.0.0.0/0. Assume the following:
- The current AllowedIPs value contains 192.168.55.1/32, 192.168.55.4/32, 0.0.0.0/0
- The LAN subnet of the VPN-connected device is 192.168.0.0/24
- There is a device on the LAN subnet (e.g. a printer) that needs to remain accessible even when the VPN tunnel is established
In this scenario, use the calculator linked above to generate an AllowedIPs value that excludes the LAN subnet, then save the configuration in the WireGuard VPN client.
Get the current AllowedIPs value
- Open the WireGuard VPN client, click on the tunnel you want to modify, and click the "Edit" button at the bottom of the window
- Search for AllowedIPs and copy the comma-delimited IP list
Identify the LAN Subnet
- With the VPN disconnected on the target machine, run ipconfig /all (or its OS's equivalent) to find the gateway and subnet mask. For this example, we will assume the LAN gateway is 192.168.0.1 and the subnet mask is 255.255.255.0, so the shorthand CIDR notation is 192.168.0.0/24.
Use the calculator
- Visit the Procustodibus AllowedIPs Calculator
- Enter the current AllowedIPs value into the "Allowed IPs" field
- Enter the LAN subnet (e.g. 192.168.0.0/24) into the "Disallowed IPs" field
- Click "Calculate"
- Copy the output of the calculator, which should be a long list of IPs such as:
AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.1.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.55.1/32, 192.168.55.4/32, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3
- In the WireGuard VPN client on the target machine, click on the tunnel you want to modify and click the Edit button at the bottom of the window
- Replace the AllowedIPs field with the newly generated value
- Save the configuration
- Connect to the VPN
- Confirm connectivity still works to local devices (e.g. printers)
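For the case above where the web calculator is unavailable, or where you want to check its output before pasting it into the tunnel, the following script does the same subtraction offline with only the Python standard library. It is an added example written for this guide; it is not part of the original procedure, the Procustodibus calculator, or WireGuard itself. The AllowedIPs value and LAN subnet in it are the constructed ones from the scenario above, and the function names (parse_allowed_ips, subtract_networks, covers) are this example's own.

```python
"""Subtract a local LAN subnet from a WireGuard AllowedIPs list.

Added example for this guide (not the calculator's or WireGuard's code).
It splits every allowed prefix that overlaps the disallowed subnet into
the smallest set of CIDR blocks that still cover everything else, which
is exactly what the web calculator does, using only ipaddress.
"""
import ipaddress
from typing import Iterable, List


def parse_allowed_ips(value: str) -> List[ipaddress.IPv4Network]:
    """Parse the comma-delimited AllowedIPs value copied from the tunnel config."""
    return [
        ipaddress.ip_network(item.strip(), strict=False)
        for item in value.split(",")
        if item.strip()
    ]


def subtract_networks(allowed: Iterable[ipaddress.IPv4Network],
                      disallowed: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Remove every disallowed prefix from every allowed prefix.

    A prefix containing a disallowed block is carved up with address_exclude;
    a prefix that lies entirely inside a disallowed block is dropped; disjoint
    prefixes are kept unchanged. Entries are deliberately NOT merged, so an
    explicit /32 route (e.g. a single office host) survives as its own entry,
    matching what the web calculator returns.
    """
    result = list(allowed)
    for bad in disallowed:
        kept = []
        for net in result:
            if bad.version != net.version:
                kept.append(net)                     # v4 vs v6: nothing to subtract
            elif bad.subnet_of(net):
                kept.extend(net.address_exclude(bad))  # carve the LAN out of this block
            elif net.subnet_of(bad):
                continue                             # swallowed by the LAN: drop it
            else:
                kept.append(net)                     # disjoint: keep as-is
        result = kept
    return sorted(result)


def format_allowed_ips(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Render the list as the line to paste into the [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def covers(nets: Iterable[ipaddress.IPv4Network], address: str) -> bool:
    """True if any prefix in the list would route this address into the tunnel."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in nets)


# Constructed inputs taken from the guide's example scenario (not real site data).
CURRENT_ALLOWED_IPS = "192.168.55.1/32, 192.168.55.4/32, 0.0.0.0/0"
LOCAL_LAN = "192.168.0.0/24"


def build_example() -> List[ipaddress.IPv4Network]:
    """Run the scenario: exclude the home/office LAN from the full-tunnel route."""
    allowed = parse_allowed_ips(CURRENT_ALLOWED_IPS)
    disallowed = [ipaddress.ip_network(LOCAL_LAN)]
    return subtract_networks(allowed, disallowed)


if __name__ == "__main__":
    nets = build_example()
    print(format_allowed_ips(nets))
    # Sanity checks worth doing before saving the tunnel config:
    assert not covers(nets, "192.168.0.50")   # the local printer stays off the tunnel
    assert covers(nets, "192.168.55.4")       # office hosts still go through the tunnel
    assert covers(nets, "8.8.8.8")            # and so does the rest of the internet
```

The printed line is a drop-in replacement for the AllowedIPs field in the tunnel editor. The covers() checks are the quick way to confirm the result is right: the printer's address must not match any entry, while the office hosts and the public internet still must. If a site has more than one local subnet to keep reachable, pass them all in the disallowed list and the same splitting applies to each.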