Setup WireGuard VPN Server with Ubiquiti Edgerouter X (EdgeOS) (2024)

WireGuard is a fast and secure VPN protocol that uses state-of-the-art cryptography. It is designed to be easy to implement and manage, and has a minimal attack surface. Its simplicity and efficiency make it well-suited for use in mobile devices and large-scale deployments.

Note: Before making any major changes on your EdgeOS router, always make a backup. Refer to the official documentation on how to perform one.

Step 1. Installation

Note: The following installation guide was verified working on EdgeOS v2.0.9-hotfix.4 as of Feb 2023.

Verify your EdgeOS version

show version

Download WireGuard

Head over to WireGuard’s EdgeOS releases and look for the release that matches your platform/version.

On the ER-X, use curl to download the .deb file

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e50-v2-v1.0.20220627-v1.0.20210914.deb

Install with dpkg

sudo dpkg -i e50-v2-v1.0.20220627-v1.0.20210914.deb

Output Log

user@ER-X:~$ sudo dpkg -i e50-v2-v1.0.20220627-v1.0.20210914.deb
Selecting previously unselected package wireguard.
(Reading database ... 37091 files and directories currently installed.)
Preparing to unpack e50-v2-v1.0.20220627-v1.0.20210914.deb ...
Adding 'diversion of /opt/vyatta/share/perl5/Vyatta/Interface.pm to /opt/vyatta/share/perl5/Vyatta/Interface.pm.vyatta by wireguard'
Adding 'diversion of /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def to /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def.vyatta by wireguard'
Adding 'diversion of /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp6/interface-type/node.def to /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp6/interface-type/node.def.vyatta by wireguard'
Unpacking wireguard (1.0.20220627-1) ...
Setting up wireguard (1.0.20220627-1) ...

If there is no space available

If additional storage space is needed, you can safely delete the backup system image (not the currently running firmware).

delete system image

You can check if wireguard is installed by running:

wg version

Output log:

user@ER-X:~$ wg version
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/

Step 2. Key Creation

Confirm working directory

pwd

Generate Server Keys

Create a folder for your server keys. You can create it in the /config directory to preserve your files during upgrades, and to make backups easier.

cd /config

Create a folder wireguard, then create another folder for server_keys

mkdir wireguard; cd wireguard
mkdir server_keys; cd server_keys

Generate a key pair for the WireGuard server, using the same wg genkey / wg pubkey pipeline shown for the client keys below.

Note your public and private key for the next configuration steps.

cat publickey privatekey

Generate Client Keys

Move to wireguard directory.

cd /config/wireguard

Create folder wg_clients

mkdir wg_clients ; cd wg_clients

Create folder for client01

mkdir client01 ; cd client01

Generate client keys.

wg genkey | tee privatekey | wg pubkey > publickey

Note your public and private key for the next configuration steps.

cat publickey privatekey

Example output:

user@ER-X:~$ cat privatekey publickey
sAoqK3dXpc2UbOn2LWb/MMcHTKtU0nqHjDQiXqNcyHs=
Bf6LBfuoRDRbO4EJ+tawJXu6qu5BOWaXGK0V+uVRC3Q=

Step 3. wg0 Interface Configuration

Enter configure mode

configure

Set the location of the server’s private-key, previously generated

set interfaces wireguard wg0 private-key <server-private-key-here>

Create the gateway IP for the VPN and its subnet. This subnet can be any private IP range, but make sure it does not conflict with networks you already use.

set interfaces wireguard wg0 address 10.0.0.1/32

Create entries in the route table for the VPN subnet

set interfaces wireguard wg0 route-allowed-ips true

Set the UDP port for WireGuard (the port peers will connect to). The WireGuard default is 51820, but any port can be used.

set interfaces wireguard wg0 listen-port 51820

Save

commit ; save

Step 4. Adding peers to the wg0 Interface

Adding Client 01

Note: make sure you are in configure mode.

set interfaces wireguard wg0 peer <public-key-here>
set interfaces wireguard wg0 peer <public-key-here> allowed-ips 10.0.0.5/32
set interfaces wireguard wg0 peer <public-key-here> description client01

Adding Additional Clients

When adding additional peers, repeat the steps above, making sure to update allowed-ips and description for each new client.

set interfaces wireguard wg0 peer <public-key-here>
set interfaces wireguard wg0 peer <public-key-here> allowed-ips 10.0.0.6/32
set interfaces wireguard wg0 peer <public-key-here> description client02

Save

commit ; save

Step 5. Create firewall rules for WireGuard

Create an accept rule in WAN_LOCAL that allows incoming UDP traffic to destination port 51820 (or whichever port you chose).

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 50 destination port 51820
set firewall name WAN_LOCAL rule 50 description 'WireGuard'

Save

commit ; save

Once this is done, your wg0 interface and firewall configuration should look something like this.

user@ER-X$ show configuration
interfaces {
    wireguard wg0 {
        address 10.0.0.1/32
        listen-port 51820
        peer Bf6LBfuoRDRbO4EJ+tawJXu6qu5BOWaXGK0V+uVRC3Q= {
            allowed-ips 10.0.0.6/32
            description client02
        }
        peer Kf6LBfuoRDRbO4EJ+tawJXu6qu5BOWaXGK0V+uVRC3Q= {
            allowed-ips 10.0.0.5/32
            description client01
        }
        private-key ****************
        route-allowed-ips true
    }
}
firewall {
    name WAN_LOCAL {
        rule 50 {
            action accept
            description WireGuard
            destination {
                port 51820
            }
            log enable
            protocol udp
            source {
            }
        }
    }
}

Step 6. Constructing the Config on the peer side

Config File (.conf)

Create a file on the peer, with the file extension as .conf

The peer side needs a few pieces of information to create the tunnel:

  • The server’s public key
  • The server’s endpoint (public IP address, or DNS record)
  • The peer’s private key
  • The peer’s IP address in the VPN subnet (the allowed IPs value set on the server)

Therefore, the previously generated client01 private key and the server public key should be copied to the peer device.

The configuration should look something like the one below:

Example Client 01

[Interface]
PrivateKey = <private-key-here>
ListenPort = 51820
Address = 10.0.0.5/32
DNS = <any dns>, 9.9.9.9

[Peer]
PublicKey = <public-key-here>
AllowedIPs = 0.0.0.0/0
Endpoint = <your-public-ip-or-dynamic-dns-hostname>:51820

Example Client 02

[Interface]
PrivateKey = <private-key-here>
ListenPort = 51820
Address = 10.0.0.6/32
DNS = <any dns>, 9.9.9.9

[Peer]
PublicKey = <public-key-here>
AllowedIPs = 0.0.0.0/0
Endpoint = <your-public-ip-or-dynamic-dns-hostname>:51820

Once the .conf file is created, you can import that into the peer/device of your choice.
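As an added example (not code from the original post), the following POSIX sh helper ties Steps 2, 4 and 6 together: given a client key pair already produced with wg genkey / wg pubkey, it renders the client-side .conf and the matching EdgeOS peer commands, refusing any key that does not have the 44-character base64 shape wg emits, and writes the .conf owner-only because it carries the private key. The key values and the vpn.example.net endpoint in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the client-side .conf
# (Step 6) and the EdgeOS peer commands (Step 4) for one client whose keys
# were created in Step 2 with: wg genkey | tee privatekey | wg pubkey > publickey

# A WireGuard key is 32 random bytes in base64: 43 characters plus one "=".
# Anything else was mangled in copy-paste and must not reach the config.
wg_key_ok() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# usage: render_client_conf NAME CLIENT_PRIVKEY SERVER_PUBKEY CLIENT_ADDR ENDPOINT
render_client_conf() {
  name=$1 cpriv=$2 spub=$3 addr=$4 endpoint=$5
  wg_key_ok "$cpriv" && wg_key_ok "$spub" || { echo "$name: malformed key" >&2; return 1; }
  printf '[Interface]\nPrivateKey = %s\nListenPort = 51820\nAddress = %s/32\nDNS = 9.9.9.9\n\n' \
    "$cpriv" "$addr"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s:51820\n' \
    "$spub" "$endpoint"
}

# usage: render_peer_commands NAME CLIENT_PUBKEY CLIENT_ADDR
# Output is pasted into EdgeOS configure mode, followed by "commit ; save".
render_peer_commands() {
  name=$1 cpub=$2 addr=$3
  wg_key_ok "$cpub" || { echo "$name: malformed key" >&2; return 1; }
  printf 'set interfaces wireguard wg0 peer %s\n' "$cpub"
  printf 'set interfaces wireguard wg0 peer %s allowed-ips %s/32\n' "$cpub" "$addr"
  printf 'set interfaces wireguard wg0 peer %s description %s\n' "$cpub" "$name"
}

# usage: write_client_conf DIR NAME CLIENT_PRIVKEY SERVER_PUBKEY CLIENT_ADDR ENDPOINT
# The .conf carries the private key, so it is created owner-only (mode 0600);
# "wg genkey | tee privatekey" on its own leaves files at the default umask.
write_client_conf() {
  dir=$1; shift; name=$1; shift
  mkdir -p "$dir" || return 1
  ( umask 077; render_client_conf "$name" "$@" > "$dir/$name.conf" )
}

# Demo with constructed placeholder keys and a placeholder endpoint;
# substitute the real values from /config/wireguard on the router.
CLIENT_PRIV='sAoqK3dXpc2UbOn2LWb/MMcHTKtU0nqHjDQiXqNcyHs='
CLIENT_PUB='Bf6LBfuoRDRbO4EJ+tawJXu6qu5BOWaXGK0V+uVRC3Q='
SERVER_PUB='Kf6LBfuoRDRbO4EJ+tawJXu6qu5BOWaXGK0V+uVRC3Q='
render_client_conf client01 "$CLIENT_PRIV" "$SERVER_PUB" 10.0.0.5 vpn.example.net
render_peer_commands client01 "$CLIENT_PUB" 10.0.0.5
```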

To bring up your tunnel, you can use the wg-quick command.

wg-quick up client01.conf

Run wg show on your peer to verify you are connected to the endpoint.

user@PC$ wg show
interface: client01
  public key: <public-key>
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: <peer-key>
  endpoint: xx.xx.xx.xx:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 11 seconds ago
  transfer: 3.11 MiB received, 6.92 MiB sent

Step 7. Save WireGuard Keys and Configuration Files

Once the above configuration is made, you can easily save the config by running a backup from the Edgerouter’s GUI.

  1. Navigate to the System tab in the bottom-left of the GUI to download the backup configuration archive.

     System > Configuration Management & Device Maintenance > Back Up Config

  2. Download the backup config file by clicking on the Download button.

  3. The EdgeRouter will prompt you to save the archive on your computer.

You can then extract this file on your local machine, and in the /config directory, you’ll find the wireguard public and private keys you generated earlier.

Warning: the following script is not guaranteed to work; you may need to modify it according to your specific platform/version. Use at your own risk.

Determine shell with echo $SHELL

user@ER-X:~$ echo $SHELL
/bin/vbash

EdgeOS comes with vi, you can use that to create the script.

user@ER-X:~$ touch wg-setup.sh
user@ER-X:~$ vi wg-setup.sh

NOTE: Adjust the shebang line if your $SHELL differs; on EdgeOS it will usually be #!/bin/vbash

Paste the following:

#!/bin/vbash
/bin/ip link add dev wg0 type wireguard
/bin/ip addr add 10.0.0.1/32 dev wg0
/usr/bin/sudo /usr/bin/wg setconf wg0 /home/$USER/wg0.conf
/bin/ip link set up dev wg0
/bin/ip route add 10.0.0.1/32 dev wg0
/usr/bin/sudo /sbin/ifconfig wg0 mtu 1300

Make executable

chmod +x wg-setup.sh

Run

./wg-setup.sh

Author: Fredrick Kertzmann
