UniFi WireGuard VPN Setup

  • Published 22 Oct 2024

Comments • 63

  • @bfourney  6 months ago  +2

    Great video. Hope you do a video on how to allow the VPN to access only a particular VLAN but block all other VLANs; it seems like the interface doesn't make this easy to do.

  • @SlimTechnology  1 year ago  +5

    I can confirm that this works with the UXG Pro. I have it set up and working great with a HostiFi controller and a UXG Pro updated to version 3.0.7.

  • @Mark-xr4zt  1 year ago  +10

    Easy to set up, but it doesn't allow access to any of the local network resources; same with the OpenVPN implementation, sadly. No idea how to fix it. Seems to be a problem for a lot of people from what I have gathered. If you have any insights into how to allow access to the LAN resources using the WireGuard or OpenVPN UniFi implementations that would be great, as all it seems to do is allow you to access the internet, which kind of defeats the point.

    • @MrDawnHU  1 year ago

      Same here... I spent hours with my ISP to finally set up and log in to my UDM Pro and now I cannot reach anything. :D Maybe it's a firewall issue? Or a WireGuard AllowedIPs issue?

    • @dnorbertosantana  6 months ago  +1

      In my case, I am successfully connected and received the IP correctly, but no internet traffic is flowing after WireGuard is active (connected); apparently there is no internet after connecting. 😞 (using UDM Pro in 04/2024)

  • @shayadams9179  1 year ago  +3

    Great video. Can you explain the double NAT forwarding please? I have this issue.

  • @corycoffey9474  1 year ago  +4

    Most insurance companies require 2FA/MFA for businesses. Any solution to that with UniFi WireGuard, by chance?

  • @toddgorski7854  8 months ago  +1

    Hey Willie, any idea what configuration changes to make on the client to allow it to access local resources in addition to the VPN?

  • @carloramirez5246  9 months ago  +1

    Hello Willie, hope you are doing well. Does this mean that if I set up a WireGuard VPN server on my UniFi Dream Machine SE, and also install the WireGuard app on a client like an iPhone, any internet traffic (browsing, etc.) from my iPhone is routed through the WireGuard VPN?

  • @zealanCA  1 year ago  +1

    I have a UDM behind a UniFi Edge... WAN coming into the UDM from the Edge. I assume the endpoint should be the public address of the Edge, which then needs to forward the incoming session to the UDM interface; not having much luck. The UDM LAN IP range is x.x.2.x, but the WireGuard config auto-assigned an address in the x.x.4.x range; not sure if that's the issue?

  • @sekritskworl-sekrit_studios  months ago

    I don't get it, do we need to have something like Mullvad or something? If so... where's that step?

  • @LorneCash  3 months ago

    When connected via the WireGuard VPN, is it possible to access local resources by hostname (DNS) rather than IP address? OP, would you consider making a video on this topic?

    • @WillieHowe  3 months ago

      @LorneCash Yes you can, if you have a DNS server internally that can resolve those names and you hand it out to the WireGuard clients.

  • @ryantfinchum  1 year ago  +4

    Followed this exactly and when activated, the internet cuts off... deactivate WireGuard and the internet comes back. Shouldn't the config file ensure the internet is maintained?

    • @dnorbertosantana  6 months ago  +2

      I am facing exactly this behavior (client side: the internet cuts off after the client is connected). Any success in resolving it?

    • @reddysoft  2 months ago  +1

      @dnorbertosantana This must be a dead channel. I have the same problem, but I think this guy no longer replies to his posts.

    • @aventurero2022  months ago

      Just throwing this here... possibly a default route issue? You may have to add a static route for traffic to not go through the VPN.

  • @ericyost5287  1 year ago  +2

    How do you configure which internal IP addresses you can access, for example a camera network or the network a NAS is on?

    • @ninjamunky  1 year ago  +1

      I'm a novice at this, but I would think the UDM handles inter-VLAN routing natively. I would think you'd need to have firewall rules in place if you didn't want the VPN network to have access to other networks.

    • @Joeymac181  1 year ago  +1

      Firewall rules

  • @ryanhafen  1 year ago  +1

    Hey Willie, great video. Quick question… I have a GL-AX1800 travel router that supports WireGuard VPN. I'm hoping to set my travel router up as a client, then be able to connect my devices (phone, laptop, etc.) to the travel router and have all of my device traffic go through the VPN to my home network. Or is that more of a site-to-site VPN?

    • @WillieHowe  1 year ago  +2

      Routers can be set up as a client. I haven't tried it with the UniFi WireGuard, but if you do, let me know how it works.

  • @AceBoy2099  7 months ago

    Ok, so I got this set up, side by side with the WireGuard that is on my Unraid. Letting it use port ...21 instead of ...20 wasn't an issue apparently. Too bad I can't specify my DuckDNS name in the UI setup, so I'll have to change it manually on each client. My problem with my mapped network drives still persists though. I can't reach them through "//server/share" but it works with "//ip/share". How can I get it to work with the server name instead?

  • @catalinrus8491  3 months ago

    I couldn't make it work. On my iPhone it showed Active, but I don't have internet access while I am using 4G cellular data with the VPN activated. I think I will go back to WireGuard hosted on a Raspberry Pi 5.

  • @claykramer9396  1 year ago  +1

    Does this allow the client to use the internet through the UniFi internet connection, so the client looks like they come from the UniFi network?

    • @benmichels1977  1 year ago

      Yes, I use it on my iPhone and I look like I'm perpetually at home. Not only that, it keeps me behind my ad blocking and tracking blocking, and when I visit sites that register my IP it always just detects my home IP.

  • @tabaghdissar  1 year ago

    Does the UniFi Dream Router support this? And is it any good for 250/500/1000 Mbps speeds?

  • @SuperLuckykid10  1 year ago

    Can you set up a VPN client so you can connect the UniFi UDM or UDM SE to a VPN provider like NordVPN or ExpressVPN and have certain devices go through the VPN? Just wondering, I don't own a UniFi UDP.

  • @AceBoy2099  1 year ago

    How would I do this if I have 2 WG "servers" set up? I already have it set up on my Unraid, but if I try to set it up on my new (not in use yet) UDM-P, what all would I need to do?
    Could I use my dynamic DNS name instead of a WAN IP?
    How do I "port forward" the port since it's already set to point to my Unraid? Or can both listen on that port at once?

  • @skmzwanke  1 year ago

    Why is WireGuard needed? Is this only used to VPN into the UniFi console remotely?

  • @papaorti1842  1 year ago  +1

    If WireGuard works, it's really fast and reliable. However, there is no chance to set up a user config if your ISP doesn't give you a static public IP. In that case WireGuard stops working once your WAN IP changes. It would have been great if one could enter the DynDNS domain name instead of a static WAN IP.

  • @PE4Doers  1 year ago

    Nice video Willie. Thanks 😊 You got my 'like', of course.

  • @goncalolourenco6845  1 year ago

    Hi Willie, do you know if the WireGuard VPN resolves the issue that the L2TP VPN has? The problem with L2TP is that it only allows one connection from the same location. Does WireGuard allow 2+ connections from the same location?

    • @WillieHowe  1 year ago  +1

      I haven't tried but I would assume so.

    • @goncalolourenco6845  1 year ago

      @WillieHowe Well, it's time to set up a lab and test 👍 Thanks anyway. Keep the good content flowing 👏👏👏

  • @magicmanchloe  1 year ago

    Can you edit the public IP to a DDNS domain so it always stays up to date?

  • @ThePoorInvestor  1 year ago

    Hi Willie. I'm testing WireGuard by using your suggestions. I ran into problems with domain-joined Windows. The problem is this message: "WireGuard may only be used by users who are members of the Builtin Administrators group". Does WireGuard only work with non-domain-joined PCs?

    • @cjramseyer  1 year ago  +1

      Being part of the built-in Administrators group has nothing to do with being domain joined or not. Every version of Windows ever has had a local Administrators group (it is the Built-In Administrators). A user should NOT be an administrator unless they absolutely have to be, and even then, should not use their regular day-to-day ID; they should use an elevated ID for exactly that privilege. Doing so is one thing that will prevent many exploits from even working for the average attacker.

    • @ThePoorInvestor  1 year ago

      @cjramseyer Makes sense. I wouldn't want a regular Active Directory user to have elevated admin, agreed. However, I'd like the user to be able to VPN into the corporate network with WireGuard. Is there a way to do this? RADIUS offers a magnificent way to allow this with L2TP.

  • @Moonraker11  1 year ago

    What was that warning about NAT all about?

    • @Joeymac181  1 year ago

      From what I understand, home networks are on a private IP behind the public IP, which is a DHCP address. It's not a huge issue because it shouldn't change often, but because it's not static it eventually will. Which means you have to edit the WireGuard settings again.

  • @Tim0Tim0  1 year ago

    How do you enable \\ SMB name searches from here?

  • @stephanedelaval6525  1 year ago

    If we have a dynamic public IP address, how can we do it? It seems that we have to put the IP, not a public FQDN.

    • @WillieHowe  1 year ago

      Edit the file and put your FQDN.

  • @quentinblack  1 year ago

    How secure is this? As there is no authentication, if someone gets hold of the config file it contains all of the keys needed to connect?

    • @CarrascoFarms  1 year ago

      Most secure of all VPN options, due to how the server does not respond to query requests and only allows connections from the clients you manually set up using this process. The analogy you might use is "I'm going to give you the key to my house. Nobody knows where I live except you now. You can only find my house and the door with this key. If you lose the key you can't find your way to my house. If you share this key I will know about it, and I reserve the right to take the key out of your pocket whenever I choose." You will delete the config file after you install it on your device. Don't keep it; just generate a new one if you ever need to do so.

  • @jhippl  1 year ago

    How is this for clients with CG-NAT connections? I don't run into that often, but it can be tricky.

    • @tomgrey3046  1 year ago

      I am on a CG-NAT cable network. I think Teleport is the only built-in solution for such a need (or other solutions, such as ZeroTier, Tailscale, Cloudflare). Teleport is WG based, so it should be efficient and safe; however, since the server is out of our control, we never know. WG or OVPN servers have to be visible to peers first to establish a direct connection. WG, OVPN and L2TP all require opening ports; Teleport does not. But both WG and OVPN are great and long-awaited features for fixed/dynamic IP owners (the latter with an FQDN).

  • @speedysmithy  months ago

    Talking of straightforward!? Anyone got the QR code to work? Even in Light Mode the Android WireGuard app does not scan it; many others are saying the same on the Ubiquiti forums. The QR code on my OpenVPN Pi server works a charm. I'm not interested in running some digital post-process to rework the QR code link, as some have been forced to do.

  • @TitoLukason  1 year ago

    Anyone managed to use a Preshared Key?? I'm not able to use a PSK in the WireGuard config on the UDM.
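    The PSK question above and quentinblack's earlier question about what a leaked config file gives an attacker both come down to what the client profile actually contains. The block below is an added example, not code from the video, from UniFi or from WireGuard itself: a pure-Python X25519 (RFC 7748) implementation is used to show that the client's public key is computed entirely from the `PrivateKey` line, so whoever holds the file can act as that peer until its public key is removed from the server's peer list, and that a `PresharedKey` is an independent second secret (a random 32 bytes, not derived from the curve keys) that the holder of the file also gets. The sample config, its addresses and hostname, and the `wg_peer_entry_for_server` helper are constructed for this example; the key pair is the RFC 7748 section 6.1 test vector, which the test checks against the published values.

```python
import base64
import configparser
import secrets
from typing import Dict, List

# X25519 field prime and the (A - 2) / 4 constant from RFC 7748.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vector; "Alice" doubles as the sample client key below.
ALICE_PRIV_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUB_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PUB_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED_HEX = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder exactly as in RFC 7748 section 5 (not constant-time; demo only)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hex_to_b64(h: str) -> str:
    return base64.b64encode(bytes.fromhex(h)).decode()


def pubkey_hex(priv_hex: str) -> str:
    return x25519(bytes.fromhex(priv_hex), BASEPOINT).hex()


def shared_secret_hex(priv_hex: str, peer_pub_hex: str) -> str:
    return x25519(bytes.fromhex(priv_hex), bytes.fromhex(peer_pub_hex)).hex()


def pubkey_from_private_b64(priv_b64: str) -> str:
    """Same derivation `wg pubkey` performs: base64 private key in, base64 public key out."""
    return base64.b64encode(x25519(base64.b64decode(priv_b64), BASEPOINT)).decode()


def new_private_key_b64() -> str:
    """Rotation after a leak: 32 random bytes, base64, as `wg genkey` produces."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


# Constructed client profile in the [Interface]/[Peer] layout WireGuard uses; addresses,
# hostname and the PSK value are assumptions for this example.
SAMPLE_CLIENT_CONFIG = f"""[Interface]
PrivateKey = {hex_to_b64(ALICE_PRIV_HEX)}
Address = 192.168.4.2/32
DNS = 192.168.2.1

[Peer]
PublicKey = {hex_to_b64(BOB_PUB_HEX)}
PresharedKey = {hex_to_b64("11" * 32)}
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""


def parse_wg_config(text: str) -> configparser.ConfigParser:
    # A client profile has one [Peer]; multi-peer files would need a custom parser.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep WireGuard's CamelCase keys
    cp.read_string(text)
    return cp


def secrets_in_client_config(text: str) -> List[str]:
    """Every field that lets the holder of the file act as this peer."""
    cp = parse_wg_config(text)
    return [f"{s}.{k}" for s in cp.sections() for k in ("PrivateKey", "PresharedKey") if k in cp[s]]


def wg_peer_entry_for_server(client_config: str) -> Dict[str, str]:
    """What the server needs to admit this client: its public key (derived here from the
    leaked-or-not PrivateKey), its tunnel address, and the PSK if one is in use. Removing
    this entry on the server is the revocation step; nothing in the file expires on its own."""
    cp = parse_wg_config(client_config)
    entry = {
        "PublicKey": pubkey_from_private_b64(cp["Interface"]["PrivateKey"]),
        "AllowedIPs": cp["Interface"]["Address"],
    }
    if "PresharedKey" in cp["Peer"]:
        entry["PresharedKey"] = cp["Peer"]["PresharedKey"]
    return entry
```

    Used like this: `wg_peer_entry_for_server(SAMPLE_CLIENT_CONFIG)` returns the `[Peer]` entry the server side holds for that client, computed from nothing but the client file, which is the concrete answer to "does the config contain all the keys needed to connect". The PSK, when present, is just another line in the same file, so it adds post-quantum margin to the handshake but does not help against a copied profile; the remedy for a copied profile is to delete the peer on the console and issue a fresh key pair.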

  • @trieb  6 months ago

    Something must have been broken; this was working as shown in the video. But now, since UniFi OS 3.2.5 and Network 8.1.113, it no longer does. The VPN client can no longer access any other subnets.

    • @WillieHowe  6 months ago

      May need a firewall rule. Otherwise, I've also had some clients that are having issues.

    • @trieb  6 months ago

      @WillieHowe Could be so, but for a long time it worked just as you did in the video. I followed your guide and had it working. But now it does not..
      A firewall rule to allow traffic between specific subnets?

    • @WillieHowe  6 months ago

      @trieb Yes, create a LAN IN rule that allows the subnet from your WireGuard to access whatever subnets you want.

    • @dnorbertosantana  6 months ago

      @WillieHowe I am having the same issue; can you give us more details to fix it? (using UDM Pro)
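    Willie's answer in this thread is the LAN IN rule; bfourney's request near the top (let the VPN into one VLAN and block the rest) and ericyost's question (reach a camera network or the NAS subnet) are the same rule list with the opposite intent. The block below is an added example, not UniFi's rule engine and not code from the video: it models an ordered, first-match rule list the way the LAN IN list behaves (the first rule whose source and destination both match decides; nothing matching means accept, which is the LAN IN default), and runs it over constructed flows to show the two things that go wrong in this thread. One is a generic inter-VLAN block that silently covers the VPN subnet because 192.168.4.0/24 sits inside 192.168.0.0/16; the other is an allow rule placed after the drop, so it can never match. Subnets and rule names are assumptions. Because UniFi's firewall is stateful, only the connection-opening direction (VPN client towards the LAN) needs a rule; replies are matched by the established/related rule and are not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "accept" or "drop"
    src: str     # CIDR
    dst: str     # CIDR

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


# Constructed subnets (assumptions, not from the video).
WG_NET = "192.168.4.0/24"        # addresses the console hands to WireGuard clients
MAIN_LAN = "192.168.2.0/24"
CAMERA_VLAN = "192.168.20.0/24"
ALL_LOCAL = "192.168.0.0/16"     # what a generic "block inter-VLAN" rule typically covers


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "accept") -> str:
    """First matching rule wins, as in an ordered LAN IN list; default accept if none match."""
    for r in rules:
        if r.matches(src, dst):
            return r.action
    return default


def matched_rule(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Which rule decided a flow; the thing to check when a VPN client 'can't reach anything'."""
    for r in rules:
        if r.matches(src, dst):
            return r.name
    return None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule already covers their whole src and dst."""
    out = []
    for j, later in enumerate(rules):
        l_src, l_dst = ipaddress.ip_network(later.src), ipaddress.ip_network(later.dst)
        for earlier in rules[:j]:
            if (l_src.subnet_of(ipaddress.ip_network(earlier.src))
                    and l_dst.subnet_of(ipaddress.ip_network(earlier.dst))):
                out.append(later.name)
                break
    return out


# trieb's situation: a broad inter-VLAN block also swallows the VPN subnet.
ISOLATED = [Rule("block inter-vlan", "drop", ALL_LOCAL, ALL_LOCAL)]

# Willie's fix: an accept from the WireGuard subnet placed before the block.
ISOLATED_FIXED = [Rule("allow wg to lan", "accept", WG_NET, ALL_LOCAL)] + ISOLATED

# bfourney's request: VPN clients may reach only the camera VLAN.
CAMERAS_ONLY = [
    Rule("allow wg to cameras", "accept", WG_NET, CAMERA_VLAN),
    Rule("drop wg to other local nets", "drop", WG_NET, ALL_LOCAL),
]

# Same two rules, wrong order: the accept is unreachable.
CAMERAS_ONLY_WRONG_ORDER = list(reversed(CAMERAS_ONLY))
```

    `matched_rule(ISOLATED, "192.168.4.2", "192.168.2.10")` names the inter-VLAN block as the rule eating the VPN traffic, which is the quickest way to confirm Willie's diagnosis on a console that used to work and now does not; `shadowed_rules(...)` flags an allow rule that was added but dragged below a broader drop.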

  • @AllanGrafilexperience  1 year ago

    Does this work with EdgeRouter?

  • @poppyvestal2740  1 year ago

    Perhaps someone can help me: I cannot ping anything on my LAN when I establish the VPN. Are there some firewall rules that I need to configure?

    • @michelkorsman3951  1 year ago

      Same problem here. Have you found a solution yet?

    • @mattparksey  1 year ago

      I have the same problem. Unable to ping anything local or on the Internet once I'm successfully connected.

    • @marcusnascimento2235  4 months ago

      The same problem is happening here. Any solution?

    • @jimmortoniii  4 months ago  +1

      In the WireGuard client, edit the config. Uncheck the box that says "Block untunneled traffic (kill-switch)" and then save it. That worked for me.

    • @marcusnascimento2235  4 months ago

      @jimmortoniii Not for me 😥
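    This thread and the earlier one started by ryantfinchum report the same two symptoms: the phone loses internet the moment the tunnel comes up, or it cannot reach anything on the LAN. Both are decided by the `AllowedIPs` line of the client profile, which the WireGuard apps turn into routes, and by whether the console actually forwards what arrives through the tunnel. The block below is an added example, not code from the video or from UniFi: it models that decision, writes a full-tunnel profile (`AllowedIPs = 0.0.0.0/0`, the behaviour benmichels1977 describes where every site sees the home IP) beside a split-tunnel one (LAN prefixes only, so internet traffic never enters the tunnel and the client's "Block untunneled traffic" option has nothing to block), and shows the `Endpoint` given as a name rather than the WAN IP, as Willie suggests. Addresses, the hostname and the key placeholders are assumptions; the kill-switch is simplified to "anything outside AllowedIPs is dropped", and the exception the real clients make for the endpoint itself is not modelled.

```python
import ipaddress
from typing import Dict, List

# Constructed values (assumptions, not from the video).
LAN_PREFIXES = ["192.168.2.0/24", "192.168.20.0/24"]  # main LAN and a camera VLAN
WG_SERVER_IP = "192.168.4.1"
WG_CLIENT_ADDRESS = "192.168.4.2/32"
INTERNAL_DNS = "192.168.2.1"
ENDPOINT_FQDN = "vpn.example.net"  # dynamic-DNS name in place of the WAN IP


def parse_allowed_ips(allowed_ips: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in allowed_ips.split(",") if p.strip()]


def is_tunneled(allowed_ips: str, dst: str) -> bool:
    """One route is installed per AllowedIPs prefix; a destination inside any of them goes
    into the tunnel, everything else keeps using the normal default route."""
    d = ipaddress.ip_address(dst)
    return any(d in net for net in parse_allowed_ips(allowed_ips))


def allowed_ips_for(mode: str) -> str:
    if mode == "full":
        return "0.0.0.0/0"
    if mode == "split":
        return ", ".join(LAN_PREFIXES + [f"{WG_SERVER_IP}/32"])
    raise ValueError(f"unknown mode {mode!r}")


def client_config(mode: str) -> str:
    """Client profile for the console's WireGuard server; keys are placeholders."""
    return "\n".join([
        "[Interface]",
        "PrivateKey = <client private key from the exported profile>",
        f"Address = {WG_CLIENT_ADDRESS}",
        f"DNS = {INTERNAL_DNS}",  # internal resolver, so LAN hostnames resolve over the tunnel
        "",
        "[Peer]",
        "PublicKey = <server public key from the exported profile>",
        f"AllowedIPs = {allowed_ips_for(mode)}",
        f"Endpoint = {ENDPOINT_FQDN}:51820",  # a hostname is accepted; resolved when the tunnel starts
        "PersistentKeepalive = 25",
    ])


def where_does_it_go(allowed_ips: str, dst: str, console_forwards: bool, kill_switch: bool) -> str:
    """Outcome for one destination.
    console_forwards: the console routes (and for the internet, NATs) traffic for dst that
    arrives over the tunnel; a missing LAN IN rule or missing NAT makes this False.
    kill_switch: the client's 'Block untunneled traffic' option, simplified to dropping
    anything not covered by AllowedIPs."""
    if is_tunneled(allowed_ips, dst):
        return "tunnel" if console_forwards else "blackholed"
    return "dropped by kill-switch" if kill_switch else "direct"


def symptom_table(mode: str, console_forwards_internet: bool,
                  console_forwards_lan: bool, kill_switch: bool) -> Dict[str, str]:
    """The two probes people in this thread actually try: a public IP and a LAN host."""
    a = allowed_ips_for(mode)
    return {
        "internet (1.1.1.1)": where_does_it_go(a, "1.1.1.1", console_forwards_internet, kill_switch),
        "lan host (192.168.2.10)": where_does_it_go(a, "192.168.2.10", console_forwards_lan, kill_switch),
    }
```

    `symptom_table("full", False, True, True)` reproduces ryantfinchum's case: every packet is routed into the tunnel, the console does not pass internet traffic back out, so the phone appears to have no internet; with `"split"` the same probe goes direct and only LAN destinations depend on the console. The hostname in `Endpoint` is looked up when the tunnel is started, so a long-running tunnel does not follow a WAN IP change until it is restarted; the WireGuard `contrib` directory ships a `reresolve-dns` script for that case on Linux.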