Guillaume Hérail

Ramblings in Frenglish

WireGuard on your EdgeRouter

Posted on — Jan 9, 2021

I use WireGuard as my personal VPN. My dedicated server is my main peer to which I connect my phone, laptop and my router. Setting up WireGuard on Android or Ubuntu is pretty straightforward though it is a bit different on an EdgeRouter from Ubiquiti.

The EdgeRouters are running EdgeOS which is a fork of Vyatta, a specialized distribution based on Debian. Vyatta provides a command line interface that resembles the one you can find on a Juniper or Cisco device. It means that the whole configuration is done via the command line in a standard way. For instance, to set the IP on an interface, you would use:

set interfaces ethernet eth1 address 192.168.1.1/24
commit

EdgeOS supports IPsec out of the box, but I still have nightmares of troubleshooting IPsec configurations, and WireGuard is so easy to set up and use that I needed to find a way to make it work on my device.

Luckily, WireGuard itself has a solution for it: wireguard-vyatta-ubnt!

The installation is pretty straightforward. First, make sure your router is running the latest EdgeOS version. You can then head to the latest release and copy the link to the latest stable release for your device. Once done, connect to the EdgeRouter via ssh and do the following:

curl -L https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/... -O

sudo dpkg -i PACKAGE.deb

Let’s pause for a minute and draw what we’re about to configure:

+--------------+                                      +------------------+
|              |wg.server.com                         |                  |
|    Server    +--------------------------------------+    EdgeRouter    |
|              |192.168.254.254/24    192.168.254.1/24|                  |
+--------------+                                      +--------+---------+
                                                               |
                                                               |
                                                    +----------+-----------+
                                                    |     Home Network     |
                                                    |    192.168.1.0/24    |
                                                    +----------------------+

Our EdgeRouter has our home network behind it and is about to connect to our server. Here we will use 192.168.254.0/24 as the network between the server and the EdgeRouter.

You can now start configuring your interface. Start by generating a key pair on your router under /config/auth/wg0/. This directory is persisted across upgrades and reboots. The private key is the router's identity in the tunnel, so set a restrictive umask before writing it:

mkdir -p /config/auth/wg0
umask 077
wg genkey | tee /config/auth/wg0/private | wg pubkey > /config/auth/wg0/public
cat /config/auth/wg0/public
<COPY THE CONTENT>

Now, on the server you are about to connect to, add the public key you just copied, together with the Allowed IPs this router is responsible for:

[Interface]
Address = 192.168.254.254/24
SaveConfig = False
ListenPort = 51234
PrivateKey = <REDACTED>

# My new EdgeRouter
[Peer]
PublicKey = <THE PUBLIC KEY YOU JUST COPIED>
AllowedIPs = 192.168.1.0/24,192.168.254.1/24
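
A small check I find useful once a server has more than one peer (added here as an example, not part of the original post or of wireguard-vyatta-ubnt): it parses the server-side configuration above, plus a constructed second peer for a phone, and warns when two peers claim the same or nested AllowedIPs. It also shows what WireGuard does with a host address written with a /24 prefix. The public keys are placeholders.

```python
import ipaddress

# Constructed sample: the server-side wg0.conf from the post, plus a second
# peer (a phone) added here to show how AllowedIPs of different peers interact.
SERVER_CONF = """
[Interface]
Address = 192.168.254.254/24
ListenPort = 51234
PrivateKey = <REDACTED>

# My new EdgeRouter
[Peer]
PublicKey = ROUTER_PUBKEY_PLACEHOLDER
AllowedIPs = 192.168.1.0/24,192.168.254.1/24

# Phone (constructed for this example)
[Peer]
PublicKey = PHONE_PUBKEY_PLACEHOLDER
AllowedIPs = 192.168.254.2/32
"""

def parse_peers(conf):
    """Return a list of (public_key, [networks]) for every [Peer] section."""
    peers, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            section = {"PublicKey": None, "AllowedIPs": []} if line == "[Peer]" else None
            if section is not None:
                peers.append(section)
            continue
        if section is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))  # keys may end in "="
        if key == "PublicKey":
            section["PublicKey"] = value
        elif key == "AllowedIPs":
            # strict=False mirrors wg: host bits are dropped, so 192.168.254.1/24
            # becomes the whole 192.168.254.0/24 routed to this peer
            section["AllowedIPs"] += [ipaddress.ip_network(v.strip(), strict=False)
                                      for v in value.split(",") if v.strip()]
    return [(p["PublicKey"], p["AllowedIPs"]) for p in peers]

def allowed_ips_warnings(peers):
    """Flag AllowedIPs that are shared or nested between different peers."""
    warnings = []
    for i, (key_a, nets_a) in enumerate(peers):
        for key_b, nets_b in peers[i + 1:]:
            for a in nets_a:
                for b in nets_b:
                    if a.version != b.version:
                        continue
                    if a == b:
                        warnings.append(f"{a} is claimed by both {key_a} and {key_b}")
                    elif a.supernet_of(b) or b.supernet_of(a):
                        warnings.append(f"{a} ({key_a}) overlaps {b} ({key_b})")
    return warnings

if __name__ == "__main__":
    for w in allowed_ips_warnings(parse_peers(SERVER_CONF)):
        print("WARNING:", w)
```

Nested entries still work because WireGuard picks the longest matching prefix, but a /24 on a single peer quietly claims every other address in the tunnel subnet, which is worth seeing before adding the next peer.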

Now back to the EdgeRouter:

set interfaces wireguard wg0 address 192.168.254.1/24
set interfaces wireguard wg0 peer <PUBLIC KEY OF THE SERVER> allowed-ips 192.168.254.0/24
set interfaces wireguard wg0 peer <PUBLIC KEY OF THE SERVER> endpoint 'wg.server.com:51234'
set interfaces wireguard wg0 private-key /config/auth/wg0/private
commit
save

Voilà, your router is now connected; try pinging each end from the other!

This is day 7/100 of #100DaysToOffLoad!