My guy never misses. I'm the number 1 fan that you never knew you had.
Thanks mom
I'm hoping for Wireguard to come to USG. It's a great VPN protocol with very low overhead. Currently running Tailscale on my Synology for this.
There is a miss here. Followed this to the 't' and still cannot access my NAS from VPN.
Well done Cody. Perfectly timed for a project I'm working on. Thanks!
Is there a specific reason the firewall rules need to be on LAN OUT instead of LAN IN? All the other inter-VLAN blocks were done via LAN IN. My understanding is that LAN IN means LAN traffic going INTO the firewall... I have been told that generally LAN IN is where rules should be to prevent slamming the firewall. I know very little when it comes to this stuff, but I am just trying to understand.
I had the same question. I previously had a rule set up to block all VLAN traffic between each other, so I was not able to initially get to my NAS.
@@mychaelhouck2404 +1. I also saw a video where a guy was using a regular UDM and his firewall rules were working fine with LAN-IN. Very strange.....
Both IN and OUT will work; it is just that when blocking, people prefer to do it in the IN so the traffic does not enter the interface and cost unnecessary routing resources before being dropped (when it goes OUT of the interface). When allowing, as long as it matches the traffic before the "drop all" rule, it will be granted access, so it makes no difference at all.
+1. I am also struggling with wrapping my head around this. My current thinking is this... when we look at the "Networks" tab in the settings, those networks are a part of our LAN. Let's say we have 2 networks, Net1 and Net2, on CIDR blocks 192.168.1.0/24 and 192.168.2.0/24, respectively. If a device on Net1 wants to ping a device on Net2, then the traffic has to travel from the device to the router (UDM), and then from the router to the device on Net2. Without "LAN In" firewall rules, this is allowed because the router will allow the traffic from the device on Net1 to come IN to the router when it is destined for Net2. Let's say that we add a "LAN In" firewall rule that blocks traffic between each of these networks. If the device on Net1 pings the device on Net2, the traffic will flow from the device to the router; when the router sees this ping, it will check its "LAN In" rules and see that it should block this traffic.
When we set up a VPN, then our device creates a direct connection to our router. This means that when I ping a device on Net1 or Net2, the physical origin of that ping is the router, whereas in the previous example, the physical origin of the ping was a device on Net1 and that ping needed to travel IN to the router first. If my theory is correct, then when I ping a device on Net1 or Net2, then the router will allow this because there are no firewall rules that prevent the traffic from leaving the router to either of those networks. This is why we need to add "LAN Out" firewall rules when dealing with traffic over a VPN connection.
I too am trying to understand this so I may have this wrong. Would appreciate any corrections to what I've said above.
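The LAN IN versus LAN OUT question above, and the theory that VPN traffic never passes through LAN IN, can be made concrete with a small model. This is an added example for this thread, not code from the video, from the commenters or from Ubiquiti. It assumes that LAN_IN is evaluated on packets entering the gateway on a LAN interface, that LAN_OUT is evaluated on packets leaving the gateway through a LAN interface, and that WireGuard peers enter on a separate VPN interface (named wg0 here). Interface names, subnets and the NAS address are constructed sample values.

```python
"""Toy model of where UniFi-style LAN_IN and LAN_OUT rule sets are evaluated.

Added example for this thread; not code from the video or from Ubiquiti.
Assumptions it encodes (check them against your own gateway):
  - LAN_IN is checked on packets entering the gateway on a LAN interface.
  - LAN_OUT is checked on packets leaving the gateway through a LAN interface.
  - WireGuard peers enter on a VPN interface ("wg0" here), so a LAN_IN drop
    never sees them, while a LAN_OUT drop still does.
Interface names and addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed sample topology: two VLANs plus the WireGuard peer network.
LAN_IFACES = {
    "br1": ipaddress.ip_network("192.168.1.0/24"),   # Net1
    "br2": ipaddress.ip_network("192.168.2.0/24"),   # Net2
}
VPN_IFACES = {"wg0": ipaddress.ip_network("10.0.0.0/24")}  # WireGuard peers


def nets(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    """Parse CIDR strings into networks; an empty tuple means 'any'."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str                                   # "accept" or "drop"
    src: Tuple[ipaddress.IPv4Network, ...] = ()   # () matches any source
    dst: Tuple[ipaddress.IPv4Network, ...] = ()   # () matches any destination

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        src_ok = not self.src or any(s in n for n in self.src)
        dst_ok = not self.dst or any(d in n for n in self.dst)
        return src_ok and dst_ok


def iface_for(ip: ipaddress.IPv4Address) -> str:
    """Interface a packet with this address enters or leaves on."""
    for name, net in {**LAN_IFACES, **VPN_IFACES}.items():
        if ip in net:
            return name
    return "wan"


def first_match(rules, s, d, default="accept") -> str:
    """First-match semantics: the first rule that matches decides."""
    for r in rules:
        if r.matches(s, d):
            return r.action
    return default


def verdict(src: str, dst: str, lan_in=(), lan_out=()) -> str:
    """Return 'accept' or 'drop (<rule set>)' for a packet src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # LAN_IN only applies when the packet arrives on a LAN interface.
    if iface_for(s) in LAN_IFACES and first_match(lan_in, s, d) == "drop":
        return "drop (LAN_IN)"
    # LAN_OUT only applies when the packet leaves through a LAN interface.
    if iface_for(d) in LAN_IFACES and first_match(lan_out, s, d) == "drop":
        return "drop (LAN_OUT)"
    return "accept"


# Rule sets in the style discussed in the thread.
BLOCK_INTER_VLAN_IN = (
    Rule("drop", nets("192.168.1.0/24"), nets("192.168.2.0/24")),
    Rule("drop", nets("192.168.2.0/24"), nets("192.168.1.0/24")),
)
# Allow VPN peers to reach the NAS only, then drop everything else private.
VPN_OUT = (
    Rule("accept", nets("10.0.0.0/24"), nets("192.168.1.50/32")),  # NAS (constructed)
    Rule("drop", nets("10.0.0.0/24"), RFC1918),
)

if __name__ == "__main__":
    print(verdict("192.168.1.10", "192.168.2.20", lan_in=BLOCK_INTER_VLAN_IN))
    print(verdict("10.0.0.2", "192.168.2.20", lan_in=BLOCK_INTER_VLAN_IN))
    print(verdict("10.0.0.2", "192.168.2.20", lan_in=BLOCK_INTER_VLAN_IN, lan_out=VPN_OUT))
    print(verdict("10.0.0.2", "192.168.1.50", lan_in=BLOCK_INTER_VLAN_IN, lan_out=VPN_OUT))
```

Running the block shows the inter-VLAN drop in LAN_IN catching Net1-to-Net2 traffic but not the VPN peer, while the LAN_OUT pair (allow the NAS, then drop RFC1918) catches the peer and still lets it reach the NAS. Under first-match evaluation the allow rule has to sit above the drop; if the order is reversed the NAS becomes unreachable as well.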
It's only available for UDM flavors. Not if you have a UXG.
UXG - no auto VPN (IPSec site to site) or Wireguard. Why release it if you aren't going to support it properly.
Oh shucks. Just reading this. So I am USG. Was hoping to do site to site VPN with Wireguard.
Only UDM SE, no UDM, no UDM Pro
What do we do when we follow your steps and everything looks activated, but you cannot ping any IPs on the network you are trying to VPN into? As soon as I activate my tunnel the laptop says "no internet access". Can't ping the UDMP running the WireGuard tunnel or any other devices on the network.
Same here. I can't find any solution on the internet so far for this either.
@@Moorb4 Same here - client installed on macOS. I cannot access any servers on the local LAN, the remote LAN, or the Internet.
**Cries in UDM Pro v1.12.33
Hey Mac, I have a question for you and your expertise on the topic:
My home network has ISPModem -> UDM SE -> Synology NAS. I am currently running Wireguard server on my Synology NAS and everything works fine.
Do you recommend switching it to the UDM SE instead?
Exactly what I've been waiting for
Thanks Cody. Another great video.
Why did you use LAN OUT instead of LAN IN rules? Would the results be the same if you had?
I tested all LAN IN\OUT\LOCAL and for me it looks like you couldn't prevent the WG VPN client from accessing the UDM web interface or SSH. Could you?
Good news, I've had to do the hacky solution via SSH to my UDM Pro up till now.
Now they just need to get that UDM Pro update done...
Testing this on the EA release of v3.x for UDMP today, but it is not allowing me to select port 51820 - if I select any other port it will allow me to hit apply changes but if I select 51820 it throws an error. Any ideas?
I don't have the option for WireGuard VPN, is this a beta firmware?
Can you do a video on how to configure split tunnel with the UDM? There is nothing out there and I know from research that many people have the same question! Thanks!
I set up WG on WAN 1; when my local PC is connected to WG it cannot find any local resources on my network. They are on two different subnets, 192.168.1.0/24 for the regular network and 192.168.10.0/24 for WG. Any ideas?
Have the same issue, but this guy doesn't reply to issues...
@@Androcentus Might be firewall rules. I reply to comments as much as I can, but I get hundreds a day so some go under the radar. If you want a fast response, not just from me, join the Discord.
Very useful info. Would be nice to get a UDM Pro update so I can implement this and retire the RasPi 4 I've got currently servicing this feature.
I'm in the exact same situation, still running an old RPi 3 that is starting to show its age. Hoping we can get this update for UDM Pro soon.
If you enable the early access update channel for the UDM Pro you can update to the latest version with this feature now!
Why doesn't Unifi create an interface to block access to RFC1918 so we could enable it by default?
Cody, did you have to create a WireGuard network before building out the WG server shown in this video?
Hello Cody, nice explanation, but I tried to configure it and it didn't work for me. I have a Dream Machine at work and a Dream Router at home, and when I try to connect it's not working, but it is working when I share my internet from my iPhone. If I use my Mac on my network at home with the Dream Router it's not working. Any idea?
I did everything like you did in the video; I can only ping the NAS, I can't access its folders. Help?
Hey folks, is there any way to connect a remote camera over VPN back to an NVR on another network? Kinda getting stuck on this. I set up a WireGuard client profile on one of these small GL.iNet wifi routers. It's connected and I can see it showing as connected on the router, but I can't ping anything on my local (remote site) network. The router connects via one of these 5G modems that gives out its own IP address as well. 5G modem > WAN to router
I watched your prior video "Unifi network complete setup 2022". I believe I set up my SE firewall rules as you notated, but with WG, following this setup, I'm unable to browse my local network. Could you do a video showing us this same setup but with the ability to browse our LAN? If we do not have a static WAN IP, and we are running DDNS on the SE, should we adjust our config file to use the DDNS hostname instead for the ENDPOINT address? I must be missing something.
I also have the same problem, after the WG is connected, I cannot access the target intranet device.
@@alexdu7779 You need to set the same subnet mask for the WireGuard network, e.g. if your primary network is /24 then your WG network should be /24 too.
@@TeoFaot Done that, both my WireGuard and default network are /24
@@TeoFaot So with that being said, my primary LAN is a /22... Looking at the WireGuard I can't pick a /22, so it won't work in this type of setup?
Great stuff, as always; how do you do site-to-site VPN with Wireguard between two dream machines?
Did you ever get this going? WireGuard site to site?
Ok, so I got this set up, side-by-side with the WireGuard that is on my Unraid. Letting it do port ...21 instead of ...20 wasn't an issue apparently. Too bad I can't specify my DuckDNS in the UI setup, so I'll have to change it manually on each client. My problem with my mapped network drives still persists though. I can't reach them through "//server/share" but it'll work with "//ip/share". How can I get it to work with the server name instead?
Do we need to do port forwarding when setting up the WireGuard VPN?
Does using WG on the UDM-Pro/SE allow you to access network shared folders on PCs using "//server/share", or is it still "//ip/share" only? I already have WG on my Unraid, but remotely I can't access my //server/share shares, so I'm thinking of trying to set this up (while remote) to be able to access the shares already set up.
Say hello to UDM Pro & UDM users =))) Waiting for the 2.X update....
Hello UDM Pro users, your time is coming soon :)
@@MactelecomNetworks Hope soon is soon :)
Saved my life :) Thank you for that...
Not sure what my problem is, but following all your steps I can't reach anything on the remote network, or the internet. Feels like there are some missing routing steps in this video.
Strange, this WireGuard setup only works for me if the WG client is connecting from inside the network. If I try to activate the WG client when outside the network the connection fails and the DMP shows 0 active clients..
Great vid! I followed along but have 1 question. I'm trying to use my Pi-hole (which I use for local DNS) in the WireGuard VPN. If I specify the Pi-hole 192.x.x.10 I get no name resolution over VPN. If I use default DNS everything works. I'd heard something about Pi-hole not accepting requests for traffic more than 1 hop away. Does this ring a bell with anyone??
Can you implement WireGuard with site to site VPN?
Yes
I couldn't get this to work... I use Starlink and the UDM SE is behind that; funny thing is my iPhone client connects to the server on the UDM SE even if the server is paused.... Regardless, I cannot ping my LAN nor the VPN gateway... What can be wrong? I wanted this because of the CGNAT issues.
Hi, I got the USG-3P. The option for WireGuard is not available for me. Does that mean it won't work on it?
So how does this WireGuard VPN differ from using the Teleport feature? I’m confused on which one to use to VPN into my network. TIA
Great Video!!! So then my client could be on an RPi now and connect remotely to my UDM Pro, correct? Just trying to get info before I start the project.
I'm assuming the perf isn't where you want it to be because the UDM needs to be encrypting / decrypting all that traffic. I wonder if it would be faster on a dedicated Linux box with a better CPU.
Does internet speed determine the VPN speed? Because I have 1 GB down and 20 Mbps up, but when I try and use the VPN it is extremely slow, like less than 50 Kbps. I can't even do anything while connected to it.
Great video! In your opinion how does the UniFi Network VPN compare to the UID One-click VPN?
Is there a simple way to set this up to where a vpn client can resolve endpoints via hostname, and still be able to ping their local network as well?
You don't understand the iperf3 results format, you're not testing in both directions with that command you are issuing (the way it presents the information in the summary is a bit obtuse, but it's basically telling you the same result from the point of view of how long the sender and receiver took to do the job). It is only showing the results for actual data transfer in one direction - from the client device to the server device is the default flow (ie upload). You need to do iperf -R to test performance in the (R)everse direction (download).
Well, I will have to do another test when I get back home.
Can you help me with something? I'm using the WG and the VPN is working; the only thing is I can't ping the PC in the IP range. I can access the ISP modem, I can ping the gateway, but not the clients. Any rules, or do I need to change something to make it work?
What is the big deal if you do not set up firewall rules for Wireguard? It is a safe tunnel regardless, no? Unless you mess up sharing the private key, what else is to be afraid of?
Is this not available on the UDM pro? Why would they only release it to the SE?
Thanks for the video which is really helpful but when I go to profiles it doesn't recognise the VPN network range which is 10.0.0.1/24 and says "An error occurred when saving "WireGuard VPN" Port and IP Group. Please use a valid Network Address." This prevents any firewall rules from being added. This is perhaps a new bug in the UI. Has anyone found a way around it?
Is there a way to allow a WireGuard client access to only two-three websites?
I have a UDM Pro with Network 7.2.97 firmware, and when I click Teleport & VPN, under the VPN section it doesn't show an option for WireGuard. Did they remove WireGuard in the newest version, or do I have to install it on the UDM Pro?
I tried this with different clients, macOS and Windows, but I was not able to connect. L2TP is still working without any problems.
In the WireGuard client config the Gateway is missing.
Dream Router, and this is not working correctly; I can connect and access the internet but have no access to local devices. No firewall rules.
After doing this I can't see my NAS in File Explorer network locations. Does anyone know why? Also, I mapped a drive from my NAS but it is saying disconnected when connected to VPN. I am able to ping the NAS in CMD.
I use WireGuard to VPN into my home network running Untangle firewall to access my Synology Surveillance Station, to access the cameras that are on their own subnet. I'm hearing I can't access UniFi Protect from the UniFi Protect app over VPN to see my business cams in the same way. Is this true? If it is true, why does Unifi want us to use their cloud servers to use UniFi Protect remotely when there are ways to keep this local?
I'm running the latest OS version and I do not see the WireGuard option. Any ideas?
Have you had any DNS issues with 3.0+ on the UDM Pro? Having DNS set at the WAN level or the network level doesn't matter. Pings say ok but sites still sometime hang when trying to resolve. This is with Quad9, Google, or Cloudflare.
Does WireGuard do split tunnel or full tunnel VPN and how do you specify which one?
The Allowed IPs list needs to be 0.0.0.0/0 for full tunnel; for split tunnel you just type the IP addresses into the Allowed IPs list.
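As an added example illustrating the reply above (not code from the video or from the WireGuard project), the following renders the [Peer] section of a client profile for both cases and models how WireGuard's AllowedIPs act as its cryptokey routing table: a destination goes into the tunnel only when it matches an AllowedIPs prefix, and a packet decrypted from the peer is accepted only if its source falls inside those prefixes. The public key, endpoint hostname and home subnets are constructed placeholders; 51820 is the default WireGuard port already mentioned in the thread.

```python
"""AllowedIPs as WireGuard's cryptokey routing table: full vs split tunnel.

Added example for this thread, not code from the video or the WireGuard
project. Key, endpoint hostname and subnets are constructed placeholders.
"""
import ipaddress
from typing import List, Optional

FULL_TUNNEL = ["0.0.0.0/0"]                          # everything via the VPN
SPLIT_TUNNEL = ["192.168.1.0/24", "192.168.2.0/24"]  # only the home VLANs

# Constructed placeholders (a real profile carries the server's base64 key).
SERVER_PUBLIC_KEY = "<SERVER_PUBLIC_KEY_PLACEHOLDER>"
ENDPOINT = "vpn.example.net:51820"


def peer_section(allowed_ips: List[str],
                 public_key: str = SERVER_PUBLIC_KEY,
                 endpoint: str = ENDPOINT) -> str:
    """Render the [Peer] block of a client profile for the given AllowedIPs."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        "PersistentKeepalive = 25",   # keeps NAT mappings open for the client
    ])


def _longest_match(ip: str, allowed_ips: List[str]) -> Optional[str]:
    """Longest-prefix match of ip against AllowedIPs, or None if no match."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def route_via_tunnel(dst: str, allowed_ips: List[str]) -> Optional[str]:
    """Outbound: the prefix that sends dst into the tunnel, else None (the
    packet leaves by the client's ordinary default route instead)."""
    return _longest_match(dst, allowed_ips)


def accept_from_peer(src: str, allowed_ips: List[str]) -> bool:
    """Inbound: a packet decrypted from this peer is kept only if its source
    lies inside AllowedIPs; otherwise WireGuard silently discards it."""
    return _longest_match(src, allowed_ips) is not None


if __name__ == "__main__":
    print(peer_section(SPLIT_TUNNEL))
    for dst in ("192.168.1.50", "1.1.1.1"):
        print(dst, "split ->", route_via_tunnel(dst, SPLIT_TUNNEL),
              "| full ->", route_via_tunnel(dst, FULL_TUNNEL))
```

One practical consequence for a split tunnel: the DNS server the profile names must itself be inside AllowedIPs, otherwise the client's queries leave by its normal route and never reach the home resolver.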
The downloaded profile is not working for me, WireGuard keeps saying invalid tunnel name, not sure what I am doing wrong.
I don't have this Teleport & VPN option in my settings..
If I am in a CGNAT situation and I don't have a fixed public IP, can WireGuard still bypass CGNAT?
I'm having the same issue - I can't get it working behind CGNAT
@@tobydavy2052 Same here, this guy falsely stated that it would work with CGNAT; it does not.
I can't get this to work. I have followed the steps over and over and it's still not working. Is there a forum or somewhere to go for help? Please please please?
Doesn't work for me. I've tried LAN out and LAN local. WG VPN can still ping across VLANs.
Instead of trying to put in a WAN IP, can we just put in our dynamic DNS name? I haven't gotten to try and mess with this yet since I have WG on my Unraid.
Can I set it up with, say, port 51821 since I have 51820 on WG on my Unraid?
@mactelecom Are you sure that WireGuard will work with CGNAT like Starlink?
On the Ubiquiti documentation I personally haven’t tried it yet
Do you know if there will ever be support for WireGuard site to site? Does that exist?
For those without a static ip on their WAN, will this continue to work?
Do you manually have to set up port forwarding for the WireGuard port?
Any idea on when 3.0 is being released on the official channel for the UDM SE? I don't feel like switching to the beta releases.
It is generally available since yesterday and rolling out in phases. I think you can nudge your device into finding it by visiting the updates section.
Thank you very much for the tutorial, it worked right away BUT I'm having an issue when trying to allow the WireGuard network to access my Plex server on my QNAP. The Plex port should be 32400, but when I add that port to the "Allow rule" I am creating I get "An error occurred when saving "Allow Wireguard to Plex" Firewall Rule. Your changes could not be applied based on your existing port settings." and it doesn't let me save it. Any ideas? I am creating pretty much the same rule as the allow-to-NAS one, but just adding the port in the destination.
Nice and clean explanation.
Cannot get my VPN client (192.168.3.2) to SMB into a LAN client (192.168.1.48). No idea what's wrong.
Only the UDM can run a WireGuard server? Can the UDR do it?
What about obfuscation? Can someone tell me when the UDM Pro will have support for Shadowsocks? I cannot access my VPN on most networks right now due to the easily identifiable traffic...
Thanks, helped a lot
Great video, one MAJOR problem though. WireGuard won't run unless the user has administrator privileges. That is a show stopper.
So USG Pro doesn't have this option? Ubiquiti, come on, how come????
I'm able to connect to the VPN but, I'm unable to access my computer. I can access any other devices like cameras on the LAN but not the computer/NAS. Any idea?
Same for me
Those speeds on WireGuard aren't great. Assuming the workload of end users is only browsing.
Hi Cody. I'd love to follow along, but I'm unable to delete my existing L2TP VPN to create a new NetGuard-based one. My UDM is running 2.4.27 and I don't see any option for adding another or deleting the existing one. Is my device unsupported or am I missing the obvious somewhere to delete it? Thanks!!!!
For WireGuard your console needs to be on UniFi OS 3.0
I must be a bonehead. I have a UDM Pro that says it is up to date as of today (1/3/2023), but I can't find the WireGuard options. Am I missing something?
So it's not out for the UDM Pro yet. Need to wait till the UDM Pro is at firmware version 3.x
Hi Cody, thanks for your video, it helps me a lot to set up the WG VPN. However, I have an issue regarding the gateway IP while connecting through the WG VPN on a client's computer. I did drop all inter-VLAN traffic / ping between the devices with firewall rules. However, I found that it is still able to PING, and even access through the browser, all VLANs' gateways (which is the UDM Pro login page) during the VPN connection. Do I need to set up or add anything in the profile / rules to prevent the VPN user from pinging / accessing the login page?
I believe you need to create rules under LAN OUT to drop VPN traffic
Hi Cody, @@MactelecomNetworks, thank you for your video. It's very useful. But I have the same issue with pinging the GW and accessing the UDM WebUI. In your setup you blocked all traffic to RFC1918, which includes the GW. So could you ping your UDM? I tested all LAN IN\OUT\LOCAL and for me it looks like you could not prevent the WG VPN client from accessing the UDM web interface or SSH.
Can you enable or use MFA for VPN users using this method, or do you have to use L2TP? I am primarily asking about remote desktop workers, not so much mobile users.
Does it matter if the WAN IP address is not static?
I set up WireGuard but on my devices it leaks my real IP. How do I hide/change it?
Hey Cody, great informative videos. I have a UDMB running 3.0.20 and have created a WireGuard VPN, but cannot access any of my LAN devices like you. Any thoughts?
You may have to add firewall rules to allow your VPN to certain subnets.
Why using LAN Out rules instead of classic LAN In rules?
I am still waiting on an answer to this question too...
Sweet video Cody!!
Businesses won’t create 100 profiles, and I don’t see any radius option.
Do we have to open port 51820 UDP if not in bridge mode on the router to make it work?
Okay find Carolyn Vuitton
No you don't.
How to block the access of the WG to the UDM interfaces of other VLANs? The LAN LOCAL rule seems not to work here.
Same issue here, did you figure this out?
Thanks very much for this video. Is there also an option to do site to site VPN using Wireguard with CK managing it?
I don’t believe so as of right now
Well done, thanks!
What version of UniFi OS is used for this? I use UDM Pro v1.12.33 (Official) and don't have the option of WireGuard, only L2TP.
UniFi OS 3.0, only on the UDM SE and UDR; coming to the UDM Pro soon.
Do you need a public IP for the home router for this?
Am I the only one where this WireGuard VPN on UniFi is spotty at best? The OpenVPN is rock solid but I can rarely get the WireGuard to produce a handshake.
Dude never takes a breath, great videos though
I don't understand, how are you getting such slow speeds with a gigabit connection? I just tried WireGuard on an Asus AX-88U router; it capped out at 600 Mbps because without NAT acceleration, that's all the router can do. It's a 1.8 GHz quad core. UDM SE is a 1.7 GHz quad core. Something doesn't seem right...
It may have been my test results but I checked with multiple other people and they were getting the same.
I'll retest and post a short on my findings.
Yo, does no one use the "old Dream Machine" anymore? Not the souped-up Cisco look-alike. Looks like Unifi is going to pass this one by on the WireGuard update. The VPN struggle is real.
There is something wrong with your speeds, I get close to 500Mbps when using the UDM SE as a Wireguard Server.
Could be possible. I will test again; I was expecting more.
Is there any way to use the UDM Pro for VPN to replace something like NordVPN to keep all traffic hidden? For torrenting etc..
Not yet. It will be available in a new update soon