Introduction
In this video we will talk about UniFi Wireguard VPN which is a fairly new addition for the UniFi Dream Machine and Dream Machine Pro, starting with UniFi OS version 3.0.20
The UniFi Wireguard VPN Implementation is actually spot on. Its so easy to configure, its fairly customizable and most importantly far more secure than the old L2TP based remote access VPN.
While the UniFi Dream Machine Pro SE and the UniFi Dream Router have been enjoying the wireguard VPN option for a while now, the "Classic" UniFi Dream Machine and Dream Machine Pro are only now starting to see this functionality being brought "down".
The UniFi Wireguard VPN is indeed easy to setup and easy to connect to but the most important portion of setting up a VPN server, in my opinion, is security in the form of at least firewall rules. you need to ask yourself, once a client connects to VPN, do i want this client to gain access to the entire network? My assumption is that answer to this question is no.
With UniFi Wireguard VPN or any other VPN server, Firewall rules needs to be placed in order to manage what can and cannot go through your network and we are going to talk about this in this video. Creating firewall rules in UniFi is also easy to do, you just need to be aware you indeed need them.
After watching this UniFi Wireguard VPN video, I highly recommend you watch my video about my method of creating firewall rules in UniFi and the link to this video will be shown in the end screen of this video. Watching that video will give more perspective on what we are doing with firewall rules in this UniFi Wireguard VPN video.
#unifi #wireguard #vpn
Follow us on twitter: twitter.com/techmeout5
Join our Synology Facebook group: www.facebook.com/groups/synousergroup
Join our Ubiquiti UniFi Facebook group: www.facebook.com/groups/ubntusergroup
Video
Hey there, everyone thank you so much for being here and thank you so much for watching.
Ubiquity has recently released firmware version 3.2.0.20 to the udm pro and udm based models by the way by the time of this recording it's still in release candidates, hopefully by the time you're watching this, it will already already be generally available.
We are starting to see leveling out of features across all unify gateways, but what we are going to talk about specifically in this video is something that I know has been long awaited by the udm pro in udm based users, users and that's wireguardvpn.
This VPN is so easy to configure so easy to connect to it's such a Breeze.
By the way, if you're, using wireguard, VPN or the old l2tp VPN same security, Concepts still apply firewall rules.
Are your friend we're going to talk about everything and we'll see how to configure the wireguard VPN? So, let's go over to the computer? Join me all right guys so we're at the computer- and let's start configuring stuff, so you'll see how easy it is to configure and to connect to I'm already logged in to my udm based device that I have deployed and I've gotten permission to demo on.
So let's go right ahead and go into settings.
Let's go into teleport and VPN VPN server click on create new, obviously we're working with with wireguard.
Let's give this VPN a name: let's call it wireguard now the private game, public key.
Of course you shouldn't expose them or share them.
You don't need to worry about them, specifically in our case, because we're using a vid, a Windows, VPN client that will we will download a configuration file that will include all the necessary information information.
So don't worry about that.
We do need to mention a a port, although you don't need to do any port forwarding in operating systems that are not like Windows like CLI based Linux environments, you might need to manually build the tunnel, but for us.
Luckily, we don't need to deal with this a few more things that I want to customize.
Let's go into advanced and manual I do want to change the subnet for my VPN clients, for my from 192 168.2.1 I'm, going to change this to 55.
This is just my in my specific case.
What works for me! You can of course, decide otherwise.
One more thing that you can, although not mandatory, is change the DNS servers, for example, if you're a vpning in to our environment.
That's, for example, an active directory environment.
You might want to change the DNS servers into your domain.
Controller's IP addresses, for example.
For now we can just use Google's DNS server and, of course we need to add a client, so click on add new client I'm, going to change this to manual I'm, going to give it a name, for example, win 11 and I'm, going to create this user and, as I said before, we need to download a configuration file that we will upload into our wireguard client.
Let's go ahead and click on the client we've created and click on download profile.
Now, at this point, you can click on create user and apply changes, and now you need to take the file that you've just downloaded and in any way you you see fit transfer this file onto the computer.
You want to connect to your wireguard VPN I'm, going to use just for the demonstration purposes in the easiest way for me is to use Google Drive.
You can use whatever method you see fit all right, so here I am on my client computer, which is located of course somewhere geographically and different than my udm based device I've already downloaded the configuration file that I've uploaded to my Google Drive, and the next thing you need to do on your client device is open up your favorite, a browser and your favorite search provider and search for wireguard first result will take you to this wireguard website.
Click on installation and download the windows.
Installer, of course, we're using a Windows client in this case, I've already downloaded the windows client all right.
Here's, the installer I'll, just double click on it.
Click on yes, foreign, that's it wireguard is installed.
The the next thing that we all we have to do.
All we have left to do sorry is to import our configuration file and here's our file and, as you can see, all the necessary information and configurations have already been imported with this configuration file and once I click activate by the way.
If you remember, if you worked with the old l2tp based vpl, you know that once you click on connect, it takes about 5 10, maybe 15 minutes 30 seconds to get connected with wireguard.
It will take a second or two.
Let's try here it is.
It took I think less than a second we're already connected.
In fact, let's go ahead, bring out a command prompt and let's try to Ping an access point.
I have deployed on that location, and indeed we get a reply, and just so the we can see that I'm connecting from this subnet 99.78.
That's my IP address.
Once I got connected to my wireguard client I got this IP address, which is exactly the one I defined.
So everything looks like is in order and that's how easy it is to configure and connect to wireguard.
It's absolutely amazing.
Now that part is almost a no-brainer.
The part that you need to to invest some brain power into is security and I'm.
Talking about a firewall and firewall rules, now I want to I.
I will add a link in the top right corner to a video I created about generally my method of creating uni firewall rules in unify I'm glad to say that I've gotten a lot of positive comments and I know for a fact that this method has been adopted by several other YouTube Tech creators.
So thank you.
Everyone and I recommend that you watch this video, so I'm going to touch on it just briefly on how I recommend doing firewall rules.
Let's go back to my udm based device and the first thing that you should do.
If you watched the my firewall rules, video the first rule is to create a rule that will block all internal traffic.
Everything and this one will create a starting point that that resembles any other firewall vendors out there PF sense a 40, Gates, Palo alto's.
Nothing is allowed until you go in and Define rules for the traffic that you want to allow I, don't know why UniFi is not taken this route, maybe it's to be more a home user friendly, but just before we'll create the firewall rule, I want you to go into profiles and create a group and I called it RFC 1918, and take note of the subnets that you need to Define in this group.
These are all the internal subnets and what I'm going to do is I'm going to use this group in the firewall rule.
So, let's go back to firewall and security Lan create new rule blend in I'm, going to call it block inter villain, routing I'm going to drop RFC 1918 is the source and also the destination.
Click on apply changes great this rule is created now.
This is only the starting point.
This will only take care of blocking all internet internal traffic.
Now what we want to do is we want to Define what we want to allow VPN clients to access once they're connected I'm, assuming that you don't want VPN clients to automatically gain access to all of the feelings and all of your networks.
So in my case, I have two Networks, the 10.31.80 and the 10.31.99, and this is the the network that I want to allow in this example, VPN clients to gain access to so again, I'm going to go into profiles into groups and I created two groups that I'm going to use.
One is wireguard clients, and this will include the subnet I defined in the wireguard VPN and the other group is VPN allowed subnets, and this will include all the subnets that you want to allow your VPN clients to connect to now.
All we have to do is to go back into firewall and security and create a new rule land in and let's call it VPN to 99 net I'm going to use the action, except for the group I'm going to select wireguard clients and the destination is the VPN allowed? Subnets click on apply, go to the Lan Tab and make sure this rule goes above the block, interference, routing rule because firewall rules are processed from the top to bottom.
Another word we need to create is the opposite of the world that we've just created so lend in 99 net 2 VPN, because traffic needs to be allowed in both ways, so Source will be VPN allowed, subnets destination, wireguard, clients, click on apply, go back to the firewall to the land, tab so and make sure this rule goes above the block inter villain, routing rule.
So if we have configured everything just right, what will end up what we will end up with is VPN clients connecting to our wire guard VPN and cannot access any resources on the internal Lan.
In our example, it's this subnet, but they will be able to access everything on this subnet.
Let's give it a try.
Alright, let's go back to our client.
Let's disconnect, and now let's do an ipconfig we can see.
We only have our internal Ln IP address, let's again connect to our VPN again that took less than a second and now let me try to Ping the same address.
I I tried to Ping before and I've gotten pin replies if I scroll up it's this address.
Let's try it again now now I am not getting pin reply, but now let me grab an IP address of a client on the 99 subnet and let's try to paint that one all right I've got an IP address.
Let's try to Ping 10.31 Dot 99.168 and we do get pin reply.
That means that our firewall rules are doing exactly what we ask them to do.
I hope guys that you found this video useful and I especially hope you liked my way of doing the viral rules to protect or to manage traffic once a client's VPN in and in the end screen.
The absolute end of this video I will link to both my unify firewall rules, video and another video I created on the old l2tp VPN, but again in this video I'm talking about a VPN rules.
Sorry firewall rules for VPN guys, if you like this video, please give it a like it will help me a lot.
Please subscribe and I will see you all in the next video bye.
Everyone.
FAQs
What are the firewall rules for WireGuard? ›
Firewall rules must pass traffic on WAN to the WireGuard Listen Port for a tunnel if remote WireGuard peers will initiate connections to this firewall. The protocol is always UDP, and the default port is 51820 .
What port does UniFi WireGuard use? ›After enabling WireGuard and specifying a port (UDP 51820 by default), add a Client and share the configuration file with your desired recipient. Once the recipient has installed the WireGuard program or mobile app, they can import the configuration and easily remotely access the UniFi network at any time.
Is WireGuard a firewall? ›WireGuard Ⓡ VPN solves that by routing them through NG Firewall, where all of the same in-office network policies and protections are provided via a fast yet secure encrypted tunnel directly between your network and the user.
How do I set up WireGuard firewall rules in Linux? ›- Step 1: Setting up NAT firewall rules ↑ ...
- Step 2: Accept all traffic created by wg0 interface ↑ ...
- Step 3: Configuring FORWARD rules ↑ ...
- Step 4: Open WireGuard UDP port # 51194 ↑ ...
- Step 5: Command to remove WireGuard iptables rules ↑ ...
- Step 6: Turn on IP forwarding on Linux ↑
VPN firewall rules allow you to set traffic limits for users and hosts who are connected through SSL VPN and IPsec tunnels. See SSL VPN Server and SSL VPN Client if you need help to configure VPN connections and SSL VPN accounts.
How should firewall rules be configured? ›- Use Monitor Mode To Watch Current Traffic. Monitor current traffic for which IP addresses and ports are used — and validate that they are needed; not everything requires internet access. ...
- Create Deny Any/Any Rules. ...
- Be Specific and Purposeful With Rules. ...
- Protect The Perimeter.
| Protocol | Port Number |
|---|---|
| UDP | 5514 |
| TCP | 8080 |
| TCP | 443 |
| TCP | 8443 |
Recommended MTU for overlay networking
WireGuard sets the Don't Fragment (DF) bit on its packets, and so the MTU for WireGuard on AKS needs to be set to 60 bytes below (or 80 bytes for IPv6) the 1400 MTU of the underlying network to avoid dropped packets.
WireGuard uses only UDP, due to the potential disadvantages of TCP-over-TCP. Tunneling TCP over a TCP-based connection is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance (a problem known as "TCP meltdown").
What is the best firewall for WireGuard? ›We recommend using firewalld on WireGuard Endpoints, and nftables on WireGuard Gateways. Technically, behind the scenes, all Linux firewalls use the netfilter kernel subsystem — firewalld, UFW, nftables, iptables, etc are all just “front ends” to netfilter.
Why not to use WireGuard? ›
User-authentication using username/password or a SIM card with EAP. It is extensible that new cryptographic primitives can be added. WireGuard does not have that. That means WireGuard will break at some point, because one of the cryptographic primitives will weaken or entirely break at some point.
Can WireGuard be hacked? ›VPN services can be hacked, but it's extremely difficult to do so. Most premium VPNs use OpenVPN or WireGuard protocols in combination with AES or ChaCha encryption – a combination almost impossible to decrypt using brute force attacks.
How to easily configure WireGuard? ›- Sign up with UpCloud. ...
- Deploy a new cloud server. ...
- Installing WireGuard. ...
- IP forwarding. ...
- Configuring firewall rules. ...
- Generating private and public keys. ...
- Generate server config. ...
- Starting WireGuard and enabling it at boot.
When you start your WireGuard interface up, this command will direct systemd-resolved to use the DNS server at 9.9. 9.9 (or at 149.112. 112.112 , if 9.9. 9.9 is not available) to resolve queries for any domain name.
What is the difference between peer and interface in WireGuard? ›WireGuard facilitates communication between two peers. In order for you to communicate with a peer, you must have a virtual WireGuard interface. Your interface must be configured with your private key and your peer's public key. The peer's interface must be configured with your public key and their private key.
Should VPN be in firewall or behind firewall? ›VPN allows you to access the restricted sites with a secure connection, while firewall can only create a layer of restrictions that you have accessed. Firewalls use your choice to block access to certain sites. While using a VPN, one can access the same site over a long period of time.
How do I stop my VPN from blocking my firewall? ›- Switch server / IP address.
- Change the VPN protocol or port.
- Use obfuscation (stealth protocols)
- Use SmartDNS.
- Get a dedicated IP address.
- Change DNS servers.
- In the Google Cloud console, go to the VPN tunnels page. Go to VPN tunnels.
- Click the VPN tunnel that you want to use.
- In the VPN gateway section, click the name of the VPC network. ...
- Click the Firewall rules tab.
- Click Add firewall rule. ...
- Click Create.
- Source IP address(es)
- Destination IP address(es)
- Destination port(s)
- Protocol (TCP, ICMP, or UDP, etc.)
- Block by default. Block all traffic by default and explicitly enable only specific traffic to known services. ...
- Allow specific traffic. ...
- Specify source IP addresses. ...
- Specify the destination IP address. ...
- Specify the destination port. ...
- Examples of dangerous configurations.
What ports need to be open for IPSec VPN? ›
IPSec VPN. IPSec VPN is a layer 3 protocol that communicates over IP protocol 50, Encapsulating Security Payload (ESP). It might also require UDP port 500 for Internet Key Exchange (IKE) to manage encryption keys, and UDP port 4500 for IPSec NAT-Traversal (NAT-T).
Do I need to open ports for UniFi controller? ›In most cases, there is no need to allow any ports through the firewall. However, if you have a firewall that is restricting outbound traffic, you'll need to allow the following ports outbound to your controller IP address: UDP 3478 Port used for STUN. TCP 8080 Port used for device and controller communication.
What ports should be open on my firewall? ›| Service/Protocol | Ports | TCP/IP Protocol |
|---|---|---|
| HTTP/HTTPS (Web) | 80, 443 | TCP |
| POP3 (Email) | 110, 995 | TCP |
| IMAP (Email) | 143, 993 | TCP |
| WebDAV | 2077, 2078 | TCP |
The default MTU value of OpenVPN is 1500 and for WireGuard it is 1420. If you have issues with certain websites or your VPN connection occasionally drops, try changing the MTU value.
What MTU should I use for VPN? ›Gateway MTU versus system MTU
Configure your peer VPN gateway to use an MTU of no greater than 1460 bytes. We recommend a value of 1460 bytes because that matches the default MTU setting for Google Cloud virtual machine (VM) instances.
Any VPN, whether or not it connects over DX, uses an MTU of 1500, regardless of other settings.
What are the cons of WireGuard? ›- Deep Packet Inspection. WireGuard does not focus on obfuscation. ...
- TCP Mode. ...
- Hardware Crypto. ...
- Roaming Mischief. ...
- Identity Hiding Forward Secrecy. ...
- Post-Quantum Secrecy. ...
- Denial of Service. ...
- Unreliable Monotonic Counter.
Which port should i use with Wireguard to attain best combination of speed and privacy? Best to use the default 443, if not use 80. Both are standards and your traffic is encrypted anyway. 443 is not the default port for WireGuard - it's listed because some networks allow traffic on port 443 and block the other ports.
Does WireGuard need a public IP address? ›The Peer – or server – configuration requires the server's public key, which is added here. The Endpoint is where you tell WireGuard where to find the server. Nothing will work without this one! That would require the server's public IP – or it's domain name – followed by the port you've chosen.
What tunneling protocol does WireGuard use? ›The WireGuard VPN protocol establishes an encrypted tunnel for all your internet traffic. While most VPN protocols use AES-256 encryption, WireGuard uses newer, ChaCha20 authenticated encryption. Both methods are symmetrical forms of encryption, but ChaCha20 has a shorter key.
What is better than WireGuard? ›
OpenVPN is supported by more routers than WireGuard, and it also can operate with TCP, which offers more stable connections than UDP, and is generally better for remote connections as well.
Is WireGuard better than IPsec? ›IPsec and WireGuard VPNs are comparable performance-wise across most platforms, with WireGuard being slightly faster. WireGuard itself has conducted an in-depth performance study, comparing the throughput and latency in IPsec and WireGuard connections with similar encryption options on a powerful Linux computer.
Can WireGuard VPN be detected? ›UDP: WireGuard uses UDP as its transport protocol. There is no standard port and typically WireGuard is detected through heuristics.
Does WireGuard hide your IP? ›When you connect to our VPN server via WireGuard, your device can only see the IP address 10.2. 0.2, and the website you visit can only see the public IP address of our VPN server. Your true IP address remains secure and private, just as it would with OpenVPN.
What is the bandwidth limit for WireGuard? ›Its upper limit is set to 10 MBbs via the ul rate 10mbit part of the command.
Which is more secure OpenVPN or WireGuard? ›Both WireGuard and OpenVPN are secure protocols, but WireGuard is considered more secure due to its use of modern cryptographic protocols and its smaller codebase. WireGuard also has fewer attack surfaces than OpenVPN.
How do I make WireGuard undetectable? ›- Choose a Quality VPN. ...
- Change the VPN's IP Address. ...
- Change the VPN Protocol. ...
- Use Obfuscation Features. ...
- Use TCP Port 443. ...
- Use a Dedicated IP Address. ...
- Use Tor over VPN. ...
- Use Mobile Data.
WireGuard is a modern VPN designed for usability, performance, and security. WireGuard uses state-of-the-art cryptography and provides end-to-end encryption for connection between devices.
Why is WireGuard so slow? ›Your Internet provider may limit the speed on certain ports. To change it, open the Mullvad app settings, then click on VPN settings. Scroll down and click on WireGuard settings and set the port to Automatic, 51820 or 53 and see which works best for you.
How do I test my WireGuard connection? ›To check if WireGuard Server is working properly
Then open the WireGuard app, import the WireGuard configuration from QR code. Enable the connection, check if the phone has Internet access and whether its IP address is the IP of your WireGuard Server.
Why is WireGuard so fast? ›
A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.
What is the IP address range for WireGuard? ›This means that for any traffic routed to the interface within an IP address in the range of 192.168. 200.0 to 192.168. 200.255, WireGuard will encrypt and reroute the traffic over a “real” network interface to the “real” remote address of 203.0.
What are the minimum requirements for WireGuard server? ›Note: The most recent free version of WireGuard is significantly more resource-efficient, requiring no more than 512MB of RAM and one virtual CPU. However, if you wish to connect more than three devices, we strongly recommend that you switch to a paid plan.
Does WireGuard encrypt DNS? ›Introduction. The plan in this guide is to create a secure WireGuard VPN which has its own embedded DNSCrypt DNS resolver, this ensures that all connections including DNS requests made by the user are tunnelled through the VPS and is encrypted end to end.
Is WireGuard a VPN or proxy? ›WireGuard is a modern VPN Protocol used by many VPN companies as it provides a more secure and faster browsing experience.
What is the difference between public and private key WireGuard? ›WireGuard uses something called a private key and a public key. The private key is private and should never be shared with anyone else, but the public key on the other hand is what your device use to authenticate with our servers and is similar to a username.
How do I add an IP address to WireGuard? ›Go to Config > Network > Hostname and select the last option on the page, Use Manually Specified Address. Fill in the IP/Hostname field with the IP address you would like WireGuard to use as the endpoint.
What kind of rules does a firewall need? ›Firewall rules frequently consist of a source address, source port, destination address, destination port, and an action that determines whether to Allow or Deny the packet. In the following firewall ruleset example, the firewall is never directly accessed from the public network.
Can WireGuard use TCP 443? ›WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP.
What are Layer 7 firewall rules? ›Where most firewall rules only inspect headers at layer 3 (IP address), 4 (Transport), and 5 (Port), a layer 7 rule inspects the payload of packets to match against known traffic types.
What is level 7 firewall rule? ›
Layer 7 firewalls are more advanced than layer 3 firewalls. They can look into the contents of data packets coming into and out of your business's network to determine whether they are malicious. If a data packet contains malware, the layer 7 firewall can reject it.
What are the 3 main criteria used in firewalls rules? ›These criteria include source or destination IP addresses, ports, protocols, and services. Depending on the type of firewall, the rules may also dictate which users or groups have access to specific applications or where certain data is allowed to travel within the network.
Which ports should you block on your firewall? ›- MS RPC TCP, UDP Port 135.
- NetBIOS/IP TCP, UDP Port 137-139.
- SMB/IP TCP Port 445.
- Trivial File Transfer Protocol (TFTP) UDP Port 69.
- System log UDP Port 514.
Here are some examples of firewall rules for common use cases: Enable internet access for only one computer in the local network and block access for all others.
What is the max number of firewall rules? ›The maximum number of limitations that can be inserted in a policy or rule is 1024. Also, the number of exception rules configured in one policy may affect how many rules can get inserted.
Which is better OpenVPN TCP or WireGuard? ›Both OpenVPN and WireGuard are really secure open-source VPN protocols, if properly implemented. However, WireGuard is newer and faster than OpenVPN, because it was designed with modern devices and processors in mind. It is also easier to maintain.
Is WireGuard better than TCP? ›WireGuard TCP and Stealth
UDP is faster, while TCP is more reliable, but the main advantage of TCP over UDP is that it can evade government censorship by running over TCP port 443, which is the port used by HTTPS. However, we developed custom implementations of WireGuard that overcome this limitation.
Whereas IPsec offers many encryption options, many of which can be insecure if incorrectly configured, WireGuard limits the available choices to modern, secure encryption methods.