UniFi Wireguard VPN (And Firewall Rules)

Captions
Hey there everyone, thank you so much for being here and thank you so much for watching. Ubiquiti has recently released firmware version 3.2.0.20 to the UDM Pro and UDM-based models. By the way, by the time of this recording it's still in release candidate; hopefully by the time you're watching this it will already be generally available. We are starting to see a leveling out of features across all UniFi gateways, but what we are going to talk about specifically in this video is something that I know has been long awaited by the UDM Pro and UDM-based users, and that's WireGuard VPN. This VPN is so easy to configure, so easy to connect to, it's such a breeze. By the way, if you're using WireGuard VPN or the old L2TP VPN, the same security concepts still apply: firewall rules are your friend. We're going to talk about everything and we'll see how to configure the WireGuard VPN, so let's go over to the computer. Join me.

All right guys, so we're at the computer and let's start configuring stuff, so you'll see how easy it is to configure and to connect to. I'm already logged in to my UDM-based device that I have deployed and I've gotten permission to demo on, so let's go right ahead and go into Settings, let's go into Teleport and VPN, VPN Server, click on Create New. Obviously we're working with WireGuard. Let's give this VPN a name; let's call it WireGuard. Now the private and public key, of course you shouldn't expose them or share them. You don't need to worry about them specifically in our case because we're using a Windows VPN client; we will download a configuration file that will include all the necessary information, so don't worry about that. We do need to mention a port, although you don't need to do any port forwarding. In operating systems that are not like Windows, like CLI-based Linux environments, you might need to manually build the tunnel, but for us luckily we don't need to deal with this. A few more things that I want to customize: let's go into Advanced and Manual. I do want to change the subnet for my VPN clients from 192.168.2.1; I'm going to change this to 55. This is just in my specific case what works for me; you can of course decide otherwise. One more thing that you can do, although not mandatory, is change the DNS servers. For example, if you're VPNing in to an environment that's, for example, an Active Directory environment, you might want to change the DNS servers to your domain controllers' IP addresses. For now we can just use Google's DNS server. And of course we need to add a client, so click on Add New Client. I'm going to change this to Manual, I'm going to give it a name, for example Win 11, and I'm going to create this user. As I said before, we need to download a configuration file that we will upload into our WireGuard client, so let's go ahead and click on the client we've created and click on Download Profile. Now at this point you can click on Create User and Apply Changes, and now you need to take the file that you've just downloaded and, in any way you see fit, transfer this file onto the computer you want to connect to your WireGuard VPN. Just for demonstration purposes, the easiest way for me is to use Google Drive; you can use whatever method you see fit.

All right, so here I am on my client computer, which is located of course somewhere geographically different than my UDM-based device. I've already downloaded the configuration file that I've uploaded to my Google Drive, and the next thing you need to do on your client device is open up your favorite browser and your favorite search provider and search for WireGuard. The first result will take you to the WireGuard website; click on Installation and download the Windows installer. Of course we're using a Windows client in this case. I've already downloaded the Windows client. All right, here's the installer, I'll just double click on it, click on Yes, and that's it, WireGuard is installed. The next thing that we have to do, all we have left to do, sorry, is to import our configuration file. And here's our file, and as you can see, all the necessary information and configurations have already been imported with this configuration file. Once I click Activate, by the way, if you remember, if you worked with the old L2TP-based VPN, you know that once you click on Connect it takes about 5, 10, maybe 15, 30 seconds to get connected. With WireGuard it will take a second or two. Let's try. Here it is, it took I think less than a second, we're already connected. In fact, let's go ahead, bring out a command prompt and let's try to ping an access point I have deployed on that location, and indeed we get a reply. And just so we can see that I'm connecting from this subnet, 99.78, that's my IP address; once I got connected to my WireGuard client I got this IP address, which is exactly the one I defined. So everything looks like it's in order, and that's how easy it is to configure and connect to WireGuard. It's absolutely amazing.

Now, that part is almost a no-brainer. The part that you need to invest some brain power into is security, and I'm talking about a firewall and firewall rules. I will add a link in the top right corner to a video I created about my general method of creating firewall rules in UniFi. I'm glad to say that I've gotten a lot of positive comments, and I know for a fact that this method has been adopted by several other YouTube tech creators, so thank you everyone, and I recommend that you watch this video. So I'm going to touch on it just briefly, on how I recommend doing firewall rules. Let's go back to my UDM-based device. The first thing that you should do, if you watched my firewall rules video, the first rule is to create a rule that will block all internal traffic, everything, and this one will create a starting point that resembles any other firewall vendors out there: pfSense, FortiGates, Palo Altos. Nothing is allowed until you go in and define rules for the traffic that you want to allow. I don't know why UniFi has not taken this route; maybe it's to be more home-user friendly. But just before we create the firewall rule, I want you to go into Profiles and create a group. I called it RFC 1918, and take note of the subnets that you need to define in this group; these are all the internal subnets. What I'm going to do is use this group in the firewall rule. So let's go back to Firewall and Security, LAN, Create New Rule, LAN In. I'm going to call it Block inter-VLAN routing, I'm going to Drop, RFC 1918 is the source and also the destination, click on Apply Changes. Great, this rule is created.

Now, this is only the starting point; this will only take care of blocking all internal traffic. Now what we want to do is define what we want to allow VPN clients to access once they're connected. I'm assuming that you don't want VPN clients to automatically gain access to all of the VLANs and all of your networks. So in my case I have two networks, the 10.31.80 and the 10.31.99, and this is the network that I want to allow, in this example, VPN clients to gain access to. So again I'm going to go into Profiles, into Groups, and I created two groups that I'm going to use. One is WireGuard clients, and this will include the subnet I defined in the WireGuard VPN, and the other group is VPN allowed subnets, and this will include all the subnets that you want to allow your VPN clients to connect to. Now all we have to do is go back into Firewall and Security and create a new rule, LAN In, and let's call it VPN to 99 net. I'm going to use the action Accept; for the group I'm going to select WireGuard clients and the destination is the VPN allowed subnets. Click on Apply, go to the LAN tab and make sure this rule goes above the Block inter-VLAN routing rule, because firewall rules are processed from the top to bottom. Another rule we need to create is the opposite of the rule that we've just created, so LAN In, 99 net to VPN, because traffic needs to be allowed in both ways. So source will be VPN allowed subnets, destination WireGuard clients, click on Apply, go back to the firewall, to the LAN tab, and make sure this rule goes above the Block inter-VLAN routing rule. So if we have configured everything just right, what we will end up with is VPN clients connecting to our WireGuard VPN and cannot access any resources on the internal LAN, in our example it's this subnet, but they will be able to access everything on this subnet.

Let's give it a try. All right, let's go back to our client, let's disconnect, and now let's do an ipconfig. We can see we only have our internal LAN IP address. Let's again connect to our VPN; again that took less than a second. And now let me try to ping the same address I tried to ping before and got ping replies; if I scroll up, it's this address. Let's try it again. Now I am not getting a ping reply. But now let me grab an IP address of a client on the 99 subnet and let's try to ping that one. All right, I've got an IP address, let's try to ping 10.31.99.168, and we do get a ping reply. That means that our firewall rules are doing exactly what we asked them to do. I hope, guys, that you found this video useful, and I especially hope you liked my way of doing the firewall rules to protect, or to manage, traffic once a client VPNs in. In the end screen, the absolute end of this video, I will link to both my UniFi firewall rules video and another video I created on the old L2TP VPN. But again, in this video I'm talking about VPN rules, sorry, firewall rules for VPN. Guys, if you liked this video please give it a like, it will help me a lot, please subscribe, and I will see you all in the next video. Bye everyone.
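As an added illustration (not code from the video or from UniFi), here is a small Python model of the LAN In rule list described above, evaluated first-match from top to bottom. It assumes the WireGuard client subnet is 192.168.55.0/24 and that the two internal networks are 10.31.80.0/24 and 10.31.99.0/24, and it also shows what happens when the block rule is left above the allow rules.

```python
import ipaddress
from dataclasses import dataclass

# Address groups from the video. Assumptions: the WireGuard client subnet is
# 192.168.55.0/24 (the video changes the default third octet to 55) and the
# two internal networks are 10.31.80.0/24 and 10.31.99.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WIREGUARD_CLIENTS = [ipaddress.ip_network("192.168.55.0/24")]
VPN_ALLOWED_SUBNETS = [ipaddress.ip_network("10.31.99.0/24")]

@dataclass
class Rule:
    name: str
    action: str  # "accept" or "drop"
    src: list    # list of ip_network objects (source group)
    dst: list    # list of ip_network objects (destination group)

def _in_group(addr, group):
    return any(addr in net for net in group)

def evaluate(rules, src_ip, dst_ip, default="accept"):
    """First-match evaluation, top to bottom, as the LAN In list is processed.
    Traffic that matches no rule falls through to the default, which for
    UniFi's inter-VLAN traffic is allow; that is why the block rule exists."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _in_group(src, rule.src) and _in_group(dst, rule.dst):
            return rule.name, rule.action
    return "default", default

# Correct order from the video: both allow rules above the block-all rule.
LAN_IN = [
    Rule("VPN to 99 net", "accept", WIREGUARD_CLIENTS, VPN_ALLOWED_SUBNETS),
    Rule("99 net to VPN", "accept", VPN_ALLOWED_SUBNETS, WIREGUARD_CLIENTS),
    Rule("Block inter-VLAN routing", "drop", RFC1918, RFC1918),
]

# Same three rules with the block rule on top: it shadows the allow rules.
LAN_IN_WRONG = [LAN_IN[2], LAN_IN[0], LAN_IN[1]]

if __name__ == "__main__":
    flows = [("192.168.55.2", "10.31.99.168"),   # VPN client -> allowed subnet
             ("192.168.55.2", "10.31.80.10"),    # VPN client -> other VLAN
             ("10.31.99.168", "192.168.55.2")]   # return direction
    for s, d in flows:
        print(f"{s} -> {d}: {evaluate(LAN_IN, s, d)} / wrong order: "
              f"{evaluate(LAN_IN_WRONG, s, d)}")
```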
Info
Channel: Tech Me Out
Views: 19,418
Keywords: UniFi Wireguard VPN, ubiquiti networks, unifi vpn setup, unifi remote user vpn, ubiquiti unifi, wireguard vpn, unifi wireguard, unifi wireguard server, unifi wireguard dream machine pro, lawrencesystems, udm pro, ubiquiti unifi vpn setup, wireguard setup, unifi wireguard setup, wireguard unifi udm pro, wireguard unifi dream machine, udm pro firewall rules, udm pro wireguard, unifi dream machine, unifi dream machine pro, unifi vpn, unifi remote user vpn setup, home network
Id: XgiuOEwIXBs
Length: 14min 10sec (850 seconds)
Published: Sun Apr 30 2023