Unifi WireGuard VPN setup

Captions
Everyone, Cody from Mactelecom Networks. In UniFi 3.0.13, Ubiquiti added WireGuard support. So in this video we're going to set up WireGuard, we're going to create some firewall rules, and we'll also do some iperf tests to see the speeds. If you're wanting to support my channel, the best way to do that is to hit the Subscribe button; we're trying to hit a hundred thousand subscribers. And if you'd like to hire me for network consulting, you can visit my website in the description below.

So there's a few reasons why we would want to use WireGuard. The first one is speed: with WireGuard we get higher speeds than we would with the L2TP VPN built in to UniFi. And the second one is we're able to use it with CGNAT or double NAT, so it makes it very easy to implement into your network. Also, WireGuard within UniFi is very easy to set up, so let's get that done.

The first thing we need to do, we need to click on the settings wheel in our UniFi Network console, and then we need to go over to Teleport and VPN. Under VPN we can see a couple different options. Teleport does have a back end of WireGuard, but we're not going to be using Teleport; we're going to go down to VPN Server and then Create New, and here we can see WireGuard and L2TP. We will do speed comparisons between them, but I'm going to give it a network name; I'll just call it WireGuard, so WG test. Here we have our private key and then we have our public key, and then it's asking us which server address we want to go over, so which WAN connection. I'm going to put in my WAN 2 connection, but you could also enter it manually if you'd like. And we need to specify a port number, so I'm just going to use the default WireGuard port, which is 51820. Before we add a client we're going to go under the Advanced, because I want to switch the subnet that this is running over. So currently the gateway is 192.168.2.1; I'm going to put this at 200.1, and it's going to be a slash 24.

Now it says name server, and we're going to want to enable this so we could resolve host addresses, and I'm going to put it at 1.1.1.1 and 8.8.8.8. You could use whichever you want; if you have an internal DNS server you could put that in here. And then we'll do Apply Changes. Now back in the WireGuard VPN configurations we're going to add a client. This is going to be an auto-generated client, and you could do manual if you'd like. I'll give it a name of Cody, and then we're going to download the profile and then press Create User. So with that user profile downloaded, we either need to email it to the person we want to use this WireGuard tunnel or do it through something like Signal, and I would do it through Signal as it's encrypted. But we need to import the tunnel into the WireGuard client, and this is just the WireGuard client for Windows; you could do it for iPhone and Android or Mac as well, and I'll put the link down below to that. So we're going to want to import the tunnel, and I'll just grab the download from my Downloads file. Now I've opened up the WireGuard profile within the WireGuard client. We could see that the status is inactive; we could see the public key, the address that we're given, so 192.168.200.3, the DNS servers, the public key, the allowed IPs, and then we could see the endpoint. So let's activate this. So let's activate the WireGuard VPN. I am on my backup internet that isn't connected to my UDM SE, so we are truly VPNing in. So let's press Activate, and now we can see that the WireGuard tunnel is activated. So let's try to get to some resources on my network, like my Synology NAS. Now bringing up a command prompt, we should be able to get to my Synology now, so let's ping 192.168.10.220.

And you can see that the ping replies are coming back to us. The issue with this: we could hit everything right now. We could hit all my cameras and we could hit everything on my management network, all my UniFi devices. So if we tried to hit a camera, we'll ping 192.168.30.122, which is my AI 360; that will go through as well. So we need to create some firewall rules, but before we do that let's do an iperf test and a speed test. So I've got Speedtest brought up and I'm going to press Go. All right, and the results were 51.19 megabits per second down and 33.37 up. The connection that I'm connected to is a gigabit by 30 or 40 upload speed, so this is decent for a VPN. Now my laptop has an iperf server running on it, so let's run a test. So the computer I'm running the iperf test on is connected directly by Ethernet at one gigabit. So let's run the iperf test. So we're getting 85.3 megabits per second down and up, which is pretty good for a VPN, and we will test with the L2TP. I quickly created an L2TP VPN; let's test the iperf, so I'll just press up and then press Enter. All right, and we are getting 52.8 down and 52.7 up, which is about 30 megabits per second less than the WireGuard VPN.

So the last thing we need to do, we need to create some firewall rules to block the WireGuard VPN from accessing other devices that we want. Really I would only want this to access my NAS; I'll create a rule for that. So the first thing we need to do, we need to create a profile for the WireGuard VPN subnet. So we'll go over to Profiles, we'll scroll down, and then we'll create a new Port/IP Group. I'm going to call this WG VPN, and this is going to be an IPv4 subnet. We'll put in the IP of the WireGuard subnet, so 192.168.200.0/24, and then we'll press Add and Apply Changes. Now we need to create two firewall rules. So we'll go to Firewall and Security, we'll go to Create New Rule, and for the type it's going to be LAN Out. I'm going to call this Block WG to Networks. We're going to drop the traffic, and then our source is going to be a Port/IP Group of that new WireGuard VPN IP group. The destination is going to be a port group of RFC 1918. I've already had that created in other firewall rules, but I'll show you what that looks like. So this is the RFC 1918 group, and this is a white paper based on IPv4 private addresses. The first one is 192.168.0.0/16, the second one is 172.16.0.0/12, and the last one is 10.0.0.0/8.

So we're still connected to the WireGuard VPN. Now if we bring up a command prompt, we shouldn't be able to hit my Synology now. So I'll ping 192.168.10.220, and we can see that the ping replies aren't going through. I'll also try to hit that camera again at 192.168.30.122. So now we're completely blocked off of every single subnet, so we need to create an allow rule to allow the WireGuard VPN access to my Synology NAS. So we'll go back to the settings wheel, click on Firewall and Security, and then Create New Rule. The type is going to be a LAN Out, the action will be to accept, the source is going to be the port group of the WireGuard VPN, and then the destination we're just going to have it as an IP address of 192.168.10.220, and press Apply Changes. Even though we created the firewall rule of Allow WireGuard to NAS, it is below the block WireGuard to all my other networks. So what we need to do, we need to grab this rule and put it above the block. Now if we go back to our command prompt, we should be able to hit my Synology NAS, and you can see that the ping replies are going through, and we'd be able to get to any resource on that NAS. So that's going to be it for this tutorial on setting up WireGuard with UniFi 3.0.13. It's fairly straightforward to do. I was expecting the speeds to be a little bit higher, but for a VPN that's not too bad. If you have any questions about this video, please leave it in the comments below. If you like this video, hit the thumbs up button. If you're new here, please subscribe and hit the bell icon. All right, thanks.
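As an added worked example (not code from the video, from Ubiquiti or from the WireGuard project), the Python below parses a client profile in the [Interface]/[Peer] shape the WireGuard client imports and models the two LAN Out rules from the video as a first-match list, so the ordering problem the video hits (the allow rule landing below the block rule) shows up as a concrete result. The sample profile is constructed, with placeholder keys and a `.invalid` endpoint host; the `Rule` class, the function names, and the assumption that unmatched LAN Out traffic is accepted by default (consistent with everything being reachable before any rule existed) are this example's own.

```python
"""Check a WireGuard client profile against the firewall design from the video
and show why the 'Allow WG to NAS' rule must sit above 'Block WG to Networks'."""
import configparser
import ipaddress
from dataclasses import dataclass

# Constructed sample profile (example only): keys are placeholders, not key material,
# and the endpoint host is a reserved .invalid name.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.200.3/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
"""


def parse_profile(text: str) -> dict:
    """Pull out the fields worth eyeballing before importing a tunnel."""
    cp = configparser.ConfigParser(strict=False)  # tolerate repeated keys
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    host, port = peer["Endpoint"].rsplit(":", 1)
    return {
        "address": ipaddress.ip_interface(iface["Address"]),
        "dns": [ipaddress.ip_address(d.strip()) for d in iface["DNS"].split(",")],
        "allowed_ips": [ipaddress.ip_network(a.strip()) for a in peer["AllowedIPs"].split(",")],
        "endpoint": (host, int(port)),
    }


@dataclass(frozen=True)
class Rule:
    """One LAN Out rule: action applies when source and destination both match."""
    name: str
    action: str        # "accept" or "drop"
    src: tuple         # networks the source address may fall in
    dst: tuple         # networks the destination address may fall in


# Groups exactly as described in the video.
WG_SUBNET = ipaddress.ip_network("192.168.200.0/24")
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"))
NAS = ipaddress.ip_network("192.168.10.220/32")

BLOCK_WG_TO_NETWORKS = Rule("Block WG to Networks", "drop", (WG_SUBNET,), RFC1918)
ALLOW_WG_TO_NAS = Rule("Allow WG to NAS", "accept", (WG_SUBNET,), (NAS,))


def build_rules(allow_above_block: bool) -> list:
    """Rule list in the order the controller would evaluate it."""
    ordered = [ALLOW_WG_TO_NAS, BLOCK_WG_TO_NETWORKS]
    return ordered if allow_above_block else ordered[::-1]


def evaluate(rules, src: str, dst: str) -> str:
    """First matching rule wins. Unmatched traffic is accepted: an assumption of
    this example, matching the video's starting point where everything was reachable."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if any(s in n for n in rule.src) and any(d in n for n in rule.dst):
            return rule.action
    return "accept"


def audit(profile_text: str, rules, destinations) -> dict:
    """Sanity-check the profile against the firewall group, then map each
    destination to the action the rule list would take for this client."""
    profile = parse_profile(profile_text)
    if profile["address"].network != WG_SUBNET:
        raise ValueError("client subnet does not match the WG VPN firewall group")
    client = str(profile["address"].ip)
    return {dst: evaluate(rules, client, dst) for dst in destinations}


if __name__ == "__main__":
    targets = ["192.168.10.220", "192.168.30.122", "8.8.8.8"]  # NAS, camera, internet
    for order in (False, True):
        label = "allow above block" if order else "allow below block"
        print(label, audit(SAMPLE_PROFILE, build_rules(order), targets))
```

Run as a script, the "allow below block" line shows the NAS dropped (the state the video hits before reordering), and the "allow above block" line shows the NAS accepted while the camera on 192.168.30.122 stays dropped and non-RFC 1918 internet destinations pass. The subnet check in `audit` catches the mismatch you would get if the client profile were generated before the gateway subnet was changed under Advanced.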
Info
Channel: Mactelecom Networks
Views: 81,552
Keywords: ubiquiti networks, wireguard vpn, wireguard setup, wireguard vpn setup, unifi wireguard, unifi wireguard server, unifi wireguard vpn, unifi wireguard dream machine pro, unifi wireguard setup, wireguard unifi udm pro, wireguard unifi dream machine
Id: zGwZGZyAKNs
Length: 7min 42sec (462 seconds)
Published: Tue Nov 29 2022