How to Run WireGuard on Ubiquiti (UniFi) Devices

Published by Iron

Running WireGuard on a Ubiquiti device is a great way to enhance your network security and privacy. WireGuard is known for its speed and simplicity, making it a perfect match for Ubiquiti's efficient networking gear. This guide will walk you through the process of setting up WireGuard on a UniFi device, step-by-step.

Let's dive in!

What is WireGuard?

WireGuard is a fast, lightweight VPN protocol. It’s simple, uses modern cryptography, and is much easier to configure than older protocols like OpenVPN or IPsec. It works directly within the Linux kernel, so it offers better performance and low latency.

With WireGuard on your UniFi device, you can create secure, private connections to your home or business network from anywhere in the world. It's great for remote access, secure browsing, or connecting branch offices.

Why Use WireGuard on UniFi Devices?

  • Speed: Faster than OpenVPN, thanks to its efficient design.
  • Simplicity: Minimal configuration. No need for certificate management.
  • Security: Uses modern cryptographic principles for encryption and authentication.
  • Efficiency: Works directly in the Linux kernel, resulting in better performance.

What You’ll Need

  • UniFi Device: UDM, UDM Pro, or any device that supports custom scripts and SSH access.
  • WireGuard Software: WireGuard is a kernel-based VPN, but it requires some additional scripts to configure on UniFi devices.
  • Access to SSH: You’ll need to access the device via SSH to run commands.
  • A Backup Plan: It's always a good idea to back up your device before making changes.

Step 1: Enable SSH on Your UniFi Device

To access your UniFi device, you need to enable SSH. Here’s how you do it:

  1. Log in to your UniFi Controller.
  2. Go to Settings > System.
  3. Scroll down to the Device SSH Authentication section.
  4. Enable SSH, then set a username and password.

Note: Make sure you have the SSH username and password handy. You’ll need it later.

Step 2: Connect to Your UniFi Device via SSH

Now that SSH is enabled, it’s time to log in to the device.

  1. Open a terminal (Linux/Mac) or PowerShell (Windows).
  2. Type the following command to connect to your UniFi device (replace "IP_ADDRESS" with the actual IP address of your UniFi device):
    ssh username@IP_ADDRESS
    
  3. When prompted, enter your SSH password.

You are now connected to the command line interface of your UniFi device.

Step 3: Install WireGuard

Unlike regular Linux distros, UniFi devices run a custom Linux version. Installing WireGuard requires a few extra steps.

  1. Update the Package List:

    apt-get update

  2. Install WireGuard:

    apt-get install wireguard

Note: If the "apt-get" command does not work, you may need to use a script to manually add support for WireGuard. UDM devices have limited support for package installations, so a workaround might be necessary.

  3. Check the Installation:

    wg

If the command runs without errors, WireGuard is installed.

Step 4: Configure WireGuard

Now that WireGuard is installed, it’s time to set it up. This requires generating private and public keys for both the server (your UniFi device) and the clients.

  1. Generate WireGuard Keys:

    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey

    This will create two files: "privatekey" and "publickey". Keep the private key secure.

  2. Create the Configuration File: Create the WireGuard configuration file in "/etc/wireguard/wg0.conf":

    nano /etc/wireguard/wg0.conf
    
  3. Add the Following Configuration:

    [Interface]
    PrivateKey = <your-server-private-key>
    Address = 10.0.0.1/24
    ListenPort = 51820

    [Peer]
    PublicKey = <client-public-key>
    AllowedIPs = 10.0.0.2/32

    • Replace "<your-server-private-key>" with the contents of the "privatekey" file.
    • Replace "<client-public-key>" with the client’s public key.

Tip: The "Address" is the WireGuard network IP. It can be any subnet, but 10.0.0.0/24 is a common choice.

Step 5: Start WireGuard

  1. Bring Up the WireGuard Interface:

    wg-quick up wg0
    
  2. Check the Status:

    wg
    

If everything is working correctly, you should see details about the WireGuard interface and peers.

Step 6: Make WireGuard Auto-Start on Boot

To make sure WireGuard runs when your UniFi device reboots, follow these steps.

  1. Create a Script in "/etc/rc.local":

    nano /etc/rc.local

  2. Add the Following:

    #!/bin/bash
    /usr/bin/wg-quick up wg0
    exit 0

  3. Make It Executable:

    chmod +x /etc/rc.local
    
  4. Test Reboot: Reboot your device to make sure WireGuard starts automatically.

    reboot
    
  5. Check Status After Reboot:

    wg
    

If the WireGuard interface is up, it’s working as expected.


Step 7: Configure Your Client Devices

To connect your laptop, phone, or other devices to the WireGuard VPN, you’ll need to configure each client.

  1. Generate Client Keys (on a separate machine):

    wg genkey | tee client_privatekey | wg pubkey > client_publickey
    
  2. Update WireGuard Configuration on UniFi Device: Add a new peer section to "/etc/wireguard/wg0.conf":

    [Peer]
    PublicKey = <client-public-key>
    AllowedIPs = 10.0.0.2/32

  3. Apply the Changes:

    wg-quick down wg0
    wg-quick up wg0

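Steps 4 and 7 both add a [Peer] block by hand, and the article never shows the client side of the pairing. The script below is an added example, not part of the original article: it appends a peer to the UDM's wg0.conf, giving it the lowest 10.0.0.x address no existing peer already claims, refuses a public key that is already present, and prints the matching client configuration. It assumes the config path, the 10.0.0.0/24 subnet and port 51820 from the article, and a placeholder endpoint; the client keeps its own private key and only its public key is passed in.

```shell
#!/bin/sh
# Added example, not from the original article: add one more client to the
# UDM-side wg0.conf without reusing an address an existing peer already owns.
# Assumes the article's layout: config at $WG_CONF, subnet 10.0.0.0/24, and a
# client that generated its own keys, so only its public key is passed in.
set -eu
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
SUBNET_PREFIX="10.0.0"

# Print the lowest 10.0.0.x (x >= 2; .1 is the server) not claimed by any AllowedIPs line.
next_free_ip() {
    esc=$(printf '%s' "$SUBNET_PREFIX" | sed 's/\./\\./g')
    used=$(sed -n "s/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*$esc\.\([0-9]*\)\/32.*/\1/p" "$1")
    n=2
    while printf '%s\n' "$used" | grep -qx "$n"; do n=$((n + 1)); done
    echo "$SUBNET_PREFIX.$n"
}

# True if this public key is already a peer (format "PublicKey = <key>" as in the article).
peer_exists() {
    grep -qF "PublicKey = $2" "$1"
}

# Append a [Peer] block for the client and print the address it received.
# A duplicate key is refused: wg-quick would otherwise keep only the last AllowedIPs.
add_peer() {
    conf="$1"; pubkey="$2"
    if peer_exists "$conf" "$pubkey"; then
        echo "peer already present: $pubkey" >&2
        return 1
    fi
    ip=$(next_free_ip "$conf")
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pubkey" "$ip" >> "$conf"
    echo "$ip"
}

# Print the matching client-side config. The client pastes its own private key;
# endpoint is the UDM's public hostname or IP, the port is the article's 51820.
client_conf() {
    ip="$1"; server_pub="$2"; endpoint="$3"
    printf '[Interface]\nPrivateKey = <client-private-key>\nAddress = %s/24\n\n' "$ip"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:51820\nAllowedIPs = 10.0.0.0/24\nPersistentKeepalive = 25\n' \
        "$server_pub" "$endpoint"
}

# Live use on the UDM: RUN_LIVE=1 ./add_peer.sh <client-public-key> <public-endpoint>
if [ "${RUN_LIVE:-0}" = 1 ]; then
    ip=$(add_peer "$WG_CONF" "$1")
    client_conf "$ip" "$(wg show wg0 public-key)" "$2"
fi
```

After the peer is appended, apply it the way Step 7 does (wg-quick down wg0, then wg-quick up wg0); the printed client config's AllowedIPs of 10.0.0.0/24 routes only VPN traffic through the tunnel.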

Step 8: Configure Port Forwarding

If you want to access WireGuard from outside your network, you need to forward UDP port 51820 on your router or UniFi Gateway.

  1. Log in to Your UniFi Controller.
  2. Go to Settings > Firewall & Security.
  3. Set up a port forwarding rule to forward port 51820 to the internal IP of your UDM/UDM Pro.

Troubleshooting Tips

  • Check the Logs:

    dmesg | grep wireguard
    
  • Restart WireGuard:

    wg-quick down wg0
    wg-quick up wg0

  • Port Issues: Ensure UDP port 51820 is not being blocked by your ISP or firewall.
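Running wg by itself, as the troubleshooting tips suggest, shows the peers but leaves you to judge the handshake times. The script below is an added example, not from the original article: it parses the machine-readable output of wg show wg0 dump and flags every peer whose last handshake is missing or older than a threshold, which is the usual symptom of the blocked port or wrong key/endpoint the tips describe. It assumes the dump format (an interface line, then one tab-separated line per peer whose fifth field is the last-handshake Unix time, 0 if none) and a constructed sample is used in the test.

```shell
#!/bin/sh
# Added example, not from the original article: a health check over the output
# of `wg show wg0 dump` that flags peers with a stale or missing handshake.
# Assumes the dump format: an interface line, then one tab-separated line per
# peer whose 5th field is the last-handshake Unix time (0 = never).
set -eu

STALE_AFTER=180   # seconds; an active tunnel rehandshakes about every 2 minutes

# Reads dump text on stdin; prints one status line per peer.
# Usage: check_handshakes <now-epoch> [stale-seconds]; exit 1 if any peer is unhealthy.
check_handshakes() {
    awk -F'\t' -v now="$1" -v stale="${2:-$STALE_AFTER}" '
        BEGIN { bad = 0 }
        NR == 1 { next }                 # interface line: privkey, pubkey, port, fwmark
        {
            key = substr($1, 1, 8) "..."
            age = now - $5
            if ($5 == 0) {
                print key, "never handshaked (endpoint " $3 ", allowed " $4 ")"; bad = 1
            } else if (age > stale) {
                print key, "stale: last handshake " age "s ago, endpoint " $3; bad = 1
            } else {
                print key, "ok: handshake " age "s ago, rx " $6 " tx " $7 " bytes"
            }
        }
        END { exit bad }'
}

# Live use on the UDM: RUN_LIVE=1 ./wg_health.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    wg show wg0 dump | check_handshakes "$(date +%s)"
fi
```

A peer that shows "never handshaked" with a real endpoint usually means its packets never reach UDP 51820 or its public key in wg0.conf does not match; a peer that was fine and turned "stale" has lost connectivity since its last handshake.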

Final Thoughts

Running WireGuard on Ubiquiti devices like the UDM or UDM Pro gives you a fast, modern, and secure VPN. While the setup requires a bit of command-line magic, it's a one-time process that pays off with better network security.

By using UniFi’s powerful hardware, combined with WireGuard’s lightweight design, you can create a high-speed VPN that's easy to maintain. And if you’d rather avoid self-hosting, you can check out services like UniHosted, where we handle VPN configurations as part of our hosted controller solutions. If you would like me to personally walk you through UniHosted, you can schedule a call with me here.
