How to Run WireGuard on Ubiquiti (UniFi) Devices
Published by Iron
Running WireGuard on a Ubiquiti device is a great way to enhance your network security and privacy. WireGuard is known for its speed and simplicity, making it a perfect match for Ubiquiti's efficient networking gear. This guide will walk you through the process of setting up WireGuard on a UniFi device, step-by-step.
Let's dive in!

Table of Contents
- What is WireGuard?
- Why Use WireGuard on UniFi Devices?
- What You’ll Need
- Step 1: Enable SSH on Your UniFi Device
- Step 2: Connect to Your UniFi Device via SSH
- Step 3: Install WireGuard
- Step 4: Configure WireGuard
- Step 5: Start WireGuard
- Step 6: Make WireGuard Auto-Start on Boot
- Step 7: Configure Your Client Devices
- Step 8: Configure Port Forwarding
- Troubleshooting Tips
- Final Thoughts
What is WireGuard?
WireGuard is a fast, lightweight VPN protocol. It’s simple, uses modern cryptography, and is much easier to configure than older protocols like OpenVPN or IPsec. It works directly within the Linux kernel, so it offers better performance and low latency.
With WireGuard on your UniFi device, you can create secure, private connections to your home or business network from anywhere in the world. It's great for remote access, secure browsing, or connecting branch offices.
Why Use WireGuard on UniFi Devices?
- Speed: Faster than OpenVPN, thanks to its efficient design.
- Simplicity: Minimal configuration. No need for certificate management.
- Security: Uses modern cryptographic principles for encryption and authentication.
- Efficiency: Works directly in the Linux kernel, resulting in better performance.
What You’ll Need
- UniFi Device: UDM, UDM Pro, or any device that supports custom scripts and SSH access.
- WireGuard Software: WireGuard is a kernel-based VPN, but it requires some additional scripts to configure on UniFi devices.
- Access to SSH: You’ll need to access the device via SSH to run commands.
- A Backup Plan: It's always a good idea to back up your device before making changes.
Step 1: Enable SSH on Your UniFi Device
To access your UniFi device, you need to enable SSH. Here’s how you do it:
- Log in to your UniFi Controller.
- Go to Settings > System.
- Scroll down to the Device SSH Authentication section.
- Enable SSH, then set a username and password.
Note: Make sure you have the SSH username and password handy. You’ll need them later.
Step 2: Connect to Your UniFi Device via SSH
Now that SSH is enabled, it’s time to log in to the device.
- Open a terminal (Linux/Mac) or PowerShell (Windows).
- Type the following command to connect to your UniFi device (replace "IP_ADDRESS" with the actual IP address of your UniFi device):
ssh username@IP_ADDRESS
- When prompted, enter your SSH password.
You are now connected to the command line interface of your UniFi device.
Step 3: Install WireGuard
Unlike regular Linux distros, UniFi devices run a custom Linux version. Installing WireGuard requires a few extra steps.
- Update the Package List:
apt-get update
- Install WireGuard:
apt-get install wireguard
Note: If the "apt-get" command does not work, you may need to use a script to manually add support for WireGuard. UDM devices have limited support for package installations, so a workaround might be necessary.
- Check the Installation:
wg
If the command runs without errors, WireGuard is installed.
Step 4: Configure WireGuard
Now that WireGuard is installed, it’s time to set it up. This requires generating private and public keys for both the server (your UniFi device) and the clients.
- Generate WireGuard Keys (the umask makes the key files readable only by their owner):
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
This will create two files: "privatekey" and "publickey". Keep the private key secure.
- Create the Configuration File: Create the WireGuard configuration file in "/etc/wireguard/wg0.conf":
nano /etc/wireguard/wg0.conf
- Add the Following Configuration:
[Interface]
PrivateKey = <your-server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
- Replace "<your-server-private-key>" with the contents of the "privatekey" file.
- Replace "<client-public-key>" with the client’s public key.
Tip: The "Address" is the WireGuard network IP. It can be any subnet, but 10.0.0.0/24 is a common choice.
Step 5: Start WireGuard
- Bring Up the WireGuard Interface:
wg-quick up wg0
- Check the Status:
wg
If everything is working correctly, you should see details about the WireGuard interface and peers.
Step 6: Make WireGuard Auto-Start on Boot
To make sure WireGuard runs when your UniFi device reboots, follow these steps.
- Create a Script in "/etc/rc.local":
nano /etc/rc.local
- Add the Following:
#!/bin/bash
/usr/bin/wg-quick up wg0
exit 0
- Make It Executable:
chmod +x /etc/rc.local
- Test Reboot: Reboot your device to make sure WireGuard starts automatically.
reboot
- Check Status After Reboot:
wg
If the WireGuard interface is up, it’s working as expected.
Step 7: Configure Your Client Devices
To connect your laptop, phone, or other devices to the WireGuard VPN, you’ll need to configure each client.
- Generate Client Keys (on a separate machine):
wg genkey | tee client_privatekey | wg pubkey > client_publickey
- Update WireGuard Configuration on UniFi Device: Add a new peer section for the client to "/etc/wireguard/wg0.conf" (each client needs its own key pair and its own AllowedIPs address; two peers cannot share one):
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
- Apply the Changes:
wg-quick down wg0
wg-quick up wg0
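The post shows the server-side [Peer] block but not the client's own config, and Steps 4 and 7 both hand out 10.0.0.2/32. This added example (my code, not from the post or Ubiquiti) renders both sides for one client of the wg0 layout above and refuses to register a client whose key or VPN address is already in wg0.conf. The client-side AllowedIPs of 10.0.0.0/24, the keepalive value and the placeholder keys are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Server is 10.0.0.1/24 on UDP
# 51820 as in the guide; key strings below are placeholders, real ones come
# from "wg genkey" / "wg pubkey".

# render_peer <client-public-key> <client-vpn-ip>: block appended to the server's wg0.conf
render_peer() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# render_client <client-private-key> <client-vpn-ip> <server-public-key> <server-public-address>
# Assumption: the client only routes the VPN subnet through the tunnel; use
# 0.0.0.0/0 instead if all client traffic should leave via the UniFi device.
render_client() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:51820\n' "$3" "$4"
    printf 'AllowedIPs = 10.0.0.0/24\nPersistentKeepalive = 25\n'
}

# add_peer <wg0.conf> <client-public-key> <client-vpn-ip>
# Returns 1 without touching the file if the key or the address is already a
# peer: WireGuard allows one owner per AllowedIPs entry, so a duplicated
# address moves to the peer listed last and the earlier client stops working.
add_peer() {
    conf=$1; key=$2; ip=$3
    if [ -f "$conf" ] && grep -qFx -e "PublicKey = $key" "$conf"; then
        echo "refusing: $key is already a peer in $conf" >&2; return 1
    fi
    if [ -f "$conf" ] && grep -qFx -e "AllowedIPs = $ip/32" "$conf"; then
        echo "refusing: $ip is already assigned in $conf" >&2; return 1
    fi
    { printf '\n'; render_peer "$key" "$ip"; } >> "$conf"
}

# Usage on the device (placeholder keys):
# add_peer /etc/wireguard/wg0.conf "CLIENT_PUBKEY_PLACEHOLDER" 10.0.0.3
# render_client "CLIENT_PRIVKEY_PLACEHOLDER" 10.0.0.3 "SERVER_PUBKEY_PLACEHOLDER" vpn.example.com > client.conf
```

After add_peer, apply the change with the wg-quick down/up pair from the step above.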
Step 8: Configure Port Forwarding
If you want to access WireGuard from outside your network, you need to forward UDP port 51820 (WireGuard uses UDP only) on your router or UniFi Gateway.
- Log in to Your UniFi Controller.
- Go to Settings > Firewall & Security.
- Set up a port forwarding rule to forward UDP port 51820 to the internal IP of your UDM/UDM Pro.
Troubleshooting Tips
- Check the Logs:
dmesg | grep wireguard
- Restart WireGuard:
wg-quick down wg0
wg-quick up wg0
- Port Issues: Ensure UDP port 51820 is not being blocked by your ISP or firewall.
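The "wg" status check in Steps 5 and 6 and the troubleshooting list above leave it to the reader to judge the output. This added example (my code, not from the post or Ubiquiti) reads the machine-readable "wg show wg0 dump" output instead and flags peers with no recent handshake, which is the usual symptom of a missing UDP port forward or a wrong client Endpoint. The sample dump, its placeholder keys and the 180 s staleness threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. "wg show wg0 dump" is tab
# separated: line 1 is the interface (private-key, public-key, listen-port,
# fwmark); each further line is a peer (public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake as a Unix timestamp, rx bytes, tx bytes,
# persistent-keepalive). A latest-handshake of 0 means the peer never connected.

# check_dump <dump-text> <now-epoch> [max-age-seconds]
# Prints one verdict per peer; returns 1 if the listen port is not 51820 or
# any peer lacks a recent handshake, 0 if everything looks healthy.
check_dump() {
    printf '%s\n' "$1" | awk -F "$(printf '\t')" -v now="$2" -v maxage="${3:-180}" '
        NR == 1 {
            if ($3 != 51820) { printf "listen-port is %s, expected 51820\n", $3; bad++ }
            next
        }
        {
            peer = substr($1, 1, 8) "... " $4
            if ($5 == 0)                { printf "%s: never completed a handshake\n", peer; bad++ }
            else if (now - $5 > maxage) { printf "%s: last handshake %d s ago (stale)\n", peer, now - $5; bad++ }
            else                        { printf "%s: ok (%d s ago, rx %d tx %d)\n", peer, now - $5, $6, $7 }
        }
        END { exit (bad > 0) }'
}

# Constructed sample with placeholder keys: peer A is healthy, peer B has
# never handshaked (typical of UDP 51820 not reaching the device).
SAMPLE=$(printf 'SERVER_PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff\n'; \
         printf 'CLIENT_A_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.5:41820\t10.0.0.2/32\t1700000470\t8192\t4096\t25\n'; \
         printf 'CLIENT_B_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff')

# On the device: check_dump "$(wg show wg0 dump)" "$(date +%s)"
check_dump "$SAMPLE" 1700000500 || echo "at least one peer needs attention" >&2
```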
Final Thoughts
Running WireGuard on Ubiquiti devices like the UDM or UDM Pro gives you a fast, modern, and secure VPN. While the setup requires a bit of command-line magic, it's a one-time process that pays off with better network security.
By using UniFi’s powerful hardware, combined with WireGuard’s lightweight design, you can create a high-speed VPN that's easy to maintain. And if you’d rather avoid self-hosting, you can check out services like UniHosted, where we handle VPN configurations as part of our hosted controller solutions. If you would like me to personally walk you through UniHosted, you can schedule a call with me here.