Ultimate guide to setting up UniFi WireGuard VPN for secure connectivity

Published by Iron (edited)

WireGuard is simple to configure, yet it provides modern, well-reviewed cryptography. With WireGuard, you can reach your local devices, manage your UniFi network remotely, and route your web traffic through your home connection, all through a single tunnel. It's like having a secret passage to your home network.

Let's dive in!

What is WireGuard?

WireGuard is a modern VPN protocol, built into the Linux kernel since version 5.6. It offers high throughput, robust security, and needs few system resources. Where OpenVPN and IPsec stacks run to hundreds of thousands of lines, the original WireGuard kernel implementation was roughly 4,000 lines. A small codebase is easier to audit, and fewer bugs mean fewer vulnerabilities.

Why Use WireGuard?

  • Speed: Generally faster than OpenVPN, and comparable to or faster than IPsec, because it runs in the kernel with a minimal packet path.
  • Lightweight: The original kernel implementation is roughly 4,000 lines of code.
  • Simplicity: Fixed, modern primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s) with no cipher negotiation to misconfigure; a peer is just a public key and an allowed IP range.
  • Cross-Platform: Works on Linux, Windows, macOS, iOS, and Android.
  • Battery Friendly: Silent when idle and roams between networks without renegotiating, which suits mobile devices.

If you’re setting up a VPN, WireGuard is a no-brainer. And if you have UniFi devices, the process is even easier.

Prerequisites

Before diving into the setup, make sure you have these essentials ready:

  • UniFi Gateway running UniFi OS (Dream Machine, UDM-Pro/SE, Cloud Gateway, or similar). The VPN server runs on the gateway; a Cloud Key or a self-hosted Network application alone cannot terminate the tunnel.
  • Latest Firmware on your UniFi console
  • Admin Access to UniFi Site Manager or local controller
  • SSH Access to your console (optional, but useful for debugging)

Make sure your UniFi OS and Controller are updated to the latest version. This ensures compatibility with WireGuard VPN.

Step 1: Update Your UniFi Console

To avoid unnecessary headaches, ensure your UniFi Console is running the latest version of UniFi OS. Updates often include bug fixes, performance improvements, and new features — like VPN compatibility.

How to update your UniFi Console:

  1. Log in to UniFi Site Manager at unifi.ui.com.
  2. Click Settings > System > Updates.
  3. Check if there’s an available update. If so, click Update.
  4. Wait for the system to update and reboot.

Once done, you’re ready to configure WireGuard.

Step 2: Configure the WireGuard VPN on UniFi

Now, it’s time for the main event — configuring WireGuard on your UniFi system.

Create a WireGuard VPN

  1. Access UniFi Controller: Log into the UniFi controller.
  2. Go to Settings: Click the gear icon on the sidebar.
  3. Create New Network:
    • Click Networks > Create New Network.
    • Name your network (e.g., "WireGuard VPN").
    • Purpose: Select Remote User VPN.
  4. VPN Type: Choose WireGuard.
  5. Set Up VPN Parameters:
    • Server Address: Use your public IP or DDNS address. Clients put this in their Endpoint field, so if your WAN IP changes, DDNS is the only option that keeps working.
    • Port: Default is UDP 51820. You can change it, but treat that as reducing scanner noise rather than as a security control; WireGuard never answers a packet that is not authenticated by a known peer key.
    • IP Range: Set this as 10.10.10.1/24 (the console takes 10.10.10.1 and clients get addresses from 10.10.10.0/24). Pick a range that doesn't conflict with your LAN, and avoid the common defaults (192.168.0.0/24, 192.168.1.0/24) for the LAN itself: a client sitting on a hotel or friend's network that uses the same subnet as your LAN will not be able to reach it.
    • DNS Server: Use 8.8.8.8 or 1.1.1.1 if you only need public names. If you want internal hostnames to resolve and DNS queries to stay inside the tunnel, use the console's tunnel address (10.10.10.1 in this example) instead.
  6. Generate Keys: Click Generate Key Pair.
  7. Save Changes: Click Apply Changes to save the VPN settings.

Congratulations, you now have a WireGuard VPN server running on your UniFi console. Next, let’s configure the client devices.

Step 3: Add VPN Clients

With WireGuard, each connected device needs a unique "peer" configuration. We’ll generate unique keys for each client.

  1. Access VPN Network: In UniFi, go to Networks > WireGuard VPN.
  2. Add Client:
    • Click Add Client.
    • Client Name: Name your client (e.g., "iPhone VPN" or "John's Laptop").
    • Public Key: Either let the console generate the client's key pair (its private key is then embedded in the config file and QR code, so treat both as secrets) or generate the pair in the WireGuard app on the device and paste only the public key here.
    • Allowed IPs: This is the client-side setting, written into the client's config: 0.0.0.0/0 sends all of the client's traffic through the VPN. On the server side, the peer entry for each client is always just that client's single tunnel address (e.g., 10.10.10.2/32); that is what stops one client from receiving traffic meant for another.
    • Save the Client Configuration.
  3. View QR Code: Click View QR Code to get a scannable code for easy setup on mobile devices.

Step 4: Connect Your Devices

Now that your VPN server and client are configured, let’s connect your devices.

Connect an iPhone or Android

  1. Install WireGuard from the App Store or Google Play.
  2. Open the app and Add Tunnel.
  3. Scan QR Code: Use the QR code from your UniFi controller.
  4. Tap Activate. You’re connected!

Connect a Windows or macOS Device

  1. Download and install WireGuard for Windows or macOS from wireguard.com.
  2. In UniFi, download the client's configuration file. The desktop apps import a .conf file; they do not scan QR codes.
  3. Click Add Tunnel > Import tunnel(s) from file and select the file.
  4. Connect to the VPN.

Step 5: Advanced Configuration (Optional)

Here’s how to level up your WireGuard VPN.

Port Forwarding

If your UniFi console sits behind another router (for example an ISP modem/router that has not been put into bridge mode), forward the WireGuard port (default UDP 51820) to the console's WAN address.

  1. Log in to the upstream router.
  2. Port Forward: Forward UDP 51820 to your UniFi Console. WireGuard is UDP only; a TCP rule will not help.

Split Tunneling

Split tunneling allows you to send only specific traffic through the VPN.

  • Allowed IPs: In the client's config, change this from 0.0.0.0/0 to your LAN subnet (e.g., 192.168.1.0/24) plus the tunnel subnet (10.10.10.0/24) to reach only local devices. The server-side peer entry stays the client's /32.
  • This keeps your general internet traffic outside of the VPN for better speed, at the cost of that traffic no longer going through home (so no home IP, and a public DNS resolver in the config is reached directly, not via the tunnel).
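The two configs behind Step 2, Step 3 and the split-tunnel variant above, as an added example that is not UniFi's or the WireGuard project's code. It renders the client's tunnel file (what the QR code encodes) and the server's [Peer] stanza for that client, with a check that the server-side AllowedIPs is a single /32. The endpoint vpn.example.com, the LAN 192.168.1.0/24 and every key are assumptions and placeholders; generate real keys with `wg genkey | tee server.key | wg pubkey > server.pub`.

```shell
#!/bin/sh
# Added example, not code from UniFi or WireGuard. Shows what the Remote User
# VPN wizard produces for one client and what AllowedIPs means on each side.
# Every key below is a constructed placeholder, not a real key.
set -e

ENDPOINT="vpn.example.com"        # assumed DDNS name from Step 2
PORT=51820                         # WireGuard UDP port
VPN_NET="10.10.10.0/24"            # tunnel subnet (the "IP Range" field)
VPN_GW="10.10.10.1"                # console's address inside the tunnel
LAN_NET="192.168.1.0/24"           # assumed home LAN reachable via the tunnel
SERVER_PUB="SERVERPUBLICKEYPLACEHOLDERAAAAAAAAAAAAAAAAAA="   # constructed
CLIENT_PRIV="CLIENTPRIVATEKEYPLACEHOLDERAAAAAAAAAAAAAAAAA="  # constructed
CLIENT_PUB="CLIENTPUBLICKEYPLACEHOLDERAAAAAAAAAAAAAAAAAA="   # constructed

# Client-side AllowedIPs: the destinations the client routes into the tunnel.
#   full  -> everything, v4 and v6 (::/0 stops v6 from leaking around a v4-only tunnel)
#   split -> only the LAN and the tunnel subnet ("Split Tunneling" above)
client_allowed_ips() {
  case "$1" in
    full)  echo "0.0.0.0/0, ::/0" ;;
    split) echo "$LAN_NET, $VPN_NET" ;;
    *)     echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Server-side AllowedIPs is cryptokey routing: the only source the peer may
# send from and the only destination routed to it. It must be the peer's single
# tunnel address. 0.0.0.0/0 or a subnet here lets that one client receive
# traffic meant for the other peers.
server_peer_ips_ok() {
  case "$1" in
    */32) return 0 ;;
    *)    return 1 ;;
  esac
}

# Render the client's tunnel file. $1 = name, $2 = tunnel IP, $3 = full|split
client_conf() {
  name="$1"; ip="$2"; mode="$3"
  allowed="$(client_allowed_ips "$mode")"
  printf '# %s\n[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n\n' \
    "$name" "$CLIENT_PRIV" "$ip" "$VPN_GW"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
    "$SERVER_PUB" "$ENDPOINT" "$PORT" "$allowed"
}

# Render the [Peer] stanza the server keeps for that client.
# $1 = name, $2 = client public key, $3 = client tunnel IP
server_peer() {
  ips="$3/32"
  server_peer_ips_ok "$ips" || { echo "refusing non-/32 AllowedIPs: $ips" >&2; return 1; }
  printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2" "$ips"
}

client_conf "johns-laptop" 10.10.10.2 split
echo
server_peer "johns-laptop" "$CLIENT_PUB" 10.10.10.2
```

Run it on any machine with a POSIX shell; the client file it prints is what you would import into the WireGuard app, and the peer stanza is the server-side view that UniFi maintains for you. The DNS line points at the console's tunnel address rather than a public resolver so that internal names resolve; swap in 1.1.1.1 if you only need public names.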

Troubleshooting Tips

If you run into issues, here are some things to check.

Can’t Connect to VPN?

  • Make sure UDP 51820 actually reaches the console (upstream router forward in place, and no ISP carrier-grade NAT on the WAN). Port scanners will always report the port as closed or filtered because WireGuard does not reply to unauthenticated packets, so don't trust them; look for a completed handshake instead.
  • Check that the client's public key on the server matches the private key in the client's config, and that the client's Endpoint is the console's current public address. A key mismatch looks like a tunnel that "connects" locally but never records a handshake.
  • Test from a different network (e.g., mobile data). Connecting to your own public IP from inside the same LAN often fails without hairpin NAT.
  • Reboot the UniFi console.

Client Connects but Can’t Access Network?

  • Check that the client's Allowed IPs includes the network you are trying to reach (0.0.0.0/0 for a full tunnel, or the LAN subnet for split tunneling), and that the remote network you are on doesn't use the same subnet as your LAN.
  • Check for any firewall rules blocking traffic from the VPN network to the LAN, and that the device you are reaching doesn't drop traffic from outside its own subnet (Windows firewall rules for file sharing are often scoped to the local subnet).

DNS Issues?

  • Make sure DNS in the client config is set to a resolver the client can actually reach: 8.8.8.8 or 1.1.1.1 for public names, or the console's tunnel address if you need internal hostnames.
  • If DNS still doesn't resolve, set the DNS server manually on the client device.
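A concrete way to answer the three questions above from the console's SSH shell, as an added example that is not UniFi's or WireGuard's code. It classifies each peer in the output of `wg show <iface> dump` (tab-separated, one peer per line, in the column order documented in wg(8)). The dump it runs on is constructed, and the interface lookup in the comment is an assumption about how you would feed it real data.

```shell
#!/bin/sh
# Added example, not code from UniFi or the WireGuard project. Peer states:
#   NO_HANDSHAKE     never completed a handshake: packets don't arrive (port,
#                    NAT, CGNAT) or the keys don't match
#   STALE            handshake older than 3 minutes: client gone or path broken
#                    (WireGuard re-handshakes every 2 minutes while traffic flows)
#   BAD_ALLOWED_IPS  server-side AllowedIPs is not a single /32, so this peer can
#                    receive traffic meant for others
#   OK               everything else
# On a console you would run (assumed usage):
#   wg show "$(wg show interfaces | awk '{print $1}')" dump | peer_status "$(date +%s)"
set -e

# Constructed sample dump: interface line, then three peers (placeholder keys).
# Peer columns: pubkey preshared endpoint allowed-ips latest-handshake rx tx keepalive
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' \
    'SERVERPRIVKEYPLACEHOLDERAAAAAAAAAAAAAAAAAAAA=' 'SERVERPUBKEYPLACEHOLDERAAAAAAAAAAAAAAAAAAAAA=' 51820 off
  # healthy peer: last handshake 100 s before the demo "now" of 1700000100
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PEER1PUBKEYPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAA=' '(none)' 203.0.113.7:41641 10.10.10.2/32 1700000000 123456 654321 25
  # peer that never handshook: no endpoint yet, zero counters
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PEER2PUBKEYPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAA=' '(none)' '(none)' 10.10.10.3/32 0 0 0 off
  # peer with a dangerous server-side AllowedIPs
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PEER3PUBKEYPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAA=' '(none)' 198.51.100.9:51820 0.0.0.0/0 1700000050 9999 8888 off
}

# Read a dump on stdin; print "<status> <allowed-ips> <first 8 chars of key>"
# per peer. $1 = current time as epoch seconds.
peer_status() {
  awk -v now="$1" '
    NR == 1 { next }                     # first line is the interface, not a peer
    {
      key = substr($1, 1, 8); ips = $4; hs = $5 + 0
      if (ips !~ /^[0-9.]+\/32$/)   st = "BAD_ALLOWED_IPS"
      else if (hs == 0)             st = "NO_HANDSHAKE"
      else if (now - hs > 180)      st = "STALE"
      else                          st = "OK"
      printf "%s %s %s\n", st, ips, key
    }'
}

# Number of peers in one state, for a one-line health check.
# $1 = status name, $2 = now; dump on stdin.
count_status() {
  peer_status "$2" | grep -c "^$1 " || true
}

sample_dump | peer_status 1700000100
```

The handshake timestamp is the single most useful field: a peer with a fresh handshake has proved it holds the matching private key and that UDP is flowing both ways, which rules out the port, NAT and key questions in one go.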

Security Best Practices

  • Change Default Port: Using a port other than 51820 reduces scanner noise, but it is not a security boundary; WireGuard is silent to anyone without a valid peer key on any port.
  • Protect Keys: WireGuard always uses Curve25519 keys, so there is no "weak key" choice to make. What matters is handling: the QR code and config file contain the client's private key, so don't share or screenshot them, and rotate a client (delete and re-create it) if a device is lost.
  • Disable Unused Clients: Revoke access to devices that no longer need VPN; removing the peer from the server takes effect immediately and needs nothing on the client.
  • One Key Per Device: Never reuse a client config on two devices. A peer is one key, and a shared key means you can't revoke one device without the other.

Frequently Asked Questions

1. Can I run multiple VPNs on UniFi?

Yes, you can have multiple VPN networks configured simultaneously.

2. How many clients can connect at once?

UniFi limits connections based on your hardware; a UDM-Pro can support up to 100 clients. In practice the gateway's CPU and the total throughput of active clients are what you hit first, not the client count.

3. Can I view connected clients?

Yes, connected clients are listed under Networks > WireGuard VPN.

Final Thoughts

With UniFi and WireGuard, you can create a secure, fast VPN that gives you private access to your network from anywhere. Whether you’re working remotely or accessing files at home, WireGuard keeps your connection safe and fast.

If you want to avoid hosting your own UniFi Controller, check out UniHosted. It’s a cloud-based service that hosts your UniFi controller with automatic updates and easy access from anywhere.

If you would like me to personally walk you through UniHosted, you can schedule a call with me here.
