# Configuring WireGuard on a Ubiquiti UCG
I recently migrated my home network infrastructure to a Ubiquiti UCG Ultra. Everything works great and the UniFi interface is pleasant to use, but I wanted VPN access to my local network from outside. OpenVPN feels heavy, and I use WireGuard everywhere else. Good news: since UniFi OS 3.x, WireGuard is natively supported on UCG devices.
The problem is that official documentation remains quite sparse on this topic. So I spent a few hours figuring out how everything fits together. Here’s what I learned.
## Enabling the WireGuard server
In the UniFi Network interface, head to Settings, then VPN. Create a new VPN server and choose WireGuard. The interface automatically generates the server keys and lets you define the tunnel subnet. I kept the default 10.0.0.1/24, which works perfectly fine.
The default port is 51820; make sure your firewall allows UDP on this port. On the UCG this is normally handled automatically, but custom rules may block the traffic.
## Adding clients
This is where UniFi really simplifies things. Click “Add Client”, give it a name, and the system generates a QR code plus a configuration file. On iOS or Android with the official WireGuard app, scan the QR and you’re done in thirty seconds.
For a Linux client, grab the conf file and place it in /etc/wireguard/:

```shell
sudo mv client.conf /etc/wireguard/wg0.conf
sudo wg-quick up wg0
```
I find this much cleaner than the manual configuration we had to do on EdgeRouter before.
## Accessing the local network
By default the tunnel only routes traffic destined for the VPN subnet. If you want access to your complete LAN, you need to modify "Allowed IPs" on the client side to include your local network, like 192.168.1.0/24. In the UniFi interface you can also check the option to route all traffic through the VPN, handy when you're on a sketchy public WiFi.
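Editing "Allowed IPs" by hand is easy to get wrong, so here is a small helper I added for this post (it is not part of UniFi or the WireGuard tools). It takes a client config shaped like the UniFi export, appends the LAN range to the peer's AllowedIPs, and refuses a LAN range that overlaps the tunnel subnet, since the gateway then cannot tell tunnel and LAN traffic apart. The sample config, keys and endpoint below are constructed placeholders; the assumption is that the exported AllowedIPs holds only the tunnel subnet.

```python
import ipaddress

# Constructed sample shaped like a UniFi-exported client config; keys and
# endpoint are placeholders, not real values.
SAMPLE_CONF = """[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.0.0.0/24
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
"""


def widen_allowed_ips(conf: str, lan_nets: list[str], full_tunnel: bool = False) -> str:
    """Return conf with the [Peer] AllowedIPs widened.

    lan_nets are appended to the existing AllowedIPs (assumed to hold only the
    tunnel subnet). A LAN range overlapping the tunnel subnet is rejected.
    full_tunnel=True replaces the list with 0.0.0.0/0 (route everything via VPN).
    """
    out, section = [], None
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "peer" and stripped.lower().startswith("allowedips"):
            key, _, value = line.partition("=")
            tunnel = [ipaddress.ip_network(v.strip(), strict=False)
                      for v in value.split(",") if v.strip()]
            if full_tunnel:
                nets = [ipaddress.ip_network("0.0.0.0/0")]
            else:
                nets = list(tunnel)
                for cidr in lan_nets:
                    net = ipaddress.ip_network(cidr, strict=False)
                    if any(net.overlaps(t) for t in tunnel):
                        raise ValueError(f"LAN {net} overlaps tunnel subnet {tunnel}")
                    if net not in nets:
                        nets.append(net)
            line = f"{key.strip()} = {', '.join(str(n) for n in nets)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Write the returned text back to /etc/wireguard/wg0.conf and re-run `wg-quick up wg0`; if you hit the ValueError, the LAN and the default tunnel subnet collide and one of them needs a different range.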
One thing that cost me some time: if you have multiple VLANs, check your inter-VLAN firewall rules. WireGuard traffic arrives on a dedicated interface and must be explicitly allowed to reach your other networks.
## Performance and stability
After two weeks of daily use, I'm impressed. The connection establishes almost instantly, throughput is excellent, and I haven't had any random disconnections. Compared to my old OpenVPN setup on a Raspberry Pi, it's night and day in terms of latency.
The only limitation is that you can't do site-to-site WireGuard directly from the UniFi interface yet. For that you need to SSH in and configure manually, which somewhat breaks Ubiquiti's "everything in the GUI" philosophy.