UniFi Gateway - WireGuard VPN Client

WireGuard VPN Client is found in the VPN section of your UniFi Network Application that allows you to connect the UniFi Gateway to a VPN provider and send internet traffic from devices over the VPN.

For more details on setting up OpenVPN instead of WireGuard, see OpenVPN Client.


How does it work?

The WireGuard VPN Client connection to the VPN provider can be set up by uploading a configuration file or by manually filling in the settings. If possible, we recommend to obtain a configuration file from the VPN provider for automatic configuration. 

When using manual configuration, the client's private key can be automatically generated or a base64 key can be manually entered. The public key from the server is obtained from the VPN provider.

Note: The client's public key is generated automatically based on the private key.

How can I send traffic over the VPN?

After uploading the configuration file or manually filling the settings, apply the changes and the VPN Client connection will automatically establish. Traffic from devices is not automatically sent over the VPN however.

To send traffic from devices over the VPN, add a Traffic Route.

Configuration File Validation

The content of the configuration file is validated to determine if it is correct. The WireGuard configuration file can be opened with a text editor and looks similar to:

PrivateKey = aBcDeFgHiJkLmNaBcDeFgHiJkLmNaBcDeFgHiJkLmNa=
Address =

PublicKey = aBcDeFgHiJkLmNaBcDeFgHiJkLmNaBcDeFgHiJkLmNa=
PresharedKey = aBcDeFgHiJkLmNaBcDeFgHiJkLmNaBcDeFgHiJkLmNa=
AllowedIPs =,,
Endpoint =
  • PrivateKey - This is a base64 key, for example 44 characters long as shown above.
  • Address - This is the IPv4 tunnel address including the prefix length (typically /32). 
  • DNS - This is the IPv4 address of the DNS server.
  • PublicKey - This is a base64 key, for example 44 characters long as shown above.
  • PresharedKey - This is an optional base64 key, for example 44 characters long as shown above.
  • AllowedIPs - These are either comma-separated IPv4 addresses or networks including the prefix length. The network indicates the default route.
  • Endpoint - This is the IPv4 address or hostname of the WireGuard server followed by the port (51820 by default). 

WireGuard States

When configuring the WireGuard VPN Client using either the file or by manually filling in the states, there are three states:

  • Not Established - This is the starting state before applying the changes.
  • Connecting - The connection to the server is being established. 
  • Connected - The connection to the server is established.

If the state does not move from Connecting to Connected, then there is an issue with the authentication or the server is not reachable. WireGuard will keep trying to set up the VPN until a connection is established. We recommend to check whether the keys and server matches the information provided by the VPN provider. If so, we recommend to contact the VPN provider for more information. 

Frequently Asked Questions

1. Which VPN Client types are supported on UniFi Gateways?
Both WireGuard and OpenVPN are supported.
2. Which VPN providers are supported?
Any provider that supports WireGuard will work.
3. My VPN provider does not have a configuration file. What should I do?
Your VPN provider should be able to provide you with the keys and other information needed to connect. The options can then be manually filled in.
Was this article helpful?
20 out of 79 found this helpful