WireGuard S2S VPN for UMR
UMR’s Site-to-Site VPN (WireGuard) feature is designed to help you securely connect two or more remote networks over the internet. Site-to-Site VPN on UMR can be widely applied in multi-site LAN-to-LAN networking, remote branch to HQ integration, secure data transfer for industrial IoT environments, simple and low-maintenance internal VPN networks and remote surveillance deployment.
Important! WireGuard Site-to-Site VPN (like IPsec Site-to-Site VPN) supports bidirectional communication between networks: devices on the remote LAN can access the UMR LAN, and vice versa.
- WireGuard S2S VPN on UMR does not require the UMR to have a public IP address.
- However, the remote peer (UniFi Cloud Gateway or third-party VPN server) must have a publicly routable IP.
- If the remote peer is also behind CG-NAT (as is common with mobile SIM-based connections), it will not be able to accept incoming VPN connections and the tunnel cannot be established.
Configuration Methods
UMR supports WireGuard Site-to-Site (S2S) VPN configuration using two methods:
- Automated Configuration: Used for establishing a VPN tunnel with a UniFi Cloud Gateway that has a public IP address.
- Manual Configuration: Used to create a VPN tunnel with third-party routers or VPN servers that have a publicly routable IP. This method also applies to UniFi Consoles where automated configuration is not feasible (e.g., devices behind NAT with port forwarding enabled).
Automated Configuration
Prerequisites
- A UniFi Cloud Gateway with a public IP.
- UniFi Network version 8.1 or later.
- UniFi Console and UMR must be under the same account.
Setup Steps
- Log in to Mobility Manager, then go to Mobile Routing > Settings > VPN > Site-to-Site VPN.
- Under Setup, choose UniFi Cloud Gateway, then select the Cloud Gateway to connect to.
- Under Network Configuration, select the Remote Network(s) you want to connect to and click Add.
- Click Save.
You can assign the device in your profile, or assign the profile through its device panel. To do this:
- Navigate to Devices, select the UMR, then go to Settings in its device panel.
- Under VPN Connect, select the Site-to-Site VPN profile.
- Click Apply Changes to establish the VPN connection to the UniFi Cloud Gateway.
Manual Configuration
Step 1: Configure WireGuard on the UniFi Gateway or 3rd party WireGuard Server
- Create a new WireGuard Server (not S2S).
- In the WireGuard server settings, create a client profile for UMR (Clients > Add Client).
- Under Authorization, select Manual.
- Click Download Configuration File and keep it secure.
- Enable Remote Client Networks and add the UMR LAN address (e.g., 192.168.105.0/24).
- Click Add.
- Configure the remaining settings as needed.
- Click Apply Changes.
Step 2: Configure WireGuard on UMR
- In UMR Settings, create a new VPN Client (not S2S).
- Configure the following:
- VPN Type: WireGuard
- Device Assignment: Select your UMR
- Setup: You can choose to upload the configuration file, or use Manual Setup.
- Upload: Upload the file that you previously downloaded from the UniFi Gateway.
- Manual Setup: Copy and paste the following values from the WireGuard configuration file previously downloaded from the UniFi or 3rd party WireGuard Server:
- Private Key
- Tunnel IP: Use the "Interface IP/Address" field from the config file
- Server Address: Use the "Server Address/Endpoint" field from the config file
- Public Server Key: Use the "PublicKey" field from the config file
- Pre-shared Key (optional): This value must match between the WireGuard client and server. Specify it if present in the configuration file; skip it if not configured on the server side.
- Maximum Transmission Unit (MTU): Keep as 1420
- Remote Network: Add the remote network behind the UniFi or 3rd party WireGuard Server (e.g., 192.168.0.1/24).
- Click Apply to establish the connection.
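The Manual Setup step above maps fields from the downloaded WireGuard configuration file onto the UMR form. The following is an added example (not UniFi's code) that parses such a file, pulls out exactly the values the form asks for, treats PresharedKey as optional, and normalizes the Remote Network entry to its network address; the configuration text and key strings are constructed placeholders, not real key material.

```python
import ipaddress
import re

# Constructed sample in the shape of a WireGuard client config exported by a
# UniFi gateway. Keys are placeholders, not real key material.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.6.0.2/32
MTU = 1420

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
PresharedKey = <PSK_PLACEHOLDER>
AllowedIPs = 192.168.0.0/24
Endpoint = vpn.example.com:51820
"""

def parse_wg_conf(text):
    """Parse the INI-style WireGuard file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current:
            k, v = (s.strip() for s in line.split("=", 1))
            sections[current][k] = v
    return sections

def umr_manual_fields(text):
    """Map config keys onto the UMR Manual Setup fields; PSK stays optional."""
    s = parse_wg_conf(text)
    iface, peer = s["Interface"], s["Peer"]
    return {
        "Private Key": iface["PrivateKey"],
        "Tunnel IP": iface["Address"],            # "Interface IP/Address"
        "Server Address": peer["Endpoint"],       # "Server Address/Endpoint"
        "Public Server Key": peer["PublicKey"],
        "Pre-shared Key": peer.get("PresharedKey"),  # None if no PSK on server
        "MTU": int(iface.get("MTU", 1420)),       # page says keep 1420
    }

def normalize_remote_network(cidr):
    """Turn a host-style entry such as 192.168.0.1/24 into 192.168.0.0/24."""
    return str(ipaddress.ip_network(cidr, strict=False))
```

Run it against the real downloaded file instead of SAMPLE_CONF to check that the values pasted into the UMR form match the file, and that the Remote Network entered on UMR is the network the server exposes under AllowedIPs.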