
WireGuard S2S VPN for UMR

UMR’s Site-to-Site VPN (WireGuard) feature is designed to help you securely connect two or more remote networks over the internet. Site-to-Site VPN on UMR can be widely applied in multi-site LAN-to-LAN networking, remote branch to HQ integration, secure data transfer for industrial IoT environments, simple and low-maintenance internal VPN networks and remote surveillance deployment.

Important! WireGuard Site-to-Site VPN (like IPSec VPN) supports bidirectional communication between networks. Devices on the remote LAN can access the UMR LAN and vice versa.

  • WireGuard S2S VPN on UMR does not require the UMR to have a public IP address.
  • However, the remote peer (UniFi Cloud Gateway or third-party VPN server) must have a publicly routable IP.
  • If the remote peer is also behind CG-NAT (as is common with mobile SIM-based connections), it will not be able to accept incoming VPN connections and the tunnel cannot be established.

Configuration Methods

UMR supports WireGuard Site-to-Site (S2S) VPN configuration using two methods:

  • Automated Configuration
    Used for establishing a VPN tunnel with a UniFi Cloud Gateway that has a public IP address.
  • Manual Configuration
    Used to create a VPN tunnel with third-party routers or VPN servers that have a publicly routable IP. This method also applies to UniFi Consoles where automated configuration is not feasible (e.g., devices behind NAT with port forwarding enabled).

Automated Configuration

Prerequisites

  • A UniFi Cloud Gateway with a public IP.
  • UniFi Network version 8.1 or later.
  • UniFi Console and UMR must be under the same account.

Setup Steps

  1. Log in to Mobility Manager, then go to Mobile Routing > Settings > VPN > Site-to-Site VPN.
  2. Under Setup, choose UniFi Cloud Gateway, then select the Cloud Gateway to connect to.
  3. Under Network Configuration, select the Remote Network(s) you want to connect to and click Add.
  4. Click Save.

You can assign the device in the profile, or assign the profile through the device panel. To use the device panel:

  1. Navigate to Devices, select the UMR, then go to Settings in its device panel.
  2. Under VPN Connect, select the Site-to-Site VPN profile.
  3. Click Apply Changes to establish the VPN connection to the UniFi Cloud Gateway.

Manual Configuration

Step 1: Configure WireGuard on the UniFi Gateway or 3rd party WireGuard Server

  1. Create a new WireGuard Server (not S2S).
  2. In the WireGuard server settings, create a client profile for UMR (Clients > Add Client).
    1. Under Authorization, select Manual.
    2. Click Download Configuration File and keep it secure.
    3. Enable Remote Client Networks and add the UMR LAN address (e.g., 192.168.105.0/24).
    4. Click Add.
  3. Configure the remaining settings as needed.
  4. Click Apply Changes.

Step 2: Configure WireGuard on UMR

  1. In UMR Settings, create a new VPN Client (not S2S).
  2. Configure the following:
    1. VPN Type: WireGuard
    2. Device Assignment: Select your UMR
    3. Setup: Choose either Upload (to upload the configuration file) or Manual Setup.
      1. Upload: Upload the file that you previously downloaded from the UniFi Gateway.
      2. Manual Setup: Copy and paste the following values from the WireGuard configuration file previously downloaded from UniFi or 3rd party WireGuard Server:
        1. Private Key
        2. Tunnel IP: Use the "Interface IP/Address" field from the config file
        3. Server Address: Use the "Server Address/Endpoint" field from the config file
        4. Public Server Key: Use the "PublicKey" field from the config file
        5. Pre-shared Key (optional): This value must match between WireGuard client and server. Specify it if present in the configuration file. Skip if not configured on the server side
        6. Maximum Transmission Unit (MTU): Keep as 1420
        7. Remote Network: Add the UniFi/3rd party WireGuard Server remote network (e.g., 192.168.0.1/24).
  3. Click Apply to establish the connection.
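
A pre-flight check for the Manual Setup values above, as an added example (not Ubiquiti code): it maps the keys of a WireGuard client configuration file to the UMR fields, checks that the endpoint is not in private or CG-NAT address space, and, going slightly beyond the article, rejects a Remote Network that overlaps the UMR LAN. The sample config, its placeholder keys, the tunnel address and all function names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample of a downloaded client config; key values are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.3.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
"""

# Not reachable from the internet: RFC 1918, CG-NAT (RFC 6598), loopback, link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def umr_fields(conf_text):
    """Map wg config keys to the UMR Manual Setup fields named in the article."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    return {
        "Private Key": iface["PrivateKey"],
        "Tunnel IP": iface["Address"],
        "Server Address": peer["Endpoint"],
        "Public Server Key": peer["PublicKey"],
        "Pre-shared Key": peer.get("PresharedKey"),  # None when the server has none
        "MTU": iface.get("MTU", "1420"),             # article: keep as 1420
    }

def endpoint_is_public(endpoint):
    """True/False for an IPv4 literal; None for anything else (hostname, IPv6)."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return None
    return not any(addr in net for net in NON_PUBLIC)

def remote_network(cidr, umr_lan="192.168.105.0/24"):
    """Normalise a Remote Network entry and reject overlap with the UMR LAN."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.overlaps(ipaddress.ip_network(umr_lan)):
        raise ValueError(f"{net} overlaps the UMR LAN {umr_lan}")
    return net
```

The dictionary returned by `umr_fields` contains the private key and pre-shared key, so avoid printing or logging it.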