Unifi - Pfsense Site to Site VPN

Hi.

I'm trying to create a site-to-site VPN using WireGuard between a UniFi Express gateway and pfSense. I already have WireGuard set up (or that's what I think) between the two; on the UniFi I configured it as a WG client, and on both I can see that the connection is OK.

I also configured a gateway in pfSense and a static route sending the subnet on the UniFi side through the WG connection.
On the UniFi side I tried some firewall configs and routing, and that side is OK: I can access the pfSense subnet from the UniFi.

The issue is when I try to reach the UniFi subnet from the pfSense network, and when I redirect all the traffic of one device from pfSense to UniFi with a firewall rule. I think it is something with the rules or firewall of UniFi that isn't allowing incoming traffic from the WG client, but I tried with no good results (I'm quite new in the UniFi ecosystem).

Does someone have any clue?

I have not done any testing yet using WG or any other site-to-site VPN between UniFi and pfSense. I do have my site-to-site WG video for pfSense; do make sure you have it properly set up so the static routes point the traffic to go over the VPN. Hope someone else has a suggestion.


Thanks @LTS_Tom !

Actually I saw your video 3 times; it was really helpful. Despite that I still have the issue. If you have any idea I will be very grateful, or maybe some video talking about static routes and firewall rules in UniFi.

I've got an OpenVPN site-to-site VPN running between pfSense 2.7.0 (before the split) and a UniFi UDM running the latest firmware. Make sure to set the remote subnets in the UniFi VPN config so it knows where to send traffic. Other than that I don't have any firewall rules set on the UniFi side. It just points to the OpenVPN server running in pfSense via a public remote IP.

The big gotcha is that later versions of pfSense won't allow a pre-shared key style config for OpenVPN and UniFi requires it, so that's why I'm still on 2.7.0 :frowning:

That's OpenVPN; they deprecated pre-shared keys, so it's unlikely to come back!

Thanks, but the issue is with the traffic from pfSense to UniFi; the other way (UniFi to pfSense) is working fine.

I can't reach the UniFi subnet or go to the internet through UniFi if I'm in pfSense. On pfSense I have an interface with the WG peer, a gateway and a static route to reach the UniFi subnet.

I'm quite sure it has to be something with routes or firewall rules in UniFi, because I have another VPN where a UniFi UCG Max is the WireGuard server and the same pfSense is a client, and it works perfectly both ways.

The reason I don't want to configure the UniFi Express as a WG server is because I don't want performance issues. I think that running a WG server is more intensive than just a client. Do you know if that's true?

I also considered using the UniFi as a WG server and pfSense as a client for a site-to-site setup as a workaround, but I don't fully understand the implications. I run daily 20G backups site to site, so I don't want to throttle speed either. Not sure what a UDM can handle.

I will try it in the meantime, until I find the solution; if you have any ideas, I will be very happy to try them and share the results.

WireGuard operates on a peer-to-peer basis and I don't like the way UniFi labels it as client or server. The compute power for the tunnel is not different based on which device initiates the connection, because in a WireGuard peer-to-peer connection the overall speed is limited by the slowest link or device in the chain. UniFi will have a proper WireGuard setup in the future, but right now their implementation is not really that great compared to how pfSense does it.

The speed of
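
Because WireGuard is peer-to-peer, reachability in each direction depends on the AllowedIPs (the "remote subnets" mentioned above) on both peers, not on which side is called client or server. The following is an added example, not code from the thread or from pfSense or UniFi: it reads two constructed wg-style peer configs with placeholder keys and constructed subnets, and reports whether a packet between the two LANs would be sent into the tunnel by one side and accepted by the other.

```python
"""Cryptokey-routing check for a two-site WireGuard tunnel (constructed example).

A peer only sends a packet into the tunnel if its destination is inside the other
peer's AllowedIPs, and only accepts a decrypted packet if its source is inside that
peer's AllowedIPs, so a site-to-site tunnel needs the remote LAN listed on both sides.
"""
import ipaddress

def parse_peers(conf: str) -> dict:
    """Minimal wg .conf reader: map each [Peer] PublicKey to its AllowedIPs networks."""
    peers, key, nets = {}, None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line == "[Peer]":
            key, nets = None, []
        elif line.startswith("PublicKey"):
            key = line.split("=", 1)[1].strip()  # base64 keys end in '=', so split once
            peers[key] = nets
        elif line.startswith("AllowedIPs"):
            nets.extend(ipaddress.ip_network(n.strip()) for n in line.split("=", 1)[1].split(","))
    return peers

def covered(addr: str, nets) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in nets)

def tunnel_path(src, dst, sender_peers, receiver_peers, receiver_key, sender_key) -> dict:
    """Would src->dst be encrypted by the sender and accepted by the receiver?"""
    egress = covered(dst, sender_peers.get(receiver_key, []))   # sender's AllowedIPs for receiver
    ingress = covered(src, receiver_peers.get(sender_key, []))  # receiver's AllowedIPs for sender
    return {"egress": egress, "ingress": ingress, "ok": egress and ingress}

# Constructed example: placeholder keys, 192.168.10.0/24 = pfSense LAN,
# 192.168.20.0/24 = UniFi LAN, 10.99.0.0/24 = tunnel transfer network.
PFSENSE_KEY, UNIFI_KEY = "PFSENSE_PUBKEY_PLACEHOLDER=", "UNIFI_PUBKEY_PLACEHOLDER="
PFSENSE_CONF = f"[Peer]\nPublicKey = {UNIFI_KEY}\nAllowedIPs = 10.99.0.2/32, 192.168.20.0/24\n"
UNIFI_CONF_BROKEN = f"[Peer]\nPublicKey = {PFSENSE_KEY}\nAllowedIPs = 10.99.0.1/32  # remote LAN missing\n"
UNIFI_CONF_FIXED = UNIFI_CONF_BROKEN.replace("10.99.0.1/32", "10.99.0.1/32, 192.168.10.0/24")

def check(unifi_conf: str) -> dict:
    """Test a host on each LAN reaching a host on the other LAN, in both directions."""
    pf, un = parse_peers(PFSENSE_CONF), parse_peers(unifi_conf)
    return {
        "pf_to_unifi": tunnel_path("192.168.10.5", "192.168.20.5", pf, un, UNIFI_KEY, PFSENSE_KEY),
        "unifi_to_pf": tunnel_path("192.168.20.5", "192.168.10.5", un, pf, PFSENSE_KEY, UNIFI_KEY),
    }

if __name__ == "__main__":
    for name, conf in (("broken", UNIFI_CONF_BROKEN), ("fixed", UNIFI_CONF_FIXED)):
        print(name, check(conf))
```

With the remote LAN missing on one side, the check shows the packet leaving the other peer but being dropped on arrival, and the reverse direction never entering the tunnel at all.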

That's what I understand, but when I see the UniFi approach, it confuses me. Thanks for the clarification.
Do you think that having two WireGuard connections in the UniFi Express will impact performance? Or is it better to have one WireGuard and one Teleport connection?

I think Teleport uses WireGuard.

:astonished: That sounds great, thanks!