Unifi - Pfsense Site to Site VPN

Hi.

I´m trying to create a Site to Site VPN using wireguard between Unifi Express gateway and Pfsense. I already have the wireguard setup ( or that´s what i think) between the two, in the unifi I confugured as a WG client in both i can see that the connection is OK

WG1183×748 64.6 KB

Also I configured a gateway in Pfsense and a static route redirecting the subnet that is in the side of the unifi through the WG connection.
In the unifi side I try with some firewalls configs and routing and in that side is OK, i can access the subnet of the pfsense from the unifi.

The issue is when i try to reach the subnet of the unifi from pfsense network and when i redirect all the trafic of one device from pfsense to unifi with a firewall rule. I think is something with the rules or firewall of unifi that isn´t allowing incoming traffic from the WG client, but i try with no good results (I´m quite new in the unifi ecosystem)

someone have any clue?

I have not done any testing yet with using WG or any other site to site VPN between UniFi and pfsense. I do have my site to site WG video for pfsense and do make sure you have it properly setup so the static routes point the traffic to go over the VPN. Hope someone else has a suggestion.

Thanks @LTS_Tom !

Actually I see your video 3 times, it was really helpful. Despite I still have de issue. If you have any idea I will be very greatful or maybe some video talking about static routes, firewall rules in unifi.

I’ve got an OpenVPN site to site VPN running between pfSense 2.7.0 (before the split) and a Unifi UDM running the latest firmware. Make sure to set the remote subnets in unifi VPN config it knows where to send traffic. Other than that I don’t have any firewall rules set on the Unifi side. It just points to the OpenVPN server running in pfSense via a public remote IP.

The big gotcha is that later versions of pfSense won’t allow a preshared key style config for OpenVPN and Unifi requires it so that’s why I’m still on 2.7.0

That’s OpenVPN, they deprecated pre-shared keys so it’s unlikely to come back !

Thanks, but the issue is with the traffic from Pfsense to unifi, the other way (unifi to pfsense) is working fine.

I can´t reach the unifi subnet or go to the internet throught unifi if I´m in pfsense. On Pfsense I got an interface with the WG peer, a gateway and a static route to reach the unifi subnet

11182×465 39.3 KB

I´m quite shure it have to be something with routes or firewall rules in unifi because I have other VPN where a unifi UCG Max is the wireguard server and the same pfsense is a client and it works perfect in both ways.

The reason I don´t want to configure the unifi express as WG server is because I don´t want performance issues. I think that running a WG server is more intense than just a client. Do you know if its true?

I also considered using the Unifi as a WG server and pfSense as a client for a site to site setup as a workaround but I don’t fully understand the implications. I run daily 20G backups site to site so I don’t want to throttle speed either. Not sure what a UDM can handle.

I will try it meanwhile found the solution, if you have any ideas, will be very happy to try it and share the results.

Wireguard operates on a peer-to-peer basis and I don’t like the way UniFi labels it as client or server. The compute power for the tunnel is not different based on which device initiates the connection because In a WireGuard peer-to-peer connection, the overall speed is limited by the slowest link or device in the chain. UniFi will have a proper Wireguard setup in the future but right now their implementation is not really that great compared to how pfsense does it.

The speed of

That´s what I undersand, but when I see the unifi approach, it confuses me. Thanks for the clarification.
Do you think that having two wireguard connections in the Unifi Express will impact to the performance? Or it´s better one wireguard and one Teleport’s connections?

I think Teleport uses Wireguard.

That sounds great, Thanks!

hi there

After a lot of failed attempts, I finally got a site-to-site WireGuard VPN between a pfSense box and a UniFi box. I tried a bunch of things that didn’t work, and at this point, I’d probably struggle to give any sort of a step-by-step guide, but I’ll put some of the stumbling blocks and helpful things here.

First off, the video on Lawrence Systems’ YouTube channel on WireGuard VPNs was very helpful. I set up the pfSense side like he has in the video. And conceptually, it helped me understand what was going on.

Before you attempt this, you should write something up like what Lawrence has in the beginning of his video, laying out the different networks and their subnets. Even if you want a “simple” setup without a bunch of extra rules, it can be really hard to keep all the networks straight. (Not doing this slowed me down a bunch.)

Then on the UniFi side, I had to set up the WireGuard VPN as a “VPN Server”. Then you have to kind of fight with the UI in UniFi, which is trying to make something else easy.

In the advanced section, you have to go into “Manual” mode. The field is called “Gateway/Subnet”, that’s where you have to set up the WireGuard network where the address space needs to overlap with what’s in pfSense, but the IP addresses need to be different.

Then you can set up the pfSense box in the “Clients” section of the UniFi interface, and you have to override the key it generates for you.

Don’t try to set up WireGuard as a “VPN Client” if you want traffic to move in both directions.

Don’t try to use the Site-to-Site VPN section because that doesn’t include WireGuard.

Hopefully, in the future, UniFi will add WireGuard to the Site-to-Site VPN section and streamline the interface for setting this sort of thing up.

Anyway, hopefully that helps someone else.

-jachin