Wonder if anyone can help. I recently moved from a pfsense firewall to Unifi (a UCG Fibre) and am generally very happy with it. I currently have a site-to-site VPN set up to a remote site that currently uses a pfsense router (the Unifi has a WireGuard server set up connected to WireGuard on the pfsense). I am looking to change the router on the remote side to Unifi as well. I’d like to continue using WireGuard as my site to site VPN.
I know Unifi does not currently support WireGuard under the “Site to Site VPN” option in the router UI. I also know I could use Site Magic if I connected both routers to ui.com, but I’d prefer not to do this.
I’ve seen mention online that this can be manually set up using the WireGuard server in the Unifi UI on one side and the WireGuard client on the other; however, I can’t get the static routing / policy-based routing to work. Has anyone got this working who is able to share the steps? Any help much appreciated.
PS @LTS_Tom - If this is something you’d be interested in doing a video on, given the increasing number of people moving to Unifi, that would be awesome!
On my to-do list. I was waiting to see if UniFi would update how WireGuard works and have it build the routes, but I don’t think they are going to do that any time soon.
The solution is to build the WG between the two sites and then go to the policy manager: Create Policy, choose Route → Gateway → Interface (choose the WG interface) → Destination, and put in the subnet for the other site.
On the side where I am using the WireGuard VPN client, when I set up the policy-based route, the client VPN is moved from the VPN firewall zone to the external zone. How do I allow traffic from the remote side to my LAN?
When I set up the WireGuard client under the VPN client section in Unifi, it places the WireGuard client in the VPN zone (so far so good). When I then set up a policy-based route, the WireGuard VPN interface is automatically moved to the external firewall zone.
Thanks. The issue I’m having is that I want to allow traffic into my network from the remote side of the VPN. How do I create a rule with the VPN as the source when the VPN is in the external zone?
The outbound from the UniFi firewall through the VPN goes out External. Inbound hosts connecting to the VPN come in via the VPN. To limit what a VPN user can do, you create a rule with the VPN as the source.
Setting up a UniFi site-to-site WireGuard tunnel without Site Magic definitely gives you more control, but it also means you have to be precise with allowed IPs and routing. I’ve found that most issues come down to missing static routes or overlapping subnets. Once the peer configs and firewall rules are clean, WireGuard itself is usually rock solid.
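An added example for the two points raised in this thread (not code from UniFi or from any poster): the remote LAN has to appear in the peer's AllowedIPs on each side, the two site subnets must not overlap, and because UniFi does not build the route for you, each gateway still needs the policy route from Tom's steps (remote subnet via the WG interface). The two configs, keys, hostnames and subnets below are constructed placeholders; the checker parses them like a wg-quick file and reports what is missing on each side.

```python
"""Sanity-check a pair of WireGuard site-to-site peer configs.

Constructed example for this thread: placeholder keys, example.net
endpoints and RFC 1918 subnets. It mirrors the usual failure causes
(remote LAN missing from AllowedIPs, overlapping site subnets) and
lists the static/policy route each gateway needs.
"""
import ipaddress
import re

# Site A: LAN 192.168.10.0/24. Its peer entry only allows the tunnel
# address, so traffic for site B's LAN will never be sent into the tunnel.
SITE_A_CONF = """
[Interface]
Address = 10.99.0.1/30
ListenPort = 51820
PrivateKey = <site-a-private-key-placeholder>

[Peer]
# site B
PublicKey = <site-b-public-key-placeholder>
AllowedIPs = 10.99.0.2/32
Endpoint = site-b.example.net:51820
PersistentKeepalive = 25
"""

# Site B: LAN 192.168.20.0/24. Its peer entry correctly allows site A's LAN.
SITE_B_CONF = """
[Interface]
Address = 10.99.0.2/30
PrivateKey = <site-b-private-key-placeholder>

[Peer]
# site A
PublicKey = <site-a-public-key-placeholder>
AllowedIPs = 10.99.0.1/32, 192.168.10.0/24
Endpoint = site-a.example.net:51820
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse a wg-quick style config into {'Interface': {...}, 'Peer': [{...}, ...]}.
    '#' comments are stripped; a repeated key (AllowedIPs may repeat) is merged."""
    sections = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if header.group(1) == "Peer":
                current = {}
                sections["Peer"].append(current)
            else:
                current = sections.setdefault(header.group(1), {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        current[key] = current[key] + ", " + value if key in current else value
    return sections


def allowed_networks(peer):
    """AllowedIPs of one peer as ip_network objects."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def check_site_to_site(local_conf, local_lan, remote_lan):
    """Findings for one gateway: does its single peer entry cover the remote
    LAN, and do the two LANs overlap (which breaks routing regardless)."""
    conf = parse_wg_conf(local_conf)
    local_lan = ipaddress.ip_network(local_lan)
    remote_lan = ipaddress.ip_network(remote_lan)
    findings = []
    if local_lan.overlaps(remote_lan):
        findings.append(f"overlapping subnets: {local_lan} and {remote_lan}")
    peers = conf["Peer"]
    if len(peers) != 1:
        findings.append(f"expected exactly one peer, found {len(peers)}")
    covered = any(remote_lan.subnet_of(n)
                  for p in peers for n in allowed_networks(p)
                  if n.version == remote_lan.version)
    if not covered:
        findings.append(f"remote LAN {remote_lan} missing from AllowedIPs")
    return findings


def required_routes(local_lan, remote_lan, wg_iface="wg0"):
    """The route each gateway needs beyond AllowedIPs: remote LAN via the WG
    interface. On UniFi this is the Route -> Gateway -> Interface policy."""
    return {"destination": str(ipaddress.ip_network(remote_lan)),
            "interface": wg_iface}


if __name__ == "__main__":
    for name, conf, lan, peer_lan in (
        ("site A", SITE_A_CONF, "192.168.10.0/24", "192.168.20.0/24"),
        ("site B", SITE_B_CONF, "192.168.20.0/24", "192.168.10.0/24"),
    ):
        print(name, "findings:", check_site_to_site(conf, lan, peer_lan))
        print(name, "needs route:", required_routes(lan, peer_lan))
```

Run stand-alone it flags site A's AllowedIPs as the problem and reports site B as clean, which is the usual asymmetric mistake: the tunnel comes up and one direction works while return traffic is dropped by the cryptokey routing on the other side.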