How to configure Wireguard VPN on Omada Gateway

11-06-2024

Contents

How to Configure Wireguard VPN on Omada Gateway

Objective

Introduction

Configuration for Site-to-Site Wireguard VPN via the web interface in standalone mode

Configuration for Client-to-Site Wireguard VPN via the web interface in standalone mode

Configuration of Site-to-Site Wireguard VPN via Omada Controller

Configuration of Client-to-Site Wireguard VPN via Omada Controller

Conclusion

FAQ

Objective

This article introduces how to configure Wireguard VPN on an Omada gateway.

Introduction

Wireguard is a VPN protocol that builds an encrypted point-to-point tunnel between two endpoints, for example a remote computer and a gateway, or two gateways. Traffic inside the tunnel is encrypted and authenticated, the traffic of a client appears to originate from the far end of the tunnel, and remote sites or roaming users can reach resources that intermediate networks or firewalls would otherwise block. Compared with traditional VPN protocols, Wireguard has a small, modern design: on Linux it runs inside the kernel, it uses a fixed set of modern cryptographic primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption and BLAKE2s hashing) instead of negotiable cipher suites, each peer is identified by a single public key, and a configuration consists of little more than a key pair, the public keys of the peers and the address ranges routed to each peer. The result is efficient encryption and authentication, a lightweight protocol, simple configuration and management, and high transmission speed.

Configuration for Site-to-Site Wireguard VPN via the web interface in standalone mode

Wireguard VPN can be used in site-to-site scenarios between two routers and is suitable for scenarios such as mutual access between devices in the LAN at both ends of the router. Follow the steps below:

Step 1. Configure the Wireguard Server

Go to VPN > Wireguard, and click Add on the right side to configure the Wireguard interface. Specify the Name, and leave MTU and Listen Port at their defaults if there is no special requirement. Leave Private Key and Public Key as generated by the gateway: the private key must stay on this device and is never entered on the peer, while the public key is what you hand to the peer. In Local IP Address, fill in the virtual IP of the Wireguard interface, which should be an unused IP, or an IP outside the LAN segment. Then click OK and copy the Public Key.

The configuration of Wireguard VPN Server.

Step 2. Configure the Wireguard Client

The Wireguard interface configuration on the client is the same as on the server. Refer to Step 1.

Step 3. Configure the Server Peer

Go to VPN > Wireguard, enter the Peers section, and click Add to start configuration. Select the Interface configured in Step 1; in Public Key, fill in the Public Key of the Wireguard interface on the client; leave Endpoint and Endpoint Port blank, since the server learns the client's address from the client's first handshake; in Allowed Address, fill in the network segments that need to communicate through the VPN, that is, the LAN segment on the client, plus the client's Local IP Address if the two gateways themselves need to reach each other over the tunnel. Note that Allowed Address works in both directions: it selects which destinations are sent to this peer, and it restricts which source addresses are accepted from this peer after decryption, so packets from any address not listed are dropped. Then click OK.

The configuration of Wireguard VPN Server peers.

Step 4. Configure the Client Peer

Compared with the server peer configuration in Step 3, the client peer configuration is slightly different: for Public Key, fill in the Public Key of the Wireguard interface on the server; for Endpoint and Endpoint Port, fill in the WAN IP of the peer router and its Wireguard Listen Port (the default is 51820). In the site-to-site scenario, if the WANs of both routers use public IP addresses, then Endpoint and Endpoint Port are needed on only one end; that is, one end must initiate the connection actively. Please note that if one router is located behind NAT, that router must serve as the Client, because the other side cannot reach it until it has sent the first handshake. Where the peer form offers Persistent Keepalive, set it on the NAT side (for example 25 seconds) so that the NAT mapping stays open and the server can still reach the client while the tunnel is idle.

The configuration of Wireguard VPN Client peers.

Step 5. Check Status

The VPN tunnel will be established when both peers are configured. Now, you can see the corresponding tunnel information in the status bar, including TX Bytes, RX Bytes, TX Packets, RX Packets, and Last Handshake.

Check the VPN status on the standalone webpage.

Configuration for Client-to-Site Wireguard VPN via the web interface in standalone mode

Wireguard VPN can also be used in client-to-site scenarios between individual client devices and a router. It is suitable for business travelers or temporary staff working remotely from the headquarters via mobile phones or computers. Taking the Omada VPN client as an example, follow the steps below to configure Client-to-Site Wireguard VPN.

Step 1. Configure the Wireguard Server

Go to VPN > Wireguard, and click Add to configure the Wireguard interface. Specify the Name, and leave MTU and Listen Port at their defaults if there is no special requirement. Leave Private Key and Public Key as generated by the gateway: the private key stays on the gateway, and only the public key is given to clients. In Local IP Address, fill in the virtual IP of the Wireguard interface, which should be an unused IP, or an IP outside the LAN segment. Then click OK and copy the Public Key.

The position to configure Wireguard in the standalone webpage, including Name/MTU/Listen Port/Private Key/Public Key/Local IP Address/Status.

Step 2. Configure Omada VPN client

Download the Omada VPN client to your PC from TP-Link's official website (for example, from the ER7206 download page). Then launch the client and click Add.

Use Omada VPN client to add VPN Server.

Server Information:

Type: Wireguard VPN; IP: the WAN IP of the gateway configured in Step 1; Port: 51820 (or the Listen Port you set, if it is not the default); Public Key: the Public Key copied in Step 1.

Fill in Server information, including Profile Name/Type/IP/Public Key.

IP Property:

IP Address is the tunnel interface IP address of the client. Use an address that is not in the LAN's DHCP range, to avoid IP conflicts; typically this is an unused address in the same virtual subnet as the gateway's Local IP Address.

Fill in IP Property, including IP Address/Port.

Click Generate to create the client's key pair, and copy the Public Key; the private key stays on the client and is never sent to the gateway. For DNS, fill in 8.8.8.8 or a specific DNS server; use an internal DNS server on the gateway's LAN if remote users need to resolve internal host names through the tunnel.

Click Generate and copy your Public Key.

In the Advanced Options section, Full VPN Traffic is enabled by default, meaning that all of the client's traffic is forwarded through the VPN tunnel (an Allowed Address of 0.0.0.0/0 on the client side); this is the most common scenario. If only some resources are needed, disable Full VPN Traffic and fill in the LAN subnets to be reached in Remote Subnets, so that only traffic to those subnets enters the tunnel. Then click Confirm.

Step 3. Configure the Server Peer

Go to VPN > Wireguard, enter the Peers section, and click Add to start configuration. Select the Interface configured in Step 1; in Public Key, fill in the Public Key generated by the VPN client in Step 2; leave Endpoint and Endpoint Port blank, since a roaming client's address is learned from its first handshake; in Allowed Address, fill in the interface IP address that the VPN client was given in Step 2 (that single address only, as a roaming client has no LAN segment behind it). Then click OK.

The configuration of Wireguard VPN Server peers.

Step 4. Check Status

Click the connect icon to trigger the VPN link.

Click the connect icon in Omada VPN client to trigger the VPN link.

After the tunnel is successfully established, the server status bar will display the corresponding tunnel information, including TX Bytes, RX Bytes, TX Packets, RX Packets, and Last Handshake.

Check the VPN status on the standalone webpage.
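The two procedures above (site-to-site in Steps 1 to 5, and client-to-site with the Omada VPN client) map directly onto a standard Wireguard configuration. The following Python example is added here and is not TP-Link code or part of the original article: it takes the values entered in the Omada Wireguard and Peers forms, checks that each key really is a 32-byte Wireguard key and that every address parses, and renders the equivalent wg-quick style file, so a planned configuration can be sanity-checked before it is typed into the gateway, or reproduced on a Linux peer. All keys, addresses and site names are constructed placeholders; the 203.0.113.0/24 range is a documentation prefix.

```python
"""Render standard WireGuard configuration from Omada form values.

Added example, not TP-Link code. Field names follow the Omada UI in this
article; keys and addresses are constructed placeholders."""
from __future__ import annotations

import base64
import ipaddress
from dataclasses import dataclass, field


def validate_key(key_b64: str) -> bytes:
    """Every WireGuard key (private, public or preshared) is 32 bytes, shown
    as 44 base64 characters ending in '='. Omada only displays that string,
    so anything that decodes differently is a copy/paste error, not a key."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"not valid base64: {key_b64!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw


def placeholder_key(n: int) -> str:
    """Constructed placeholder (base64 of 32 identical bytes) so the example
    runs offline. Real keys come from the gateway's generator or `wg genkey`;
    a private key is never copied to the other side."""
    return base64.b64encode(bytes([n]) * 32).decode()


@dataclass
class Peer:                        # one row of the Omada Peers section
    public_key: str                # Public Key copied from the other side
    allowed_address: list[str]     # routed to this peer AND accepted from it
    endpoint: str | None = None    # blank on the side that waits to be contacted
    endpoint_port: int = 51820
    preshared_key: str | None = None
    persistent_keepalive: int = 0  # set on the NAT side to keep the mapping open


@dataclass
class WgInterface:                 # the Omada Wireguard interface
    private_key: str
    local_ip_address: str          # virtual tunnel IP, outside the LAN segment
    listen_port: int = 51820
    mtu: int = 1420
    peers: list[Peer] = field(default_factory=list)


def render(iface: WgInterface) -> str:
    """Return the wg-quick style file equivalent to the interface and its peers."""
    validate_key(iface.private_key)
    ipaddress.ip_interface(iface.local_ip_address)   # raises on a malformed address
    lines = ["[Interface]", f"PrivateKey = {iface.private_key}",
             f"Address = {iface.local_ip_address}",
             f"ListenPort = {iface.listen_port}", f"MTU = {iface.mtu}"]
    for p in iface.peers:
        validate_key(p.public_key)
        for net in p.allowed_address:
            ipaddress.ip_network(net, strict=False)  # raises on a malformed range
        lines += ["", "[Peer]", f"PublicKey = {p.public_key}",
                  f"AllowedIPs = {', '.join(p.allowed_address)}"]
        if p.preshared_key:
            validate_key(p.preshared_key)
            lines.append(f"PresharedKey = {p.preshared_key}")
        if p.endpoint:
            lines.append(f"Endpoint = {p.endpoint}:{p.endpoint_port}")
        if p.persistent_keepalive:
            lines.append(f"PersistentKeepalive = {p.persistent_keepalive}")
    return "\n".join(lines) + "\n"


# Site-to-site: Site A has a public WAN address; Site B sits behind NAT, so B
# is the Client: it carries the Endpoint and the keepalive, A leaves them blank.
SITE_A = WgInterface(
    private_key=placeholder_key(1), local_ip_address="10.0.0.1/24",
    peers=[Peer(public_key=placeholder_key(12),            # Site B's public key
                allowed_address=["10.0.0.2/32", "192.168.20.0/24"])])
SITE_B = WgInterface(
    private_key=placeholder_key(2), local_ip_address="10.0.0.2/24",
    peers=[Peer(public_key=placeholder_key(11),            # Site A's public key
                allowed_address=["10.0.0.1/32", "192.168.10.0/24"],
                endpoint="203.0.113.10", persistent_keepalive=25)])

# Client-to-site with Full VPN Traffic: the roaming client sends everything
# (0.0.0.0/0) to the gateway; the gateway's peer entry for that client lists
# only the client's tunnel IP, because no LAN sits behind a roaming client.
ROAMING_CLIENT = WgInterface(
    private_key=placeholder_key(3), local_ip_address="10.0.0.10/32",
    peers=[Peer(public_key=placeholder_key(11), allowed_address=["0.0.0.0/0"],
                endpoint="203.0.113.10", persistent_keepalive=25)])
GATEWAY_PEER_FOR_CLIENT = Peer(public_key=placeholder_key(13),
                               allowed_address=["10.0.0.10/32"])

if __name__ == "__main__":
    for name, cfg in (("site-a", SITE_A), ("site-b", SITE_B), ("client", ROAMING_CLIENT)):
        print(f"# {name}.conf\n{render(cfg)}")
```

The rendered files show the asymmetry the procedure relies on: only the side that initiates (the NAT side, or the roaming client) has an Endpoint and a keepalive, while the waiting side identifies its peer purely by public key and Allowed Address.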

Configuration of Site-to-Site Wireguard VPN via Omada Controller

Wireguard VPN can be used in site-to-site scenarios between two routers. It is suitable for scenarios such as mutual access between devices in the LAN at both ends of the router. Follow the steps below:

Step 1. Configure the Wireguard Server

Go to Settings > VPN > Wireguard, and click Create New Wireguard to configure the Wireguard interface. Specify the Name, and leave MTU and Listen Port at their defaults if there is no special requirement. Leave Private Key and Public Key as generated by the controller: the private key must stay on this gateway and is never entered on the peer, while the public key is what you hand to the peer. In Local IP Address, fill in the virtual IP of the Wireguard interface, which should be an unused IP, or an IP outside the LAN segment. Then click Apply and copy the Public Key.

Create a new Wireguard.

The position to configure Wireguard in Controller webpage, including Name/Status/MTU/Listen Port/Local IP Address/Private Key.

Step 2. Configure the Wireguard Client

The Wireguard interface configuration on the client is the same as on the server. Refer to Step 1.

Step 3. Configure the Server Peer

Go to Settings > VPN > Wireguard, enter the Peers section, and click Create New Peer to start configuration. Select the Interface configured in Step 1; in Public Key, fill in the Public Key of the Wireguard interface on the client; leave Endpoint and Endpoint Port blank, since the server learns the client's address from the client's first handshake; in Allowed Address, fill in the network segments that need to communicate through the VPN, that is, the LAN segment on the client, plus the client's Local IP Address if the two gateways themselves need to reach each other over the tunnel. Allowed Address both selects which destinations are sent to this peer and restricts which source addresses are accepted from it after decryption. Preshared Key is optional: if you set one, enter the same value on both peers; it adds a symmetric secret to the handshake on top of the public-key exchange. Persistent Keepalive is normally left at its default here and set on the side behind NAT. Then click Apply.

The position to configure peers in the Controller webpage, including Name/Status/Interface/Public Key/Endpoint/Endpoint Port/Allowed Address/Preshared Key/Persistent Keepalive/Comment.

Step 4. Configure the Client Peer

Compared with the server peer configuration in Step 3, the client peer configuration is slightly different: for Public Key, fill in the Public Key of the Wireguard interface on the server; for Endpoint and Endpoint Port, fill in the WAN IP of the peer router and its Wireguard Listen Port (the default is 51820). In the site-to-site scenario, if the WANs of both routers use public IP addresses, then Endpoint and Endpoint Port are needed on only one end; that is, one end must initiate the connection actively. Please note that if one router is located behind NAT, that router must serve as the Client, because the other side cannot reach it until it has sent the first handshake; on that router, also set Persistent Keepalive (for example 25 seconds) so that the NAT mapping stays open while the tunnel is idle. If you entered a Preshared Key in Step 3, enter the identical value here.

The configuration of Wireguard VPN Client peers.

Step 5. Check Status

The VPN tunnel will be established when both peers are configured. Go to Insight > VPN Status > Wireguard VPN, and you can see the corresponding tunnel information displayed, including Statistics and Last Handshake.

Check the VPN status in VPN Status.

Configuration of Client-to-Site Wireguard VPN via Omada Controller

Wireguard VPN can also be used in client-to-site scenarios between individual client devices and a router. It is suitable for business travelers or temporary staff working remotely from the headquarters via mobile phones or computers. Taking the Omada VPN client as an example, follow the steps below to configure Client-to-Site Wireguard VPN.

Step 1. Configure the Wireguard Server

Go to Settings > VPN > Wireguard, and click Create New Wireguard to configure the Wireguard interface: specify the Name, and leave MTU and Listen Port at their defaults if there is no special requirement. Leave Private Key and Public Key as generated by the controller: the private key stays on the gateway, and only the public key is given to clients. In Local IP Address, fill in the virtual IP of the Wireguard interface, which should be an unused IP, or an IP outside the LAN segment. Then click Apply and copy the Public Key.

Create a new Wireguard.

The position to configure Wireguard in Controller webpage, including Name/Status/MTU/Listen Port/Local IP Address/Private Key.

Step 2. Configure Omada VPN client

Download the Omada VPN client to your PC from TP-Link's official website (for example, from the ER7206 download page). Then launch the client and click Add.

Use Omada VPN client to add a VPN Server.

Server Information:

Type: Wireguard VPN; IP: the WAN IP of the gateway configured in Step 1; Port: 51820 (or the Listen Port you set, if it is not the default); Public Key: the Public Key copied in Step 1.

Fill in Server information, including Profile Name/Type/IP/Public Key.

IP Property:

IP Address is the tunnel interface IP address of the client. Use an address that is not in the LAN's DHCP range, to avoid IP conflicts; typically this is an unused address in the same virtual subnet as the gateway's Local IP Address.

Fill in IP Property, including IP Address/Port.

Click Generate to create the client's key pair, and copy the Public Key; the private key stays on the client and is never sent to the gateway. For DNS, fill in 8.8.8.8 or a specific DNS server; use an internal DNS server on the gateway's LAN if remote users need to resolve internal host names through the tunnel.

Click Generate and copy your Public Key.

In the Advanced Options section, Full VPN Traffic is enabled by default, meaning that all of the client's traffic is forwarded through the VPN tunnel (an Allowed Address of 0.0.0.0/0 on the client side); this is the most common scenario. If only some resources are needed, disable Full VPN Traffic and fill in the LAN subnets to be reached in Remote Subnets, so that only traffic to those subnets enters the tunnel. Then click Confirm.

Step 3. Configure the Server Peer

Go to Settings > VPN > Wireguard, enter the Peers section, and click Create New Peer to start configuration. Select the Interface configured in Step 1; in Public Key, fill in the Public Key generated by the VPN client in Step 2; leave Endpoint and Endpoint Port blank, since a roaming client's address is learned from its first handshake; in Allowed Address, fill in the interface IP address that the VPN client was given in Step 2 (that single address only, as a roaming client has no LAN segment behind it). Then click Apply.

The position to configure peers in the Controller webpage, including Name/Status/Interface/Public Key/Endpoint/Endpoint Port/Allowed Address/Preshared Key/Persistent Keepalive/Comment.

Step 4. Check Status

Click the connect icon to trigger the VPN link.

Click the connect icon in Omada VPN client to trigger the VPN link.

After the tunnel is successfully established, the corresponding tunnel information, including Statistics and Last Handshake, will be displayed in Insight > VPN Status > Wireguard VPN.

Check the VPN status in VPN Status.

Conclusion

Now you have configured Wireguard VPN on your Omada gateway. Enjoy your network!

For more details on each function and configuration option, go to the Download Center and download the manual for your product.

FAQ

1. How do I check whether a tunnel is successfully established?

Re. On the web interface in standalone mode, the status bar shows the real-time uplink and downlink traffic and the last handshake; on the controller's management interface, go to Insight > VPN Status > Wireguard VPN to view the same information. Non-zero traffic in both directions together with a Last Handshake time that keeps updating (Wireguard renegotiates roughly every two minutes while traffic flows) indicates success. A handshake alone only proves that the two sides' keys match; if the handshake completes but traffic does not flow, look at Allowed Address and routing (see the next question).

2. Why does the communication fail even if the tunnel has been successfully established?

Re. This problem is usually caused by an improper Allowed Address. Allowed Address defines the address range that is carried through the tunnel, and it is enforced in both directions: a packet enters the tunnel only if its destination is inside the Allowed Address of the peer, and a packet received from a peer is accepted after decryption only if its source is inside that peer's Allowed Address; anything else is silently dropped. So make sure that the destination addresses of the communication are included in the Allowed Address on the sending side, and that the source addresses are included in the Allowed Address on the receiving side. In addition, when Allowed Address is configured as 0.0.0.0/0, that is, all traffic is sent into the tunnel, the source IP of the tunnel traffic is rewritten to the Local IP Address you configured, so make sure that your Local IP Address is within the Allowed Address of the peer Wireguard VPN; otherwise the peer drops the traffic even though the tunnel shows a successful handshake.
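To make the rule behind this answer, and behind the Allowed Address step of the site-to-site procedure, concrete: the following Python example is added here and is not TP-Link code or part of the original article. It models the check Wireguard applies to every packet in both directions (destination against the sender's Allowed Address, source against the receiver's Allowed Address), includes the source rewrite to the Local IP Address that the answer describes for the 0.0.0.0/0 case, and audits a planned site-to-site pair for the mistake that produces "handshake OK, no traffic". All addresses are constructed; the site dictionaries are an assumed shape, not an Omada data format.

```python
"""Cryptokey-routing check for a planned Wireguard peer configuration.

Added example, not TP-Link code; all addresses are constructed."""
from __future__ import annotations

import ipaddress

FULL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")


def in_allowed(addr: str, allowed: list[str]) -> bool:
    """True if addr lies inside any range of an Allowed Address list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed)


def trace_packet(src: str, dst: str, sender_allowed: list[str],
                 sender_local_ip: str, receiver_allowed: list[str]) -> tuple[bool, bool, str]:
    """Follow one packet from the sender's side through the tunnel.

    sender_allowed   : Allowed Address the sender entered for the receiver peer
    receiver_allowed : Allowed Address the receiver entered for the sender peer
    Returns (entered_tunnel, accepted_by_receiver, reason)."""
    # 1. Outbound: only destinations inside the peer's Allowed Address are
    #    encrypted to that peer; anything else takes the normal route.
    if not in_allowed(dst, sender_allowed):
        return False, False, (f"destination {dst} is outside the sender's Allowed "
                              f"Address {sender_allowed}; it never enters the tunnel")
    # 2. The article states that with Allowed Address 0.0.0.0/0 the gateway
    #    rewrites the source to its Local IP Address before encryption.
    wire_src = src
    if any(ipaddress.ip_network(n, strict=False) == FULL_TUNNEL for n in sender_allowed):
        wire_src = sender_local_ip
    # 3. Inbound: after decryption the source must lie inside the Allowed
    #    Address of the peer it was decrypted from, or the packet is dropped.
    if not in_allowed(wire_src, receiver_allowed):
        return True, False, (f"source {wire_src} is outside the receiver's Allowed "
                             f"Address {receiver_allowed}; dropped after decryption")
    return True, True, "delivered"


def audit_site_to_site(a: dict, b: dict) -> list[str]:
    """Each site: {'local_ip': tunnel IP, 'lan': LAN segment, 'allowed': the
    Allowed Address it entered for the OTHER site}. Returns human-readable findings."""
    findings = []
    for me, other in ((a, b), (b, a)):
        other_lan = ipaddress.ip_network(other["lan"], strict=False)
        # The peer's LAN must be covered, or its hosts are unreachable from here
        # and their replies are dropped on arrival.
        if not any(other_lan.subnet_of(ipaddress.ip_network(n, strict=False))
                   for n in me["allowed"]):
            findings.append(f"{me['local_ip']}: Allowed Address {me['allowed']} "
                            f"does not cover peer LAN {other['lan']}")
        # The peer's tunnel IP must be covered too: it is the source after the
        # 0.0.0.0/0 rewrite, and the address you ping to test the tunnel itself.
        if not in_allowed(other["local_ip"], me["allowed"]):
            findings.append(f"{me['local_ip']}: Allowed Address {me['allowed']} "
                            f"does not include peer Local IP {other['local_ip']}")
    return findings


# Constructed scenario: Site A forgot Site B's tunnel IP; Site B sends all traffic.
SITE_A = {"local_ip": "10.0.0.1", "lan": "192.168.10.0/24", "allowed": ["192.168.20.0/24"]}
SITE_B = {"local_ip": "10.0.0.2", "lan": "192.168.20.0/24", "allowed": ["0.0.0.0/0"]}
SITE_A_FIXED = {**SITE_A, "allowed": ["192.168.20.0/24", "10.0.0.2/32"]}


def demo() -> tuple[tuple, tuple]:
    """A host on B's LAN talks to a host on A's LAN, before and after the fix."""
    before = trace_packet("192.168.20.5", "192.168.10.5",
                          SITE_B["allowed"], SITE_B["local_ip"], SITE_A["allowed"])
    after = trace_packet("192.168.20.5", "192.168.10.5",
                         SITE_B["allowed"], SITE_B["local_ip"], SITE_A_FIXED["allowed"])
    return before, after


if __name__ == "__main__":
    for result in demo():
        print(result)
    print(audit_site_to_site(SITE_A, SITE_B) or "no findings")
```

In the constructed scenario the handshake succeeds, the packet enters the tunnel on Site B, and is then dropped on Site A because its source has become 10.0.0.2, which Site A never listed; adding 10.0.0.2/32 to Site A's Allowed Address is the whole fix, and the audit reports exactly that missing entry.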

3. Can VPNs of different types be created simultaneously?

Re. Yes, provided that the destination ranges routed into the different VPNs (the Allowed Address, in the case of Wireguard) do not overlap, so that traffic to each destination address maps to exactly one tunnel.
