How to configure Wireguard VPN on Omada Gateway
Contents
How to Configure Wireguard VPN on Omada Gateway
Configuration for Site-to-Site Wireguard VPN via the web interface in standalone mode
Configuration for Client-to-Site Wireguard VPN via the web interface in standalone mode
Configuration of Site-to-Site Wireguard VPN via Omada Controller
Configuration of Client-to-Site Wireguard VPN via Omada Controller
Objective
This article introduces how to configure Wireguard VPN on an Omada gateway.
Introduction
Wireguard VPN establishes an encrypted point-to-point tunnel between a computer and a remote server, which protects personal data in transit, masks the client's IP address, and allows you to reach sites blocked by local firewalls. Using Wireguard VPN, you get a private and protected network experience. As a newer VPN protocol, Wireguard runs in the kernel and provides an efficient, secure, simple, and modern VPN solution. It uses strong modern cryptography to protect data and offers fast transmission. As a result, Wireguard VPN has many advantages over traditional VPN protocols, including efficient encryption and authentication mechanisms, a lightweight protocol design, easy configuration and management, and high throughput.
Configuration for Site-to-Site Wireguard VPN via the web interface in standalone mode
Wireguard VPN can be used in site-to-site scenarios between two routers and is suitable for scenarios such as mutual access between devices in the LAN at both ends of the router. Follow the steps below:
Step 1. Configure the Wireguard Server
Go to VPN > Wireguard, and click Add on the right side to configure the Wireguard interface. Specify the Name, and leave MTU and Listen Port at their defaults if there is no special requirement; likewise leave Private Key and Public Key at their default values. In Local IP Address, fill in the virtual IP of the Wireguard interface, which should be an unused IP, or an IP outside the LAN segment. Then click OK and copy the Public Key.
Step 2. Configure the Wireguard Client
The Wireguard interface configuration on the client is the same as on the server. Refer to Step 1.
Step 3. Configure the Server Peer
Go to VPN > Wireguard, enter the Peers section, and click Add to start configuration. Select the Interface configured in Step 1; in Public Key, fill in the Public Key of the Wireguard interface on the client; leave Endpoint and Endpoint Port blank; in Allowed Address, fill in the network segment that needs to communicate over the VPN, that is, the LAN segment on the client side. Then click OK.
Step 4. Configure the Client Peer
Compared with the server peer configuration in Step 3, the client peer configuration is slightly different: for Public Key, fill in the Public Key of the Wireguard interface on the server; for Endpoint and Endpoint Port, fill in the WAN IP of the peer router and the Wireguard interface port (the default is 51820). In the site-to-site scenario, if the WANs of both routers use public IP addresses, then the Endpoint and Endpoint Port are needed for only one end; that is, one end needs to initiate the connection actively. Please note that if one router is located behind NAT, that router shall serve as the Client.
Step 5. Check Status
The VPN tunnel will be established when both peers are configured. Now, you can see the corresponding tunnel information in the status bar, including TX Bytes, RX Bytes, TX Packets, RX Packets, and Last Handshake.
Configuration for Client-to-Site Wireguard VPN via the web interface in standalone mode
Wireguard VPN can also be used in client-to-site scenarios between clients and routers. It is suitable for business travelers or temporary staff working remotely from the headquarters via mobile phones or computers. Taking the Omada VPN client as an example, you can follow the steps below to configure the Client-to-Site Wireguard VPN.
Step 1. Configure the Wireguard Server
Go to VPN > Wireguard, and click Add to configure the Wireguard interface. Specify the Name, and leave MTU and Listen Port at their defaults if there is no special requirement; likewise leave Private Key and Public Key at their default values. In Local IP Address, fill in the virtual IP of the Wireguard interface, which should be an unused IP, or an IP outside the LAN segment. Then click OK and copy the Public Key.
Step 2. Configure Omada VPN client
Download the Omada VPN client from TP-Link's official website to your PC (for example, via the link "Download for ER7206 | TP-Link"). Then launch the client and click Add.
Server Information:
Type: Wireguard VPN; IP: the WAN IP of the peer router; Port: 51820 (fill in the actual port number if it is not the default value); Public Key: the Public Key copied in Step 1.
IP Property:
IP Address is the interface IP address. It is recommended not to use the IP address in the same network segment as DHCP to avoid IP conflicts.
Click Generate to generate the Public Key of the client and copy this Public Key. For DNS, fill in 8.8.8.8 or a specific DNS.
In the Advanced Options section, Full VPN Traffic is enabled by default, indicating that all client traffic will be forwarded through the VPN tunnel, which is the most common scenario. If needed, you can disable Full VPN Traffic and fill in the LAN IP resources that need to be accessed in Remote Subnets. Then click Confirm.
Step 3. Configure the Server Peer
Go to VPN > Wireguard, enter the Peers section, and click Add to start configuration. Select the Interface configured in Step 1; in Public Key, fill in the Public Key of the Wireguard interface on the client; leave Endpoint and Endpoint Port blank; in Allowed Address, fill in the network segment that needs to communicate over the VPN, that is, the LAN segment on the client side. Then click OK.
Step 4. Check Status
Click the connect icon to trigger the VPN link.
After the tunnel is successfully established, the server status bar will display the corresponding tunnel information, including TX Bytes, RX Bytes, TX Packets, RX Packets, and Last Handshake.
Configuration of Site-to-Site Wireguard VPN via Omada Controller
Wireguard VPN can be used in site-to-site scenarios between two routers. It is suitable for scenarios such as mutual access between devices in the LAN at both ends of the router. Follow the steps below:
Step 1. Configure the Wireguard Server
Go to Settings > VPN > Wireguard, and click Create New Wireguard to configure the Wireguard interface. Specify the Name, and leave MTU and Listen Port at their defaults if there is no special requirement; likewise leave Private Key and Public Key at their default values. In Local IP Address, fill in the virtual IP of the Wireguard interface, which should be an unused IP, or an IP outside the LAN segment. Then click Apply and copy the Public Key.
Step 2. Configure the Wireguard Client
The Wireguard interface configuration on the client is the same as on the server. Refer to Step 1.
Step 3. Configure the Server Peer
Go to Settings > VPN > Wireguard, enter the Peers section, and click Create New Peer to start configuration. Select the Interface configured in Step 1; in Public Key, fill in the Public Key of the Wireguard interface on the client; leave Endpoint and Endpoint Port blank; in Allowed Address, fill in the network segment that needs to communicate over the VPN, that is, the LAN segment on the client side. Then click Apply.
Step 4. Configure the Client Peer
Compared with the server peer configuration in Step 3, the client peer configuration is slightly different: for Public Key, fill in the Public Key of the Wireguard interface on the server; for Endpoint and Endpoint Port, fill in the WAN IP of the peer router and the Wireguard interface port (the default is 51820). In the site-to-site scenario, if the WANs of both routers use public IP addresses, then the Endpoint and Endpoint Port are needed for only one end; that is, one end needs to initiate the connection actively. Please note that if one router is located behind NAT, that router shall serve as the Client.
Step 5. Check Status
The VPN tunnel will be established when both peers are configured. Go to Insight > VPN Status > Wireguard VPN, and you can see the corresponding tunnel information displayed, including Statistics and Last Handshake.
Configuration of Client-to-Site Wireguard VPN via Omada Controller
Wireguard VPN can also be used in client-to-site scenarios between clients and routers. It is suitable for business travelers or temporary staff working remotely from the headquarters via mobile phones or computers. Taking the Omada VPN client as an example, you can follow the steps below to configure the Client-to-Site Wireguard VPN.
Step 1. Configure the Wireguard Server
Go to Settings > VPN > Wireguard, and click Create New Wireguard to configure the Wireguard interface: specify the Name, and leave MTU and Listen Port at their defaults if there is no special requirement; likewise leave Private Key and Public Key at their default values. In Local IP Address, fill in the virtual IP of the Wireguard interface, which should be an unused IP, or an IP outside the LAN segment. Then click Apply and copy the Public Key.
Step 2. Configure Omada VPN client
Download the Omada VPN client to your PC from TP-Link's official website (for example, via the link "Download for ER7206 | TP-Link"). Then launch the client and click Add.
Server Information:
Type: Wireguard VPN; IP: the WAN IP of the peer router; Port: 51820 (fill in the actual port number if it is not the default value); Public Key: the Public Key copied in Step 1.
IP Property:
IP Address is the interface IP address. To avoid IP conflicts, it is recommended that the IP address not be used in the same network segment as DHCP.
Click Generate to generate the Public Key of the client and copy this Public Key. For DNS, fill in 8.8.8.8 or a specific DNS.
In the Advanced Options section, Full VPN Traffic is enabled by default, indicating that all client traffic is forwarded through the VPN tunnel, which is the most common scenario. If needed, you can disable Full VPN Traffic and fill in the LAN IP resources that need to be accessed in Remote Subnets. Then click Confirm.
Step 3. Configure the Server Peer
Go to Settings > VPN > Wireguard, enter the Peers section, and click Create New Peer to start configuration. Select the Interface configured in Step 1; in Public Key, fill in the Public Key of the Wireguard interface on the client; leave Endpoint and Endpoint Port blank; in Allowed Address, fill in the interface IP address of the VPN client from Step 2. Then click OK.
Step 4. Check Status
Click the connect icon to trigger the VPN link.
After the tunnel is successfully established, the corresponding tunnel information, including Statistics and Last Handshake, will be displayed in Insight > VPN Status > Wireguard VPN.
Conclusion
Now you have configured Wireguard VPN on your Omada gateway. Enjoy your network!
To learn more about each function and configuration option, go to the Download Center and download the manual for your product.
FAQ
1. How do I check whether a tunnel is successfully established?
Re. On the web interface in standalone mode, the status bar records the real-time uplink and downlink traffic and the last handshake; on the controller's management interface, go to Insight > VPN Status > Wireguard VPN to view the same information. Traffic counters increasing in both directions together with a recently updated handshake time indicate that the tunnel is working.
2. Why does the communication fail even if the tunnel has been successfully established?
Re. This problem is usually caused by an incorrect Allowed Address configuration. Allowed Address defines the address range that is sent through the tunnel, so make sure that the destination address of the peer communication falls within the Allowed Address network segment. In addition, when Allowed Address is configured as 0.0.0.0/0, that is, all traffic is sent into the tunnel, the source IP of traffic entering the tunnel is translated to the Local IP Address you configured, so ensure that this Local IP Address is within the Allowed Address configured on the peer Wireguard VPN.
3. Can VPNs of different types be created simultaneously?
Re. Yes, provided that the routes of all VPNs (Allowed Address for Wireguard) do not overlap, so that traffic for a given destination address enters the corresponding VPN tunnel.
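As an added example (not TP-Link's code or the Omada firmware), the following Python models the peer fields from the site-to-site steps above and checks the Allowed Address rules from FAQ 2 and FAQ 3: each end's remote LAN must be covered by its Allowed Address, an end that uses 0.0.0.0/0 needs its Local IP Address allowed by the far side, one end must carry an Endpoint, and overlapping entries are resolved by longest prefix. The site names, addresses and key strings are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not TP-Link's code): Omada Wireguard fields from the steps above; all values constructed.

@dataclass
class Peer:
    public_key: str      # Public Key of the remote Wireguard interface (placeholder strings below)
    allowed: list        # Allowed Address entries as CIDR strings
    endpoint: str = ""   # WAN IP of the peer router; "" means the field was left blank

@dataclass
class Site:
    name: str
    local_ip: str        # Local IP Address of the Wireguard interface (virtual IP)
    lan: str             # LAN segment behind this router
    peers: list = field(default_factory=list)

def select_peer(site, dst):
    """Cryptokey routing (FAQ 3): the peer whose Allowed Address covers dst with the longest prefix."""
    addr = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, p) for p in site.peers for c in p.allowed
            if addr in (n := ipaddress.ip_network(c, strict=False))]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def check_pair(a, a_peer, b, b_peer):
    """Problems between site a (a_peer is its entry for b) and site b (b_peer is its entry for a)."""
    problems = []
    if not a_peer.endpoint and not b_peer.endpoint:      # Step 4: one end must initiate
        problems.append("neither end has an Endpoint, so no end initiates the handshake")
    for src, sp, dst, dp in ((a, a_peer, b, b_peer), (b, b_peer, a, a_peer)):
        src_nets = [ipaddress.ip_network(c, strict=False) for c in sp.allowed]
        dst_nets = [ipaddress.ip_network(c, strict=False) for c in dp.allowed]
        # FAQ 2: the destination LAN must lie inside Allowed Address or it never enters the tunnel
        if not any(ipaddress.ip_network(dst.lan).subnet_of(n) for n in src_nets):
            problems.append(f"{src.name}: {dst.lan} is outside Allowed Address {sp.allowed}")
        # FAQ 2: with 0.0.0.0/0 the source becomes Local IP Address, which the far end must accept
        if any(n.prefixlen == 0 for n in src_nets) and not any(
                ipaddress.ip_address(src.local_ip) in n for n in dst_nets):
            problems.append(f"{dst.name}: Local IP {src.local_ip} of {src.name} is outside {dp.allowed}")
    return problems

# Constructed sample: HQ has a public WAN IP; Branch sits behind NAT, so it is the Client (Step 4).
HQ = Site("HQ", "10.255.0.1", "192.168.0.0/24")
BRANCH = Site("Branch", "10.255.0.2", "192.168.1.0/24")
HQ.peers.append(Peer("BRANCH_PUBKEY", ["192.168.1.0/24"]))                           # Step 3
BRANCH.peers.append(Peer("HQ_PUBKEY", ["192.168.0.0/24"], endpoint="203.0.113.10"))  # Step 4

if __name__ == "__main__":
    print(check_pair(HQ, HQ.peers[0], BRANCH, BRANCH.peers[0]))  # [] when the pair is consistent
```

Replace the Branch entry's Allowed Address with 0.0.0.0/0 to reproduce the FAQ 2 failure: the checker then reports that HQ does not allow Branch's Local IP Address.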