FAQ Wireguard - omada-dev/omada-sdn GitHub Wiki
FAQ - Omada and Wireguard VPN
During creation of this document, the following Omada and router versions were used:
| omada version | router | firmware | build version |
|---|---|---|---|
| 5.9.31 | ER605 v2 | 2.1.2 | 2.1.2 Build 20230313 Rel.41632 |
Note: At the time of writing, only a few Omada routers support WireGuard. This guide was written based on examples tested with the ER605 v2 and the current firmware 2.1.2 Build 20230313 Rel.41632.
Router: ER605 v2
Router firmware: 2.1.2 Build 20230313 Rel.41632
Omada Wireguard VPN description
WireGuard®, developed by Jason A. Donenfeld, is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
Simple wireguard server
WireGuard is still considered a new protocol, and many are confused about how to configure it as a server or client on Omada SDN. WireGuard is a peer-based protocol where many peers can be added. A simple WireGuard server covers the use case where a user wants access to the local network. Here is a basic overview of how I will configure a simple WireGuard server:
- Peers can have access to the local network
- Peers can use the router to route all traffic, or only traffic for the local network
Setup wireguard server in Omada
- Navigate to "Settings" -> "VPN" -> "Wireguard"
- Create a new WireGuard interface by clicking the button "Create New Wireguard"
- You will now see the "Create New Wireguard" page with MTU and Listen Port already set to default values and a private key generated automatically. Please ensure the MTU is set correctly according to your network settings.
- Set name, for example: wg0
- Set local IP Address: 178.16.123.1
Additional notes about interface configuration
I have read a lot of confusion regarding which address should be used, and indeed many suggest using the local network's address, such as 192.168.0.1, which is of course totally wrong. The WireGuard interface requires its own address, ideally in its own subnet. As an example, if your Omada LAN is 192.168.0.1/24 and you perhaps also use OpenVPN or VLANs on, say, 10.1.2.1/24, then it is good to use some private 178.16.x.x address for WireGuard.
Note: If you are behind double NAT, please ensure you open and forward the "Listen Port" (UDP) to your Omada router.
Setup wireguard peers in Omada
- Navigate to peers and click the button "Create New Peer"
Additional notes about peer configuration
- Interface: in the screenshot wg0 is used, but if you have more than one interface, here you can assign the peer to a different WireGuard interface.
- Leave "Endpoint" empty. Leaving it empty means that you do not restrict the peer to one specific endpoint IP but accept any IP, which is exactly what most need for mobile devices whose IP address changes.
- If your peer has a static IP, then you should set it as the endpoint.
- Omada does NOT support a hostname in the "Endpoint" field; using an IP address is mandatory at the time of writing this document. If your peer has a dynamic IP, then Omada's current implementation is sadly very poor at the time of writing. Workaround is to leave endpoint point
- Leave "Endpoint Port" empty if that port is not reachable (for example on a mobile connection). It means any port you set in your mobile device's config can be used; WireGuard's default port is UDP port 51820.
- "Persistent Keepalive": In most cases you do not want to use persistent keepalive. This setting in WireGuard is, in my opinion, the one most often misinterpreted by ordinary users. If you do not know that you need it, always try 0 first instead of the default of sending keepalives every 25 seconds, which is considered a good but not optimal value.
- "Public key" is the public key of your peer. If you do not have a public key for your peer, you can create the private and public key files with `wg genkey | tee privatekey | wg pubkey > publickey`. For more info about key generation, please read the "Key generation" part of the official "Quick Start".
- Sadly, TP-Link's implementation does not provide a button to create a new key for a new peer.
- "Preshared key" is optional but provides higher security without any significant loss in performance. I generally use it always if possible.
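The "Public key" item above relies on `wg genkey | wg pubkey`, which is not always installed on the machine used to administer Omada. As an added example, not code from this wiki or from TP-Link, the block below implements the X25519 operation behind those two commands in pure Python (RFC 7748 Montgomery ladder) so that a WireGuard-compatible private/public pair can be produced offline, and adds a small helper for the "route all traffic or only the local network" AllowedIPs choice from the server overview. The 178.16.123.0/24 and 192.168.0.0/24 subnets are the page's own examples; the function names and the default arguments are my assumptions.

```python
import base64, os

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (486662 - 2) / 4, Montgomery ladder constant
BASE = (9).to_bytes(32, "little")   # X25519 base point u = 9

def _clamp(k: bytes) -> int:
    """Clamp a 32-byte secret exactly as wg genkey/pubkey do (RFC 7748 section 5)."""
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: u-coordinate of scalar * point.
    Not constant-time; adequate for offline key generation only."""
    k = _clamp(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)   # mask bit 255
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                       # conditional swap of the two points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_genkey() -> str:
    """Same output shape as `wg genkey` (and `wg genpsk`): 32 random bytes, base64."""
    return base64.b64encode(os.urandom(32)).decode()

def wg_pubkey(private_b64: str) -> str:
    """Same as `wg pubkey`: X25519 of the private key with base point 9, base64."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASE)).decode()

def peer_allowed_ips(route_all: bool, wg_subnet="178.16.123.0/24", lan="192.168.0.0/24") -> str:
    """AllowedIPs for the mobile peer's config: everything via the router, or only
    the WireGuard subnet plus the Omada LAN (page example subnets as defaults)."""
    return "0.0.0.0/0" if route_all else f"{wg_subnet}, {lan}"
```

Paste the private key into the device's [Interface] section and the matching public key into Omada's "Public key" peer field; a second `wg_genkey()` value serves as the "Preshared key" on both sides.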