Unifi <-> OPNsense/pfSense Wireguard S2S Tunnel

Many of the guides you can find online only cover a Site to Client (S2C) setup, e.g. your network to a laptop, …

But not this one! The guide below walks you step by step through setting up an actual Site to Site (S2S) Wireguard tunnel between two remote sites.

After a bit of searching I figured out how to accomplish this, and so far it's working wonderfully without any issues between two sites of mine.

Note: do not add 0.0.0.0/0 to the Allowed IPs on either peer, as this would route all of that site's traffic to the other site! If that is the desired configuration you can ignore this note.

On the OPNsense /pfSense firewall

  1. Create a new WG Tunnel Instance (e.g. WG0)
    • Give it a good name
    • Generate a key pair (you will copy its public key into the Unifi WG client later)
    • Enter a port e.g. 51820
    • Assign it a tunnel address e.g. 10.255.255.2/30
  2. Create a new WG Peer
    • Give it a good name
    • Public key = Copy from the Unifi WG after private key generation (see Unifi steps)!
    • (Optional) Generate a pre-shared key
    • Allowed IPs: add the remote network e.g. 192.168.0.0/24 and the remote tunnel address of the Unifi controller WG instance e.g. 10.255.255.3/30
    • Set a Keepalive interval e.g. 30 seconds
    • Add this newly created peer to your e.g. WG0 instance
  3. Configure a new interface
    • Interfaces -> Assignments -> Assign a new interface -> select WG0 -> Click add
    • Enable the interface and give it a description
  4. Configure the Firewall rule (simplified to any-any rule for easier tutorial sake)
    • Firewall -> Rules -> Your WG interface -> Add
      • Direction = in
      • TCP/IP version = IPv4
      • Protocol = any
      • Source = any
      • Destination = any
      • Add a description
      • Save
  5. Configure a static route
    • System -> Routes -> Configuration -> Add
      • Network address = 192.168.0.0/24
      • Gateway = Your interface from step 3
      • Add a description
      • Save
  6. Configure Unbound to allow DNS queries from the remote network (mandatory if you have DNS and DCs running at the remote site(s))
    • Services -> Unbound DNS -> Access lists -> Add
      • Access List name = e.g. My Unifi site NW
      • Action = Allow
      • Networks = 192.168.0.0/24
      • Add a description
      • Save

On the Unifi controller

  1. Create a new WG Tunnel Client
    • Login to your Unifi Controller -> https://unifi.ui.com/consoles
    • Go to Settings -> VPN -> VPN Client -> Create New
    • Give it a good name
    • Setup = manual
    • Device wizard = skip this for now, as we are going to create the associated policy later on!
    • Content wizard = off
    • Generate a new private and public key pair
    • Tunnel IP = e.g. 10.255.255.3/30
    • Server address = The remote OPNsense/pfSense site’s address
    • Public server key = Copy from the OPNsense/pfSense WG instance from step 1!
    • (Optional) Enter the pre-shared key generated on the OPNsense/pfSense WG peer from step 2
    • Set primary DNS = 1.1.1.1
    • Set secondary DNS = 1.0.0.1
    • Apply settings
  2. Create a new Policy
    • Go to Settings -> Policy Engine -> Policies -> Click on “Create new policy”
    • Select Route
    • Give it a good name
    • Type = Policy-Based
    • Interface = Your Wireguard tunnel
    • No kill switch!
      • As this is an S2S tunnel you do not want to cut off internet access at your Unifi site when the tunnel goes down, unless this is desired!
    • Source = Your Unifi network e.g. 192.168.0.0/24
    • Destination =
      • 192.168.1.0/24 = remote OPNsense/pfSense network(s)
      • 10.255.255.2/30 = remote OPNsense/pfSense Tunnel IP
    • Add
  3. Configure a static route
    • Go to Settings -> Policy Engine -> Policies -> Click on “Create new policy”
    • Select Route
    • Give it a good name
    • Type = Static
    • Device = Gateway
    • Distance = 255, use a high metric number (anything but 1)
    • Destination = 192.168.1.0/24 = remote OPNsense/pfSense network(s)
    • Add
  4. Create Firewall rules (policies)
    • Rule 1 for the Gateway access
      • Go to Settings -> Policy Engine -> Policies -> Click on “Create new policy”
      • Select Firewall
      • Give it a good name
      • Source zone = External
      • Source type = IP
      • Source IP = you can use a list ->
        • Create new list
        • Give it a good name
        • Type = IPv4
        • IPs to add
          • 192.168.1.0/24 = remote OPNsense/pfSense network(s)
          • 10.255.255.2/30 = remote OPNsense/pfSense Tunnel IP
      • Action = Allow
      • Destination zone = Gateway
      • Destination type = Any
      • Destination port = Any
      • IP version = IPv4
      • Protocol = All
      • Connection state = All
      • Schedule = Always
      • Add
    • Rule 2 for the Internal access
      • Go to Settings -> Policy Engine -> Policies -> Click on “Create new policy”
      • Select Firewall
      • Give it a good name
      • Source zone = External
      • Source type = IP
      • Source IP = you can use the created list from rule 1
      • Action = Allow
      • Destination zone = Internal
      • Destination type = Any
      • Destination port = Any
      • IP version = IPv4
      • Protocol = All
      • Connection state = All
      • Schedule = Always
      • Add

That’s it!

You now have successfully set up an S2S Wireguard tunnel between two sites.
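As an added example (not part of the original post, and not code from Unifi, OPNsense or pfSense), the Python script below models both peers with the addresses, port and keepalive used in this guide and checks the pair for the mistakes the steps above guard against: a 0.0.0.0/0 entry in Allowed IPs (see the note at the top), tunnel addresses that do not share one transfer network, and an Allowed IPs list that misses the other side's tunnel IP or LAN. It also renders each side as wg-quick style text so you can compare it with the GUI fields. The key values are placeholders, and the WgSide class and function names are my own.

```python
"""Sanity-check a WireGuard site-to-site peer pair (added example, not from the guide).

Addresses follow the guide: OPNsense/pfSense tunnel 10.255.255.2/30 with LAN
192.168.1.0/24, Unifi tunnel 10.255.255.3/30 with LAN 192.168.0.0/24.
Keys are constructed placeholders, not real WireGuard keys.
"""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List


@dataclass
class WgSide:
    name: str
    tunnel_addr: str            # this side's tunnel address, e.g. "10.255.255.2/30"
    lan: str                    # network behind this site
    listen_port: int
    public_key: str             # placeholder string, not a real key
    allowed_ips: List[str] = field(default_factory=list)  # what this side accepts from / routes to the other


OPNSENSE = WgSide("OPNsense/pfSense", "10.255.255.2/30", "192.168.1.0/24", 51820,
                  "OPNSENSE_PUBLIC_KEY_PLACEHOLDER",
                  allowed_ips=["192.168.0.0/24", "10.255.255.3/30"])
UNIFI = WgSide("Unifi", "10.255.255.3/30", "192.168.0.0/24", 51820,
               "UNIFI_PUBLIC_KEY_PLACEHOLDER",
               allowed_ips=["192.168.1.0/24", "10.255.255.2/30"])


def check_pair(a: WgSide, b: WgSide) -> List[str]:
    """Return a list of problems found in the pair; an empty list means it is consistent."""
    problems = []
    ta = ipaddress.ip_interface(a.tunnel_addr)
    tb = ipaddress.ip_interface(b.tunnel_addr)
    if ta.network != tb.network:
        problems.append(f"tunnel addresses {ta} and {tb} are not in the same transfer network")
    for side, other in ((a, b), (b, a)):
        # strict=False: an entry such as 10.255.255.3/30 is treated as the enclosing 10.255.255.0/30,
        # which is how the guide's Allowed IPs values behave.
        nets = [ipaddress.ip_network(n, strict=False) for n in side.allowed_ips]
        # The guide's note: a default route here sends all of this site's traffic through the tunnel.
        if any(n.prefixlen == 0 for n in nets):
            problems.append(f"{side.name}: Allowed IPs contains a default route (0.0.0.0/0)")
        other_tun = ipaddress.ip_interface(other.tunnel_addr).ip
        if not any(other_tun in n for n in nets):
            problems.append(f"{side.name}: Allowed IPs does not include the other side's tunnel IP {other_tun}")
        other_lan = ipaddress.ip_network(other.lan)
        if not any(other_lan.subnet_of(n) for n in nets):
            problems.append(f"{side.name}: Allowed IPs does not cover the remote LAN {other.lan}")
        own_lan = ipaddress.ip_network(side.lan)
        if any(own_lan.overlaps(n) for n in nets):
            problems.append(f"{side.name}: Allowed IPs overlaps its own LAN {side.lan} (local traffic would enter the tunnel)")
    return problems


def render(side: WgSide, other: WgSide) -> str:
    """Render one side as wg-quick style text; the private key is left as a placeholder."""
    lines = [
        "[Interface]",
        f"Address = {side.tunnel_addr}",
        f"ListenPort = {side.listen_port}",
        "PrivateKey = <this side's private key>",
        "",
        "[Peer]",
        f"# {other.name}",
        f"PublicKey = {other.public_key}",
        f"AllowedIPs = {', '.join(side.allowed_ips)}",
        "PersistentKeepalive = 30",   # keepalive interval from step 2 of the OPNsense/pfSense part
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(OPNSENSE, UNIFI), "\n")
    print(render(UNIFI, OPNSENSE), "\n")
    print("guide values:", check_pair(OPNSENSE, UNIFI) or "no problems")
    # The mistake the guide warns about, on the Unifi side.
    bad = replace(UNIFI, allowed_ips=["0.0.0.0/0"])
    for p in check_pair(OPNSENSE, bad):
        print("problem:", p)
```

Run it as-is to see the guide's values pass and the 0.0.0.0/0 variant fail; swap in your own addresses to check a different pair before typing them into the two GUIs.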

Unifi Console view

OPNsense view

Sources

Sources I’ve used to come to these results by combining different things and tying them together.
