Configuring WireGuard® VPN tunnels in Untangle SD-WAN Router

Overview

Untangle SD-WAN Router version 3.0 and above supports WireGuard® VPN to enable devices on local networks to securely access remote resources using a Virtual Private Network. If your VPN connects to a security gateway such as Untangle NG Firewall, you can route specific types of Internet traffic over the tunnel for added security, content filtering, user-based access control, and reporting.

WireGuard VPN in SD-WAN Router supports two types of VPN tunnels:

Client-to-site (Roaming)
The client-to-site tunnel type is useful when there are no local resources behind Untangle SD-WAN Router that need to be accessible from remote networks. This type of tunnel provides the most flexibility by enabling load balancing across multiple WANs for continuous access and optimal path routing. The flexibility comes from the direction of the connection: SD-WAN Router always initiates the tunnel toward a fixed endpoint on the remote gateway, so the remote gateway never needs to know which WAN address SD-WAN Router is currently using.

Site-to-site (Tunnel)
The site-to-site tunnel type is useful when there are local resources behind Untangle SD-WAN Router that need to be accessible from remote networks. This type of tunnel requires the hostname or IP address of a specific WAN link to be configured on the opposing side of the VPN tunnel.

Adding a client-to-site tunnel with Untangle NG Firewall
Before creating a client-to-site VPN tunnel from Untangle SD-WAN Router to Untangle NG Firewall, you must configure the Roaming profile in NG Firewall. See Setting up WireGuard VPN on roaming devices for instructions. After you create the roaming profile and copy the profile, you can proceed to add the VPN tunnel in SD-WAN Router.

To add a Roaming type of WireGuard VPN tunnel:

  1. Navigate to Settings > Network > Interfaces.
  2. Click Add Interface and select Wireguard.
  3. Set an Interface Name to help you identify this VPN tunnel interface.
  4. In Bound to, select any WAN to let Untangle SD-WAN router choose the best path.
  5. If you entered the local subnets behind your SD-WAN Router into the Remote Networks field of the NG Firewall tunnel configuration, you can disable the option to NAT outgoing traffic. This enables NG Firewall to report and set policies based on individual IP addresses behind SD-WAN Router. Note: this type of configuration may require additional licensing on your NG Firewall.
  6. Under Configuration, paste the contents of the Roaming profile. The dialog displays the parsed profile in the associated fields.
  7. Review the information and click Add to confirm the new WireGuard VPN tunnel interface.
    [Screenshot: 604-1.png]

Adding a site-to-site tunnel
You can create site-to-site VPN tunnels with other SD-WAN Routers and NG Firewall. This type of configuration uses the Tunnel mode with a manual configuration.
To add a Tunnel type of WireGuard VPN tunnel:

  1. Navigate to Settings > Network > Interfaces.
  2. Click Add Interface and select Wireguard.
  3. Set an Interface Name to help you identify this VPN tunnel interface.
  4. In Bound to, select the WAN interface to service the tunnel. The IP address of the selected interface is used to generate the profile for the remote configuration.
  5. Uncheck NAT outgoing traffic to allow the remote networks to reach the local networks by their real addresses.
  6. For Wireguard Type (under Local), choose Tunnel.
  7. Use the default values for the Listen port and Interface IP address.
  8. In the Remote configuration enter the Public Key, Endpoint Address, and Endpoint Listen Port that you must obtain from the remote side. Refer to the table below for a description of these parameters.
Public key: The peer's base64-encoded Curve25519 public key. It identifies and authenticates the peer during the handshake; the symmetric keys that actually encrypt tunnel traffic are derived from that handshake, not from the public key itself. Each peer has its own key pair and shares only the public half.
Listen port: The UDP port WireGuard uses on the local endpoint to receive tunnel communication.
Endpoint listen port: The UDP port on the remote endpoint to which WireGuard sends tunnel communication (the remote side's Listen port).
Endpoint address: The public-facing Internet IP address or hostname of the remote side of the tunnel.
Allowed IP Addresses: The CIDR-formatted subnets on the opposite side of the tunnel. WireGuard applies them in both directions: only packets destined for these subnets are sent into the tunnel, and a packet arriving from the tunnel whose source address lies outside them is dropped. The subnets behind the two sites must therefore not overlap.

After you create the local WireGuard VPN tunnel interface, you can configure the tunnel on the remote side. For SD-WAN Router, repeat the steps above.
If the remote side is Untangle NG Firewall, you can use the copy button in the Local configuration section to paste the profile into the tunnel configuration of NG Firewall. See Setting up WireGuard VPN Site-to-Site Connections in NG Firewall for details.
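As an added illustration, not code from Untangle or from this article, the following Python renders the two halves of a site-to-site tunnel from the parameters described above and catches the values that most often break one: a malformed key, an out-of-range port, a subnet with host bits set, or local subnets that overlap between the two sites. The site names, addresses, ports and subnets are constructed, and the keys are base64 placeholders of the correct length rather than real key material.

```python
"""Build and sanity-check both sides of a WireGuard site-to-site tunnel.

Constructed example; the key values below are base64 placeholders of the
right length (32 bytes), not real WireGuard keys.
"""
import base64
import ipaddress
from dataclasses import dataclass


@dataclass
class Side:
    name: str
    public_key: str        # base64 of the 32-byte Curve25519 public key
    wan_address: str       # public IP or hostname of the WAN the tunnel is bound to
    listen_port: int       # UDP port WireGuard listens on at this side
    tunnel_address: str    # this side's interface IP inside the tunnel, e.g. 10.20.0.1/24
    local_networks: list   # CIDRs behind this side that the peer may reach


def valid_key(key: str) -> bool:
    """A WireGuard key is exactly 32 bytes, base64-encoded to 44 characters."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:            # binascii.Error is a ValueError subclass
        return False


def check_side(side: Side) -> None:
    """Reject values that the tunnel would either refuse or silently mis-route."""
    if not valid_key(side.public_key):
        raise ValueError(f"{side.name}: public key is not 32 base64-encoded bytes")
    if not 1 <= side.listen_port <= 65535:
        raise ValueError(f"{side.name}: listen port {side.listen_port} out of range")
    ipaddress.ip_interface(side.tunnel_address)          # raises on a malformed address
    for net in side.local_networks:
        ipaddress.ip_network(net)                         # strict: host bits must be zero


def allowed_ips(remote: Side) -> list:
    """AllowedIPs for a peer: its tunnel address plus the subnets behind it.

    WireGuard only sends packets into the tunnel when their destination matches
    one of these prefixes, and drops packets arriving from the peer whose
    source does not match one of them.
    """
    tunnel_ip = ipaddress.ip_interface(remote.tunnel_address).ip
    return [f"{tunnel_ip}/{tunnel_ip.max_prefixlen}"] + list(remote.local_networks)


def check_pair(a: Side, b: Side) -> None:
    """Overlapping site subnets are the classic site-to-site mistake: the more
    specific route silently wins and part of the traffic never arrives."""
    check_side(a)
    check_side(b)
    for na in a.local_networks:
        for nb in b.local_networks:
            if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                raise ValueError(f"{na} ({a.name}) overlaps {nb} ({b.name})")


def render(local: Side, remote: Side) -> str:
    """wg-quick style configuration for LOCAL with REMOTE as its only peer.

    Everything under [Peer] is what you must obtain from the other side:
    its public key, its endpoint address and its listen port.
    """
    check_pair(local, remote)
    return (
        "[Interface]\n"
        f"# {local.name}; PrivateKey stays on the device and is not exported\n"
        f"Address = {local.tunnel_address}\n"
        f"ListenPort = {local.listen_port}\n"
        "\n"
        "[Peer]\n"
        f"# {remote.name}\n"
        f"PublicKey = {remote.public_key}\n"
        f"Endpoint = {remote.wan_address}:{remote.listen_port}\n"
        f"AllowedIPs = {', '.join(allowed_ips(remote))}\n"
    )


# Constructed placeholder keys: valid length, not real key material.
KEY_A = base64.b64encode(bytes(range(32))).decode()
KEY_B = base64.b64encode(bytes(range(32, 64))).decode()

SITE_A = Side("sdwan-branch", KEY_A, "203.0.113.10", 51820, "10.20.0.1/24", ["192.168.10.0/24"])
SITE_B = Side("ngfw-hq", KEY_B, "198.51.100.20", 51820, "10.20.0.2/24",
              ["192.168.20.0/24", "192.168.21.0/24"])

if __name__ == "__main__":
    print(render(SITE_A, SITE_B))
    print(render(SITE_B, SITE_A))
```

Each side's [Peer] block is built entirely from the other side's values: its public key, its WAN address and Listen port as the Endpoint, and its tunnel address plus local subnets as the Allowed IP Addresses. Those are the values the copy button in the Local configuration section exists to hand across; the private key never leaves the device.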

Enabling Access to the WireGuard Interface
For Tunnel configuration types, inbound access to the WireGuard interface on the port specified by the Listen port of the tunnel interface must be permitted, or the remote side can never complete a handshake. You can confirm accessibility to the WireGuard tunnel port in Settings > Firewall > Access Rules. The rule must match where Destination Local is true and the destination port is UDP 51820, or whatever port you specify as the Listen port of the tunnel interface. Note that WireGuard does not respond to any packet it cannot authenticate, so from the remote side a blocked port and a wrong key look identical (no handshake); check the Access Rule first.

[Screenshot: 604-2.png]

Important note regarding version 3.0: In this version there is a default Access Rule which is incorrectly configured. Therefore, it is necessary to manually configure an Access Rule per the description above.

Routing traffic over WireGuard VPN tunnels

WireGuard tunnels enable routing to other local networks in addition to full-tunnel routing for Internet-bound traffic via the remote endpoint. The distinction between local networks and Internet-bound traffic is important because SD-WAN Router routes the two cases differently.

Routing to local networks

Local networks are the remote subnets listed in the tunnel's Allowed IP Addresses property, excluding 0.0.0.0/0. Traffic destined for a local network bypasses WAN Rules and is sent directly out the tunnel interface.

Routing Internet traffic (full tunnel)

You can direct Internet-bound traffic via WireGuard VPN tunnels. This type of configuration is common with Roaming profiles and requires a designation of 0.0.0.0/0 in the Allowed IP Addresses tunnel property.

To route Internet-bound traffic via a WireGuard tunnel you must configure a WAN Rule to direct traffic via the WAN Policy that corresponds to the VPN tunnel. You can define a variety of conditions based on specific Internet addresses, applications, or protocols. For specific configuration and examples regarding VPN routing, refer to Routing traffic via VPN tunnels.
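The following Python is an added model, not SD-WAN Router or WireGuard code, of the two decisions the Allowed IP Addresses property controls: which tunnel, if any, an outbound packet is handed to, and whether a packet that arrives through a tunnel is accepted. The tunnel names, subnets and addresses are constructed. The dispositions returned by classify() are this editor's reading of the routing behaviour described above (a specific remote subnet bypasses WAN Rules; 0.0.0.0/0 only makes the tunnel a candidate that a WAN Rule must select); the inbound check mirrors WireGuard's cryptokey routing, in which a decrypted packet whose inner source address lies outside the sending peer's Allowed IPs is discarded.

```python
"""Model of how Allowed IP Addresses steers traffic into and out of tunnels.

Constructed example. TUNNELS maps a tunnel interface name to the Allowed IP
Addresses configured on it. Outbound, the most specific matching prefix
wins, which is why a /24 remote subnet on a site-to-site tunnel still beats
0.0.0.0/0 on a roaming tunnel. Inbound, WireGuard drops any packet whose
inner source address is not covered by the sending peer's allowed prefixes.
"""
import ipaddress

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def longest_match(tunnels: dict, dst: str):
    """Return (tunnel, prefix) for the most specific Allowed IP match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, cidrs in tunnels.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (name, net)
    return None if best is None else (best[0], str(best[1]))


def classify(tunnels: dict, dst: str) -> str:
    """Disposition of an outbound packet, following the page's description."""
    hit = longest_match(tunnels, dst)
    if hit is None:
        return "no-tunnel"                    # never offered to WireGuard
    name, prefix = hit
    if prefix in DEFAULT_ROUTES:
        return f"internet-candidate:{name}"   # a WAN Rule must choose this tunnel
    return f"local:{name}"                    # bypasses WAN Rules, goes straight out


def accept_from_tunnel(tunnels: dict, name: str, src: str) -> bool:
    """Cryptokey routing on receive: the decrypted packet's source must lie in
    the sending peer's Allowed IPs, so a peer cannot inject traffic for
    subnets it does not own."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n
               for n in (ipaddress.ip_network(c) for c in tunnels[name]))


# Constructed tunnel set: one site-to-site tunnel to HQ, one roaming full tunnel.
TUNNELS = {
    "wg-hq":      ["10.20.0.2/32", "192.168.20.0/24"],
    "wg-roaming": ["0.0.0.0/0"],
}

if __name__ == "__main__":
    for dst in ("192.168.20.7", "10.20.0.2", "93.184.216.34"):
        print(dst, "->", classify(TUNNELS, dst))
    print("inbound 192.168.20.9 via wg-hq:", accept_from_tunnel(TUNNELS, "wg-hq", "192.168.20.9"))
    print("inbound 172.16.0.1 via wg-hq:", accept_from_tunnel(TUNNELS, "wg-hq", "172.16.0.1"))
```

Run it and the HQ subnet goes to wg-hq even though wg-roaming claims everything, an Internet address only becomes a candidate for wg-roaming, and a packet arriving on wg-hq from a source outside the HQ subnets is rejected. Remove the 0.0.0.0/0 entry and the same Internet address is classified as no-tunnel, which is what the page means when it says Internet-bound traffic needs both the 0.0.0.0/0 designation and a WAN Rule.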
