Configuring WireGuard® VPN tunnels in Micro Edge
Overview
Micro Edge version 3.0 and above supports WireGuard® VPN to enable devices on local networks to securely access remote resources using a Virtual Private Network. If your VPN connects to a security gateway such as NG Firewall, you can route specific types of Internet traffic over the tunnel for added security, content filtering, user-based access control, and reporting.
WireGuard VPN in Micro Edge supports two types of VPN tunnels:
Client-to-site (Roaming)
The client-to-site tunnel type is useful when there are no local resources behind Micro Edge that need to be accessible from remote networks. This type of tunnel provides the most flexibility by enabling load balancing across multiple WANs for continuous access and optimal path routing. This flexibility is due to the fact that traffic flows in one direction and the remote gateway does not need to know the IP address of the remote endpoint.
Site-to-site (Tunnel)
The site-to-site tunnel type is useful when there are local resources behind Micro Edge that need to be accessible from remote networks. This type of tunnel requires the hostname or IP address of a specific WAN link to be configured on the opposing side of the VPN tunnel.
Adding a client-to-site tunnel with NG Firewall
Before creating a client-to-site VPN tunnel from Micro Edge to NG Firewall, you must configure the Roaming profile in NG Firewall. See Setting up WireGuard VPN on roaming devices for instructions. After you create the roaming profile and copy the profile, you can proceed to add the VPN tunnel in Micro Edge.
To add a Roaming type of WireGuard VPN tunnel:
- Navigate to Settings > Network > Interfaces.
- Click Add Interface and select Wireguard.
- Set an Interface Name to help you identify this VPN tunnel interface.
- In Bound to, select any WAN to let Micro Edge choose the best path.
- If you entered the local subnets behind your Micro Edge into the Remote Networks field of the NG Firewall tunnel configuration, you can disable the option to NAT outgoing traffic. This enables NG Firewall to report and set policies based on individual IP addresses behind Micro Edge. Note: this type of configuration may require additional licensing on your NG Firewall.
- Under Configuration, paste the contents of the Roaming profile. The dialog displays the parsed profile in the associated fields.
- Review the information and click Add to confirm the new WireGuard VPN tunnel interface.
Adding a site-to-site tunnel
You can create site-to-site VPN tunnels with other Micro Edge and NG Firewall devices. This type of configuration uses the Tunnel mode with a manual configuration.
To add a Tunnel type of WireGuard VPN tunnel:
- Navigate to Settings > Network > Interfaces.
- Click Add Interface and select Wireguard.
- Set an Interface Name to help you identify this VPN tunnel interface.
- In Bound to, select the WAN interface to service the tunnel. The IP address of the selected interface is used to generate the profile for the remote configuration.
- Uncheck NAT outgoing traffic to allow the remote networks to have access to local networks.
- For Wireguard Type (under Local), choose Tunnel.
- Use the default values for the Listen port and Interface IP address.
- In the Remote configuration section, enter the Public Key, Endpoint Address, and Endpoint Listen Port that you must obtain from the remote side. Refer to the table below for a description of these parameters.

Parameter | Description
--- | ---
Public key | The key used to encrypt data. Each peer has its own public key.
Listen port | The UDP port WireGuard uses on the local endpoint to receive tunnel communication.
Endpoint listen port | The UDP port WireGuard uses to transfer tunnel communication to the remote endpoint.
Endpoint address | The public-facing Internet IP address or hostname of the remote side of the tunnel.
Allowed IP Addresses | The CIDR-formatted remote subnets of the opposite side of the tunnel.
After you create the local WireGuard VPN tunnel interface, you can configure the tunnel on the remote side. For Micro Edge, repeat the steps above.
If the remote side is NG Firewall, you can use the copy button in the Local configuration section to paste the profile into the tunnel configuration of NG Firewall. See Setting up WireGuard VPN Site-to-Site Connections in NG Firewall for details.
Routing traffic over WireGuard VPN tunnels
WireGuard tunnels enable routing to other local networks in addition to full-tunnel routing for Internet-bound traffic via the remote endpoint. The distinction between local networks and Internet-bound traffic is important because the routing behavior in Micro Edge differs in either case.
Routing to local networks
Local networks are the remote VPN subnets defined in the Allowed IP Addresses tunnel property, excluding 0.0.0.0/0. Traffic destined to local networks bypasses WAN Rules and is sent directly via the tunnel interface.
Routing Internet traffic (full tunnel)
You can direct Internet-bound traffic via WireGuard VPN tunnels. This type of configuration is common with Roaming profiles and requires a designation of 0.0.0.0/0 in the Allowed IP Addresses tunnel property.
To route Internet-bound traffic via a WireGuard tunnel you must configure a WAN Rule to direct traffic via the WAN Policy that corresponds to the VPN tunnel. You can define a variety of conditions based on specific Internet addresses, applications, or protocols. For specific configuration and examples regarding VPN routing, refer to Routing traffic via VPN tunnels.
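As an added example (not code from the page or from Micro Edge itself), the following Python script parses a constructed WireGuard profile into the Remote configuration fields listed in the parameter table above, and then applies the routing distinction described in this section: destinations inside local networks go straight to the tunnel, while Internet-bound traffic uses the tunnel only when 0.0.0.0/0 is in Allowed IP Addresses and a WAN Rule selects the tunnel's WAN Policy. The profile contents, the hostname vpn.example.com and the placeholder key are all constructed for the example.

```python
import base64
import ipaddress

# Constructed placeholder key (32 bytes of 0x01), not a real WireGuard key.
PLACEHOLDER_KEY = base64.b64encode(b"\x01" * 32).decode()
# Constructed sample profile in the format a Roaming profile is pasted in.
SAMPLE_PROFILE = f"""\
[Interface]
PrivateKey = {PLACEHOLDER_KEY}
[Peer]
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 192.168.10.0/24, 0.0.0.0/0
Endpoint = vpn.example.com:51820
"""
FULL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")

def parse_profile(text):
    """Pull the [Peer] values that map onto the Remote configuration fields."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")  # base64 '=' padding stays in value
        current.setdefault(key.strip(), []).append(value.strip())
    peer = sections["Peer"]
    pub = peer["PublicKey"][0]
    if len(base64.b64decode(pub, validate=True)) != 32:  # Curve25519 key = 32 bytes
        raise ValueError("PublicKey is not a 32-byte base64 key")
    host, _, port = peer["Endpoint"][0].rpartition(":")  # tolerates [v6]:port
    allowed = [ipaddress.ip_network(n.strip())
               for v in peer.get("AllowedIPs", []) for n in v.split(",")]
    return {"public_key": pub, "endpoint_address": host,
            "endpoint_listen_port": int(port), "allowed_ips": allowed}

def local_networks(allowed_ips):
    """Local networks as the page defines them: every Allowed IP except 0.0.0.0/0."""
    return [n for n in allowed_ips if n != FULL_TUNNEL]

def route_for(dest, allowed_ips, wan_rule_selects_tunnel=False):
    """Local-network destinations bypass WAN Rules; Internet-bound traffic takes
    the tunnel only with 0.0.0.0/0 allowed and a matching WAN Rule."""
    addr = ipaddress.ip_address(dest)
    if any(addr in net for net in local_networks(allowed_ips)):
        return "tunnel (bypasses WAN Rules)"
    if FULL_TUNNEL in allowed_ips and wan_rule_selects_tunnel:
        return "tunnel (via WAN Rule)"
    return "regular WAN"
```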