Untangle NG Firewall version 16 and above supports WireGuard® VPN for secure remote access. WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. This article describes how to connect mobile devices and desktop systems to NG Firewall using the WireGuard app. For site-to-site tunnel configuration, see Setting up WireGuard VPN Site-to-Site Connections in NG Firewall.
As a first step, configure a new tunnel profile in the WireGuard app of NG Firewall.
- Navigate to the WireGuard app in NG Firewall
- In the Tunnels tab, click Add
- Enter a Description to help you identify the tunnel
- Choose Roaming tunnel type and click Done
- Click Save to confirm the new tunnel
After you save the new tunnel:
- Click the Gear icon next to the tunnel to reveal the QR code and configuration details.
- Toggle the Configuration file selection and copy the configuration using the copy button.
- Save the contents to a file, or keep it in your clipboard if you have access to the client device.
Alternatively, if you are configuring the WireGuard mobile app for iOS or Android, you can take a picture of the QR code from the app.
Setting up the WireGuard App on a device
- Download and install the WireGuard app for your specific device using the following link: https://wireguard.com/install/
- Launch the WireGuard app and click Add Empty Tunnel
- Paste the contents from the configuration that you copied from the server
- Click Save
Alternatively, if you created a text file from the contents, click the Import from file option. Or if you are configuring the WireGuard mobile app, you can use the camera to capture the configuration using the QR image.
To connect the tunnel, click Activate. To disconnect the tunnel, click Deactivate.
Configuring Full Tunnel
WireGuard supports Full Tunnel VPN routing. This means that when the client connects, all Internet traffic routes over the tunnel. This is useful to ensure that the device is fully protected by all security layers of NG Firewall.
To configure full tunnel VPN, modify the Allowed IPs part of the configuration by removing all values and replacing them with "0.0.0.0/0".
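The full tunnel change described above, as an added example that is not part of the original article or of NG Firewall: a Python check that reads an exported roaming profile, lists the networks its Allowed IPs route over the tunnel, and rewrites them to "0.0.0.0/0". The sample profile (keys, addresses, endpoint) is a constructed placeholder and the function names are hypothetical.

```python
import ipaddress

# Constructed sample profile: keys, addresses and endpoint are placeholders.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 172.16.1.2/32
DNS = 172.16.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 172.16.1.0/24, 192.168.10.0/24
"""
FULL_TUNNEL = "0.0.0.0/0"

def _peer_allowed_lines(profile):
    """Yield (index, value) for each AllowedIPs line inside a [Peer] section."""
    section = None
    for index, line in enumerate(profile.splitlines()):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "peer" and "=" in stripped:
            key, value = (part.strip() for part in stripped.split("=", 1))
            if key.lower() == "allowedips":
                yield index, value

def peer_allowed_ips(profile):
    """Return the networks the client will route over the tunnel."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for _, value in _peer_allowed_lines(profile)
            for item in value.split(",") if item.strip()]

def is_full_tunnel(profile):
    """True when the 0.0.0.0/0 route is among the Allowed IPs."""
    return ipaddress.ip_network(FULL_TUNNEL) in peer_allowed_ips(profile)

def make_full_tunnel(profile):
    """Remove all Allowed IPs values and replace them with 0.0.0.0/0."""
    lines = profile.splitlines()
    for index, _ in _peer_allowed_lines(profile):
        lines[index] = f"AllowedIPs = {FULL_TUNNEL}"
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("before:", [str(n) for n in peer_allowed_ips(SAMPLE_PROFILE)])
    print("after: ", [str(n) for n in peer_allowed_ips(make_full_tunnel(SAMPLE_PROFILE))])
```

Running the check on a profile before importing it into the WireGuard app confirms whether the client will send all traffic, or only the listed networks, through NG Firewall.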
Configuring client DNS and network access
In some environments you may prefer to direct DNS requests from VPN clients to a specific host. You may also prefer to restrict what traffic gets routed over the VPN tunnel. These parameters are located in the Settings tab of the WireGuard App in NG Firewall. By modifying these settings, the roaming profile adjusts to reflect the preferred DNS and AllowedIPs variables.