Untangle NG Firewall version 16 and above supports WireGuard® VPN for secure remote access. WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. This article describes how to set up site-to-site VPN tunnels using WireGuard in NG Firewall. To configure mobile devices and desktop systems using the WireGuard app, refer to Setting up WireGuard VPN on mobile devices and desktops.
Install the WireGuard VPN app in the NG Firewall administration. Note that the WireGuard VPN app is included in the NG Firewall Complete subscription.
In the WireGuard App settings, review the Local Networks in the Remote Client Configuration. The local networks specify which subnets get exported in the configuration of VPN tunnels. These subnets become accessible to remote clients in VPN tunnels.
For more details on WireGuard settings refer to the WireGuard wiki.
Adding a Tunnel
WireGuard VPN Tunnels use the following parameters:
|Endpoint Type||Either Static or Roaming. For site-to-site tunnels, use Static.|
|Endpoint IP Address||The Internet IP Address of the remote NG Firewall host.|
|Endpoint Port||The port of the remote endpoint (default is 51820).|
|Remote Public Key||The Public Key of the remote endpoint.|
|Remote Peer IP Address||The VPN Tunnel IP address of the remote endpoint.|
|Remote Networks||The remote subnets you need to access through the VPN tunnel.|
|Monitor IP Address||An IP address on the remote network used to test tunnel status. In most cases this should be the Remote Peer IP Address.|
To simplify the configuration of VPN Tunnels, NG Firewall enables you to Copy and Paste these parameters when setting up WireGuard VPN tunnels.
You can copy the configuration in the Tunnel configuration for each endpoint from the Status page of the WireGuard app.
- In the Tunnels tab, click Add to create a tunnel.
- In the Description field, Paste the configuration from the remote endpoint.
- Review the automatically populated fields for accuracy.
- Modify the Description if necessary.
- Enter a Monitor IP Address. The remote peer IP address is recommended.
- Click Done.
- Click Save to confirm the new tunnel.
- Repeat these steps on the remote endpoint.
You can verify that the tunnels are connecting from the Status tab. If the tunnels connect successfully, you can see Bytes In and and Bytes Out data and a timestamp of the last handshake.