Virtual Private Network

Posted on 6 2026

The source material this page replaces covers OpenVPN on OpenWrt. This series uses WireGuard throughout. WireGuard is built into the Linux kernel, natively supported by UniFi, significantly faster than OpenVPN, and considerably simpler to configure. There is no reason to use OpenVPN for new deployments.

This network uses WireGuard for two distinct purposes:

Roaming client access: connecting the Kubuntu desktop, phones, and laptops to the home network from anywhere. When away from the primary site, devices tunnel back through Prevernal and appear on the internal network as if they were local. The desktop WireGuard client configuration was covered in the Desktop Network section.

Inter-site connectivity: connecting the three sites together so the 10.1.x.x, 10.2.x.x, and 10.3.x.x subnets are mutually routable. This is what allows the desktop at the primary site to reach the NAS at another site, or management traffic to flow between all three.

This page covers the server-side configuration of both.

WireGuard fundamentals on UniFi

Navigate to Settings > VPN and switch to the VPN Server tab. Click Create New and choose WireGuard as the connection type. UniFi handles key generation automatically. The resulting configuration file is what gets distributed to clients.

Two separate WireGuard server instances are created on Prevernal: one for roaming clients and one for the inter-site tunnels. They use different ports and different address ranges to keep the two use cases cleanly separated.

Roaming client VPN

Server configuration on Prevernal

Navigate to Settings > VPN > VPN Server > Create New.

Name: Roaming Clients
Type: WireGuard
Server Address: Auto-populated from WAN IP or DDNS hostname
Port: 51820 (or a non-default port for obscurity)
Gateway / Subnet: 10.1.254.1/24
DNS Server: 10.1.0.x (internal Unbound resolver)
Pre-shared Key: Auto-generated (leave enabled)

The gateway subnet 10.1.254.0/24 is a dedicated range for VPN clients within the primary site’s address space. It does not conflict with any of the named VLANs from the network design.

Once saved, UniFi displays the server’s public key and QR code for client configuration.

DDNS for the VPN endpoint

If the WAN IP changes (typical for residential connections), configure DDNS so the VPN endpoint hostname stays stable. Navigate to Settings > Internet > Dynamic DNS and configure a DDNS provider.

The VPN client configuration files reference the DDNS hostname rather than the IP address. When the IP changes, the DDNS record updates and existing tunnels re-establish automatically.

Adding roaming clients

Under the WireGuard server configuration, click Add Client. Name each client descriptively: desktop, phone, laptop.

For each client, UniFi generates a unique configuration file containing:

[Interface]
PrivateKey = <client private key>
Address = 10.1.254.x/32
DNS = 10.1.0.x

[Peer]
PublicKey = <Prevernal public key>
PresharedKey = <preshared key>
AllowedIPs = 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16
Endpoint = vpn.yourdomain.net:51820
PersistentKeepalive = 25

The AllowedIPs line controls split tunnelling. The default from UniFi is 0.0.0.0/0 (full tunnel, all traffic through VPN). For roaming clients that only need access to internal resources, restrict it to the three site subnets as shown above. Edit the downloaded configuration file before importing it on the client.
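The following is an added example, not code from the original page or from UniFi: a small Python script that performs the edit described above on a downloaded client configuration, replacing the full-tunnel `AllowedIPs = 0.0.0.0/0` with the three site subnets, and then checks two things before the file is imported: that no default route remains in AllowedIPs (so it really is a split tunnel) and that the client's Address lies inside the 10.1.254.0/24 pool the server hands out. The sample configuration and its placeholder keys are constructed; the DNS address 10.1.0.53 is an assumed value standing in for the page's 10.1.0.x.

```python
"""Restrict a UniFi-generated WireGuard client config to the site subnets.

Added example (not from the original page or UniFi itself): rewrites the
AllowedIPs line of a downloaded client config from the full-tunnel default
(0.0.0.0/0) to the three site subnets, then checks the result before import.
"""
import ipaddress

# The three site subnets from the network design.
SITE_SUBNETS = ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16")
# The roaming client pool configured on Prevernal.
CLIENT_POOL = "10.1.254.0/24"

# Constructed sample of a UniFi client config; key values are placeholders
# and 10.1.0.53 is an assumed resolver address.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <client private key>
Address = 10.1.254.10/32
DNS = 10.1.0.53

[Peer]
PublicKey = <Prevernal public key>
PresharedKey = <preshared key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.yourdomain.net:51820
PersistentKeepalive = 25
"""


def _entries(config_text):
    """Yield (section, key, value) for every key = value line in the config."""
    section = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif "=" in stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            yield section, key.strip().lower(), value.strip()


def restrict_allowed_ips(config_text, subnets=SITE_SUBNETS):
    """Return the config with each [Peer] AllowedIPs line replaced by subnets."""
    for cidr in subnets:  # reject a mistyped subnet before it reaches a client
        ipaddress.ip_network(cidr, strict=True)
    new_line = "AllowedIPs = " + ", ".join(subnets)
    out, section, replaced = [], None, 0
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "peer" and stripped.partition("=")[0].strip().lower() == "allowedips":
            out.append(new_line)
            replaced += 1
            continue
        out.append(line)
    if replaced == 0:
        raise ValueError("no AllowedIPs line found under [Peer]")
    return "\n".join(out) + "\n"


def is_split_tunnel(config_text):
    """True unless some AllowedIPs entry is a default route (0.0.0.0/0 or ::/0)."""
    for section, key, value in _entries(config_text):
        if section == "peer" and key == "allowedips":
            for cidr in value.split(","):
                if ipaddress.ip_network(cidr.strip(), strict=False).prefixlen == 0:
                    return False
    return True


def client_address_in_pool(config_text, pool=CLIENT_POOL):
    """True when the [Interface] Address falls inside the server's client pool."""
    network = ipaddress.ip_network(pool)
    for section, key, value in _entries(config_text):
        if section == "interface" and key == "address":
            return ipaddress.ip_interface(value).ip in network
    return False


if __name__ == "__main__":
    restricted = restrict_allowed_ips(SAMPLE_CONFIG)
    print(restricted)
    print("split tunnel:", is_split_tunnel(restricted))
    print("address in pool:", client_address_in_pool(restricted))
```

Run it against a real downloaded file by reading the file into `restrict_allowed_ips` and writing the returned text back out before importing it with `nmcli` or the mobile app; the two check functions are worth keeping as a pre-import test so a client never accidentally ships with a full-tunnel or out-of-pool configuration.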

The desktop client configuration and import process was covered in the Desktop Network section. For mobile clients, import the configuration by scanning the QR code shown in the UniFi interface.

Firewall rules for roaming clients

UniFi automatically creates the firewall rules needed for the WireGuard server. Verify in Settings > Firewall & Security > Firewall Rules that rules permitting inbound UDP on the WireGuard port exist.

To restrict what roaming VPN clients can access (for example, preventing VPN clients from accessing the Visitor VLAN), add LAN In rules:

Name: Block VPN clients from Visitor VLAN
Action: Drop
Source: Network = WireGuard VPN (10.1.254.0/24)
Destination: Network = Visitor (10.1.90.0/24)

By default, VPN clients on 10.1.254.x can reach all internal VLANs. Add explicit block rules for any VLANs that VPN clients should not access.

Inter-site VPN

The inter-site VPN connects Prevernal, Vernal, and Estival so their subnets are mutually routable. This is configured differently from the roaming client VPN: it uses the UniFi Site-to-Site VPN feature rather than the Remote User VPN.

Overview

The topology is hub-and-spoke with Prevernal as the hub:

Vernal ──── WireGuard ──── Prevernal ──── WireGuard ──── Estival

All inter-site traffic routes through Prevernal. Direct Vernal-to-Estival tunnels are optional but not configured here for simplicity. Traffic from Vernal to Estival hops through Prevernal.

Configuring the Prevernal-to-Vernal tunnel

On Prevernal, navigate to Settings > VPN > Site-to-Site VPN > Create New.

Name: Prevernal to Vernal
Type: WireGuard
Local WAN IP: Auto
Remote Endpoint: Vernal’s WAN IP or DDNS hostname
Remote Port: 51821 (use a different port from roaming clients)
Local Subnets: 10.1.0.0/16
Remote Subnets: 10.2.0.0/16
Pre-shared Key: Generate a unique key

On Vernal, create the mirror configuration:

Name: Vernal to Prevernal
Type: WireGuard
Local WAN IP: Auto
Remote Endpoint: Prevernal’s WAN IP or DDNS hostname
Remote Port: 51821
Local Subnets: 10.2.0.0/16
Remote Subnets: 10.1.0.0/16
Pre-shared Key: Same key as above

Configuring the Prevernal-to-Estival tunnel

Repeat the process for Estival, using 51822 as the port and 10.3.0.0/16 as Estival’s subnet.

Routing between sites

Once the tunnels are established, add static routes so traffic to Estival from Vernal (and vice versa) knows to route through Prevernal.

On Vernal, add a static route:

Destination: 10.3.0.0/16
Next hop: 10.1.0.1 (Prevernal's Core VLAN address via the tunnel)

On Estival, add a static route:

Destination: 10.2.0.0/16
Next hop: 10.1.0.1 (Prevernal's Core VLAN address via the tunnel)

Prevernal already knows about both remote subnets via its two tunnel configurations and does not need additional static routes.

Firewall rules for inter-site traffic

UniFi does not automatically create firewall rules for site-to-site VPN traffic. Add rules to permit traffic between sites.

Navigate to Settings > Firewall & Security > Firewall Rules. Add rules in LAN In on each router:

On Prevernal: allow traffic from remote sites

Name: Allow traffic from Vernal subnet
Action: Accept
Source: IP Address/Subnet = 10.2.0.0/16
Destination: Any

Name: Allow traffic from Estival subnet
Action: Accept
Source: IP Address/Subnet = 10.3.0.0/16
Destination: Any

On Vernal: allow traffic from Prevernal and Estival

Name: Allow traffic from Prevernal subnet
Action: Accept
Source: IP Address/Subnet = 10.1.0.0/16
Destination: Any

Name: Allow traffic from Estival subnet
Action: Accept
Source: IP Address/Subnet = 10.3.0.0/16
Destination: Any

On Estival: mirror the above for 10.1.0.0/16 and 10.2.0.0/16.

Verifying the VPN configuration

Roaming client test

Connect the Kubuntu desktop’s WireGuard VPN from an external network (mobile hotspot or a different internet connection):

nmcli con up home

# Test reachability across all three sites
ping -c3 10.1.0.1    # Prevernal Core
ping -c3 10.2.0.1    # Vernal Core
ping -c3 10.3.0.1    # Estival Core

# Test internal DNS resolution through the tunnel
dig server.yourdomain.net +short

# Check WireGuard interface
sudo wg show

Inter-site connectivity test

From the desktop at the primary site, test reachability to other sites’ subnets:

ping -c3 10.2.0.1    # Vernal Core gateway
ping -c3 10.3.0.1    # Estival Core gateway

From the router SSH session on Prevernal:

ssh prevernal
wg show    # Should show active peers for each inter-site tunnel
ping 10.2.0.1
ping 10.3.0.1

Check the handshake times in wg show. A recent handshake (within the last few minutes) confirms the tunnel is active and traffic is flowing.
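As an added example that is not part of the original page, the script below turns the manual "look at the handshake times" check into something that can run from cron on Prevernal: it parses the output of `wg show all dump` (one tab-separated line per interface, then one per peer, with the latest handshake as Unix seconds and 0 meaning never) and reports every peer whose last handshake is older than a threshold. The threshold of 180 seconds is an assumption based on the 25-second keepalive: a peer that is exchanging keepalives renegotiates its handshake every couple of minutes, so anything older than that on an inter-site tunnel means the tunnel is down. The interface names `wgsrv0` and `wgsrv1` and the sample dump are constructed placeholders, not UniFi's real names.

```python
"""Flag WireGuard peers with stale handshakes from `wg show all dump` output.

Added example, not part of the original page. Interface header lines carry
(interface, private-key, public-key, listen-port, fwmark); peer lines carry
(interface, public-key, preshared-key, endpoint, allowed-ips, latest-handshake
as unix seconds with 0 meaning never, rx bytes, tx bytes, persistent-keepalive).
"""
import subprocess
import time

# Constructed sample output. Interface names and key fields are placeholders.
NOW = 1_700_000_000  # fixed "current time" so the sample is reproducible
SAMPLE_DUMP = "\n".join([
    "\t".join(["wgsrv1", "<private key>", "<Prevernal pub>", "51821", "off"]),
    "\t".join(["wgsrv1", "<Vernal pub>", "<psk>", "203.0.113.10:51821",
               "10.2.0.0/16", str(NOW - 40), "812345", "667890", "25"]),
    "\t".join(["wgsrv1", "<Estival pub>", "<psk>", "198.51.100.20:51822",
               "10.3.0.0/16", str(NOW - 900), "1200", "3400", "25"]),
    "\t".join(["wgsrv0", "<private key>", "<roaming pub>", "51820", "off"]),
    "\t".join(["wgsrv0", "<phone pub>", "<psk>", "(none)",
               "10.1.254.11/32", "0", "0", "0", "off"]),
])


def parse_dump(dump_text):
    """Return a list of peer dicts; the 5-field interface header lines are skipped."""
    peers = []
    for line in dump_text.splitlines():
        fields = line.split("\t")
        if len(fields) == 5:
            continue
        if len(fields) != 9:
            raise ValueError(f"unexpected dump line: {line!r}")
        peers.append({
            "interface": fields[0],
            "public_key": fields[1],
            "endpoint": fields[3],
            "allowed_ips": fields[4],
            "latest_handshake": int(fields[5]),
            "rx_bytes": int(fields[6]),
            "tx_bytes": int(fields[7]),
        })
    return peers


def stale_peers(peers, now, max_age=180, interfaces=None):
    """Peers with no handshake within max_age seconds.

    Returns (interface, public_key, age_seconds) tuples; age is None when the
    peer has never completed a handshake. Pass interfaces={"wgsrv1"} to check
    only the inter-site tunnels: an idle roaming client legitimately has an
    old handshake, while an inter-site peer with keepalive enabled should not.
    """
    stale = []
    for p in peers:
        if interfaces is not None and p["interface"] not in interfaces:
            continue
        age = None if p["latest_handshake"] == 0 else now - p["latest_handshake"]
        if age is None or age > max_age:
            stale.append((p["interface"], p["public_key"], age))
    return stale


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # read the real router state instead of the sample
        dump = subprocess.run(["wg", "show", "all", "dump"],
                              capture_output=True, text=True, check=True).stdout
        now = int(time.time())
    else:
        dump, now = SAMPLE_DUMP, NOW
    for iface, key, age in stale_peers(parse_dump(dump), now):
        print(f"STALE {iface} {key}: " + ("never" if age is None else f"{age}s ago"))
```

`wg show all dump` has to run as root, so a live check is `sudo python3 wgstale.py --live`; on the sample data the script flags the Estival peer (handshake 900 seconds old) and the phone (never handshaken), which is exactly the distinction the filter argument exists for: the first is an outage, the second is a client that is simply offline.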

Keepalive settings

WireGuard tunnels go idle when there is no traffic. For inter-site tunnels that need to be always ready, enable PersistentKeepalive in the UniFi site-to-site configuration. A value of 25 seconds is standard and maintains the tunnel through NAT without significant bandwidth overhead.

For roaming client tunnels, the keepalive is set in the client configuration file as shown in the configuration example above.

WireGuard’s security model is one of its strengths: if a client has the correct keys, it can connect. If it does not, its packets are silently dropped. There are no authentication negotiation failures to log, no handshake errors. Debugging a connection that does not work means verifying that both sides have the correct public keys and that the firewall permits UDP traffic on the configured port.