***Update*** All is working now. It seems like my AT&T modem was somehow reset to routing mode instead of passthrough mode, which caused double NAT. When I put the modem into passthrough mode again and powered off everything (modem and UDM) for 10 minutes my UDM now has the modem’s public IP. I recreated the VPN server and client and it worked immediately. THANK YOU TO ALL WHO HELPED! This sub is awesome!
******
Some background… When I first set up my UDM SE almost a year ago, I actually had a Wireguard VPN working with the help of either Mactelecom or Crosstalk Solutions videos (can’t remember which). I was able to connect from a remote Wifi network to my home Wifi network and everything worked great on both my iPhone and Mac.
Now today, none of that works anymore. The only difference is that I’m trying to connect over cellular from my iPhone instead of another Wifi network…if that makes any difference. So I decided to start over. I created the new Wireguard VPN and client using Mactelecom’s latest video since it was pretty recent and there have been several UDM OS and Network updates over the past year. The actual setup went as easy and smooth as in Cody’s video, but after connecting it just doesn’t work. What I mean by that is, on my iPhone, when I enable VPN, it says that it is connected and I see the Data Sent values but I don’t see any Data Received which I thought I used to see when it worked a year ago. The iPhone doesn’t have any network connectivity. On the UDM SE, under Network > Settings > VPN > VPN Settings, the page never shows any Active Clients. On the Network > Clients page, I never see any VPN clients either. One strange thing I noticed is that when it worked a year ago, I had a firewall rule in place called Allow Wireguard Server (Accept, Internet Local, UDP) that I vaguely remember creating from one of the old videos. I’ve since disabled this rule since VPN didn’t work with or without it. But the new videos don’t mention any need for firewall rules so are they not necessary anymore? I can’t determine if I’m connected but being blocked by some firewall rule or if I’m just not connected at all (and my iPhone’s VPN connection is just lying to me).
My network has a Default (trusted) LAN and several other VLANs (camera, guest, IoT). The standard firewall rules are in place that allow all access from Default to all other VLANs but no access across the untrusted VLANs. My subnet for the Wireguard server is different from Default and other LAN subnets. My assumption is that my VPN connection would be coming into the Default LAN and should have free access to all other restricted VLANs, just like I’m at home. Is this assumption incorrect? Any ideas on how to troubleshoot?
Hello! Thanks for posting on r/Ubiquiti!
This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can.
Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit.
If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it!
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
Please post your client's config "Allowed IPs" line.
But not receiving data is an indication of a faulty public IP in the config. If using dyndns, check that it resolves to the current public IP of the UDMP.
Do you have another router in front of the UDMP or does it have a direct connection to a modem? (Double NAT is what I’m asking about)
WireGuard on the client will show active, even though there is no tunnel established.
Do you have a custom DNS? I ran into a similar issue a while ago.
https://www.reddit.com/r/Ubiquiti/s/Er3mCvrsAU
What provides your DNS on your home network? I have a PiHole that is my DNS server and I need to manually set my DNS server in Wireguard on my phone for it to work. I typically use a split tunnel when I am out and about purely for the ad blocking.
Out of curiosity, does the destination host/ip address in your WireGuard profile of the end device match with the actual current public up address of your dream machine?
I have a Wireguard and OpenVPN setup which I was just messing around with to make sure they work, and both worked. Without even watching a video I’ve made them work. That’s how simple Ubiquiti made it. No, you don’t need any firewall rules. I don’t have many and I have my default network accessible to all VLANs. I’m connected every day to my VPN as I use it for the ad blocking on some sites. I don’t know what else to tell you but to check your network segments and firewall rules.
Thanks for the reply!
Client “Allowed IPs” = 192.168.3.1/32, 192.168.3.2/32, 0.0.0.0/0
The public IP thing was another question I had. Because my “Server Address” is selectable from a drop-down which is also a 192.168.x.x address. But that’s not public, is it? I thought all 192.168.xx.xx were internal LAN addresses, similar to the 10.0.xx.xx IPs. My Internet service is AT&T fiber and the modem is what has a public IP, correct? I can see my AT&T modem’s IP address and it’s definitely public. And the AT&T app sees my UDM and is giving the same address as what’s in the drop-down above. My modem *should* be in pass-through (bridge) mode since I have its Wifi turned off and want the UDM to do all the firewall and routing. But looking at my modem’s config page, IP Passthrough seems to be off. Could that be the issue? The AT&T modem has only one device connected to it…my UDM SE. I just don’t understand how my VPN client on my iPhone could find my UDM with a 192.168.xx.xx address.
I don’t think I do. My Network > Internet > DNS Server has Auto checked.
Um, I’m not sure. My DNS Server field has “Auto” checked.
I’m not seeing anything labeled destination. In my Wireguard VPN client on the iPhone, there are only three fields with IP addresses. Under the INTERFACE section there’s Addresses and DNS servers. Both contain 192.168.3.xx addresses. The DNS servers field contains the same one address that I specified on the Wireguard Server Gateway host field on the UDM. The only other field containing addresses is under the PEER section labeled Allowed IPs which contains the addresses I mentioned above.
I see nothing in the client configuration that points to my UDM’s server address.
In addition to 192.168.3.1/32 and 192.168.3.2/32 you would need to add any subnet or device ip you want to reach to that particular line. You can remove the 0.0.0.0/0.
192.168.x.x is a private LAN IP and will never be used in the public space.
Yes, your AT&T device is in routing mode instead of modem aka passthrough, which would be needed for this to function without headaches. It could’ve been a firmware update that reactivated the routing mode.
In the Wireguard client on your phone, change the DNS server to the IP your UDM is at.
Sorry, I might not have been specific enough, I meant the address or name at "endpoint". Does that match your UDM's public address or its DynDNS name?
I put my AT&T modem back in passthrough mode. One thing that seemed odd was that the modem recognized my UDM and had its IP address, but the last two hexadecimal digits in the MAC address are wrong. My UDM says the last two digits are “25” and the AT&T modem says it’s “2d”. So when I re-enabled passthrough mode on the modem, I edited the pre-populated MAC address and changed it to “25”. Then rebooted the modem and the UDM. Still it’s not working and the UDM is not recognizing a VPN connection.
Just thought I’d point out that I’m testing this by turning off Wifi on my phone and trying to connect to VPN via cellular (T-Mobile). But if I leave Wifi on and connect, the VPN connection works and the phone actually has connectivity and the UDM shows it and I get a push notification from the UDM saying that a VPN connection was made. But I’m assuming that this is because I’m already on my home Wifi. I really want it to work over cellular and a different Wifi network…I just don’t have another Wifi network to test with.
Thank you for your help. It seems I had two issues: 1) My modem had been reverted to routing mode and 2) I didn’t shut down my modem or UDM long enough for it to get a new *public* IP. Once I did a proper shutdown and power off of everything and waited 10 minutes, my UDM SE now has my modem's public IP address and my VPN is now working! I’ll post an update.
Do you mean change it to my Wireguard Server address? I just tried that and it still didn’t work. Again, all the IP addresses in the Wireguard client on my phone are private IPs (192.168.xx.xx) which I don’t see how they can ever be found from the public Internet. Unless there is something encrypted in the Public key fields that tells my VPN client how to get to my AT&T modem’s public address…
So that’s weird…when I enable VPN the endpoint field is some gobbledygook of brackets and hex values. But now when I look at the same field with VPN disabled, then yes, the address and port number match what’s specified as my Server Address host/port fields (192.168.1.70:51820). What I don’t understand is how does a device on the Internet get to my AT&T modem (to be passed to my UDM) with just a private 192.168.xx.xx address? Is the real public IP address encoded in the “Public key” field or something?
Under peer in the Wireguard client you should see Endpoint. That should be the public facing IP of your home network. Allowed IPs could vary depending on whether you are doing a split tunnel or full tunnel.
Under interface you should have addresses as what your UDM assigns to Wireguard clients to be identified on your home network. DNS servers should be set to what hands out DNS on your home network, your UDM.
If you think the endpoint value is wrong, manually change it to the correct one. When you added the interface to your iPhone, did you manually type everything in? Or did you scan the QR code/import the config file?
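Added by the editor, not posted by anyone in this thread: a small Python checker that applies the points made in the reply above (Endpoint must be a public address or a DynDNS name, AllowedIPs decides split vs full tunnel, DNS must be reachable through the tunnel) to a WireGuard client config. The config text inside it is constructed to mirror the values the original poster quoted (a 192.168.1.70:51820 endpoint and AllowedIPs of 192.168.3.1/32, 192.168.3.2/32, 0.0.0.0/0); the key values are placeholders, and the function names are my own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample client config (not from any real deployment). Its values
# mirror the ones discussed in the thread: a private 192.168.1.70:51820 endpoint
# and AllowedIPs of 192.168.3.1/32, 192.168.3.2/32, 0.0.0.0/0. Keys are placeholders.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.3.2/32
DNS = 192.168.3.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.3.1/32, 192.168.3.2/32, 0.0.0.0/0
Endpoint = 192.168.1.70:51820
PersistentKeepalive = 25
"""


def parse_wg_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse WireGuard's INI-like format into {section: {key: value}}.

    Section and key names are lower-cased; a key repeated within a section
    (WireGuard allows several AllowedIPs lines) is joined with commas.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        sections[current][key] = (
            sections[current][key] + ", " + value if key in sections[current] else value
        )
    return sections


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' or '[ipv6]:port' into (host, port).

    The bracketed form is what the phone app shows once it has resolved the
    endpoint name to an IPv6 address (the "brackets and hex values" in the thread).
    """
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def check_client_config(text: str) -> Dict[str, object]:
    """Sanity-check a client config; returns {'mode': 'full'|'split', 'findings': [...]}."""
    cfg = parse_wg_config(text)
    iface = cfg.get("interface", {})
    peer = cfg.get("peer", {})
    findings: List[str] = []

    # 1. Endpoint: a remote client must be able to reach it from the Internet.
    endpoint = peer.get("endpoint")
    if not endpoint:
        findings.append("Endpoint missing: the client cannot start a handshake")
    else:
        host, port = split_endpoint(endpoint)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a hostname (e.g. a DynDNS name); resolution is not checked here
        if addr is not None and not addr.is_global:
            findings.append(
                f"Endpoint {host} is not a globally routable address; it only works "
                "from inside the home LAN, never over cellular or another Wi-Fi"
            )
        if not 1 <= port <= 65535:
            findings.append(f"Endpoint port {port} is out of range")

    # 2. AllowedIPs: decides split vs full tunnel and which traffic may use it.
    allowed = [a.strip() for a in peer.get("allowedips", "").split(",") if a.strip()]
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    if not nets:
        findings.append("AllowedIPs empty: no traffic will be routed into the tunnel")
    mode = "full" if any(n.prefixlen == 0 for n in nets) else "split"

    # 3. DNS: on a split tunnel the resolver itself must be inside AllowedIPs,
    #    otherwise lookups leave via the cellular path and the tunnel looks dead.
    for dns in (d.strip() for d in iface.get("dns", "").split(",") if d.strip()):
        try:
            dns_addr = ipaddress.ip_address(dns)
        except ValueError:
            continue  # search domains may also appear in DNS=; skip them
        if mode == "split" and not any(dns_addr in n for n in nets):
            findings.append(f"DNS server {dns} is not covered by AllowedIPs on a split tunnel")

    return {"mode": mode, "findings": findings}


if __name__ == "__main__":
    result = check_client_config(SAMPLE_CONFIG)
    print(f"tunnel mode: {result['mode']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the constructed config it reports a full tunnel and flags the private endpoint, which is exactly the symptom in this thread: the profile works on home Wi-Fi, where 192.168.1.70 is reachable, and shows "connected" but passes no data from cellular. Swapping the endpoint for a DynDNS name or the modem's public address clears the finding; the same checker also catches the PiHole case mentioned earlier, where a split tunnel points DNS at a home server that is not inside AllowedIPs.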
Interesting, I also tested it to reproduce that behavior. I have a public ip address and use dyn-dns btw.
When that VPN profile is deactivated, endpoint shows the dyn-dns name plus the port number. When I activate it the dyn-dns name changes to the current public IPv4 address of my UDMSE, as intended.
So in your case the "gobblewobble" is the public IPv6 address of your gateway. Now it would be interesting to see if that IPv6 in the WireGuard profile matches the gateway IPv6 of your UDM; you can check its current public IP in the main page of the UniFi dashboard.