Configuring WireGuard® VPN tunnels in Micro Edge

Overview

Micro Edge supports WireGuard® VPN to enable devices on local networks to securely access remote resources using a Virtual Private Network. If your VPN connects to a security gateway such as NG Firewall, you can route specific types of Internet traffic over the tunnel for added security, content filtering, user-based access control, and reporting.

WireGuard VPN in Micro Edge supports two types of VPN tunnels:

Client-to-site (Roaming)
The client-to-site tunnel type is useful when there are no local resources behind Micro Edge that need to be accessible from remote networks. This type of tunnel provides the most flexibility by enabling load balancing across multiple WANs for continuous access and optimal path routing. This flexibility is possible because the connection is initiated from one direction only: the remote gateway does not need to know the IP address of the Micro Edge endpoint.

Site-to-site (Tunnel)
The site-to-site tunnel type is useful when there are local resources behind Micro Edge that need to be accessible from remote networks. This type of tunnel requires the hostname or IP address of a specific WAN link to be configured on the opposing side of the VPN tunnel.

Adding a client-to-site tunnel with NG Firewall
Before creating a client-to-site VPN tunnel from Micro Edge to NG Firewall, you must configure the Roaming profile in NG Firewall. See Setting up WireGuard VPN on roaming devices for instructions. After you create the roaming profile and copy the profile, you can proceed to add the VPN tunnel in Micro Edge.

To add a Roaming type of WireGuard VPN tunnel:

  1. Navigate to Settings > Network > Interfaces.
  2. Click Add Interface and select Wireguard.
  3. Set an Interface Name to help you identify this VPN tunnel interface.
  4. In Bound to, select any WAN to let Micro Edge choose the best path. In Micro Edge version 6+, this option also enables automatic failover in case the connected WAN goes down.
  5. If you entered the local subnets behind your Micro Edge into the Remote Networks field of the NG Firewall tunnel configuration, you can disable the option to NAT outgoing traffic. This enables NG Firewall to report and set policies based on individual IP addresses behind Micro Edge.
    Note: this type of configuration may require additional licensing on your NG Firewall.
  6. Under Configuration, paste the contents of the Roaming profile. The dialog displays the parsed profile in the associated fields.
  7. Review the information and click Add to confirm the new WireGuard VPN tunnel interface.

Adding a site-to-site tunnel
You can create site-to-site VPN tunnels with other Micro Edge and NG Firewall devices. This type of configuration uses the Tunnel mode with a manual configuration.

To add a Tunnel type of WireGuard VPN tunnel:

  1. Navigate to Settings > Network > Interfaces.
  2. Click Add Interface and select Wireguard.
  3. Set an Interface Name to help you identify this VPN tunnel interface.
  4. In Bound to, select the WAN interface to service the tunnel. The IP address of the selected interface is used to generate a profile for the remote configuration.
  5. Uncheck NAT outgoing traffic if you wish to allow the remote networks to have access to the local networks.
  6. For Wireguard Type (under Local), choose Tunnel.
  7. The Listen port defaults to 51820. If you edit this value make sure your Access Rules permit this port.
  8. The Interface IP address is automatically generated. Make sure this value does not conflict with the interface IP address of the remote side. If there is a conflict, you may edit the IP address. Note that both sides may use the same subnet; however, the interface IP address must not be part of any other subnet defined on the system.
  9. The Remote configuration values (Public Key, Endpoint Address, and Endpoint Listen Port) can be copied from the remote side using its Copy to clipboard button and pasted into the designated Configuration field. Pasting the profile also fills in the Allowed IPs values.
Public key: The remote peer's WireGuard public key, used to establish the tunnel's encryption. Each peer has its own public key.
Endpoint address: The public-facing Internet IP address or hostname of the remote side of the tunnel.
Endpoint listen port: The UDP port WireGuard uses to transfer tunnel communication to the remote endpoint.
Allowed IP Addresses: The CIDR-formatted remote subnets on the opposite side of the tunnel. These values determine which destination addresses are routed via the Wireguard interface.

If the remote side is NG Firewall, see Setting up WireGuard VPN Site-to-Site Connections in NG Firewall for details.

Routing traffic over WireGuard VPN tunnels

WireGuard tunnels enable routing to other local networks in addition to full-tunnel routing of Internet-bound traffic via the remote endpoint. The distinction between local networks and Internet-bound traffic is important because the routing behavior in Micro Edge differs between the two cases.

Routing to local networks

Local networks are the remote VPN subnets defined in the Allowed IP Addresses tunnel property, excluding 0.0.0.0/0. Traffic destined to local networks bypasses WAN Rules and is sent directly via the tunnel interface.

Routing Internet traffic (full tunnel)

You can direct Internet-bound traffic via WireGuard VPN tunnels. This type of configuration is common with Roaming profiles and requires a designation of 0.0.0.0/0 in the Allowed IP Addresses tunnel property.

To route Internet-bound traffic via a WireGuard tunnel you must configure a WAN Rule to direct traffic via the WAN Policy that corresponds to the VPN tunnel. You can define a variety of conditions based on specific Internet addresses, applications, or protocols. For specific configuration and examples regarding VPN routing, refer to Routing traffic via VPN tunnels.
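The following added example (not Micro Edge's own code) shows what the "paste the profile" step and the routing section above amount to: it parses a WireGuard profile as pasted in step 9, validates the peer public key and Allowed IPs, splits the Allowed IPs into local networks versus a full-tunnel 0.0.0.0/0 entry, and runs the step 8 check that the tunnel Interface IP does not fall inside another subnet defined on the system. The profile, key (32 bytes of 0x01, base64-encoded) and subnets are constructed placeholders.

```python
"""Parse a pasted WireGuard profile and classify its AllowedIPs."""
import base64
import configparser
import ipaddress

# Constructed sample profile; the key is a placeholder, not a real key.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
Address = 10.250.0.2/24

[Peer]
PublicKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
Endpoint = vpn.example.com:51820
AllowedIPs = 10.250.0.0/24, 192.168.10.0/24, 0.0.0.0/0
PersistentKeepalive = 25
"""


def parse_profile(text):
    """Return the fields the Micro Edge dialog fills in from a pasted profile."""
    cp = configparser.ConfigParser()  # WireGuard profiles are INI-style
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    key = peer["PublicKey"]
    # A WireGuard public key is a 32-byte Curve25519 point, base64-encoded.
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError("PublicKey is not a 32-byte WireGuard key")
    host, _, port = peer["Endpoint"].rpartition(":")
    # ip_network() rejects malformed CIDR entries (strict=True also rejects host bits).
    allowed = [str(ipaddress.ip_network(n.strip())) for n in peer["AllowedIPs"].split(",")]
    return {
        "interface_ip": iface["Address"].split(",")[0].strip(),
        "public_key": key,
        "endpoint_host": host,
        "endpoint_port": int(port),
        "allowed_ips": allowed,
    }


def classify_routes(allowed_ips):
    """0.0.0.0/0 means full tunnel; every other entry is a 'local network'
    that Micro Edge routes directly via the tunnel interface, bypassing WAN Rules."""
    local = [n for n in allowed_ips if n != "0.0.0.0/0"]
    return {"full_tunnel": "0.0.0.0/0" in allowed_ips, "local_networks": local}


def interface_ip_conflicts(interface_ip, defined_subnets):
    """Step 8 check: list every defined subnet that already contains the tunnel IP."""
    ip = ipaddress.ip_interface(interface_ip).ip
    return [s for s in defined_subnets if ip in ipaddress.ip_network(s)]
```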
