# VPN Setup

## WireGuard VPN Configuration

### UniFi Gateway Settings

- VPN Type: WireGuard
- Name: vpn-srv-zrh-01
- Server Address: 192.168.1.100 (WAN1)
- Port: 51820
- Alternate Address: vpn.microsoftlab.ch (for clients)
- Gateway/Subnet: 10.60.60.1/24
- Usable IPs: 253
- IP Range: 10.60.60.2 - 10.60.60.254
- DNS Server 1: 10.30.30.15
- DNS Server 2: 10.30.30.10

### Configured Clients

| Name | Interface IP |
|---|---|
| HP Elitebook | 10.60.60.2 |
### Client Configuration (Example)

```ini
[Interface]
PrivateKey = <client-private-key>
Address = 10.60.60.2/32
DNS = 10.30.30.15, 10.30.30.10
MTU = 1280

[Peer]
PublicKey = ruj9vpJW/PaYvkBLdztqBdcoh0VQpBy+m5Qduxmxv1k=
AllowedIPs = 10.1.1.1/24, 10.10.10.0/24, 10.30.30.0/24, 10.40.40.0/22, 10.50.50.0/24, 10.60.60.1/32
Endpoint = vpn.microsoftlab.ch:51820
```

### AllowedIPs Explanation

| Network | Purpose |
|---|---|
| 10.1.1.1/24 | Default VLAN (UniFi devices) |
| 10.10.10.0/24 | Management VLAN |
| 10.30.30.0/24 | Server VLAN |
| 10.40.40.0/22 | Client VLAN |
| 10.50.50.0/24 | DMZ VLAN |
| 10.60.60.1/32 | VPN Gateway only |
Note: this is a split-tunnel configuration; only traffic for the internal networks listed above goes through the VPN, everything else leaves the client directly.
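An added check (example code, not part of the original page) that parses the client configuration above and verifies the split-tunnel intent: no default route in AllowedIPs, every configured DNS server reachable through a tunnelled prefix, and no prefix with host bits set. The embedded sample config is constructed from the page's values; the private key is a placeholder.

```python
import ipaddress

# Constructed sample mirroring the client configuration on this page (key is a placeholder).
CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.60.60.2/32
DNS = 10.30.30.15, 10.30.30.10
MTU = 1280

[Peer]
PublicKey = ruj9vpJW/PaYvkBLdztqBdcoh0VQpBy+m5Qduxmxv1k=
AllowedIPs = 10.1.1.1/24, 10.10.10.0/24, 10.30.30.0/24, 10.40.40.0/22, 10.50.50.0/24, 10.60.60.1/32
Endpoint = vpn.microsoftlab.ch:51820
"""

def parse_wg_conf(text):
    """Minimal INI-style parser: returns {section: {key: value}} (one section of each kind)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_split_tunnel(text):
    """Return a list of findings; an empty list means the config matches the split-tunnel intent."""
    conf = parse_wg_conf(text)
    iface, peer = conf["Interface"], conf["Peer"]
    raw_allowed = [a.strip() for a in peer["AllowedIPs"].split(",")]
    allowed = [ipaddress.ip_network(a, strict=False) for a in raw_allowed]
    findings = []
    # Split tunnel means no default route (0.0.0.0/0 or ::/0) is sent through the tunnel.
    if any(n.prefixlen == 0 for n in allowed):
        findings.append("full tunnel: default route present in AllowedIPs")
    # Every DNS server must be routed via the tunnel, or internal names will not resolve.
    for dns in filter(None, map(str.strip, iface.get("DNS", "").split(","))):
        ip = ipaddress.ip_address(dns)
        if not any(ip in n for n in allowed):
            findings.append(f"DNS server {ip} not covered by AllowedIPs")
    # A prefix with host bits set is ambiguous; flag it so the intended network is confirmed.
    for raw, net in zip(raw_allowed, allowed):
        if raw != str(net):
            findings.append(f"{raw} has host bits set; effective network is {net}")
    return findings
```

Run against the page's own configuration, the only finding is the 10.1.1.1/24 entry, whose network form is 10.1.1.0/24.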
### Port Forwarding (ISP Router)

Required for external VPN access:

- External Port: 51820
- Protocol: UDP
- Internal IP: 192.168.1.100 (UniFi Gateway WAN)
- Internal Port: 51820

### NAT Loopback Issue

When connecting from inside the network using the external DNS name (vpn.microsoftlab.ch), NAT loopback may not work on all ISP routers.

#### Workaround

Use the internal DNS name or IP address when inside the network and the external DNS name when outside.