Wireguard VPN

I have gotten the Wireguard VPN to work with my Unifi router when my Windows laptop was at home and the Unifi network was at church. I could PING devices on the Unifi network from my Windows laptop at home.

But the real user will be an iMac user at their house. They cannot seem to get it to work. Not sure why. I don't have an iMac to try myself.

I am asking if they already have a VPN running.
 
I would suggest you look at Tailscale. It uses the wireguard protocol, but makes the connection setup very easy.

You can install it on each machine that you want to connect to, and Tailscale automatically makes a vpn tunnel to each device on your “tailnet.” You can also reach devices that don’t have it installed directly by using subnet routing.

I use it for tech support at my parents’ house. I have a machine there for off-site backups, and Tailscale lets me connect to their machines through my machine as if I’m on their lan.

If you look into Tailscale, I recommend you read up on these items - advertise subnet routes, accept routes, and MagicDNS.
 
This will be greatly simplified if the church LAN is a different IP subnet than the iMac user's home LAN. Then they would have a /24 route to church machines, and still use their regular ISP and/or VPN for everything else. There is nothing wrong with raw Wireguard if one of the ends has a public IP address for the incoming encrypted packets.
 
> This will be greatly simplified if the church LAN is a different IP subnet than the iMac user's home LAN. Then they would have a /24 route to church machines, and still use their regular ISP and/or VPN for everything else. There is nothing wrong with raw Wireguard if one of the ends has a public IP address for the incoming encrypted packets.

The church has many VLANs. The lowest one is 192.168.2.0. Most home networks are either 192.168.0.0 or 192.168.1.0.
 
Yes but the lady at home should only have access to one of them, and preferably only the one machine that she will be working on.

My point still stands that when things "don't work" you need to actively investigate and rule out potential causes, not just guess.
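As an added example (not code from this thread or from Unifi/WireGuard), a small Python helper that builds the home user's WireGuard [Peer] AllowedIPs the way the last few posts describe: a /32 for just the church iMac instead of the whole /24, plus a check that no route collides with the home LAN (a collision is one of the "things don't work" causes worth ruling out). The addresses, endpoint and key placeholders are assumptions.

```python
# Added example: render a split-tunnel WireGuard client config for a home
# user and refuse routes that overlap the home LAN. All addresses below
# are constructed placeholders, not values from the thread's network.
import ipaddress

HOME_LAN = "192.168.1.0/24"        # a typical home LAN (192.168.0.0 or 192.168.1.0 per the thread)
CHURCH_IMAC = "192.168.2.50/32"    # assumed address of the one church iMac she needs
CHURCH_VLAN = "192.168.2.0/24"     # lowest church VLAN mentioned; broader than needed


def overlapping_routes(allowed_ips, home_lan):
    """Return the AllowedIPs entries that overlap the home LAN.

    An overlapping route either never wins against the local subnet or
    pulls local traffic into the tunnel, so both are rejected. A full-tunnel
    0.0.0.0/0 entry overlaps by definition and is reported too.
    """
    home = ipaddress.ip_network(home_lan, strict=False)
    return [cidr for cidr in allowed_ips
            if ipaddress.ip_network(cidr, strict=False).overlaps(home)]


def client_config(allowed_ips, home_lan, endpoint="vpn.example.org:51820"):
    """Render a least-privilege client config; raise on overlapping routes."""
    bad = overlapping_routes(allowed_ips, home_lan)
    if bad:
        raise ValueError(f"AllowedIPs overlap the home LAN {home_lan}: {bad}")
    return "\n".join([
        "[Interface]",
        "PrivateKey = <client-private-key>",   # placeholder, generated per user
        "Address = 10.7.0.2/32",               # assumed tunnel address for this user
        "",
        "[Peer]",
        "PublicKey = <router-public-key>",     # placeholder for the Unifi router's key
        f"Endpoint = {endpoint}",              # assumed public address of the church router
        "AllowedIPs = " + ", ".join(allowed_ips),  # only these subnets go through the tunnel
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    # Preferred: route only the single iMac, leaving everything else on the home ISP.
    print(client_config([CHURCH_IMAC], HOME_LAN))
```

Swapping `CHURCH_IMAC` for `CHURCH_VLAN` gives the whole-/24 variant discussed earlier; using a home LAN of 192.168.2.0/24 makes the check fail, which is exactly the case where the user would otherwise report "it doesn't work".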
 
> I have gotten the Wireguard VPN to work with my Unifi router when my Windows laptop was at home and the Unifi network was at church. I could PING devices on the Unifi network from my Windows laptop at home.
>
> But the real user will be an iMac user at their house. They cannot seem to get it to work. Not sure why. I don't have an iMac to try myself.
>
> I am asking if they already have a VPN running.

Is she using the integrated MacOS VPN client? If so, she'll most likely need to check the box under Advanced "Send all traffic over VPN connection" as with some VPN types, it doesn't properly negotiate split tunnelling (the proper routes don't populate) and so the far side network subnets are never added to the routing table, making them inaccessible. By forcing all the traffic through the VPN, this overcomes this issue.
 
> Is she using the integrated MacOS VPN client? If so, she'll most likely need to check the box under Advanced "Send all traffic over VPN connection" as with some VPN types, it doesn't properly negotiate split tunnelling (the proper routes don't populate) and so the far side network subnets are never added to the routing table, making them inaccessible. By forcing all the traffic through the VPN, this overcomes this issue.

I do not see anything that mentions VPN under advanced.
 
It's only if she's using the integrated Mac OS VPN client, is she?
That's it, the need is for a few people to access an iMac at church from home. So I cannot see or ask what they have on their iMac at home; they may not know, or cannot navigate to figure it out.

Would things be the same on a MacBook or iMac? I am tempted to buy a used one and get it working for myself. Then help others.

Could I try things out on an iPad? Does that look close to an iMac as far as operating system and settings go? I can get my hands on an older iPad.
 
Is their client failing to ping the church network and is the church on their own domain?
 
> That's it, the need is for a few people to access an iMac at church from home. So I cannot see or ask what they have on their iMac at home; they may not know, or cannot navigate to figure it out.
>
> Would things be the same on a MacBook or iMac? I am tempted to buy a used one and get it working for myself. Then help others.

Yes, the settings are the same across all the Apple computers.

> Could I try things out on an iPad? Does that look close to an iMac as far as operating system and settings go? I can get my hands on an older iPad.

No, the settings are different on an iPhone or iPad.


Here are a few screenshots to show you what the integrated VPN setup on the Mac looks like:

1. Under System Preferences, go to "Network", which looks like this, and you'll see something similar to the below when you select the VPN connection:
[Screenshot: Network preferences pane with the VPN connection selected]

2. In the bottom right corner, there's "Advanced...", which brings up this window:
[Screenshot: the "Advanced..." window for the VPN connection]


Where the option to "Send all traffic over VPN connection" is available.
 
A bit off topic but from my experience running a vpn server, wireguard is significantly faster than openvpn. I really like it.
 
So if I were to buy a used MacBook to help me figure things out and then tell others what they need to do, can I buy a 2012 or 2013 one? Can a 10 year old one be upgraded to the current level of operating system? I am willing to toss in $300 to get this working.
 
> So if I were to buy a used MacBook to help me figure things out and then tell others what they need to do, can I buy a 2012 or 2013 one? Can a 10 year old one be upgraded to the current level of operating system? I am willing to toss in $300 to get this working.


If you want to check for previous (but some still updated versions) look here:

 
if you're willing to put $300 into this, then just rent a macos VM/VPS and save yourself much more expense
 
> So if I were to buy a used MacBook to help me figure things out and then tell others what they need to do, can I buy a 2012 or 2013 one? Can a 10 year old one be upgraded to the current level of operating system? I am willing to toss in $300 to get this working.

Yes, the VPN client (the built-in one) is the same on MacOS versions.

If you are worried about running a "current" version of MacOS, check to confirm that OCLP (Open Core Legacy Patcher) will facilitate that on the unit you are looking at. There are some caveats, particularly with Sonoma and Ventura, where the focus really shifted to the M-series CPU support and away from Intel. I'm still running Monterey on my old Mac Pro 5,1 at this juncture for that reason.
 
> Yes, the VPN client (the built-in one) is the same on MacOS versions.
>
> If you are worried about running a "current" version of MacOS, check to confirm that OCLP (Open Core Legacy Patcher) will facilitate that on the unit you are looking at. There are some caveats, particularly with Sonoma and Ventura, where the focus really shifted to the M-series CPU support and away from Intel. I'm still running Monterey on my old Mac Pro 5,1 at this juncture for that reason.

So how old a MacBook laptop can I get and still be able to try setting up Wireguard and screen sharing with an iMac at church? Once I get this working I will sell the MacBook, I guess.
 
> So how old a MacBook laptop can I get and still be able to try setting up Wireguard and screen sharing with an iMac at church? Once I get this working I will sell the MacBook, I guess.

I just did a quick search and it looks like there's a "client" that you use with Wireguard and the setup is similar to Linux:
 
Is there a reason to use wireguard when you could use teleport with the unifi gear?

Wifiman app would need to be installed.. they have android, mac, and windows.

I use it on my phone most of the time because work wifi blocks a ton of sites including at random times bitog.

It's 1 click.
[Screenshot: the one-click Teleport connection in the WiFiman app]


UniFi Gateway - Teleport VPN

Teleport is a zero-configuration VPN that allows you to instantly connect to your UniFi network from a remote location. Users with a Next-Gen gateway or UniFi Cloud Gateway running UniFi OS can access it from Network Settings > Teleport & VPN.

How Does it Work?

After enabling Teleport, you can generate an invitation and share it with your desired recipient. If the recipient already has the WiFiman Mobile App (iOS / Android) or WiFiman Desktop installed, the invitation will automatically add the VPN to the app. If not, the invitation will prompt the user to install the app. Once installed, the invitation will add the Teleport VPN when it is clicked again.
Once the recipient has accepted the Teleport invitation, they can easily and securely access the UniFi network remotely, at any time.
 
First you should take your Mac to the church location and confirm that you are able to remote between the two while they are on the same LAN. Then look at the VPN.

Within the realm of traditional VPNs where both ends are locally manually controlled, Wireguard is remarkably simple.
 