I spent some time over the last few weeks getting a start on my home network and removing the ISP provided Router from the network (putting it into modem mode), so it only passes the internet to my router and does nothing else.

I previously had bought a UISP EdgeRouter 12P from Ubiquity, it has been a good Router so far. The documentation around EdgeOS could be better, it gives commands to run to make changes to the configuration but doesn’t always describe what each of the fields are or how they relate. Maybe this is something I should come to EdgeOS already knowing, as this seems like a bit of hardward that is intended for network specialists perhaps? I’m not sure.

So let’s get to the meat of this. I’ve been setting up the network with this router and a PiHole in order to have all devices on the network use this self hosted DNS so that I can block domains. I will probably document this in another post. With that setup I wanted to expand this and protect any devices that I bring out of the home e.g. phone, laptop, etc…


The EdgeOS system has a web interface that allows you to configure all the things, it is a decent interface and I’ve been able to work my way around it for the most part. It does have built in support for PPTP Remote Access and IPsec Site-to-Site, but I don’t know the details of these and they seem like a bit much for setting up on a phone and laptop.

Enter WireGuard

So I was aware of WireGuard as a VPN from a friend, he had done a similar setup with his network and used WireGuard. So I had a look around to see what was available if anything. Thankfully the community has provided for this: WireGuard/wireguard-vyatta-ubnt.

This project supplies the required .deb file to install wireguard on the ER12P using the E300 release. This has support for the ER4, ER6P and ER12. I took the chance that the ER12P and the ER12 were not so disimilar as to break the package. So far this has held true.

Installing WireGuard

In order to install WireGuard you will need to be able to ssh onto the Router. You should be able to use the default login details or, if you created your own user and deleted the default, you should be able to use your user details.

❯ ssh user@router
  _____    _
 | ____|__| | __ _  ___          (c) 2010-2020
 |  _| / _  |/ _  |/ _ \         Ubiquiti Networks, Inc.
 | |__| (_| | (_| |  __/
 |_____\__._|\__. |\___|

Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default, and agree to be bound by its terms.

user@router password: 
Linux er12p 4.9.79-UBNT #1 SMP Thu Jun 30 07:03:20 UTC 2022 mips64
Welcome to EdgeOS

The previously linked install guide describes what is needed in order to install and setup WireGuard on EdgeOS. I will outline some of that here. First thing we need to do is download and install the .deb package, replacing the envvar values as required:

user@router:~$ export RELEASE=1.0.20220627 BOARD=e300-v2 MODULE=1.0.20210914
user@router:~$ curl -OL${RELEASE}-1/${BOARD}-v${RELEASE}-v${MODULE}.deb
user@router:~$ sudo dpkg -i ${BOARD}-v${RELEASE}-v${MODULE}.deb

Configuring WireGuard and EdgeOS

We are now installed and can configure WireGuard to allow connections from clients. These clients are identified by a private and public key pair, the public key is used as part of the configuration, which we will go through now. First let’s setup the key pair for our Router:

user@router:~$ wg genkey | tee /config/auth/wg.key | wg pubkey > /config/auth/wg.public

With this keypair we can now setup the config for WireGuard in EdgeOS. We’ll need to enter the configure mode, run a few set commands and finally commit, save and exit:

user@router:~$ configure
# Let's set the address subent for the wireguard interface wg0
# The IP in the subnet is where the router will live for this subnet, in this
# example that is
user@router:~$ set interfaces wireguard wg0 address
# This is the port wireguard is listening on
user@router:~$ set interfaces wireguard wg0 listen-port 51820
user@router:~$ set interfaces wireguard wg0 route-allowed-ips true
# We also need to set the private key we generated as part of this interface
user@router:~$ set interfaces wireguard wg0 private-key /config/auth/wg.key
# We need to allow access to the WireGuard Interface port in our Firewall, make
# sure to set $RULE_NUMBER to something that does not conflict with an existing
# rule or it will be over written
user@router:~$ set firewall name WAN_LOCAL rule $RULE_NUMBER action accept
user@router:~$ set firewall name WAN_LOCAL rule $RULE_NUMBER protocol udp
user@router:~$ set firewall name WAN_LOCAL rule $RULE_NUMBER description "WireGuard VPN"
user@router:~$ set firewall name WAN_LOCAL rule $RULE_NUMBER destination port 51820
# Finally let's save all these changes
user@router:~$ commit
user@router:~$ save
user@router:~$ exit

Now that WireGuard is setup on the Router we should add our first client, to do this we’ll need to get the public key from a client. If you don’t already have one we’ll need to create one. I’ll work with the Android app here, we’ll create a new WireGuard tunnel:

Create WireGuard Tunnel

So we’re creating a new Tunnel with the name home-network, creating a Private and Public key, setting the IP Address that this client will have and if you have your own DNS Server, such as a pi-hole you can set the IP address for that in here. Next you will want to copy the Public key and create an entry for this in your Router config, this can be done as follows:

user@router:~$ configure
# Now we're going to add our first client device. This device will be able
# to connet to the internal network from outside by establishing a VPN connection
# to the Public IP with the above listen-port. Replace $PUBLIC_KEY_ID with the
# public key for your client device e.g. kaxZYUOQZVPpu/rhiUK0Rc2L3DWGld7omTu6ZhOGk3Y=
user@router:~$ set interfaces wireguard wg0 peer $PUBLIC_KEY_ID description "My Phone when outside"
user@router:~$ set interfaces wireguard wg0 peer $PUBLIC_KEY_ID allowed-ips
# And save changes
user@router:~$ commit
user@router:~$ save
user@router:~$ exit

Finally on our client device we need to setup a Peer which will be the Router. For this we’ll need the Public IP (or a domain if you have one associated with your public ip) and the Port we’ve setup WireGuard to use.

WireGuard Tunner Peer

So enter the public key you generated earlier when setting up the router: /config/auth/wg.public Then enter the Public IP (or domain) and Port in the Endpoint field and finally set the Allowed IPs to the value you would like, if you want all traffic to run through your home network set this value to You can also have IPv6 address run through this by adding , ::/0 to the field. Now all traffic will go through this connection. However you could limit this, if you instead only want traffic local to your home network to go through you can set this to a range that encompases this e.g., now everything else will use your devices public connection for anything outside of this range.

You can get pretty complex with AllowedIPs and this website will help you to calculate the setting if you need more than a simple range.


This is a great setup if you want to have access to your home-network while out and about. I’ve been using it now for few weeks and having this enabled and my DNS queries running thought the pi-hole, reducing the ads and tracking that generally follow you around the internet has been great. It’s also really useful to be able to access devices at home if needed, so far I have this on my phone, but I will be setting it up on my Laptop. So while I generally do not go out and use my laptop, with this setup I can see myself being a bit more likely to do that.

I hope this has been of use, it’s good to have it documented here for myself.