
Applicable Products

Part number                Description
QUARTZ-GOLD-21-5G (GL)     Dual Port Gigabit Ethernet Industrial Router
QUARTZ-GOLD-W21-5G (GL)    Dual Port Gigabit Ethernet Industrial Router with dual Wi-Fi
QUARTZ-ONYX-GW42-5G (GL)   Quad Port Gigabit Ethernet Industrial Router with dual Wi-Fi and GPS
QUARTZ-ONYX-W42-5G (GL)    Quad Port Gigabit Ethernet Industrial Router with dual Wi-Fi

This document will use ‘QUARTZ 5G router’ to mean any of the above routers.

Objective

This application note sets out how to configure and use a QUARTZ 5G router as a WireGuard client, with the WireGuard server to which it connects running on another platform. Many hosted VPN services, such as Surfshark, NordVPN and PureVPN, use WireGuard, and some, such as Mullvad and Mozilla VPN, offer no VPN protocol other than WireGuard.

The most likely reason a VPN will be used in the context of an industrial router is to allow secure remote access to a corporate network. The reader is reminded that the WireGuard VPN secures only the path between the QUARTZ 5G router and the remote WireGuard server. If Wi-Fi is used to connect devices to the router, that part of the transmission path is not secured by the VPN. Siretta therefore recommends using a cabled connection between the QUARTZ 5G router and the devices connected to it (the router's clients) when using a VPN, to minimise the possibility of this link being intercepted or monitored.

The way WireGuard works makes setting up and using a VPN tunnel straightforward, and this application note guides the user through that process.

Solution

Originally developed for Linux in 2019, WireGuard now supports all major operating systems, including Windows, macOS, iOS and Android. Its footprint is small (around 4,000 lines of code), making it easy to embed into applications. It is UDP based and works by creating secure layer 3 network tunnels.

Note: When setting up a VPN on a QUARTZ 5G router, a setup error could lock the user out of the router. This can be resolved with the reset switch on the unit, but the router will then be back at factory settings and the non-VPN parts of the configuration must be set up again. Before altering the VPN settings, it is suggested that the current working settings be saved as the user default configuration. A press of the reset switch will then cause a hardware reboot with the current settings.

For clarification, the result of pressing the reset switch on the QUARTZ 5G router depends on the duration of the press:
• 2-10 seconds: router reboots with current settings.
• 10-30 seconds: router reboots with the custom reset configuration loaded.
• 30 or more seconds: router reboots with the factory default configuration loaded.


Starting Point

This application note assumes that the user has connected the QUARTZ 5G router to the Internet (via cellular, WAN or Wi-Fi) but that otherwise the router is at factory default settings.

Since the QUARTZ 5G router will be set up as the client, it does not need a fixed IP address. If the WireGuard tunnel uses the cellular network to obtain an Internet connection, a regular SIM card with a suitable data allowance may be used. However, the public IP address of the WireGuard server to which the QUARTZ 5G router is establishing a VPN tunnel must be known.

Note: The settings shown in the screenshots are real and were used to configure a real tunnel for this application note. However, please do not copy them: the VPN tunnel has since been deleted from our server, and our public IP address has been masked for security reasons.

QUARTZ 5G router WireGuard client settings

Find the QUARTZ 5G router WireGuard setup page by navigating to VPN Tunnel > Wireguard:

Enable WireGuard VPN and set the mode to client as shown above, and press save to store the settings.

To set up the WireGuard VPN tunnel, settings for the following fields need to be obtained and populated:

QUARTZ 5G Router field   Description
Peer IP/Port             WireGuard server IP address and port
Local Key                WireGuard client private key
Local IP/Mask            WireGuard client VPN tunnel IP address and mask
Peer Key                 WireGuard server public key
Preshared key            Optional key to further improve on the default security
Persistent Keepalive     Interval in seconds between keepalive packets. Used when the WireGuard tunnel passes through NAT or stateful firewalls, to keep the connection alive.

All of the above settings will be derived from the WireGuard server configuration.

Once the WireGuard VPN tunnel has been set up, the routes using the WireGuard VPN tunnel need to be set up. No traffic will use the VPN tunnel unless instructed to do so. The following fields need to be considered and populated to meet the user’s routing requirements:

QUARTZ 5G Router field   Description
Allowed IPS              List of IP addresses, separated by commas, that are permitted to access the WireGuard VPN tunnel
Peer Subnet IP/Mask      List of IP addresses/subnets routed through the WireGuard tunnel

Note: The settings for each WireGuard VPN tunnel are unique and must not be used for more than one tunnel. So, if a WireGuard Server has six clients, then there must be six unique sets of keys and tunnel IP addresses.

Obtaining the WireGuard VPN tunnel settings

There are many platforms on which a WireGuard server can run, so it is impossible to detail how the settings are obtained from every system. Siretta uses a Unifi Dream Machine Pro, so this application note demonstrates the process of obtaining the WireGuard VPN tunnel settings required to set up a QUARTZ 5G router WireGuard client from that platform. Most WireGuard servers generate a configuration file for the client when the tunnel is created, and the Unifi Dream Machine Pro is typical of these.

Unifi Dream Machine Pro as WireGuard VPN server

To add a new client to an existing setup, navigate to the screen shown and click the ‘Add Client’ button to add a new client:

In the Add WireGuard Client window that pops up, add a name for the tunnel (the default name is client <n>). The keys and other connection information are generated automatically (it is also possible to select Manual and set these yourself, which is not recommended). Download the configuration file and then click ‘Add’ to finalise this tunnel configuration. Add any further WireGuard VPN tunnels required, then click ‘Apply Changes’ at the bottom to save all the tunnel configurations added. Only once the changes have been applied are the tunnels stored and active; otherwise the additions will be lost.

The (.conf) configuration file downloaded from the Unifi Dream Machine Pro WireGuard server is of this format:

[Interface]
PrivateKey = IKlCPSFUN41JH1urIrwqqdrC0tNMW0yrMW6rBRux+HA=
Address = 192.168.3.5/32
DNS = 192.168.3.1

[Peer]
PublicKey = iE0fY8Iws5w3pLK9v0TDA/Psp+RypjYb5D4SEXrTZWs=
AllowedIPs = 192.168.3.1/32,192.168.3.5/32,0.0.0.0/0
Endpoint = <Public IP address hidden>:51822

Other WireGuard servers will produce configuration files of similar format.

Here is how the fields from this file map to QUARTZ 5G router WireGuard client configuration fields:

Configuration file       QUARTZ 5G router WireGuard client field
[Interface] PrivateKey   Local Key
[Interface] Address      Local IP/Mask
[Peer] PublicKey         Peer Key
[Peer] Endpoint          Peer IP/Port
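As an added example (not Siretta's or Ubiquiti's code), the following Python script reads a client .conf file in the format shown above and produces the value to enter in each QUARTZ 5G router field, with basic sanity checks on the address and endpoint. The sample configuration is constructed: the keys are placeholders and the endpoint uses a documentation address.

```python
import configparser
from ipaddress import ip_interface

# Constructed sample in the layout of the Unifi Dream Machine Pro .conf above.
# Keys are placeholders, not real key material; the endpoint is a documentation address.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client private key>
Address = 192.168.3.5/32
DNS = 192.168.3.1

[Peer]
PublicKey = <server public key>
AllowedIPs = 192.168.3.1/32,192.168.3.5/32,0.0.0.0/0
Endpoint = 203.0.113.10:51822
"""

# (section, key) in the .conf file -> QUARTZ 5G router WireGuard client field
FIELD_MAP = {
    ("Interface", "PrivateKey"): "Local Key",
    ("Interface", "Address"): "Local IP/Mask",
    ("Peer", "PublicKey"): "Peer Key",
    ("Peer", "Endpoint"): "Peer IP/Port",
}


def quartz_fields(conf_text: str) -> dict:
    """Map a WireGuard client .conf to the QUARTZ 5G router client fields."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: PrivateKey, not privatekey
    parser.read_string(conf_text)
    fields = {}
    for (section, key), field in FIELD_MAP.items():
        if not parser.has_option(section, key):
            raise ValueError(f"missing [{section}] {key} in configuration file")
        fields[field] = parser.get(section, key).strip()
    # Local IP/Mask must be an address with a prefix length, e.g. 192.168.3.5/32
    ip_interface(fields["Local IP/Mask"])
    # Peer IP/Port must be of the form host:port
    host, sep, port = fields["Peer IP/Port"].rpartition(":")
    if not (sep and host and port.isdigit()):
        raise ValueError("Endpoint must be of the form host:port")
    # The router sits behind NAT, so use the keepalive value this note recommends
    fields["Persistent Keepalive"] = "25"
    return fields


if __name__ == "__main__":
    for field, value in quartz_fields(SAMPLE_CONF).items():
        print(f"{field:22} {value}")
```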

Persistent Keepalive

The WireGuard protocol does not normally send any packets unless there is data to send; there is no periodic chatter of any sort. Where there is no firewall or NAT between the two ends, this works fine. The QUARTZ 5G router, however, has a firewall and uses NAT, so it must keep track of connections, and the state entry for an idle connection is discarded after a timeout. To prevent the connection being closed when there is no traffic, the Persistent Keepalive field needs a setting that generates some data to keep the connection open.

The recommended value to enter for this field is 25 (meaning send a keepalive packet every 25 seconds). Setting Keepalive to 0 turns keepalive packets off.

Routing traffic through the WireGuard VPN tunnel

Creating a WireGuard VPN tunnel does not mean that data will automatically be routed through it. By default, no traffic passes through the WireGuard VPN tunnel unless rules are created to make this happen. Two settings control this routing: Allowed IPS and Peer Subnet IP/Mask.

Allowed IPS

This is an outgoing traffic firewall. Unless there is a very special set of circumstances, this field should be populated with 0.0.0.0/0, which means that all IP traffic is allowed to egress the router. Traffic being allowed to egress the router does not mean that it will egress through the WireGuard VPN tunnel; Peer Subnet IP/Mask controls that.

Peer Subnet IP/Mask

This defines the traffic that will pass through the WireGuard VPN tunnel. There are two cases for the WireGuard VPN tunnel:
• Passing all traffic through the tunnel.
• Passing only the traffic intended for the corporate network running the WireGuard server.

To pass all traffic through the WireGuard VPN tunnel, use 0.0.0.0/0 for the Peer Subnet IP/Mask field. All IP traffic then passes through the WireGuard VPN tunnel, and the routing rules of the WireGuard VPN server gateway apply to it after it has traversed the tunnel. In most situations this means that QUARTZ 5G router traffic reaching the Internet through the tunnel will appear to originate from the WireGuard VPN server's public IP address (i.e. the Peer IP address entered in the WireGuard client setup).

To pass only corporate network traffic down the VPN tunnel, enter the IP address/mask of the corporate network subnet(s) here. If multiple subnets need to be specified, separate them with a comma and make sure there are no spaces in the string. The IP address of the VPN tunnel itself should be included. For the example configuration, where the IP address of the VPN tunnel is 192.168.3.5, entering 192.168.3.5/32 would route only traffic for 192.168.3.5 down the VPN tunnel. If the overall corporate network uses the larger 10.0.0.0 subnet, entering 192.168.3.5/32,10.0.0.0/8 would route 192.168.3.5 and any 10.0.0.0 address (10.0.0.0 to 10.255.255.255) through the VPN tunnel. Any other IP address would be routed according to the 5G router's routing table, and Internet traffic would appear to originate from the 5G router's WAN connection (usually the public IP address of the cell tower it is connected to).
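To make the routing cases above concrete, here is an added Python example (not part of the original note) that applies a Peer Subnet IP/Mask value to a destination address and reports whether that traffic leaves via wg0 or via the router's WAN. It also performs the checks the paragraph calls for: no spaces in the list, valid CIDR entries, and the tunnel IP included. The tunnel IP and the 10.0.0.0/8 corporate subnet are taken from the example configuration; 198.51.100.7 is a documentation address standing in for an Internet host.

```python
from ipaddress import ip_address, ip_network

TUNNEL_IP = "192.168.3.5"  # VPN tunnel IP from the example configuration


def parse_peer_subnets(value: str) -> list:
    """Parse the Peer Subnet IP/Mask field: CIDR entries separated by commas, no spaces."""
    if " " in value:
        raise ValueError("Peer Subnet IP/Mask must not contain spaces")
    if not value:
        return []
    # strict=True rejects entries such as 10.0.0.1/8 whose host bits are set
    return [ip_network(item, strict=True) for item in value.split(",")]


def tunnel_ip_included(value: str, tunnel_ip: str = TUNNEL_IP) -> bool:
    """Check that the tunnel IP itself is covered by the list, as this note requires."""
    return any(ip_address(tunnel_ip) in net for net in parse_peer_subnets(value))


def route_for(value: str, destination: str) -> str:
    """Return 'wg0' if the destination is routed through the tunnel, otherwise 'wan'."""
    dst = ip_address(destination)
    return "wg0" if any(dst in net for net in parse_peer_subnets(value)) else "wan"


if __name__ == "__main__":
    # The three cases described in this note, checked against three destinations
    cases = {
        "all traffic": "0.0.0.0/0",
        "tunnel IP only": "192.168.3.5/32",
        "tunnel IP and 10.0.0.0/8": "192.168.3.5/32,10.0.0.0/8",
    }
    destinations = ("192.168.3.5", "10.20.30.40", "198.51.100.7")
    for name, value in cases.items():
        routes = [route_for(value, d) for d in destinations]
        print(f"{name:26} tunnel IP included={tunnel_ip_included(value)} routes={routes}")
```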

Demonstration of Solution

Example: All traffic down the WireGuard VPN tunnel

Configure the QUARTZ 5G router as below. Keys and IP addresses are those from the server configuration examples – please replace with settings from your WireGuard VPN server. Remember to click ‘save’ to apply the settings.

The routing table shows the local subnet 192.168.1.0/24 routed to the local LAN port; 10.74.176.205 is the gateway (shown on the router status page); and all other traffic following the default route to the WireGuard interface, wg0.

Example: VPN tunnel IP address traffic only down WireGuard VPN tunnel

Configure the QUARTZ 5G router as below. Keys and IP addresses are those from the server configuration examples – please replace with settings from your WireGuard VPN server. Remember to click ‘save’ to apply the settings.

The routing table shows the local subnet 192.168.1.0/24 routed to the local LAN; 192.168.3.5 routed to the WireGuard interface wg0; and 10.74.176.205 is the gateway (shown on the router status page).

Example:10.0.0.0/8 and VPN tunnel IP address traffic only down WireGuard VPN tunnel

Configure the QUARTZ 5G router as follows. Keys and IP addresses are those from the server configuration examples – please replace with settings from your WireGuard VPN server. Remember to click ‘save’ to apply the settings.

The routing table shows the local subnet 192.168.1.0/24 routed to the local LAN; 192.168.3.5 and 10.0.0.0/8 routed to the WireGuard interface wg0; and 10.74.176.205 is the gateway (shown on the router status page).

Additional Reading

Description                                   Author
WireGuard Website                             WireGuard
QUARTZ-GOLD-5G Software Manual                Siretta Ltd
QUARTZ-ONYX Software Manual                   Siretta Ltd
Unifi Dream Machine Pro web site              Ubiquiti
Unifi Help Centre – WireGuard VPN Server      Ubiquiti

Appendix 1: WireGuard Protocol Explanation

WireGuard is a protocol that implements, in a simple yet secure manner, a VPN tunnel operating at layer 3 (the network layer) of the OSI model.

With WireGuard, the ports used at each end of the tunnel are always the same. The port used is specified as part of the WireGuard server setup.
