We can connect our UniFi network to a VPN provider to route all our internet traffic through a VPN. One of the best VPN providers that you can use for this is NordVPN. It has been one of the best providers for several years, but there is one challenge.
When we talk about VPN connections, one of the best protocols to use is WireGuard. It’s faster and lighter, so it doesn’t use that many resources from your UniFi Cloud Gateway. The only problem is that NordVPN doesn’t provide WireGuard configuration files.
In this article
In this article, I will show you how to create your own WireGuard configuration file to use NordVPN as the VPN provider for your UniFi network.
Requirements
There are already several guides on the internet that show you how to do this, but they all use a Linux system to generate the file. We are going to use Windows instead, to make it a little bit easier.
To create the configuration file, we need to have the NordVPN client installed and the WireGuard Client installed. We are also going to create an access token, but I will show you all the steps for that.
Further down in the article, you will find a complete PowerShell script that you can run to create the configuration file.
NordVPN WireGuard Configuration File
NordVPN does offer configuration files, but those are for OpenVPN. The downside of OpenVPN is that it requires more resources, resulting in a slower connection. The WireGuard protocol is a lot lighter which results in a faster connection.
NordVPN has rebranded its WireGuard protocol to NordLynx. So when you see NordLynx in this article, we are actually talking about WireGuard.
To add a WireGuard connection in UniFi Network, we can use a configuration file or enter all the details manually. In this case, we need to use PowerShell to get all the information from NordVPN, so we can create the configuration file as well. This makes adding the connection a lot easier.
I have aligned the steps below with the steps in the PowerShell script. This way you can check and understand what the script does.
Step 1 – Install & Configure the NordVPN Client
To create the configuration file, we will need to install the NordVPN client. Simply download and install the normal client for your operating system. For Windows, they also offer an OpenVPN client, but we don’t need that one.
Once you have the client installed, we need to change the preferred VPN Type in the settings. By default, this is set to Auto, but we want to make sure that NordVPN is connected using the WireGuard protocol.
Open the client, go to Settings > Connection, and set the VPN protocol to NordLynx.
Step 2 – Create an Access Token
To create the WireGuard configuration file manually, we will need to obtain our PrivateKey. This key is used to authenticate the connection (we can’t use our username and password for this). To get the private key, we will need an access token first.
- Open https://my.nordaccount.com/dashboard/nordvpn/manual-configuration/
- Click on Set up NordVPN Manually (you will need to re-authenticate)
- Click on Generate New Token
- Set the token to Doesn’t Expire and click on Generate token
- Copy the token and paste it into Notepad or Word for now. We will need it later.
Step 3 – Install the WireGuard Client
To get all the necessary information for the configuration file we will need to install the WireGuard Client. With the client installed, and NordVPN connected, we can read out all the information we need.
You only have to download and install the WireGuard client for now.
Step 4 – Connect NordVPN
We now have everything set up to create the configuration file. Before we continue, we need to connect the NordVPN client to the VPN server we want to use. Pick a server and connect the NordVPN client.
Step 5 – Get the Private Key
For the next steps, we are going to use PowerShell. It is important that you open PowerShell in elevated (admin) mode. Without admin mode, the WireGuard client won’t have access to the NordVPN connection information.
- Right-click on Start
- Choose Terminal (admin) or PowerShell (admin)
You don’t have to be familiar with PowerShell; you can just copy and paste the commands below, or run the complete script, which will guide you through all the steps.
Enter your access token between the quotes and run the second command to get the private key. We will store the private key in a variable so we can use it later.
# Your access token
$accessToken = "<copy-your-token>"

# Get the private key
# curl.exe is called explicitly: in Windows PowerShell, a plain 'curl' is an alias for Invoke-WebRequest, which does not understand -s and -u
$privateKey = curl.exe -s -u "token:$accessToken" "https://api.nordvpn.com/v1/users/services/credentials" | ConvertFrom-Json | Select-Object -ExpandProperty nordlynx_private_key
Step 6 – Get all the Connection Information
With the WireGuard client installed, we can use the command wg show in PowerShell to read out the active connection information. To test it out, simply type the command and press Enter.
We will need the public key, listening port number, pre-shared key and endpoint details from the connection. To do this, we can use the following PowerShell commands. They read the details from the WireGuard client and strip any excess information.
# Read the active NordLynx tunnel details from the WireGuard client
$listenPort = wg show NordLynx listen-port
$publicKey = wg show NordLynx public-key

# 'preshared-keys' prints "<peer public key> (none)"; stripping the "(none)" leaves the peer's public key, which is what the [Peer] section needs
$preSharedKey = (wg show NordLynx preshared-keys) -replace '\s+\(none\)$', '' -replace '\s+$', ''

# 'endpoints' prints "<peer public key> <ip>:<port>"; keep only the ip:port part
$endPointRaw = wg show NordLynx endpoints
$ipRegex = [regex]'\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b'
$endPoint = ($ipRegex.Match($endPointRaw)).Value
Step 7 – Create the WireGuard Configuration file
With all the required information collected, we can generate the WireGuard configuration file for our NordVPN connection. As you will see in the code below, there are some other details needed as well.
The Address is the IP Address that is locally assigned by NordVPN. This address is always the same. Below it, you will find the DNS server. You can change this to another DNS server if you want.
# Create the file (-Force creates c:\temp if it does not exist and overwrites an existing file)
$filePath = New-Item -Path "c:\temp\nordvpn-wireguard.conf" -ItemType File -Force
$confFileContent = @"
[Interface]
ListenPort = $listenPort
PublicKey = $publicKey
PrivateKey = $privateKey
Address = 10.5.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = $preSharedKey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $endPoint
PersistentKeepalive = 60
ForcedHandshake = 5
"@
Add-Content -Path $filePath -Value $confFileContent
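Steps 5 to 7 combined into one function, as an added example that is not the article's own script or the one in the author's GitHub repository. It adds the checks a practitioner wants before trusting the output (elevated shell, wg.exe present, an active NordLynx tunnel, a 32-byte private key, a parseable endpoint), reads the token interactively so it never lands in the shell history, and restricts the resulting file, which holds the private key in clear text, to the current user and local Administrators. The function name, parameter names and default output path are assumptions made for this example; the NordVPN API URL and the wg subcommands are the ones used above. It writes only the standard WireGuard keys from the article's template.

```powershell
# Added example, not the article's script. Assumes an elevated shell, wg.exe on PATH
# and the NordVPN client connected over NordLynx. Function name, parameter names and
# the default output path are constructed for this example.
function New-NordVpnWireGuardConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [string] $OutputPath = "$env:TEMP\nordvpn-wireguard.conf",
        [string] $InterfaceName = 'NordLynx',
        [string] $Address = '10.5.0.2/32',
        [string] $Dns = '1.1.1.1'
    )

    # The tunnel state is only readable from an elevated shell.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (admin) PowerShell.'
    }
    if (-not (Get-Command wg.exe -ErrorAction SilentlyContinue)) {
        throw 'wg.exe not found; install the WireGuard client first.'
    }

    # Fail early if NordVPN is not connected; otherwise every wg query below comes back empty.
    $active = (& wg.exe show interfaces) -split '\s+'
    if ($active -notcontains $InterfaceName) {
        throw "No '$InterfaceName' tunnel is active; connect the NordVPN client first."
    }

    # Step 5: fetch the private key. The API uses HTTP basic auth with the user name 'token'.
    $basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("token:$AccessToken"))
    $creds = Invoke-RestMethod -Uri 'https://api.nordvpn.com/v1/users/services/credentials' `
                               -Headers @{ Authorization = "Basic $basic" }
    $privateKey = [string]$creds.nordlynx_private_key
    $keyOk = $false
    try { $keyOk = ([Convert]::FromBase64String($privateKey)).Length -eq 32 } catch { }
    if (-not $keyOk) { throw 'The API did not return a 32-byte nordlynx_private_key; check the token.' }

    # Step 6: read the live tunnel details. 'peers' lists the peer public key directly,
    # so there is no "(none)" suffix to strip as with 'preshared-keys'.
    $listenPort    = (& wg.exe show $InterfaceName listen-port).Trim()
    $peerPublicKey = ((& wg.exe show $InterfaceName peers) -split '\s+')[0]
    $endpointRaw   = & wg.exe show $InterfaceName endpoints
    $endpoint      = ([regex]'\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b').Match($endpointRaw).Value
    if (-not $endpoint) { throw "Could not parse an endpoint from: $endpointRaw" }

    # Step 7: write the file with the standard WireGuard keys only.
    $content = @"
[Interface]
ListenPort = $listenPort
PrivateKey = $privateKey
Address = $Address
DNS = $Dns

[Peer]
PublicKey = $peerPublicKey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $endpoint
PersistentKeepalive = 60
"@

    # The file holds the private key in clear text: write it without a BOM, then cut
    # inherited permissions and grant only the current user and local Administrators.
    $dir = Split-Path -Parent $OutputPath
    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Set-Content -Path $OutputPath -Value $content -Encoding ascii
    & icacls.exe $OutputPath /inheritance:r /grant:r "${env:USERNAME}:(R,W)" '*S-1-5-32-544:(F)' | Out-Null

    [pscustomobject]@{ Path = $OutputPath; Endpoint = $endpoint; ListenPort = $listenPort }
}

# Usage: the token is read from the console so it does not end up in the command history.
# New-NordVpnWireGuardConfig -AccessToken (Read-Host 'NordVPN access token')
```

Delete the file from the Windows machine once it has been uploaded to UniFi; the private key in it is the only thing that authenticates the tunnel.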
As mentioned earlier, I have also created a complete PowerShell script that will get the information and create the configuration file for you. You can find the script here in my GitHub repository.
If you are unfamiliar with PowerShell, then make sure you read this article on how to run PowerShell scripts.
Adding NordVPN to UniFi Network
With the configuration file created, we can add the NordVPN connection to our UniFi Network.
- Open UniFi Network
- Go to Settings > VPN
- Open the VPN Client tab and click on Create new
- Make sure that WireGuard is selected
- Enter a name for the connection
- Upload the configuration file
- Make sure that the configuration is valid. Otherwise, check the configuration file and compare it with the example file in my GitHub Repository
Click on Apply Changes to add the VPN connection. It can take a moment until the VPN connection is established.
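To answer "is the configuration valid?" before uploading, here is a small parser and checker for the .conf file, added as an example and not part of the article or its GitHub repository. It checks that both sections exist, that both keys decode to 32 bytes, that the address is in CIDR form and that the endpoint is host:port with a sane port. Keys that are not part of the standard WireGuard format (the article's template carries a PublicKey under [Interface] and a ForcedHandshake under [Peer]) are reported as warnings rather than errors, so you can decide whether to keep them. The function names are assumptions, and the sample config at the bottom is constructed with all-zero dummy keys and a documentation-range endpoint.

```powershell
# Added example, not the article's code. Function names are constructed; the sample
# configuration at the bottom is constructed with dummy keys and a placeholder endpoint.
function ConvertFrom-WireGuardConf {
    param([Parameter(Mandatory)] [string] $Text)
    $sections = [ordered]@{}
    $current = $null
    foreach ($rawLine in ($Text -split "`r?`n")) {
        $line = ($rawLine -replace '#.*$', '').Trim()          # drop comments and whitespace
        if (-not $line) { continue }
        if ($line -match '^\[(\w+)\]$') {                       # section header, e.g. [Peer]
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -and $line -match '^([A-Za-z]+)\s*=\s*(.+)$') {
            $sections[$current][$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $sections
}

function Test-WireGuardKey {
    # A WireGuard key is 32 bytes, base64 encoded (44 characters).
    param([string] $Key)
    try { return ([Convert]::FromBase64String($Key)).Length -eq 32 } catch { return $false }
}

function Test-WireGuardConf {
    param([Parameter(Mandatory)] [string] $Text)
    $conf     = ConvertFrom-WireGuardConf -Text $Text
    $problems = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()
    # Keys defined by wg / wg-quick. Anything else is a warning, not an error, because an
    # importer may accept or silently ignore vendor extensions.
    $known = @{
        Interface = @('PrivateKey','Address','DNS','ListenPort','MTU','Table','FwMark','PreUp','PostUp','PreDown','PostDown','SaveConfig')
        Peer      = @('PublicKey','PresharedKey','AllowedIPs','Endpoint','PersistentKeepalive')
    }
    foreach ($section in 'Interface','Peer') {
        if (-not $conf.Contains($section)) { $problems.Add("missing [$section] section"); continue }
        foreach ($key in @($conf[$section].Keys)) {
            if ($known[$section] -notcontains $key) { $warnings.Add("[$section] $key is not a standard WireGuard key") }
        }
    }
    if ($conf.Contains('Interface')) {
        $i = $conf['Interface']
        if (-not (Test-WireGuardKey $i['PrivateKey'])) { $problems.Add('[Interface] PrivateKey is not a 32-byte base64 key') }
        if ($i['Address'] -notmatch '^[0-9A-Fa-f.:]+/\d{1,3}$') { $problems.Add('[Interface] Address must be in CIDR form, e.g. 10.5.0.2/32') }
    }
    if ($conf.Contains('Peer')) {
        $p = $conf['Peer']
        if (-not (Test-WireGuardKey $p['PublicKey'])) { $problems.Add('[Peer] PublicKey is not a 32-byte base64 key') }
        if (-not $p['AllowedIPs']) { $problems.Add('[Peer] AllowedIPs is missing') }
        if ($p['Endpoint'] -match '^(?<host>[^:\s]+):(?<port>\d{1,5})$') {
            $port = [int]$Matches['port']
            if ($port -lt 1 -or $port -gt 65535) { $problems.Add("[Peer] Endpoint port $port is out of range") }
        } else {
            $problems.Add('[Peer] Endpoint must be host:port')
        }
    }
    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Errors = $problems; Warnings = $warnings }
}

# Constructed sample: all-zero keys are syntactically valid, which is all this check looks at.
$dummyKey = [Convert]::ToBase64String([byte[]]::new(32))
$sample = @"
[Interface]
PrivateKey = $dummyKey
Address = 10.5.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = $dummyKey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 60
ForcedHandshake = 5
"@
Test-WireGuardConf -Text $sample | Format-List

# Against the real file:
# Test-WireGuardConf -Text (Get-Content -Raw 'c:\temp\nordvpn-wireguard.conf')
```

Multiple [Peer] sections are merged by this parser, which is fine for a single-peer VPN file like the one generated above; a config with several peers would need a list per section instead.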
Route your Traffic Through the VPN
With the VPN connection added, we are not finished yet. We will need to route our internet traffic through NordVPN. For this, we are going to create a Policy-Based route.
You can choose to route all your traffic through the VPN, only traffic from specific devices, or traffic from a specific network (VLAN). I will show you how to route only specific devices below, but you can use the same method with a VLAN. Just make sure that when you create a VLAN, you select “Allow Internet Access”.
- In UniFi Network, open Settings > Routing
- Click on Create Entry if you already have routes set up
- Give your route a name
- Select All Traffic
- For the source, I have selected two devices. You can also select the default network to route all traffic or a specific VLAN.
- Set the interface to the VPN connection that we created earlier.
- Click on Add Entry
If you go back to the VPN Client settings, you can see that the connection is up and that network traffic is going through it.
Wrapping Up
Connecting NordVPN through WireGuard does take a couple of steps, but when we look at the performance difference compared with the OpenVPN protocol, then it’s really worth the effort. Make sure that you try out the PowerShell script as well, which makes the configuration steps a bit easier.
Keep in mind that you can only have one active NordVPN connection at a time in UniFi Network. This is because only port 51820 can be used. You can, however, add multiple connections and pause the one you don’t need.
I hope you liked this article. Make sure to follow LazyAdmin.nl on Facebook or subscribe to the newsletter.