
Connecting to VPN with Windows OS

Prerequisites (quick checklist) #

  • A UniFi Gateway (UDM/UDM-SE/UDR/UXG, etc.) with the UniFi Network app
  • A public IP on the gateway. If you’re behind another router (double-NAT), you must port-forward UDP 51820 to the UniFi gateway’s WAN IP
  • (Optional but recommended) A DNS name (DDNS or static) pointing at your public IP for easier client configs
  • The WireGuard for Windows app installer

Configure the UniFi WireGuard VPN Server #

  • Open UniFi Network → Settings → VPN → VPN Server → Create New
  • Choose WireGuard and give it a name (e.g., “Remote-Users”)
  • Server address & port
    • Port defaults to UDP 51820 (leave it unless you have a reason to change)
    • If you’re behind NAT or using a hostname, set “Use Alternate Address for Clients” to your FQDN (e.g., vpn.example.com)
  • VPN network / addresses
    • UniFi will generate the tunnel subnet automatically (e.g., 10.255.255.0/24)
  • DNS for clients (recommended)
    • Set this to a resolver that can reach your internal hosts (often the gateway/LAN DNS or your AD DNS)
  • Add a client
    • In the Clients section, click + Add Client
    • Name it (e.g., “First_Name Last_Name”)
    • Choose what the client should route:
      • Full tunnel (all traffic through VPN): AllowedIPs = 0.0.0.0/0, ::/0
      • Split tunnel (only reach on-prem): AllowedIPs = your LAN subnets (e.g., 192.168.1.0/24)
    • Save and Download the configuration (.conf) for Windows (or show the QR for mobile). The .conf contains the client’s private key, so hand it to the user over a secure channel and delete any stray copies.

Install & connect on Windows #

  • Install WireGuard for Windows (official client): run the Windows Installer from wireguard.com
  • Open WireGuard → Import tunnel(s) from file → select the .conf you downloaded from UniFi
  • Click Activate to connect. You should see the assigned tunnel IP and a “Connected” status. (Import/Activate flow shown in many UniFi+WG guides.)

Verify it’s working #

  • From the Windows PC do the following:
    • ipconfig → confirm a WireGuard adapter with an IP in your VPN subnet (e.g., 10.255.255.x)
    • Ping the UniFi gateway LAN IP (e.g., 192.168.1.1)
    • Access an internal resource (RDP, SMB, web UI) on your LAN
    • If you configured full-tunnel, browse to https://ifconfig.io to confirm the public IP is your site’s IP (not the client’s)

Typical client config (for reference): #

# First_Name Last_Name.conf (example)
[Interface]
PrivateKey = <client_private_key>
Address = 10.255.255.10/32
DNS = 192.168.1.10

[Peer]
PublicKey = <gateway_public_key>
Endpoint = vpn.example.com:51820
AllowedIPs = 192.168.1.0/24          # split tunnel to LAN only
# or AllowedIPs = 0.0.0.0/0, ::/0     # full tunnel
PersistentKeepalive = 25
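As an added example (not from the original article or from UniFi), here is a small Python checker for a downloaded .conf: it parses the file, classifies split vs. full tunnel from AllowedIPs, and flags leftover key placeholders, an Address that is not a /32 inside the tunnel subnet, or a missing DNS entry. The embedded sample config, the 10.255.255.0/24 tunnel subnet default and the finding texts are constructed for this example.

```python
import ipaddress
import re
# Constructed sample mirroring the UniFi-style config above; key placeholders left in on purpose.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client_private_key>
Address = 10.255.255.10/32
DNS = 192.168.1.10
[Peer]
PublicKey = <gateway_public_key>
Endpoint = vpn.example.com:51820
AllowedIPs = 192.168.1.0/24          # split tunnel to LAN only
PersistentKeepalive = 25
"""

def parse_conf(text):
    """Parse a WireGuard .conf into {section: {key: value}}, dropping # comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def tunnel_mode(allowed_ips):
    """A zero-length prefix (0.0.0.0/0 or ::/0) routes everything: full tunnel."""
    nets = [ipaddress.ip_network(a.strip(), strict=False) for a in allowed_ips.split(",")]
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"

def check_conf(text, vpn_subnet="10.255.255.0/24"):
    """Return a list of findings; an empty list means the config looks sane."""
    conf = parse_conf(text)
    iface = conf.get("Interface", {})
    findings = []
    for sect, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        if re.fullmatch(r"<.*>", conf.get(sect, {}).get(key, "")):
            findings.append(f"{key} is still a placeholder")
    addr = ipaddress.ip_interface(iface.get("Address", "0.0.0.0/0"))
    if addr.network.prefixlen != 32 or addr.ip not in ipaddress.ip_network(vpn_subnet):
        findings.append("Address should be a /32 inside the VPN subnet")
    if "DNS" not in iface:
        findings.append("DNS not set; internal names will not resolve over the tunnel")
    return findings
```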

Notes on the config UniFi generates (it will look similar to the example above): #

  • DNS: point to a resolver that can answer your internal names.
  • PersistentKeepalive=25 helps when the client is behind NAT.

Need Help: #

Contact the NETWINDY support team by opening a support ticket.