If you have an EdgeRouter X (SFP), you can install the faster WireGuard VPN package and connect to the router over it. From a mobile device such as your smartphone you can then easily set up a VPN connection to your home or work network from anywhere.

First you need to be up to date with your Firmware (v2.0.9-hotfix.1 (e50) January 27, 2020): Get it https://www.ui.com/download/edgemax/edgerouter-x-sfp

Second you need the latest wireguard package for this router: Get it https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20210219-1/e50-v2-v1.0.20210219-v1.0.20200827.deb

To place the WireGuard software on your EdgeRouter, you need SSH access to the router. Enable SSH in the router's GUI first.

Make sure that you can login with SSH on your Edgerouter.

To transfer the file to the router, use something like FileZilla on Windows or scp on Linux.

Use the username and password of your EdgeRouter for this. After you have copied the file (e50-v2-v1.0.20210219-v1.0.20200827.deb), you have to install it on the router. For this you have to log on to the router with SSH.

Let’s start:

user@Laptop:~$ ssh <username_edgerouter>@<ip_address_edgerouter>
(c) 2010-2020 Ubiquiti Networks, Inc.  https://www.ubnt.com

Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

<user>@<ip>’s password:
Linux router 4.14.54-UBNT #1 SMP Fri Jan 22 10:21:07 UTC 2021 mips
Welcome to EdgeOS

Install Wireguard:

username@router:~$ sudo dpkg -i e50-v2-v1.0.20210219-v1.0.20200827.deb

Generating keys explained:

For this example we use a Linux system (or the EdgeRouter itself) to generate a private key and a public key for the client.

username@router:~$ sudo wg genkey | tee privatekey | wg pubkey > publickey

username@router:~$ less privatekey
username@router:~$ less publickey

These two commands show the private key and the public key on the display. Copy or write both down temporarily.

Making the config:
username@router:~$ cd /config/auth
username@router:/config/auth$ wg genkey | tee priv.key | wg pubkey > pub.key
username@router:/config/auth$ configure
[edit]
username@router#
[edit]
username@router# set interfaces wireguard wg0 address 10.99.99.1/24
[edit]
username@router# set interfaces wireguard wg0 listen-port 51820
[edit]
username@router# set interfaces wireguard wg0 route-allowed-ips true
[edit]
username@router# set interfaces wireguard wg0 peer IAqK+iTNL/3HVy19Gp07sTfkV7vMraW9MlS0agmX5z8=
[edit]
username@router# set interfaces wireguard wg0 peer IAqK+iTNL/3HVy19Gp07sTfkV7vMraW9MlS0agmX5z8= allowed-ips 10.99.99.11/32
[edit]
username@router# set interfaces wireguard wg0 private-key /config/auth/priv.key
[edit]
username@router# set firewall name WAN_LOCAL rule 20 action accept
[edit]
username@router# set firewall name WAN_LOCAL rule 20 description "Wireguard"
[edit]
username@router# set firewall name WAN_LOCAL rule 20 destination port 51820
[edit]
username@router# set firewall name WAN_LOCAL rule 20 protocol udp
[edit]
username@router# set firewall name WAN_LOCAL rule 20 log disable
[edit]
username@router# delete firewall name WAN_LOCAL rule 20 state
[edit]
username@router# commit
[edit]
username@router# save
Saving configuration to '/config/config.boot'...
Done
[edit]
username@router# exit
exit
ubnt@sesam:/config/auth$

Explanation of the key used above (IAqK+iTNL/3HVy19Gp07sTfkV7vMraW9MlS0agmX5z8=): this is the public key of the client that will connect to the EdgeRouter.

This key (x4X29ZX6jivgkK6/69usiYJGOttHRKWU8Q++9TLnPDA=), on the other hand, is the public key of the server (the EdgeRouter).

Firewall-rule:

    rule 20 {
        action accept
        description WireGuard
        destination {
            port 51820
        }
        log disable
        protocol udp
    }

Wireguard-config:

    wireguard wg0 {
        address 10.99.99.1/24
        listen-port 51820
        peer x4X29ZX6jivgkK6/69usiYJGOttHRKWU8Q++9TLnPDA= {
            allowed-ips 10.99.99.11/32
        }
        private-key ****************
        route-allowed-ips true
    }

Wireguard-config Client:

This is done on a Linux-machine!

Create a file wg0.conf and place (for example) these lines in it (without the ****** lines). Use your own settings: PrivateKey is the private key of the client, and PublicKey under [Peer] is the public key of the router.

******
[Interface]
Address = 10.99.99.11/32
PrivateKey = sO1JZfkhuJgbYBelyIpyebmZYheD5G34S77Hz+YzGmk=
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = Hh51h+8SYPWDvoMTRmdyFySat8JUNhohuhisgENUDhY=
AllowedIPs = 0.0.0.0/0
Endpoint = <your_public_ip_off_the_router>:51820
******
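
A tunnel only comes up when the peer key set on the router is the public key belonging to the PrivateKey in wg0.conf, and the client's [Peer] PublicKey is the router's pub.key. The Python script below is an added example, not part of the original post: it derives the client's public key the way `wg pubkey` does and checks the client file against the router settings used above. The function names, the endpoint 203.0.113.5 and the RFC 7748 test keys in the sample are assumptions constructed for the example.

```python
import base64, configparser, ipaddress

P = 2**255 - 19  # Curve25519 field prime

def x25519_pub(priv: bytes) -> bytes:
    """RFC 7748 ladder on base point 9. Not constant-time: for config checks only."""
    k = bytearray(priv)
    k[0] &= 248; k[31] = (k[31] & 127) | 64  # clamp the scalar
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        da, cb, aa, bb = d * a % P, c * b % P, a * a % P, b * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b64(hexstr: str) -> str:
    return base64.b64encode(bytes.fromhex(hexstr)).decode()

def check_pairing(client_conf, router_peer_key, router_allowed_ips, router_pubkey, listen_port=51820):
    """Return a list of mismatches between a client wg0.conf and the router's wg0 settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(client_conf)
    iface, peer, problems = cp["Interface"], cp["Peer"], []
    derived = base64.b64encode(x25519_pub(base64.b64decode(iface["PrivateKey"]))).decode()
    if derived != router_peer_key:
        problems.append("router peer key is not the client's public key")
    if peer["PublicKey"] != router_pubkey:
        problems.append("client [Peer] PublicKey is not the router's pub.key")
    net = ipaddress.ip_network(router_allowed_ips, strict=False)
    if ipaddress.ip_interface(iface["Address"]).ip not in net:
        problems.append("client Address is outside the router's allowed-ips")
    if not peer["Endpoint"].endswith(f":{listen_port}"):
        problems.append("Endpoint port differs from the router's listen-port")
    return problems

# Constructed sample: RFC 7748 section 6.1 test keys, not the keys shown on this page.
CLIENT_PRIV = b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
CLIENT_PUB = b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
ROUTER_PUB = b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SAMPLE_CONF = (f"[Interface]\nAddress = 10.99.99.11/32\nPrivateKey = {CLIENT_PRIV}\n\n"
               f"[Peer]\nPublicKey = {ROUTER_PUB}\nAllowedIPs = 0.0.0.0/0\nEndpoint = 203.0.113.5:51820\n")

if __name__ == "__main__":
    print(check_pairing(SAMPLE_CONF, CLIENT_PUB, "10.99.99.11/32", ROUTER_PUB) or "pairing OK")
```

Run it with your own wg0.conf text, the peer key and allowed-ips you set on wg0, and the contents of /config/auth/pub.key; an empty list means the two sides match.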

Wireguard-config QRcode:

Do this on a linux system.

qrencode -t ansiutf8 < wg0.conf

This displays a qrcode on your display, which you can scan with your mobile app.