Skip to content

Instantly share code, notes, and snippets.

@dcava

dcava/README.md

Forked from pamolloy/README.md
Last active March 22, 2020 21:35
Show Gist options
  • Save dcava/2a531e6e1be3b66ab26af1667bc1e3e2 to your computer and use it in GitHub Desktop.
Save dcava/2a531e6e1be3b66ab26af1667bc1e3e2 to your computer and use it in GitHub Desktop.
Download ZIP
Ubiquiti USG configuration for Wireguard
Raw
README.md

Download the latest ugw3 package from https://github.com/FossoresLP/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb.

cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.

Note that the mask associated with the allowed-ips is not a netmask! I also found that provisioning failed with a /32 mask with only some very vague errors in /var/log/messages.

See also

Raw
config.gateway.json
{
"firewall": {
"group": {
"network-group": {
"remote_user_vpn_network": {
"description": "Remote User VPN subnets",
"network": [
"10.2.1.0/24"
]
}
}
}
},
"interfaces": {
"wireguard": {
"wg0": {
"address": [
"10.2.1.1/24"
],
"firewall": {
"in": {
"name": "LAN_IN"
},
"local": {
"name": "LAN_LOCAL"
},
"out": {
"name": "LAN_OUT"
}
},
"listen-port": "51820",
"mtu": "1352",
"peer": [{
"ANDROID-PHONE-PUBLIC-KEY": {
"allowed-ips": [
"10.2.1.5/32"
],
"persistent-keepalive": 25
}
}],
"private-key": "/config/auth/wireguard/wg_private.key",
"route-allowed-ips": "true"
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment