Download the latest ugw3
package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb
.
cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key
Copy example config.gateway.json
to /var/lib/unifi/data/sites/default
on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.
Note that the mask associated with the allowed-ips
is not a netmask! I also found that provisioning failed with a /32
mask with only some very vague errors in /var/log/messages
.
Thank you for the guide. Did you manage to generate port forwarding rules also for wg0 interface automatically? I'm facing problem that I can connect to VPN, everything works, but clients from VPN can not access forwarded ports on WAN, I've checked
iptables -L -v -n -t nat
table to see that those rules are missing inUBNT_PFOR_SNAT_RULES
chain. I can add them manually, just wondering if anyone solve this differently.