Download the latest `ugw3` package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using `dpkg -i wireguard-ugw3-<version>.deb`.
```sh
cd /config/auth
# restrict new files to the owner only before the private key is written
umask 077
mkdir wireguard
cd wireguard
# generate the USG's private key and derive its public key
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key
```
Copy the example `config.gateway.json` to `/var/lib/unifi/data/sites/default` on the host running the Controller. Then, through the Controller Web UI, navigate to Devices, click on the USG row and then, in the Properties window, navigate to Config > Manage Device and click Provision.
To allow remote access, navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.
Note that the mask associated with the `allowed-ips` is not a netmask! I also found that provisioning failed with a /32 mask with only some very vague errors in `/var/log/messages`.
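As an added illustration (not the gist's own `config.gateway.json`, which is not reproduced here), a minimal interface definition assumed to follow the configuration tree the vyatta-wireguard package reads from `config.gateway.json`; the tunnel addresses and the peer key are constructed placeholders, the private key path is the one created above, and the peer's `allowed-ips` uses a /24 rather than a /32 in line with the note above:

```json
{
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": "10.99.0.1/24",
        "listen-port": "51820",
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true",
        "peer": {
          "<PEER_PUBLIC_KEY_PLACEHOLDER>": {
            "allowed-ips": "10.99.0.0/24"
          }
        }
      }
    }
  }
}
```

Replace the placeholder with the public key generated on the client device; the USG's own public key from `/config/auth/wireguard/wg_public.key` goes into the client's peer section, together with the WAN address and port 51820 opened by the firewall rule.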
This config has worked for me, however I also set MTU to 1500, and `route-allowed-ips` to false. Using WireGuard on Android, I can connect to my home LAN successfully, as well as browse the WAN (routed via the LAN).
I run the controller in a docker container (linuxserver/unifi-controller) and I placed the config json inside the data volume at `/config/data/sites/[site id]`, as seen from the container. Seen from the host the path is `/var/lib/docker/volumes/unifi_data/_data/data/sites/[site id]`. Note, adding it to the `default` site did not work for me.

Many props to @pamolloy for the concise guide.