Download the latest ugw3 package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb.
cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key
Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.
Note that the mask associated with the allowed-ips is not a netmask! I also found that provisioning failed with a /32 mask with only some very vague errors in /var/log/messages.
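As an added example (not the post's own config and not a file from the vyatta-wireguard project), here is a minimal config.gateway.json that ties the steps above together: the wg0 interface reads the private key generated under /config/auth/wireguard, listens on UDP 51820, and has one peer entry. Everything in it is assumed: the tunnel subnet 10.100.0.0/24, the peer address 10.100.0.2, the placeholder public key, and the rule number 20. The allowed-ips value uses a /24 rather than a /32 because of the provisioning caveat above; it is the set of source addresses this peer may use inside the tunnel, not the address's netmask. The WAN_LOCAL rule is the JSON form of the accept rule the text creates through the UI; leave it out if you prefer to manage the firewall from the Controller.

```json
{
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": "10.100.0.1/24",
        "listen-port": "51820",
        "route-allowed-ips": "true",
        "private-key": "/config/auth/wireguard/wg_private.key",
        "peer": {
          "PEER_PUBLIC_KEY_PLACEHOLDER=": {
            "allowed-ips": "10.100.0.2/24"
          }
        }
      }
    }
  },
  "firewall": {
    "name": {
      "WAN_LOCAL": {
        "rule": {
          "20": {
            "action": "accept",
            "description": "WireGuard",
            "destination": {
              "port": "51820"
            },
            "protocol": "udp"
          }
        }
      }
    }
  }
}
```

Replace the placeholder with the client's public key (the contents of its wg_public.key equivalent) before provisioning, and keep the private key file itself out of the JSON: only its path belongs there, which is why the umask 077 step matters.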
Here's my config.gateway.json on my Cloud Controller
My peer configuration on iPhone
I have on the Unifi interface:
https://i.imgur.com/n6h6AQs.png This is on WAN_LOCAL
Besides that I don't think anything else was touched.
My network subnets are
None of these are reachable on my iPhone although the WireGuard app shows packets being transferred. My IP on my phone also remains the carrier IP and not my USG's ISP's IP.