Download the latest `ugw3` package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using `dpkg -i wireguard-ugw3-<version>.deb`.
```bash
cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key
```
Copy the example `config.gateway.json` to `/var/lib/unifi/data/sites/default` on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.
Note that the mask associated with the `allowed-ips` is not a netmask! I also found that provisioning failed with a /32 mask with only some very vague errors in `/var/log/messages`.
@anthr76 have you found a solution to this problem? Got the exact same. However, it is possible to SSH between peers.
Update: This thread pointed me in the right direction: https://www.reddit.com/r/WireGuard/comments/ag6g44/access_home_network_behind_nat_via_vps_and/ee4gqx7/
The problem in the configuration for me was the client. I had put allowed_ips to the wireguard interface ip I was connecting to (in your case 172.255.255.1/24). Removing this and making it completely open (0.0.0.0/0) resulted in the wanted behaviour. Local IPs are working and my external IP on the phone is the one from the wireguard server site.
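The two points raised above (the `allowed-ips` "mask" is not an interface netmask, and a client whose `allowed_ips` only lists the tunnel subnet cannot reach the home LAN) both come down to WireGuard's cryptokey routing. The following is an added example, not code from the gist or from the vyatta-wireguard project, that models that routing with Python's `ipaddress` module; peer names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed example: peer names and tunnel addresses are made up for illustration.
# The "mask" in allowed-ips is the prefix length of a routing entry, not the netmask
# of the wg interface, so 172.255.255.1/24 is accepted and host bits are masked off.

def build_cryptokey_table(peers):
    """peers maps a peer name to its allowed-ips list.
    Returns (network, peer) entries sorted longest prefix first, which is
    how WireGuard resolves overlapping allowed-ips between peers."""
    table = []
    for peer, allowed in peers.items():
        for cidr in allowed:
            table.append((ipaddress.ip_network(cidr, strict=False), peer))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def route_to_peer(table, dst):
    """Outbound: the peer whose allowed-ips covers dst, or None (packet is dropped,
    which is why a client with only 172.255.255.1/24 cannot reach 192.168.1.x)."""
    addr = ipaddress.ip_address(dst)
    for net, peer in table:
        if addr.version == net.version and addr in net:
            return peer
    return None

def accept_inbound(table, peer, src):
    """Inbound: a decrypted packet from peer is kept only if its source address
    is inside that peer's allowed-ips; otherwise WireGuard silently drops it."""
    return route_to_peer(table, src) == peer

# Phone config as first posted in the thread (only the tunnel subnet allowed)
# and after the fix (all traffic, including the home LAN, goes to the USG).
PHONE_NARROW = {"usg": ["172.255.255.1/24"]}
PHONE_FULL = {"usg": ["0.0.0.0/0"]}
# USG side: one /32 per client so each peer may only source its own tunnel address.
USG_PEERS = {"phone": ["172.255.255.2/32"], "laptop": ["172.255.255.3/32"]}

if __name__ == "__main__":
    narrow = build_cryptokey_table(PHONE_NARROW)
    full = build_cryptokey_table(PHONE_FULL)
    usg = build_cryptokey_table(USG_PEERS)
    print(route_to_peer(narrow, "192.168.1.10"))          # None: LAN unreachable
    print(route_to_peer(full, "192.168.1.10"))            # usg
    print(accept_inbound(usg, "phone", "172.255.255.3"))  # False: wrong source, dropped
```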