Download the latest ugw3 package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb.
cd /config/auth
umask 077                                    # everything created below is owner-only (0600/0700)
mkdir wireguard
cd wireguard
wg genkey > wg_private.key                   # stays on the USG; referenced by path in the config
wg pubkey < wg_private.key > wg_public.key   # this is the value you hand to each peer
Copy the example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.
Note that the mask associated with the allowed-ips is not a netmask! I also found that provisioning failed with a /32 mask, with only some very vague errors in /var/log/messages.
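Because a bad allowed-ips value only surfaces as a vague provisioning error, it helps to check the values before writing them into config.gateway.json. The script below is an added example, not code from the post above or from the vyatta-wireguard project; it assumes the JSON mirrors the `set interfaces wireguard wg0 ...` tree in the vyatta-wireguard README (keys address, listen-port, private-key, route-allowed-ips, peer/<pubkey>/allowed-ips), and the peer key it uses is a constructed 32-byte stand-in, not a real WireGuard key. The WAN LOCAL firewall rule stays a Controller UI step as described above.

```python
"""Build and sanity-check the WireGuard part of a config.gateway.json for a USG.

Added example; not code from the original post or the vyatta-wireguard project.
The JSON layout is assumed to mirror the README's
`set interfaces wireguard wg0 ...` configuration tree.
"""
import base64
import binascii
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def allowed_ip_problem(value):
    """Return None if value is a usable allowed-ips entry, else a reason.

    allowed-ips takes a CIDR prefix length, not a dotted netmask, and the
    prefix must fit the address (no host bits set); otherwise a typo such as
    10.200.0.2/24 silently routes a whole /24 to one peer.
    """
    addr, sep, prefix = value.partition("/")
    if not sep or not prefix.isdigit():
        return f"{value!r}: write address/prefixlen, e.g. 10.200.0.2/32"
    try:
        ipaddress.ip_network(value, strict=True)   # raises if host bits are set
    except ValueError as e:
        return f"{value!r}: {e}"
    return None


def is_rfc1918(address):
    """True if the address (with or without a /prefix) is in RFC 1918 space."""
    ip = ipaddress.ip_interface(address).ip
    return any(ip in net for net in RFC1918)


def pubkey_problem(key):
    """A WireGuard public key is 32 bytes, base64-encoded (44 characters)."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return f"{key!r}: not valid base64"
    if len(raw) != 32:
        return f"{key!r}: decodes to {len(raw)} bytes, expected 32"
    return None


def build_config(address, listen_port, private_key_path, peers):
    """peers maps a peer's base64 public key to its list of allowed-ips.

    Returns the dict to merge into config.gateway.json, or raises ValueError
    for the mistakes that provisioning would otherwise only hint at.
    """
    if not is_rfc1918(address):
        raise ValueError(f"tunnel address {address} is not in RFC 1918 space")
    peer_tree = {}
    for pubkey, allowed in peers.items():
        checks = [pubkey_problem(pubkey)] + [allowed_ip_problem(a) for a in allowed]
        problems = [p for p in checks if p]
        if problems:
            raise ValueError("; ".join(problems))
        public = [a for a in allowed if not is_rfc1918(a)]
        if public:
            raise ValueError(f"allowed-ips {public} are public addresses; check the subnet")
        # a single value is written as a string, several as a list (assumed)
        peer_tree[pubkey] = {"allowed-ips": allowed[0] if len(allowed) == 1 else list(allowed)}
    return {"interfaces": {"wireguard": {"wg0": {
        "address": address,
        "listen-port": str(listen_port),
        "private-key": private_key_path,
        "route-allowed-ips": "true",
        "peer": peer_tree,
    }}}}


def sample_peer_key():
    """Constructed stand-in: any 32-byte string base64-encodes to a key-shaped value."""
    return base64.b64encode(b"this is a constructed sample key").decode()


if __name__ == "__main__":
    cfg = build_config("10.200.0.1/24", 51820,
                       "/config/auth/wireguard/wg_private.key",
                       {sample_peer_key(): ["10.200.0.2/32"]})
    print(json.dumps(cfg, indent=2))
```

The RFC 1918 check deliberately covers only 10/8, 172.16/12 and 192.168/16, so a peer given an address such as 172.32.x.x is rejected rather than quietly treated as internal. The post above reports /32 failing on its author's setup, so keep its advice in mind when choosing prefixes for your own peers.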
Perhaps you guys already knew this and you have purposely configured public address subnets within your internal networks for some specific reason. But if you didn't, you should know that the private "172" range is from 172.16.0.0 to 172.31.255.255, which is only a 20-bit block, unlike the "10" range, which goes from 10.0.0.0 to 10.255.255.255. What you guys have defined in the "172" ranges are not private networks, so you had better have all your extra security layers well in place.