Download the latest ugw3 package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG with dpkg -i wireguard-ugw3-<version>.deb. This is a third-party kernel module plus userland installed as root on your gateway, so fetch it from the project's releases page only and check it against whatever checksum the release publishes before installing; note also that a USG firmware upgrade replaces the root filesystem, so the package has to be reinstalled after each upgrade.
# /config survives reboots and firmware upgrades, which /root and /tmp do not
cd /config/auth
# umask 077 makes the directory and the key files readable by root only (mode 0700 / 0600)
umask 077
mkdir wireguard
cd wireguard
# generate the USG's private key and derive the public key you hand to peers
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key
/var/lib/unifi/data/sites/default on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
To allow remote access, navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule that accepts UDP traffic to destination port 51820. The rule belongs in WAN_LOCAL, which governs traffic addressed to the USG itself, not in WAN_IN (traffic forwarded through it); the port must match the listen-port of the WireGuard interface, and the rule should accept only that port rather than a range.
Note that the prefix length on allowed-ips is not an interface netmask: it defines the set of source addresses WireGuard will accept from that peer after decryption (and route to that peer on the way out), so a /32 admits exactly one address. I also found that provisioning failed with a /32 mask, with only some very vague errors in
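The following model of WireGuard's cryptokey routing is an added example to illustrate the allowed-ips point above; it is not code from the original post or from the vyatta-wireguard project. Peer names, public-key strings and addresses are constructed placeholders. It shows that the prefix on allowed-ips is a longest-prefix-match route and ingress filter per peer: a /32 admits one source address, the USG's own wg0 address/24 plays no part in that decision, and a packet whose source address maps to a different peer is dropped even though it authenticated under the sending peer's key.

```python
"""Model of WireGuard's cryptokey routing table (allowed-ips).

Added example, not from the original post or the vyatta-wireguard project.
All peer names, keys and addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Peer:
    name: str
    public_key: str                      # placeholder; a real key is 32 bytes base64
    allowed_ips: List[ipaddress.IPv4Network] = field(default_factory=list)


class CryptokeyRouting:
    """Longest-prefix-match table WireGuard builds from every peer's allowed-ips.

    Each allowed-ip belongs to exactly one peer; if two peers list the identical
    prefix, the one configured last takes it (WireGuard moves it), as modelled
    here by overwriting the dict entry.
    """

    def __init__(self, peers: List[Peer]):
        owner: Dict[ipaddress.IPv4Network, Peer] = {}
        for peer in peers:
            for net in peer.allowed_ips:
                owner[net] = peer
        # Most specific prefix first so the first hit is the longest match.
        self._routes = sorted(owner.items(), key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[Peer]:
        addr = ipaddress.ip_address(ip)
        for net, peer in self._routes:
            if addr in net:
                return peer
        return None

    def egress_peer(self, dst: str) -> Optional[Peer]:
        """Peer a packet for dst is encrypted to; None means no route, dropped."""
        return self.lookup(dst)

    def ingress_ok(self, from_peer: Peer, src: str) -> bool:
        """A decrypted packet from from_peer is accepted only if its source
        address routes back to that same peer. The interface's own address and
        netmask (e.g. 10.0.200.1/24 on wg0) are not consulted at all."""
        return self.lookup(src) is from_peer


def build_example_table():
    # Constructed peers: a single laptop with a /32, and a branch site that
    # also carries a whole LAN behind it.
    laptop = Peer("laptop", "LAPTOP_PUBKEY_PLACEHOLDER=",
                  [ipaddress.ip_network("10.0.200.2/32")])
    branch = Peer("branch", "BRANCH_PUBKEY_PLACEHOLDER=",
                  [ipaddress.ip_network("10.0.200.3/32"),
                   ipaddress.ip_network("192.168.50.0/24")])
    return CryptokeyRouting([laptop, branch]), laptop, branch


def demo() -> dict:
    table, laptop, branch = build_example_table()
    return {
        # the /32 admits exactly the one configured address
        "laptop_own_addr": table.ingress_ok(laptop, "10.0.200.2"),
        # laptop claiming the branch peer's address is dropped: longest match is branch
        "laptop_spoofs_peer": table.ingress_ok(laptop, "10.0.200.3"),
        # an address inside the interface's /24 but in nobody's allowed-ips is dropped
        "laptop_spoofs_lan": table.ingress_ok(laptop, "10.0.200.9"),
        # hosts on the branch LAN are accepted because the /24 is on that peer
        "branch_lan_host": table.ingress_ok(branch, "192.168.50.77"),
        # outbound: traffic for the branch LAN is encrypted to the branch peer
        "egress_to_branch_lan": table.egress_peer("192.168.50.1").name,
        # outbound: no peer lists this prefix, so the packet has no route
        "egress_unrouted": table.egress_peer("192.168.60.1"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Widening a peer's allowed-ips (say to 10.0.200.0/24) is therefore not a cosmetic change to a "netmask": it lets that peer send packets with any source address in the block and pulls return traffic for the whole block to it, which is exactly the spoofing the /32 prevents.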
Perhaps you guys already knew this and have purposely configured public address subnets within your internal networks for some specific reason. But if you didn't, you should know that the private "172" range is 172.16.0.0 to 172.31.255.255, which is only a 20-bit block, unlike the "10" range, which goes from 10.0.0.0 to 10.255.255.255. What you guys have defined in the "172" ranges are not private networks, so you had better have all your extra security layers well in place.