Download the latest ugw3
package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb
.
cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key
Copy example config.gateway.json
to /var/lib/unifi/data/sites/default
on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.
Note that the mask associated with the allowed-ips
is not a netmask! I also found that provisioning failed with a /32
mask with only some very vague errors in /var/log/messages
.
@darellsison Wireguard doesn't use the client/server model.
However this config is for running wireguard node on your USG, so external devices can access your internal network.
Configured properly it would also allow external devices to tunnel through your network.