Skip to content

Instantly share code, notes, and snippets.

@pamolloy
Last active January 23, 2024 07:28
Star You must be signed in to star a gist
Save pamolloy/059c552b814b0dddfcdc0cec2bbe5872 to your computer and use it in GitHub Desktop.
Ubiquiti USG configuration for Wireguard

Download the latest ugw3 package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb.

cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.

Note that the mask associated with the allowed-ips is not a netmask! I also found that provisioning failed with a /32 mask with only some very vague errors in /var/log/messages.

See also

{
"firewall": {
"group": {
"network-group": {
"remote_user_vpn_network": {
"description": "Remote User VPN subnets",
"network": [
"10.2.1.0/24"
]
}
}
}
},
"interfaces": {
"wireguard": {
"wg0": {
"address": [
"10.2.1.1/24"
],
"firewall": {
"in": {
"name": "LAN_IN"
},
"local": {
"name": "LAN_LOCAL"
},
"out": {
"name": "LAN_OUT"
}
},
"listen-port": "51820",
"mtu": "1352",
"peer": [{
"ANDROID-PHONE-PUBLIC-KEY": {
"allowed-ips": [
"10.2.1.5/32"
],
"persistent-keepalive": 25
}
}],
"private-key": "/config/auth/wireguard/wg_private.key",
"route-allowed-ips": "true"
}
}
}
}
@vettronics
Copy link

@simonkaiser9 @ruchette I have the same problem.
I have setup the USG as a Wireguard Client.
The connection is established. From the USG SSH command line I can ping the remote wireguard server and all devices in remote Lan.
I cannot ping the remote devices from any of my local lan pcs...
Local Lan 192.168.2.x ; Remote Lan 192.168.1.x
I can see the route is set on USG:
"192.168.1.0/24 dev wg0 scope link"

Help!! I have spent 2 days on this :$

@simonkaiser9
Copy link

@vettronics I am - to be quite honest - not one hundred percent sure why my setup is now working flawlessly, but I got rid of the static route and have "route-allowed-ips" set to "true" for wg0. Routing between my two connected sites works perfect right now. There are no additional routes configured...

@vettronics
Copy link

@simonkaiser9
Found out the problem :) (contribution from WireGuard/wireguard-vyatta-ubnt#109)
Besides having the routes I also needed to have the my local subnet on the allowedips of the remote server.

@cdoublejj
Copy link

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.

thats assuming/presuming the host is running linux and not windows like my self with windows server.

this file path is invalid

@swinchen
Copy link

swinchen commented Sep 5, 2022

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.

thats assuming/presuming the host is running linux and not windows like my self with windows server.

this file path is invalid

Well, that's your fault 🤕

@cdoublejj
Copy link

cdoublejj commented Sep 5, 2022

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.
thats assuming/presuming the host is running linux and not windows like my self with windows server.
this file path is invalid

Well, that's your fault 🤕

If I could have chose Linux, I def would have. Freedom is better.

@smdx2
Copy link

smdx2 commented Mar 17, 2023

I really need help with this config... :(
I've managed to put wireguard running on my USG, I am able to connect from mobile phone to wireguard server on USG, from my USG I can ping both mobile phone, and internal network when I ssh to my USG, but I cannot access internal LAN resources via mobile phone when connected to wireguard server on USG.

Any hints?

My config.gateway.json file:

{
	"firewall": {
		"group": {
			"network-group": {
				"remote_user_vpn_network": {
					"description": "Remote User VPN subnets",
					"network": [
						"192.168.5.0/24"
					]
				}
			}
		}
	},
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": [
          "192.168.5.1/24"  
        ],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "51821",  
        "mtu": "1500",
        "peer": [{
          "public_key_of_android_phone": {   
            "allowed-ips": [
              "192.168.5.50/32"               
            ],
            "persistent-keepalive": 25
          }
        },
        {
          "public_key_of_another_device": {   
            "allowed-ips": [
              "192.168.5.51/32"
            ],
            "persistent-keepalive": 25
          }
        }],
        "private-key": "/config/auth/wireguard/wg_private.key",  
        "route-allowed-ips": "true"
      }
    }
  }
}

My wireguard configuration on mobile phone:
Interface:
public_key_of_android_phone
address: 192.168.5.50/32

peer:
endpoint: public_FQDN:52821
public_key_of_usg
allowed_ips: 0.0.0.0/0
keep-alive: 25s

output of route command on USG:
Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         (redacted) 0.0.0.0         UG    0      0        0 eth0
(redacted)     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.254.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1.2
192.168.5.0     *               255.255.255.0   U     0      0        0 wg0

output of wg command on USG:

root@USG:~# wg
interface: wg0
  public key: (redacted)
  private key: (redacted)
  listening port: 51821

peer: (redacted)
  endpoint: (redacted):1304
  allowed ips: 192.168.5.50/32
  latest handshake: 41 seconds ago
  transfer: 60.14 KiB received, 105.39 KiB sent
  persistent keepalive: every 25 seconds

Any help would be much appreciated.
I've seen other forums with information, but typically very old one...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment