@pamolloy
Last active August 22, 2023 03:54
Ubiquiti USG configuration for Wireguard

Download the latest ugw3 package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb.

cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.

Note that the mask associated with the allowed-ips is not a netmask! I also found that provisioning failed with a /32 mask with only some very vague errors in /var/log/messages.

See also

{
  "firewall": {
    "group": {
      "network-group": {
        "remote_user_vpn_network": {
          "description": "Remote User VPN subnets",
          "network": [
            "10.2.1.0/24"
          ]
        }
      }
    }
  },
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": [
          "10.2.1.1/24"
        ],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "51820",
        "mtu": "1352",
        "peer": [{
          "ANDROID-PHONE-PUBLIC-KEY": {
            "allowed-ips": [
              "10.2.1.5/32"
            ],
            "persistent-keepalive": 25
          }
        }],
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true"
      }
    }
  }
}
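A small sanity checker for a config.gateway.json in the shape shown above, added here as an example (it is not part of the gist or of the vyatta-wireguard package). It catches the mistakes that tend to produce the "provision failed" or "client connects but cannot reach anything" symptoms: a peer allowed-ips outside the wg0 subnet, two peers claiming overlapping addresses, a client entry wider than a single host, and a wg0 subnet missing from the firewall network-group. The embedded config and the peer key name are constructed sample values.

```python
import ipaddress
import json

# Constructed sample in the shape of the gist's config.gateway.json (not the gist's own file).
SAMPLE_CONFIG = json.loads("""
{
  "firewall": {"group": {"network-group": {"remote_user_vpn_network": {
    "description": "Remote User VPN subnets", "network": ["10.2.1.0/24"]}}}},
  "interfaces": {"wireguard": {"wg0": {
    "address": ["10.2.1.1/24"],
    "listen-port": "51820", "mtu": "1352",
    "peer": [{"PHONE-PUBKEY-PLACEHOLDER": {"allowed-ips": ["10.2.1.5/32"],
              "persistent-keepalive": 25}}],
    "private-key": "/config/auth/wireguard/wg_private.key",
    "route-allowed-ips": "true"}}}
}
""")

def check_wireguard_config(cfg, vpn_group="remote_user_vpn_network"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    wg = cfg["interfaces"]["wireguard"]["wg0"]
    wg_nets = [ipaddress.ip_interface(a).network for a in wg["address"]]
    # Firewall rules that reference the network-group only match VPN clients
    # if the group actually contains the wg0 subnet(s).
    group_nets = {ipaddress.ip_network(n) for n in
                  cfg["firewall"]["group"]["network-group"][vpn_group]["network"]}
    for net in wg_nets:
        if net not in group_nets:
            findings.append(f"wg0 subnet {net} missing from network-group {vpn_group}")
    port = int(wg["listen-port"])
    if not 1 <= port <= 65535:
        findings.append(f"listen-port {port} out of range")
    if not wg["private-key"].startswith("/config/auth/"):
        findings.append("private-key is not under /config/auth/ (the gist's persistent location)")
    seen = []
    for entry in wg["peer"]:
        for pubkey, peer in entry.items():
            for cidr in peer["allowed-ips"]:
                # allowed-ips is a CIDR prefix, not a netmask; a road-warrior client
                # should claim exactly one address (a /32), inside the wg0 subnet.
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen != net.max_prefixlen:
                    findings.append(f"{pubkey}: allowed-ips {cidr} is wider than a single host")
                if not any(w.version == net.version and net.subnet_of(w) for w in wg_nets):
                    findings.append(f"{pubkey}: allowed-ips {cidr} is outside the wg0 subnets")
                if any(s.version == net.version and net.overlaps(s) for s in seen):
                    findings.append(f"{pubkey}: allowed-ips {cidr} overlaps another peer")
                seen.append(net)
    return findings

if __name__ == "__main__":
    print(check_wireguard_config(SAMPLE_CONFIG) or "config looks consistent")
```

Run it against your own file with `check_wireguard_config(json.load(open("config.gateway.json")))` before provisioning; it does not check the WAN LOCAL rule, which the gist creates through the Controller UI rather than in this file.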
@vettronics

@simonkaiser9
Found out the problem :) (contribution from WireGuard/wireguard-vyatta-ubnt#109)
Besides having the routes, I also needed to have my local subnet in the allowed-ips of the remote server.

@cdoublejj

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.

That's assuming/presuming the host is running Linux and not Windows, like myself with Windows Server.

This file path is invalid.

@swinchen

swinchen commented Sep 5, 2022

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.

That's assuming/presuming the host is running Linux and not Windows, like myself with Windows Server.

This file path is invalid.

Well, that's your fault 🤕

@cdoublejj

cdoublejj commented Sep 5, 2022

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.
That's assuming/presuming the host is running Linux and not Windows, like myself with Windows Server.
This file path is invalid.

Well, that's your fault 🤕

If I could have chosen Linux, I def would have. Freedom is better.

@smdx2

smdx2 commented Mar 17, 2023

I really need help with this config... :(
I've managed to get WireGuard running on my USG. I am able to connect from my mobile phone to the WireGuard server on the USG, and from my USG I can ping both the mobile phone and the internal network when I SSH to the USG, but I cannot access internal LAN resources from the mobile phone when connected to the WireGuard server on the USG.

Any hints?

My config.gateway.json file:

{
  "firewall": {
    "group": {
      "network-group": {
        "remote_user_vpn_network": {
          "description": "Remote User VPN subnets",
          "network": [
            "192.168.5.0/24"
          ]
        }
      }
    }
  },
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": [
          "192.168.5.1/24"
        ],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "51821",
        "mtu": "1500",
        "peer": [{
          "public_key_of_android_phone": {
            "allowed-ips": [
              "192.168.5.50/32"
            ],
            "persistent-keepalive": 25
          }
        },
        {
          "public_key_of_another_device": {
            "allowed-ips": [
              "192.168.5.51/32"
            ],
            "persistent-keepalive": 25
          }
        }],
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true"
      }
    }
  }
}

My WireGuard configuration on the mobile phone:
Interface:
public_key_of_android_phone
address: 192.168.5.50/32

peer:
endpoint: public_FQDN:52821
public_key_of_usg
allowed_ips: 0.0.0.0/0
keep-alive: 25s

Output of the route command on the USG:
Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         (redacted) 0.0.0.0         UG    0      0        0 eth0
(redacted)     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.254.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1.2
192.168.5.0     *               255.255.255.0   U     0      0        0 wg0

Output of the wg command on the USG:

root@USG:~# wg
interface: wg0
  public key: (redacted)
  private key: (redacted)
  listening port: 51821

peer: (redacted)
  endpoint: (redacted):1304
  allowed ips: 192.168.5.50/32
  latest handshake: 41 seconds ago
  transfer: 60.14 KiB received, 105.39 KiB sent
  persistent keepalive: every 25 seconds

Any help would be much appreciated.
I've seen other forums with information, but typically very old ones...
