Download the latest ugw3 package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb.
cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key
Copy the example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller. Then, through the Controller Web UI, navigate to Devices, click on the USG row, and in the Properties window navigate to Config > Manage Device and click Provision.
To allow remote access, navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.
Note that the mask associated with the allowed-ips is not a netmask! I also found that provisioning failed with a /32 mask, with only some very vague errors in /var/log/messages.
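As an added illustration of the config.gateway.json step above (not the repository's example file), here is a constructed wireguard section in the vyatta-wireguard tree (interfaces wireguard wg0 ...) together with a small lint that checks the points the how-to raises: the private key sits under /config/auth, the listen-port matches the UDP port accepted by the WAN_LOCAL rule, and every allowed-ips entry is valid prefix notation rather than a netmask. The peer key string, the 192.168.5.0/24 tunnel addresses and the make_cfg/lint_wireguard helpers are assumptions for the example.

```python
import ipaddress


def make_cfg(allowed_ips="192.168.5.50/32",
             private_key="/config/auth/wireguard/wg_private.key"):
    """Constructed wireguard section of config.gateway.json for the USG.

    Follows the vyatta-wireguard tree (interfaces wireguard wg0 ...);
    the peer key below is a placeholder, not a real WireGuard public key.
    """
    return {"interfaces": {"wireguard": {"wg0": {
        "address": "192.168.5.1/24",
        "listen-port": "51820",
        "private-key": private_key,
        "route-allowed-ips": "true",
        "peer": {"public_key_of_android_phone": {"allowed-ips": allowed_ips}},
    }}}}


EXAMPLE_CFG = make_cfg()


def lint_wireguard(cfg, accepted_udp_ports):
    """Return a list of problems found in cfg's wireguard interfaces.

    accepted_udp_ports: destination ports the WAN_LOCAL chain accepts for
    UDP, e.g. {"51820"} for the rule created in the Controller UI.
    """
    problems = []
    for name, wg in cfg["interfaces"].get("wireguard", {}).items():
        key = wg.get("private-key", "")
        if not key.startswith("/config/auth/"):
            problems.append(f"{name}: private-key {key!r} is outside /config/auth")
        if wg.get("listen-port") not in accepted_udp_ports:
            problems.append(f"{name}: listen-port {wg.get('listen-port')} "
                            "is not accepted by any WAN_LOCAL udp rule")
        for pub, peer in wg.get("peer", {}).items():
            for cidr in peer.get("allowed-ips", "").split(","):
                try:
                    # allowed-ips is prefix notation; strict parsing rejects
                    # host bits under the prefix (e.g. 192.168.5.50/24)
                    net = ipaddress.ip_network(cidr.strip())
                except ValueError as err:
                    problems.append(f"{name} peer {pub}: bad allowed-ips {cidr!r} ({err})")
                    continue
                if net.prefixlen == 0 and wg.get("route-allowed-ips") == "true":
                    problems.append(f"{name} peer {pub}: {cidr} with route-allowed-ips "
                                    "would default-route the USG into the tunnel")
    return problems


if __name__ == "__main__":
    for p in lint_wireguard(make_cfg(allowed_ips="192.168.5.50/24"), {"51820"}):
        print(p)
```

Run against the clean config the lint reports nothing; a netmask-style entry such as 192.168.5.50/24 is rejected for having host bits set, and 0.0.0.0/0 on the USG-side peer is flagged because route-allowed-ips would turn it into a default route.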
I really need help with this config... :(
I've managed to get WireGuard running on my USG. I am able to connect from my mobile phone to the WireGuard server on the USG; from my USG I can ping both the mobile phone and the internal network when I SSH to the USG, but I cannot access internal LAN resources from the mobile phone when connected to the WireGuard server on the USG.
Any hints?
My config.gateway.json file:
My wireguard configuration on mobile phone:
Interface:
public_key_of_android_phone
address: 192.168.5.50/32
peer:
endpoint: public_FQDN:52821
public_key_of_usg
allowed_ips: 0.0.0.0/0
keep-alive: 25s
output of route command on USG:
Kernel IP routing table
output of wg command on USG:
Any help would be much appreciated.
I've seen other forums with information, but typically very old ones...