Ubiquiti USG configuration for Wireguard
# Client 1 (keys from client1_privatekey.key / client1_publickey.key)
[Interface]
PrivateKey = <content of client1_privatekey.key>
Address = 10.255.252.2/24
DNS = <internal DNS Server>
[Peer]
PublicKey = <content of wg_public.key>
Endpoint = <external-fqdn>:51820
AllowedIPs = <local subnets>, 10.255.252.0/24 # route only local subnet traffic through the tunnel
# AllowedIPs = 0.0.0.0/0, ::/0 # route all traffic through the tunnel

# Client 2 (keys from client2_privatekey.key / client2_publickey.key); its Address must be
# the /32 that the wg0 peer entry below allows for it, 10.255.252.3, not the same .2 as client 1
[Interface]
PrivateKey = <content of client2_privatekey.key>
Address = 10.255.252.3/24
DNS = <internal DNS Server>
[Peer]
PublicKey = <content of wg_public.key>
Endpoint = <external-fqdn>:51820
AllowedIPs = <local subnets>, 10.255.252.0/24 # route only local subnet traffic through the tunnel
# AllowedIPs = 0.0.0.0/0, ::/0 # route all traffic through the tunnel
{
  "port-forward": {
    "lan-interface": [
      "<ADD (V)LAN INTERFACES>",
      "wg0"
    ]
  },
  "firewall": {
    "group": {
      "network-group": {
        "remote_user_vpn_network": {
          "description": "Remote User VPN subnets",
          "network": [
            "10.255.252.0/24"
          ]
        }
      }
    }
  },
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": [
          "10.255.252.1/24"
        ],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "51820",
        "mtu": "1352",
        "peer": [
          {
            "<content of client1_publickey.key>": {
              "allowed-ips": [
                "10.255.252.2/32"
              ],
              "persistent-keepalive": 25
            }
          },
          {
            "<content of client2_publickey.key>": {
              "allowed-ips": [
                "10.255.252.3/32"
              ],
              "persistent-keepalive": 25
            }
          }
        ],
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true"
      }
    }
  }
}
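The two client .conf files and the wg0 block above have to agree with each other by hand: every client Address must be the /32 that its peer entry allows, no two clients may share one, the client Endpoint port must be the wg0 listen-port, the client AllowedIPs must cover the tunnel subnet, and private-key must really name the private key file. The checker below is an added example, not code from this gist or from wireguard-vyatta-ubnt; it parses both formats and reports every mismatch. Its sample data is constructed: CLIENT1_PUBKEY, CLIENT2_PUBKEY, SERVER_PUBKEY, C1_PRIV and C2_PRIV stand in for real keys, vpn.example.net for the external FQDN, 10.0.0.0/24 and 10.0.0.53 for the local subnet and DNS server, and the flawed sample deliberately contains two mistakes (private-key pointing at wg_public.key, and both clients given 10.255.252.2) so that the findings can be seen.

```python
"""Cross-check WireGuard client .conf files against the wg0 section of a USG
config.gateway.json.  Added example, not code from this gist or from
wireguard-vyatta-ubnt; all keys, hostnames and LAN ranges are placeholders."""
import ipaddress
import json


def parse_wg_conf(text):
    """Parse a WireGuard .conf into [{"_section": name, key: value, ...}]."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = {"_section": line[1:-1]}
            sections.append(cur)
        elif cur is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return sections


def check(gateway_json, clients):
    """Return findings as strings (empty list = consistent).
    gateway_json: config.gateway.json text; clients: {label: client conf text}."""
    findings = []
    wg0 = json.loads(gateway_json)["interfaces"]["wireguard"]["wg0"]
    tunnel = ipaddress.ip_interface(wg0["address"][0]).network
    listen_port = int(wg0["listen-port"])

    # private-key must name the private key; a public key here leaves wg0 dead
    key_path = wg0["private-key"]
    if "public" in key_path.rsplit("/", 1)[-1].lower():
        findings.append("private-key path looks like a public key file: " + key_path)

    # every peer gets one /32 inside the tunnel subnet, never shared
    peer_hosts = {}
    for entry in wg0["peer"]:
        for pubkey, peer in entry.items():
            for cidr in peer["allowed-ips"]:
                net = ipaddress.ip_network(cidr)
                if net.prefixlen != 32 or net.network_address not in tunnel:
                    findings.append("peer %s: allowed-ips %s is not a /32 in %s" % (pubkey, cidr, tunnel))
                if net.network_address in peer_hosts:
                    findings.append("peer %s: %s already assigned to %s" % (pubkey, cidr, peer_hosts[net.network_address]))
                peer_hosts[net.network_address] = pubkey

    # each client: unique Address matching a peer /32, right port, route into the tunnel
    client_hosts = {}
    for name, text in clients.items():
        sec = {s["_section"]: s for s in parse_wg_conf(text)}
        iface, peer = sec["Interface"], sec["Peer"]
        host = ipaddress.ip_interface(iface["Address"]).ip
        if host in client_hosts:
            findings.append("%s: Address %s is already used by %s" % (name, host, client_hosts[host]))
        client_hosts[host] = name
        if host not in peer_hosts:
            findings.append("%s: Address %s has no peer entry on wg0" % (name, host))
        port = int(peer["Endpoint"].rsplit(":", 1)[1])
        if port != listen_port:
            findings.append("%s: Endpoint port %d != listen-port %d" % (name, port, listen_port))
        allowed = [ipaddress.ip_network(c.strip(), strict=False) for c in peer["AllowedIPs"].split(",")]
        if not any(tunnel.network_address in n and tunnel.broadcast_address in n for n in allowed):
            findings.append("%s: AllowedIPs does not cover tunnel subnet %s" % (name, tunnel))

    # peer entries with no client behind them are stale or mistyped keys
    for host, pubkey in peer_hosts.items():
        if host not in client_hosts:
            findings.append("peer %s (%s) has no client config" % (pubkey, host))
    return findings


# Constructed sample wg0 block; private-key wrongly points at the public key file.
GATEWAY_JSON = """{"interfaces": {"wireguard": {"wg0": {
  "address": ["10.255.252.1/24"], "listen-port": "51820", "mtu": "1352",
  "peer": [
    {"CLIENT1_PUBKEY": {"allowed-ips": ["10.255.252.2/32"], "persistent-keepalive": 25}},
    {"CLIENT2_PUBKEY": {"allowed-ips": ["10.255.252.3/32"], "persistent-keepalive": 25}}
  ],
  "private-key": "/config/auth/wireguard/wg_public.key",
  "route-allowed-ips": "true"}}}}"""


def client_conf(address, privkey):
    """Constructed client .conf; 10.0.0.0/24 stands in for the local subnets."""
    return ("[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = 10.0.0.53\n"
            "[Peer]\nPublicKey = SERVER_PUBKEY\nEndpoint = vpn.example.net:51820\n"
            "AllowedIPs = 10.0.0.0/24, 10.255.252.0/24 # LAN plus tunnel\n") % (privkey, address)


def demo():
    """Flawed set (wrong key file, both clients on .2) versus the corrected set."""
    flawed = check(GATEWAY_JSON, {"client1": client_conf("10.255.252.2/24", "C1_PRIV"),
                                  "client2": client_conf("10.255.252.2/24", "C2_PRIV")})
    fixed = check(GATEWAY_JSON.replace("wg_public.key", "wg_private.key"),
                  {"client1": client_conf("10.255.252.2/24", "C1_PRIV"),
                   "client2": client_conf("10.255.252.3/24", "C2_PRIV")})
    return flawed, fixed


if __name__ == "__main__":
    flawed, fixed = demo()
    print("\n".join(flawed))                 # three findings for the flawed set
    print("fixed set: %d findings" % len(fixed))
```

To run it against a real deployment, read config.gateway.json and each client .conf from disk and pass the texts to check(). The "public" test on the key file name is only a heuristic; the definitive check on the USG is wg pubkey < the file named in private-key, which must print exactly the PublicKey the clients carry in their [Peer] section.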

The purpose is to have a WireGuard server running on the USG with configurations for two clients (client 1 and client 2 above) that connect to it.

Installation - First steps

Follow the instructions for downloading and installing the WireGuard package here: https://github.com/WireGuard/wireguard-vyatta-ubnt

RELEASE and BOARD in the commands below are shell variables you have to set first: RELEASE is the release tag from that repository's releases page and BOARD is the board name of your gateway as listed in its README (for example ugw3 for the USG 3P and ugw4 for the USG Pro 4). The .deb is board-specific, so pick the one that matches your hardware.

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
sudo dpkg -i ${BOARD}-${RELEASE}.deb

Once the package has been installed, execute the following:

cd /config/auth
umask 077
mkdir wireguard
cd wireguard

Generate all keys (1x server, 2x client) in /config/auth/wireguard/. The umask 077 set above makes every key file mode 0600 and the directory 0700 (confirm with ls -la); the USG reads only the server private key from this path, the client private keys are copied into the client configs above and can be deleted from the gateway afterwards.

wg genkey | tee wg_private.key | wg pubkey > wg_public.key # to create server keys
wg genkey | tee client1_privatekey.key | wg pubkey > client1_publickey.key # to create the first client keys
wg genkey | tee client2_privatekey.key | wg pubkey > client2_publickey.key # to create the second client keys

The config.gateway.json file

UniFi gateways are pretty similar to the EdgeRouter products from Ubiquiti, with one crucial difference: any configuration change made from the CLI is wiped out on reboot, or on the next configuration push from the controller. The UniFi Controller is nice, but it does not expose the full range of EdgeOS features that we need here.

Thankfully there is a solution: config.gateway.json. This file is layered over the base configuration that the controller generates and allows much more control of a USG.

Copy the example config.gateway.json to <unifi_base>/unifi/data/sites/default on the host running the Controller. The site directory may differ and not be called default: other sites use their short site name as shown in the controller URL, not their description. Validate the file before provisioning (for example python -m json.tool config.gateway.json); a file that is not valid JSON makes the USG fail provisioning and the controller keeps retrying until the file is fixed or removed.

Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

Firewall

To allow remote access, navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule that accepts UDP traffic to port 51820. This is the only inbound hole needed: WireGuard does not respond to unauthenticated packets, so the open port is silent to scans.

Note what the config.gateway.json above does on the inside of the tunnel: it attaches the LAN_IN, LAN_LOCAL and LAN_OUT rulesets to wg0, so a connected client gets the same access as a device on the LAN. The remote_user_vpn_network group (10.255.252.0/24) is defined but not referenced by any rule; use it as the source group in LAN_IN rules if VPN clients should reach fewer hosts than the LAN does.

Verify after provisioning: sudo netstat -npl | grep 51820 | grep udp

And once a client is connected: sudo show interfaces wireguard wg0 endpoints (or sudo wg show wg0, which also prints the latest handshake time and transfer counters per peer; a handshake only appears after the client has sent its first packet).

Persistent Setup (after reboot and/or upgrade)

A firmware upgrade replaces the root filesystem and with it the wireguard package, while /config survives upgrades and reboots. EdgeOS runs every executable in /config/scripts/post-config.d/ at boot once the configuration has loaded, so the install-pkgs script below reinstalls any .deb kept in /config/data/install-packages/. Keep that directory stocked with the current release for your board from
https://github.com/WireGuard/wireguard-vyatta-ubnt/releases

curl -O https://raw.githubusercontent.com/britannic/install-edgeos-packages/master/install-pkgs
sudo install -o root -g root -m 0755 install-pkgs /config/scripts/post-config.d/install-pkgs
#!/usr/bin/env bash
# UniFi Security Gateways and EdgeOS Package Updater
# This script checks /config/data/install-packages/ for downloaded
# packages and installs any that aren't installed
#
# Author: Neil Beadle

downloads=/config/data/install-packages

cd "$downloads" || exit 1

for pkg in *.deb; do
  [ -f "$pkg" ] || continue        # directory empty: the glob did not expand
  # Package name as declared inside the .deb, e.g. "wireguard"
  name=$(dpkg --info "$pkg" | awk '/^ *Package: /{ print $NF }')
  # Install only if dpkg does not already report the package as installed
  dpkg-query -W --showformat='${Status}\n' "$name" 2>/dev/null | grep -q 'install ok installed' \
    || dpkg -i "$pkg"
done

cd - > /dev/null
sudo mkdir -p /config/data/install-packages
cd /config/data/install-packages
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb

Removal

sudo rm /config/scripts/post-config.d/install-pkgs
sudo dpkg --remove wireguard
sudo rm -rf /config/auth/wireguard
sudo rm -rf /config/data/install-packages

Remove the file config.gateway.json from <unifi_base>/unifi/data/sites/default on the host running the Controller. The site may differ and not be called default.

Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

Remove remote access. Navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and remove the rule to accept UDP traffic to port 51820.
