@xirixiz
Forked from pamolloy/README.md
Last active February 25, 2024 22:12
Ubiquiti USG configuration for Wireguard
Client 1 configuration:

[Interface]
PrivateKey = <content of client1_privatekey.key>
Address = 10.255.252.2/24
DNS = <internal DNS Server>

[Peer]
PublicKey = <content of wg_public.key>
Endpoint = <external-fqdn>:51820
AllowedIPs = <local subnets>, 10.255.252.0/24 # route only local subnet traffic through the tunnel
# AllowedIPs = 0.0.0.0/0, ::/0 # route all traffic through the tunnel

Client 2 configuration (note the distinct tunnel address, matching the second peer's allowed-ips below):

[Interface]
PrivateKey = <content of client2_privatekey.key>
Address = 10.255.252.3/24
DNS = <internal DNS Server>

[Peer]
PublicKey = <content of wg_public.key>
Endpoint = <external-fqdn>:51820
AllowedIPs = <local subnets>, 10.255.252.0/24 # route only local subnet traffic through the tunnel
# AllowedIPs = 0.0.0.0/0, ::/0 # route all traffic through the tunnel
config.gateway.json:

{
  "port-forward": {
    "lan-interface": [
      "<ADD (V)LAN INTERFACES>",
      "wg0"
    ]
  },
  "firewall": {
    "group": {
      "network-group": {
        "remote_user_vpn_network": {
          "description": "Remote User VPN subnets",
          "network": [
            "10.255.252.0/24"
          ]
        }
      }
    }
  },
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": [
          "10.255.252.1/24"
        ],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "51820",
        "mtu": "1352",
        "peer": [
          {
            "<content of client1_publickey.key>": {
              "allowed-ips": [
                "10.255.252.2/32"
              ],
              "persistent-keepalive": 25
            }
          },
          {
            "<content of client2_publickey.key>": {
              "allowed-ips": [
                "10.255.252.3/32"
              ],
              "persistent-keepalive": 25
            }
          }
        ],
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true"
      }
    }
  }
}

The purpose is to have a WireGuard server running on the USG, with a configuration for two clients that connect to it.

Installation - First steps

Follow the instructions for downloading and installing the WireGuard package here: https://github.com/WireGuard/wireguard-vyatta-ubnt

Set ${BOARD} to your gateway's board name and ${RELEASE} to the release version you want (both as described in that README), then:

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
sudo dpkg -i ${BOARD}-${RELEASE}.deb

Once the package has been installed, execute the following:

cd /config/auth
umask 077
mkdir wireguard
cd wireguard

Generate all keys (one server key pair, two client key pairs) in /config/auth/wireguard/:

wg genkey | tee wg_private.key | wg pubkey > wg_public.key # to create server keys
wg genkey | tee client1_privatekey.key | wg pubkey > client1_publickey.key # to create the first client keys
wg genkey | tee client2_privatekey.key | wg pubkey > client2_publickey.key # to create the second client keys

The config.gateway.json file

UniFi gateways are pretty similar to EdgeRouter products from Ubiquiti, with a crucial difference: any config changes made from the CLI are wiped out on reboot, or on any config change pushed from the Controller. The UniFi Controller is nice, but does not support the full range of EdgeOS features that we can use.

Thankfully there is a solution – config.gateway.json. This file is layered over the base config that gets generated by UniFi, and allows much more control of a USG.

Copy example config.gateway.json to <unifi_base>/unifi/data/sites/default on the host running the Controller. The site may differ and not be called default.

Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
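Before provisioning it is worth checking that config.gateway.json and the client configs actually agree with each other. The following is an added example (not part of the gist) in Python: it parses a constructed wg0 block and two constructed client configs, and flags a private-key path that points at the public key as well as a client whose Address does not fall inside the /32 the server allows for that peer. The public-key placeholders and vpn.example endpoint are constructed sample values.

```python
import json
import re
from ipaddress import ip_interface, ip_network

# Constructed wg0 block of config.gateway.json; private-key wrongly points at the public key.
GATEWAY_JSON = json.loads("""{"interfaces": {"wireguard": {"wg0": {
  "address": ["10.255.252.1/24"], "listen-port": "51820",
  "peer": [{"<client1 pubkey>": {"allowed-ips": ["10.255.252.2/32"]}},
           {"<client2 pubkey>": {"allowed-ips": ["10.255.252.3/32"]}}],
  "private-key": "/config/auth/wireguard/wg_public.key"}}}}""")
# Constructed client configs keyed by public key; client2 reuses client1's address.
CLIENT_CONFS = {
    "<client1 pubkey>": "[Interface]\nAddress = 10.255.252.2/24\n[Peer]\nEndpoint = vpn.example:51820\n",
    "<client2 pubkey>": "[Interface]\nAddress = 10.255.252.2/24\n[Peer]\nEndpoint = vpn.example:51820\n",
}

def parse_wg_conf(text):
    """Minimal parser for WireGuard's INI-style config; '#' starts a comment."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections

def check(gateway, client_confs):
    """Return a list of problems; an empty list means both sides agree."""
    wg0 = gateway["interfaces"]["wireguard"]["wg0"]
    problems = []
    if not wg0["private-key"].endswith("_private.key"):
        problems.append("wg0 private-key does not point at the server private key")
    # Each peer's public key maps to the single /32 the server routes to it.
    allowed = {k: ip_network(v["allowed-ips"][0]) for p in wg0["peer"] for k, v in p.items()}
    for pubkey, text in client_confs.items():
        conf = parse_wg_conf(text)
        addr = ip_interface(conf["Interface"]["Address"]).ip
        port = conf["Peer"]["Endpoint"].rsplit(":", 1)[1]
        if pubkey not in allowed:
            problems.append(f"{pubkey}: not configured as a peer on wg0")
        elif addr not in allowed[pubkey]:
            problems.append(f"{pubkey}: Address {addr} is outside allowed-ips {allowed[pubkey]}")
        if port != wg0["listen-port"]:
            problems.append(f"{pubkey}: Endpoint port {port} differs from listen-port {wg0['listen-port']}")
    return problems
```

Run it against your real files by loading config.gateway.json with json.load and reading each client .conf into CLIENT_CONFS keyed by that client's public key.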

Firewall

To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.

Verify after provisioning: sudo netstat -npl | grep 51820 | grep udp

And once a client is connected: sudo show interfaces wireguard wg0 endpoints

Persistent Setup (after reboot and/or upgrade)

WireGuard packages for the gateway are published at https://github.com/WireGuard/wireguard-vyatta-ubnt/releases

Install the install-pkgs post-config script, so that packages placed in /config/data/install-packages are re-installed automatically after a reboot or firmware upgrade:

curl -O https://raw.githubusercontent.com/britannic/install-edgeos-packages/master/install-pkgs
sudo install -o root -g root -m 0755 install-pkgs /config/scripts/post-config.d/install-pkgs

Contents of install-pkgs, for reference:

#!/usr/bin/env bash
# UniFi Security Gateways and EdgeOS Package Updater
# This script checks /config/data/install-packages/ for downloaded
# packages and installs any that aren't installed
#
# Author: Neil Beadle

downloads=/config/data/install-packages

cd "$downloads" || exit 1

for pkg in *; do
  [ -e "$pkg" ] || continue   # directory is empty, nothing to install
  # Read the package name from the .deb; install it only if dpkg does not know it yet
  dpkg-query -W --showformat='${Status}\n' \
  "$(dpkg --info "${pkg}" | \
  grep "Package: " | \
  awk -F' ' '{ print $NF}')" > /dev/null 2>&1 || dpkg -i "${pkg}"
done

cd -

Then create the package directory and download the WireGuard package into it (same ${RELEASE} and ${BOARD} as used during installation):

sudo mkdir -p /config/data/install-packages
cd /config/data/install-packages
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb

Removal

sudo rm /config/scripts/post-config.d/install-pkgs
sudo dpkg --remove wireguard
sudo rm -rf /config/auth/wireguard
sudo rm -rf /config/data/install-packages

Remove the file config.gateway.json from <unifi_base>/unifi/data/sites/default on the host running the Controller. The site may differ and not be called default.

Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

Remove remote access. Navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and remove the rule to accept UDP traffic to port 51820.

@goeschlm

After a few hours fighting with the WireGuard configuration, I finally got it working ;-)

The problem was two different public keys of the server (USG).

I don't know why, but if I run the command "sudo wg" the terminal shows me a different public key than the /config/auth/wireguard/wg_publickey

With the public key which is shown by the command, the connection is working.

Do you have any idea where the different publickey is coming from?

Thanks a lot!

@laszlojau

laszlojau commented Sep 19, 2023

Thanks for the guide. There's a slight issue, but after fixing that, it's all working perfectly. Line 57 in config.gateway.json currently points to the public key instead of the private one:

                "private-key": "/config/auth/wireguard/wg_public.key",

The correct value is wg_private.key:

                "private-key": "/config/auth/wireguard/wg_private.key",

@goeschlm FYI, I think the above may have caused your issues too.

@xirixiz
Author

xirixiz commented Jan 8, 2024

Thanks for the guide. There's a slight issue, but after fixing that, it's all working perfectly. Line 57 in config.gateway.json currently points to the public key instead of the private one:

                "private-key": "/config/auth/wireguard/wg_public.key",

The correct value is wg_private.key:

                "private-key": "/config/auth/wireguard/wg_private.key",

@goeschlm FYI, I think the above may have caused your issues too.

Pretty late reply, but I've updated the gist. Thanks!
