Ubiquiti USG configuration for Wireguard

client1-wg0.conf

[Interface]
Address = 10.255.252.2/32
PrivateKey = <CLIENT 1 PRIVATE KEY>
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER PUBLIC KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER PUBLIC IP>:51820
# PersistentkeepAlive = 25

client2-wg0.conf

[Interface]
Address = 10.255.252.3/32
PrivateKey = <CLIENT 2 PRIVATE KEY>
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER PUBLIC KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER PUBLIC IP>:51820
# PersistentkeepAlive = 25

config.gateway.json

{
    "port-forward": {
        "lan-interface": [
            "<ADD (V)LAN INTERFACES>",
            "wg0"
        ]
    },
    "firewall": {
        "group": {
            "network-group": {
                "remote_user_vpn_network": {
                    "description": "Remote User VPN subnets",
                    "network": [
                        "10.255.252.0/24"
                    ]
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "address": [
                    "10.255.252.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "51820",
                "mtu": "1352",
                "peer": [
                    {
                        "<CLIENT 1 PUBLICKEY>": {
                            "allowed-ips": [
                                "10.255.252.2/32"
                            ],
                            "persistent-keepalive": 25
                        }
                    },
                    {
                        "<CLIENT 2 PUBLICKEY>": {
                            "allowed-ips": [
                                "10.255.252.3/32"
                            ],
                            "persistent-keepalive": 25
                        }
                    }
                ],
                "private-key": "/config/auth/wireguard/server_privatekey.key",
                "route-allowed-ips": "true"
            }
        }
    }
}

UGW3_Wireguard.md

The purpouse is to have a WireGuard server running with a configuration for 2 clients to connect to the WireGuard server.

Installation

Follow the instructions for downloading and installing the WireGuard package here: https://github.com/WireGuard/wireguard-vyatta-ubnt

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
sudo dpkg -i ${BOARD}-${RELEASE}.deb

Once the package has been installed, execute the following:

cd /config/auth
umask 077
mkdir wireguard
cd wireguard

Generate all keys (1x server, 2x client) - Path: /config/auth/wireguard/

wg genkey > server_privatekey.key
wg pubkey < server_privatekey.key > server_publickey_client1.key
wg pubkey < server_privatekey.key > server_publickey_client2.key
wg genkey | tee client1_privatekey.key | wg pubkey > client1_publickey.key
wg genkey | tee client2_privatekey.key | wg pubkey > client2_publickey.key
chmod 600 *.key

Copy example config.gateway.json to <unifi_base>/unifi/data/sites/default on the host running the Controller. The site may differ and not be called default.

Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.

Verify after provisioning: sudo netstat -npl | grep 51820 | grep udp

And once a client is connected: sudo show interfaces wireguard wg0 endpoints

Persistent Setup (after reboot and/or upgrade) - https://github.com/WireGuard/wireguard-vyatta-ubnt/releases

curl -O https://raw.githubusercontent.com/britannic/install-edgeos-packages/master/install-pkgs
sudo install -o root -g root -m 0755 install-pkgs /config/scripts/post-config.d/install-pkgs

#!/usr/bin/env bash
# UniFi Security Gateways and EdgeOS Package Updater
# This script checks /config/data/install-packages/ for downloaded
# packages and installs any that aren't installed
#
# Author: Neil Beadle


downloads=/config/data/install-packages

cd $downloads

for pkg in *; do
  dpkg-query -W --showformat='${Status}\n' \
  $(dpkg --info "${pkg}" | \
  grep "Package: " | \
  awk -F' ' '{ print $NF}') > /dev/null 2>&1 || dpkg -i ${pkg}
done

cd -

sudo mkdir -p /config/data/install-packages
cd /config/data/install-packages
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb

Removal

sudo rm /config/scripts/post-config.d/install-pkgs
sudo dpkg --remove wireguard
sudo rm -rf /config/auth/wireguard
sudo rm -rf /config/data/install-packages

Remove the file config.gateway.json from <unifi_base>/unifi/data/sites/default on the host running the Controller. The site may differ and not be called default.

Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

Remove remote access. Navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and remove the rule to accept UDP traffic to port 51820.