Setting Up Wireguard on the Ubiquiti USG


On my home network, I run a number of services not exposed to the outside world. However, when on the road, it would sometimes be nice to be able to get access to my local network. To set up Wireguard, I essentially followed this gist.

The internal network is 192.168.0.0/19 which allows addresses up to 192.168.31.255. I chose the next /24 to be the network for the Wireguard interface to use. The following configuration file, config.gateway.json, is used to provision the USG. It’s stored in the Docker data directory, /var/mnt/apps/unifi/data/sites/default.

{
    "firewall": {
        "group": {
            "network-group": {
                "remote_user_vpn_network": {
                    "description": "Remote User VPN subnets",
                    "network": [
                        "192.168.32.0/24"
                    ]
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "address": [
                    "192.168.32.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "51820",
                "mtu": "1500",
                "peer": [
                    {
                        "PUBLIC_KEY_OF_LAPTOP": {
                            "allowed-ips": [
                                "192.168.32.10/32"
                            ],
                            "persistent-keepalive": 30
                        }
                    },
                    {
                        "PUBLIC_KEY_OF_PHONE": {
                            "allowed-ips": [
                                "192.168.32.11/32"
                            ],
                            "persistent-keepalive": 30
                        }
                    }
                ],
                "private-key": "/config/auth/wireguard/wg_private.key",
                "route-allowed-ips": "true"
            }
        }
    }
}

Once the file is in place, forcing a provision of the USG will create the Wireguard interface and configuration.
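An added check, not part of the original post: the script below parses a config.gateway.json excerpt like the one above, verifies that every peer's allowed-ips sit inside the wg0 subnet and overlap no other peer, that the remote_user_vpn_network group actually lists that subnet, and emits the matching client-side WireGuard file for one peer. The endpoint hostname vpn.example.com and the key placeholders are assumptions.

```python
import ipaddress
import json

# Constructed excerpt mirroring the config.gateway.json above; the public keys are
# the same placeholders the post uses, not real keys.
GATEWAY_JSON = """{"firewall": {"group": {"network-group": {"remote_user_vpn_network":
  {"network": ["192.168.32.0/24"]}}}},
 "interfaces": {"wireguard": {"wg0": {"address": ["192.168.32.1/24"], "listen-port": "51820",
  "peer": [{"PUBLIC_KEY_OF_LAPTOP": {"allowed-ips": ["192.168.32.10/32"], "persistent-keepalive": 30}},
           {"PUBLIC_KEY_OF_PHONE": {"allowed-ips": ["192.168.32.11/32"], "persistent-keepalive": 30}}]}}}}"""
GATEWAY = json.loads(GATEWAY_JSON)

def check_wg0(cfg):
    """Return problems found in the wg0 stanza; an empty list means it is consistent."""
    wg0 = cfg["interfaces"]["wireguard"]["wg0"]
    tunnel = ipaddress.ip_interface(wg0["address"][0]).network
    groups = cfg["firewall"]["group"]["network-group"].values()
    group_nets = {ipaddress.ip_network(n) for g in groups for n in g["network"]}
    problems = []
    if tunnel not in group_nets:
        problems.append(f"no firewall network-group lists the tunnel subnet {tunnel}")
    seen = []  # (pubkey, network) pairs already claimed by earlier peers
    for entry in wg0["peer"]:
        for pubkey, peer in entry.items():
            for cidr in peer["allowed-ips"]:
                net = ipaddress.ip_network(cidr)
                if not net.subnet_of(tunnel):
                    problems.append(f"{pubkey}: {cidr} lies outside {tunnel}")
                for other_key, other in seen:
                    if net.overlaps(other):
                        problems.append(f"{pubkey}: {cidr} overlaps {other_key} ({other})")
                seen.append((pubkey, net))
    return problems

def client_config(cfg, pubkey, endpoint_host, lan="192.168.0.0/19"):
    """Build the [Interface]/[Peer] file for one peer from the gateway's view of it."""
    wg0 = cfg["interfaces"]["wireguard"]["wg0"]
    peer = next(e[pubkey] for e in wg0["peer"] if pubkey in e)
    tunnel = ipaddress.ip_interface(wg0["address"][0]).network
    # AllowedIPs routes only the home LAN and the tunnel subnet through the USG.
    return f"""[Interface]
Address = {peer['allowed-ips'][0]}
PrivateKey = <this device's private key>

[Peer]
PublicKey = <public key matching the USG's wg_private.key>
Endpoint = {endpoint_host}:{wg0['listen-port']}
AllowedIPs = {lan}, {tunnel}
PersistentKeepalive = {peer['persistent-keepalive']}"""
```

Run check_wg0 on the parsed file before forcing a provision; a peer whose allowed-ips overlap another's silently steals that peer's traffic, which the USG will not flag.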

How to Update:

After a USG firmware update, the Wireguard package is no longer installed and must be reinstalled. Download the latest release and install it on the USG with:

# Board identifier for the USG (ugw3) and the wireguard-vyatta-ubnt release to install
BOARD="ugw3"
RELEASE="1.0.20210424-1"
# Fetch the .deb for this board from the GitHub release and install it
curl -OL "https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-v1-v${RELEASE}-v${RELEASE}.deb"
sudo dpkg -i "${BOARD}-v1-v${RELEASE}-v${RELEASE}.deb"

Once the package is re-installed, the USG will be re-provisioned.

About the author

Patrick Lawrence
