Setting Up Wireguard on the Ubiquiti USG


On my home network, I run a number of services that are not exposed to the outside world. When I'm on the road, though, it is sometimes useful to be able to reach that network. To set up Wireguard, I essentially followed this gist.

The internal network is 192.168.0.0/19, which covers addresses up to 192.168.31.255. I chose the next /24, 192.168.32.0/24, as the network for the Wireguard interface. The following configuration file, config.gateway.json, is used to provision the USG. It is stored in the Docker data directory, /var/mnt/apps/unifi/data/sites/default.

{
    "firewall": {
        "group": {
            "network-group": {
                "remote_user_vpn_network": {
                    "description": "Remote User VPN subnets",
                    "network": [
                        "192.168.32.0/24"
                    ]
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "address": [
                    "192.168.32.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "51820",
                "mtu": "1500",
                "peer": [
                    {
                        "PUBLIC_KEY_OF_LAPTOP": {
                            "allowed-ips": [
                                "192.168.32.10/32"
                            ],
                            "persistent-keepalive": 30
                        }
                    },
                    {
                        "PUBLIC_KEY_OF_PHONE": {
                            "allowed-ips": [
                                "192.168.32.11/32"
                            ],
                            "persistent-keepalive": 30
                        }
                    }
                ],
                "private-key": "/config/auth/wireguard/wg_private.key",
                "route-allowed-ips": "true"
            }
        }
    }
}

Once the file is in place, forcing a provision of the USG will create the Wireguard interface and configuration.
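As an added example (mine, not code from this post or from the gist it follows), a small Python check that a config.gateway.json shaped like the one above keeps the tunnel subnet disjoint from the LAN, gives each peer exactly one /32 inside the tunnel, binds all three firewall rulesets, and keeps the private key in a file rather than inline; next_subnet() also computes the "next /24" after the /19. The embedded JSON is a constructed copy of the wg0 stanza with the same placeholder peer keys.

```python
import ipaddress
import json

# Constructed sample: the wg0 stanza from a config.gateway.json shaped like the one
# in this post, with the same placeholder peer keys (not real public keys).
CONFIG = json.loads("""{"interfaces": {"wireguard": {"wg0": {
  "address": ["192.168.32.1/24"],
  "firewall": {"in": {"name": "LAN_IN"}, "local": {"name": "LAN_LOCAL"},
               "out": {"name": "LAN_OUT"}},
  "listen-port": "51820",
  "peer": [
    {"PUBLIC_KEY_OF_LAPTOP": {"allowed-ips": ["192.168.32.10/32"], "persistent-keepalive": 30}},
    {"PUBLIC_KEY_OF_PHONE":  {"allowed-ips": ["192.168.32.11/32"], "persistent-keepalive": 30}}
  ],
  "private-key": "/config/auth/wireguard/wg_private.key",
  "route-allowed-ips": "true"
}}}}""")

LAN = ipaddress.ip_network("192.168.0.0/19")  # the post's internal network

def next_subnet(lan, prefixlen=24):
    """First /prefixlen block directly after `lan` (the post's "next /24")."""
    return ipaddress.ip_network((int(lan.broadcast_address) + 1, prefixlen))

def check_wg_config(cfg, lan):
    """Return the list of problems found in the wg0 stanza; an empty list means it passes."""
    wg = cfg["interfaces"]["wireguard"]["wg0"]
    tunnel = ipaddress.ip_interface(wg["address"][0]).network
    problems = []
    if tunnel.overlaps(lan):  # a tunnel inside the LAN range would shadow real hosts
        problems.append(f"tunnel {tunnel} overlaps LAN {lan}")
    for direction in ("in", "local", "out"):  # every direction needs a ruleset bound
        if direction not in wg.get("firewall", {}):
            problems.append(f"no firewall ruleset bound for '{direction}'")
    if not wg.get("private-key", "").startswith("/config/"):
        problems.append("private-key should be a file under /config, not an inline key")
    seen = set()
    for entry in wg["peer"]:
        for pubkey, peer in entry.items():
            for cidr in peer["allowed-ips"]:
                net = ipaddress.ip_network(cidr)
                if net.prefixlen != 32:  # one address per peer, nothing wider
                    problems.append(f"{pubkey}: allowed-ips {cidr} is wider than one host")
                if not net.subnet_of(tunnel):
                    problems.append(f"{pubkey}: {cidr} lies outside tunnel {tunnel}")
                if net in seen:  # two peers claiming the same IP compete for the route
                    problems.append(f"{pubkey}: {cidr} is assigned to more than one peer")
                seen.add(net)
    return problems
```

Run check_wg_config() against your own file before provisioning; a peer given a wide allowed-ips such as 0.0.0.0/0 is flagged twice, once for the width and once for lying outside the tunnel.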

About the author

Patrick Lawrence
