Ubiquiti USG configuration for Wireguard

README.md

Download the latest ugw3 package from https://github.com/Lochnair/vyatta-wireguard/releases and install it on your USG using dpkg -i wireguard-ugw3-<version>.deb.

cd /config/auth
umask 077
mkdir wireguard
cd wireguard
wg genkey > wg_private.key
wg pubkey < wg_private.key > wg_public.key

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller. Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.

To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.

Note that the mask associated with the allowed-ips is not a netmask! I also found that provisioning failed with a /32 mask with only some very vague errors in /var/log/messages.

See also

• Release: WireGuard for EdgeRouter
• Tips for setting up wireguard site-to-site VPN
• WireGuard VPN server setup on USG
• Systemd example network configuration
• Installing WireGuard on routers running OpenWrt and LuCI

config.gateway.json

{
    "firewall": {
        "group": {
            "network-group": {
                "remote_user_vpn_network": {
                    "description": "Remote User VPN subnets",
                    "network": [
                        "10.2.1.0/24"
                    ]
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "address": [
                    "10.2.1.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "51820",
                "mtu": "1352",
                "peer": [{
                    "ANDROID-PHONE-PUBLIC-KEY": {
                        "allowed-ips": [
                            "10.2.1.5/32"
                        ],
                        "persistent-keepalive": 25
                    }
                }],
                "private-key": "/config/auth/wireguard/wg_private.key",
                "route-allowed-ips": "true"
            }
        }
    }
}

@ruchette I have the exact same problem since yesterday and it seems to coincite with the UniFi controller update as well.
Deleting the static route made the provisioning work again, as the error message in the log looked as if the route-allowed-ips config for wireguard now clashes with the additional manually entered static route.
My error was the same as this one:

Lochnair/vyatta-wireguard#137

It‘s currently not working for me. We‘ll see what I can find.

Question,

In LAN OUT I drop everything from the WireGuard VLAN to all internal IP (RC1819) and i have allow rules to allow communication to specific servers. This works.
But from the WireGuard client i can Web&SSH to all gateways. It dont matter if i Drop all Web/SSH to All Gateways.
I did try, WAN Local, LAN in, Lan Out, Lan Local. But nothing is blocking this traffic.

Has anyone a idea about how to block the gateways access?

@simonkaiser9 @ruchette I have the same problem.
I have setup the USG as a Wireguard Client.
The connection is established. From the USG SSH command line I can ping the remote wireguard server and all devices in remote Lan.
I cannot ping the remote devices from any of my local lan pcs...
Local Lan 192.168.2.x ; Remote Lan 192.168.1.x
I can see the route is set on USG:
"192.168.1.0/24 dev wg0 scope link"

Help!! I have spent 2 days on this :$

@vettronics I am - to be quite honest - not one hundred percent sure why my setup is now working flawlessly, but I got rid of the static route and have "route-allowed-ips" set to "true" for wg0. Routing between my two connected sites works perfect right now. There are no additional routes configured...

@simonkaiser9
Found out the problem :) (contribution from WireGuard/wireguard-vyatta-ubnt#109)
Besides having the routes I also needed to have the my local subnet on the allowedips of the remote server.

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.

thats assuming/presuming the host is running linux and not windows like my self with windows server.

this file path is invalid

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.

thats assuming/presuming the host is running linux and not windows like my self with windows server.

this file path is invalid

Well, that's your fault 🤕

Copy example config.gateway.json to /var/lib/unifi/data/sites/default on the host running the Controller.
thats assuming/presuming the host is running linux and not windows like my self with windows server.
this file path is invalid

Well, that's your fault 🤕

If I could have chose Linux, I def would have. Freedom is better.

I really need help with this config... :(
I've managed to put wireguard running on my USG, I am able to connect from mobile phone to wireguard server on USG, from my USG I can ping both mobile phone, and internal network when I ssh to my USG, but I cannot access internal LAN resources via mobile phone when connected to wireguard server on USG.

Any hints?

My config.gateway.json file:

{
	"firewall": {
		"group": {
			"network-group": {
				"remote_user_vpn_network": {
					"description": "Remote User VPN subnets",
					"network": [
						"192.168.5.0/24"
					]
				}
			}
		}
	},
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": [
          "192.168.5.1/24"  
        ],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "51821",  
        "mtu": "1500",
        "peer": [{
          "public_key_of_android_phone": {   
            "allowed-ips": [
              "192.168.5.50/32"               
            ],
            "persistent-keepalive": 25
          }
        },
        {
          "public_key_of_another_device": {   
            "allowed-ips": [
              "192.168.5.51/32"
            ],
            "persistent-keepalive": 25
          }
        }],
        "private-key": "/config/auth/wireguard/wg_private.key",  
        "route-allowed-ips": "true"
      }
    }
  }
}

My wireguard configuration on mobile phone:
Interface:
public_key_of_android_phone
address: 192.168.5.50/32

peer:
endpoint: public_FQDN:52821
public_key_of_usg
allowed_ips: 0.0.0.0/0
keep-alive: 25s

output of route command on USG:
Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         (redacted) 0.0.0.0         UG    0      0        0 eth0
(redacted)     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.254.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1.2
192.168.5.0     *               255.255.255.0   U     0      0        0 wg0

output of wg command on USG:

root@USG:~# wg
interface: wg0
  public key: (redacted)
  private key: (redacted)
  listening port: 51821

peer: (redacted)
  endpoint: (redacted):1304
  allowed ips: 192.168.5.50/32
  latest handshake: 41 seconds ago
  transfer: 60.14 KiB received, 105.39 KiB sent
  persistent keepalive: every 25 seconds

Any help would be much appreciated.
I've seen other forums with information, but typically very old one...