The purpouse is to have a WireGuard server running with a configuration for 2 clients to connect to the WireGuard server.
Follow the instructions for downloading and installing the WireGuard package here: https://github.com/WireGuard/wireguard-vyatta-ubnt
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
sudo dpkg -i ${BOARD}-${RELEASE}.deb
Once the package has been installed, execute the following:
cd /config/auth
umask 077
mkdir wireguard
cd wireguard
Generate all keys (1x server, 2x client) - Path: /config/auth/wireguard/
wg genkey | tee wg_private.key | wg pubkey > wg_public.key # to create server keys
wg genkey | tee client1_privatekey.key | wg pubkey > client1_publickey.key # to create the first client keys
wg genkey | tee client2_privatekey.key | wg pubkey > client2_publickey.key # to create the second client keys
UniFi gateways are pretty similar to EdgeRouter products from Ubiquiti, with a crucial difference. Any config changes done from the CLI are wiped out on reboots, or any config changes from the controller. the UniFi Controller is nice, but does not support the full range of EdgeOS features that we can use.
Thankfully there is a solution – config.gateway.json. This file is layered over the base config that gets generated by UniFi, and allows much more control of a USG.
Copy example config.gateway.json
to <unifi_base>/unifi/data/sites/default
on the host running the Controller. The site may differ and not be called default
.
Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
To allow remote access navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and create a new rule to accept UDP traffic to port 51820.
Verify after provisioning:
sudo netstat -npl | grep 51820 | grep udp
And once a client is connected:
sudo show interfaces wireguard wg0 endpoints
https://github.com/WireGuard/wireguard-vyatta-ubnt/releases
curl -O https://raw.githubusercontent.com/britannic/install-edgeos-packages/master/install-pkgs
sudo install -o root -g root -m 0755 install-pkgs /config/scripts/post-config.d/install-pkgs
#!/usr/bin/env bash
# UniFi Security Gateways and EdgeOS Package Updater
# This script checks /config/data/install-packages/ for downloaded
# packages and installs any that aren't installed
#
# Author: Neil Beadle
downloads=/config/data/install-packages
cd $downloads
for pkg in *; do
dpkg-query -W --showformat='${Status}\n' \
$(dpkg --info "${pkg}" | \
grep "Package: " | \
awk -F' ' '{ print $NF}') > /dev/null 2>&1 || dpkg -i ${pkg}
done
cd -
sudo mkdir -p /config/data/install-packages
cd /config/data/install-packages
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
sudo rm /config/scripts/post-config.d/install-pkgs
sudo dpkg --remove wireguard
sudo rm -rf /config/auth/wireguard
sudo rm -rf /config/data/install-packages
Remove the file config.gateway.json
from <unifi_base>/unifi/data/sites/default
on the host running the Controller. The site may differ and not be called default
.
Then through the Controller Web UI navigate to Devices, click on the USG row and then in the Properties window navigate to Config > Manage Device and click Provision.
Remove remote access. Navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL and remove the rule to accept UDP traffic to port 51820.
After a few hour fighting with the wireguard configuration, i finally got it working ;-)
The Problem was two different public keys of the server (usg)
I don't know why, but if i run the command "sudo wg" the terminal show me a different publickey then the /config/auth/wireguard/wg_publickey
With the publickey wich is shown from the command the connection is working.
Do you have any idea where the different publickey is coming from?
Thanks a lot!