Configure Wireguard on UniFi USG #4

Open
utterances-bot opened this issue Sep 10, 2019 · 5 comments

Comments

@utterances-bot

Configure Wireguard on UniFi USG

Installing and Configuring Wireguard on the UniFi Security Gateway

https://blog.damianflynn.com/USG-Wireguard/


Hi Damian, great post. Quick question: where do we specify the protocol, like TCP/UDP? I have seen some articles with TCP or UDP 443 and I would prefer to do that rather than a higher port. Thanks,

@DamianFlynn
Owner

Hi. Super easy with Wireguard to run on a different port. Only thing to remember is that both sides need to agree on the port.

The far side should have its listener set in its configuration with a line similar to:

# Configure the Port Wireguard will be listening with
set interfaces wireguard wg0 listen-port 443 

Your USG will then connect to that agreed port with the line finishing with :443 as the new port choice:

# Now, we need to tell the interface the address of the far side of the bridge
# And also the password to allow us connect
set interfaces wireguard wg0 peer <Insert-Public-Key-Of-Peer-Here> endpoint 14.28.207.179:443

443 in this case should then be permitted on the firewalls and, to keep life simple, not already be in use by a website on the endpoints.

Damian
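
A way to check the point made in the reply above (both sides must agree on the port) before committing the change. This is an added example, not part of the original comment or the blog post: the function names are hypothetical, the input lines are the two `set` commands quoted above with a constructed placeholder for the peer key, and the firewall helper assumes UDP because WireGuard runs over UDP only.

```python
import re

# Constructed sample input: the two `set` lines quoted in the comment above.
# PEER_PUBLIC_KEY_PLACEHOLDER stands in for the peer's real public key.
FAR_SIDE = "set interfaces wireguard wg0 listen-port 443"
USG_SIDE = ("set interfaces wireguard wg0 peer PEER_PUBLIC_KEY_PLACEHOLDER "
            "endpoint 14.28.207.179:443")

LISTEN_RE = re.compile(r"set interfaces wireguard (\S+) listen-port (\d+)$")
ENDPOINT_RE = re.compile(r"set interfaces wireguard (\S+) peer (\S+) endpoint (\S+):(\d+)$")

def parse(commands):
    """Return ({iface: listen_port}, [(host, port), ...]) from `set` commands."""
    listen, endpoints = {}, []
    for raw in commands.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        if m := LISTEN_RE.match(line):
            listen[m.group(1)] = int(m.group(2))
        elif m := ENDPOINT_RE.match(line):
            endpoints.append((m.group(3), int(m.group(4))))
    return listen, endpoints

def check_port_agreement(listener_cmds, initiator_cmds):
    """List mismatches that would stop the initiator reaching the listener."""
    listen, _ = parse(listener_cmds)
    _, endpoints = parse(initiator_cmds)
    problems = []
    if not listen:
        problems.append("listener sets no listen-port")
    if not endpoints:
        problems.append("initiator sets no peer endpoint")
    ports = set(listen.values())
    for host, port in endpoints:
        if not 1 <= port <= 65535:
            problems.append(f"endpoint {host}:{port} is not a valid port")
        elif ports and port not in ports:
            problems.append(f"endpoint {host}:{port} does not match "
                            f"listen-port {sorted(ports)}")
    return problems

def firewall_openings(listener_cmds):
    """WireGuard is UDP-only, so each listen-port needs a UDP allow rule."""
    listen, _ = parse(listener_cmds)
    return sorted({("udp", port) for port in listen.values()})

if __name__ == "__main__":
    print(check_port_agreement(FAR_SIDE, USG_SIDE) or "ports agree")
```
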


Damian,

Thank you for this excellent writeup. I take it the wireguard deb package gets nuked when you upgrade the firmware on the router, right? Firmware updates are one of those things that I don't do frequently (every 2-3 months), so I'm sure to forget to re-install additional packages back onto the firewall. I'm looking at:
https://britannic.github.io/install-edgeos-packages/
"Script ensures packages are installed at the end of EdgeOS boot sequence, for any packages not installed during the first boot after an upgrade."
Have you tried this? Full disclosure: I have no affiliation with them at all!


Sir? Will it be possible to apply this to wireguard config files given by my vpn provider? A client version of this guide perhaps? Thanks in advance.

@DamianFlynn DamianFlynn changed the title USG-Wireguard/ Configure Wireguard on UniFi USG Apr 24, 2020

jgruman commented May 3, 2020

I'm confused by some of these steps (and a total dummy, so pardon my ignorance).
I'm trying to install on a USG4. I'd like to have Wireguard running so that clients can connect from anywhere (right now we're having loads of issues with Windows clients not able to connect consistently via L2TP).

I updated the CURL command to the following to get the latest version of vyatta's wireguard package:
curl -L https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20191219-2/wireguard-ugw4-0.0.20191219-2.deb -o /tmp/wireguard.deb

After I create the tunnel secrets, how do I access them?

I need them for this step here, don't I?

Now, we need to tell the interface the address of the far side of the bridge

And also the password to allow us connect

set interfaces wireguard wg0 peer endpoint 14.28.207.179:51820

Also, in that command above, is 14.28.207.179 the IP of our Wireguard client that is going to connect to the USG? How do we set it so that a client can connect from anywhere?

I'd appreciate any help you can provide.

Many thanks!
