New Member
Posts: 6
Registered: 06-26-2017
Accepted Solution

WireGuard VPN server setup on USG

Hello,

 

I successfully managed to install WireGuard and configure it via the configure command line, saving the config into a JSON file for my controller, which provides the setup to the USG gateway:

 

    "wireguard": {
        "wg0": {
            "address": [
                "10.0.100.1/24"
            ],
            "listen-port": "29875",
            "mtu": "1420",
            "peer": {
                "**KEY1**": {
                    "allowed-ips": [
                        "10.0.100.2/32",
                        "10.120.0.0/16",
                        "10.121.0.0/16",
                        "10.122.0.0/16",
                        "10.123.0.0/16",
                        "10.8.0.0/16"
                    ]
                },
                "**KEY2**": {
                    "allowed-ips": [
                        "10.0.100.3/32"
                    ]
                }
            },
            "private-key": "/config/auth/wg.key",
            "route-allowed-ips": "true"
        }
    },

However, using this config, I don't seem to be able to use the "server" to get NATed out of the wg network for my Android remote client (which is configured with a catch-all 0.0.0.0/0 allowed-ips).

 

On a standard Linux box, I usually add a masquerade iptables rule like:

 

iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -j MASQUERADE

Any suggestions?


All Replies
Member
Posts: 298
Registered: 06-16-2017
Kudos: 202
Solutions: 6

Re: WireGuard VPN server setup on USG

On the beta forum (do you have access to the beta forum?) I recently posted tips on how to get WireGuard up and running.

https://community.ubnt.com/t5/UniFi-Routing-Switching-Beta/Tips-for-setting-up-wireguard-site-to-sit...

 

I think you are missing one part of the configuration. I will copy my suggestion from the post above here for those that do not have access to the beta forum (anyone can request access and it is quite easy to do). I think if you add the firewall section like I show below it should all work, but I do not route internet from remote clients, so I have not tested it.

 

Let me know if it works for you! Isn't wireguard awesome?

 

{
	"interfaces": {
		"wireguard": {
			"wg0": {
				"address": [
					"<change_here>"
				],
				"firewall": {
					"in": {
						"name": "LAN_IN"
					},
					"local": {
						"name": "LAN_LOCAL"
					},
					"out": {
						"name": "LAN_OUT"
					}
				},
				"listen-port": "51820",
				"mtu": "1352",
				"peer": [{
					"<peer_public_key_from wg_public.key_file>": {
						"allowed-ips": [
							"subnet1_here",
							"subnet2_here",
							"subnet..."
						],
						"endpoint": "<peer.fqdn.com>:51820",
						"persistent-keepalive": 25
					}
				}],
				"private-key": "/config/auth/wireguard/wg_private.key",
				"route-allowed-ips": "true"
			}
		}
	}
}
Member
Posts: 298
Registered: 06-16-2017
Kudos: 202
Solutions: 6

Re: WireGuard VPN server setup on USG

Ok, pulling from memory, I remember I dealt with this issue a while back when I was dealing with OpenVPN.

 

Besides adding the firewall section as I instructed earlier, you will need to add the remote subnets to one of:

 

network-group remote_client_vpn_network {
    description "remote client VPN subnets"
}
network-group remote_site_vpn_network {
    description "remote site VPN subnets"
}
network-group remote_user_vpn_network {
    description "Remote User VPN subnets"
}

This is in firewall -> group -> network-group.

 

I will try to run some tests and tell you if I can get it working.

 

----------

Just for you to understand what we are trying to do here: we first need to tell the USG that its wg0 interface belongs to the LAN_IN, LAN_LOCAL and LAN_OUT zones, and then we need to tell it (it won't autodetect) what remote subnets there are. The USG will then apply proper MASQUERADE rules to all LAN traffic going out of WAN.

Check my posts on this old thread for more info:

https://community.ubnt.com/t5/UniFi-Routing-Switching/Setting-up-OpenVPN-client-in-USG/td-p/1397802

 

Member
Posts: 298
Registered: 06-16-2017
Kudos: 202
Solutions: 6

Re: WireGuard VPN server setup on USG


Ok, I tested those 3 network groups. My WireGuard clients are on the 10.255.252.0/24 network.

 

Of the 3, remote_user_vpn_network is the only one that did it. Both remote_client... and remote_site... did not enable my Android phone to route all traffic through the gateway (no masquerading). So here we go, a dump of my config. I have wg0 and wg1 there because I use WireGuard for both site-to-site VPN (wg0) and remote client VPN (wg1). You should probably delete the entries for wg0 below, rename wg1 to wg0 and edit appropriately. By the way, before saving your config.gateway.json file, always validate it on jsonlint.com.

 

 

config.gateway.json:

{
	"firewall": {
		"group": {
			"network-group": {
				"remote_user_vpn_network": {
					"description": "Remote User VPN subnets",
					"network": [
						"10.255.252.0/24"
					]
				}
			}
		}
	},
	"interfaces": {
		"wireguard": {
			"wg0": {
				"description": "Site-to-site VPN",
				"address": [
					"10.255.253.1/24"
				],
				"firewall": {
					"in": {
						"name": "LAN_IN"
					},
					"local": {
						"name": "LAN_LOCAL"
					},
					"out": {
						"name": "LAN_OUT"
					}
				},
				"listen-port": "51820",
				"mtu": "1352",
				"peer": [{
						"--pubkey---": {
							"allowed-ips": [
								"10.255.253.4/32",
								"10.4.0.0/16"
							],
							"endpoint": "fqdn:51820",
							"persistent-keepalive": 25
						}
					},
					{
						"--pubkey----": {
							"allowed-ips": [
								"10.255.253.5/32",
								"10.5.0.0/16"
							],
							"endpoint": "fqdn:51820",
							"persistent-keepalive": 25
						}
					},
					{
						"--pubkey---": {
							"allowed-ips": [
								"10.255.253.6/32",
								"10.6.0.0/16"
							],
							"endpoint": "fqdn:51820",
							"persistent-keepalive": 25
						}
					},
					{
						"--pubkey---": {
							"allowed-ips": [
								"10.255.253.100/32",
								"10.100.0.0/16"
							],
							"endpoint": "fqdn:51820",
							"persistent-keepalive": 25
						}
					}
				],
				"private-key": "/config/auth/wireguard/wg0_private.key",
				"route-allowed-ips": "true"
			},
			"wg1": {
				"description": "VPN for remote clients",
				"address": [
					"10.255.252.1/24"
				],
				"firewall": {
					"in": {
						"name": "LAN_IN"
					},
					"local": {
						"name": "LAN_LOCAL"
					},
					"out": {
						"name": "LAN_OUT"
					}
				},
				"listen-port": "51821",
				"mtu": "1352",
				"peer": [{
						"--pubkey--": {
							"allowed-ips": [
								"10.255.252.2/32"
							],
							"persistent-keepalive": 60
						}
					},
					{
						"--pubkey--": {
							"allowed-ips": [
								"10.255.252.3/32"
							],
							"persistent-keepalive": 60
						}
					}
				],
				"private-key": "/config/auth/wireguard/wg1_private.key",
				"route-allowed-ips": "true"
			}
		}
	}
}
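
An added example, my own rather than anything from this thread, from the vyatta-wireguard package or from the UniFi controller: a small Python linter that applies the checks the replies above arrive at by trial and error to a config.gateway.json before it goes into the controller's site directory. It assumes the structure of the config above (interfaces.wireguard.<name> with a firewall block, a private-key file path and peers in either the keyed-object or list-of-objects form) and that remote_user_vpn_network is the group the USG masquerades. The GOOD and BAD samples inside are constructed with placeholder keys; BAD mirrors the config in the first post. The rule that allowed-ips must not overlap between peers comes from WireGuard's cryptokey routing, not from this page.

```python
"""Pre-provisioning linter for the WireGuard part of config.gateway.json.
Checks: wg interface in the LAN_IN/LAN_LOCAL/LAN_OUT zones; wg subnet listed
in the remote_user_vpn_network group (what makes the USG masquerade it out
of WAN); private-key given as a file under /config/auth; allowed-ips one
prefix per entry and disjoint across peers; wg address not equal to a peer's
endpoint. Placeholder public keys are tolerated so drafts can be linted."""
import ipaddress
import json

ZONES = {"in": "LAN_IN", "local": "LAN_LOCAL", "out": "LAN_OUT"}

# Constructed samples with placeholder keys. GOOD follows the accepted config
# above; BAD follows the first post (no zones, no network-group, one peer's
# allowed-ips comma-joined, and a /32 claimed by two peers).
GOOD = """{"firewall": {"group": {"network-group": {"remote_user_vpn_network": {
  "description": "Remote User VPN subnets", "network": ["10.255.252.0/24"]}}}},
 "interfaces": {"wireguard": {"wg0": {"address": ["10.255.252.1/24"],
  "firewall": {"in": {"name": "LAN_IN"}, "local": {"name": "LAN_LOCAL"},
               "out": {"name": "LAN_OUT"}},
  "listen-port": "51820", "mtu": "1352",
  "peer": [{"PEER_A_PUBKEY": {"allowed-ips": ["10.255.252.2/32"], "persistent-keepalive": 60}},
           {"PEER_B_PUBKEY": {"allowed-ips": ["10.255.252.3/32"], "persistent-keepalive": 60}}],
  "private-key": "/config/auth/wireguard/wg0_private.key", "route-allowed-ips": "true"}}}}"""
BAD = """{"interfaces": {"wireguard": {"wg0": {"address": ["10.0.100.1/24"],
  "listen-port": "29875", "mtu": "1420",
  "peer": {"PEER_A_PUBKEY": {"allowed-ips": ["10.0.100.2/32,10.120.0.0/16"]},
           "PEER_B_PUBKEY": {"allowed-ips": ["10.0.100.2/32"]}},
  "private-key": "/config/auth/wg.key", "route-allowed-ips": "true"}}}}"""


def _peer_items(peers):
    """Peers appear either as one object keyed by public key or as a list of
    single-key objects; normalise both to (pubkey, conf) pairs."""
    if isinstance(peers, dict):
        return list(peers.items())
    return [kv for p in peers for kv in p.items()]


def lint_wireguard(cfg: dict) -> list:
    """Return the list of problems found; an empty list means nothing flagged."""
    problems = []
    groups = cfg.get("firewall", {}).get("group", {}).get("network-group", {})
    remote_user = [ipaddress.ip_network(n) for n in
                   groups.get("remote_user_vpn_network", {}).get("network", [])]
    wgs = cfg.get("interfaces", {}).get("wireguard", {})
    if not wgs:
        return ["no interfaces.wireguard block"]
    for name, iface in wgs.items():
        addrs = [ipaddress.ip_interface(a) for a in iface.get("address", [])]
        if not addrs:
            problems.append(f"{name}: no address")
        for direction, zone in ZONES.items():
            got = iface.get("firewall", {}).get(direction, {}).get("name")
            if got != zone:
                problems.append(f"{name}: firewall.{direction} should be {zone}, got {got!r}")
        if not str(iface.get("private-key", "")).startswith("/config/auth/"):
            problems.append(f"{name}: private-key must be a file under /config/auth, not key material")
        if str(iface.get("route-allowed-ips", "")).lower() != "true":
            problems.append(f"{name}: route-allowed-ips is not \"true\"; peer prefixes will not be routed")
        for a in addrs:
            if not any(a.network.subnet_of(g) for g in remote_user if g.version == a.version):
                problems.append(f"{name}: {a.network} is not in remote_user_vpn_network; "
                                "remote clients will not be masqueraded out of WAN")
        claimed = []  # (pubkey, prefix) for every prefix handed to a peer so far
        seen = set()
        for pub, conf in _peer_items(iface.get("peer", {})):
            if pub in seen:
                problems.append(f"{name}: peer {pub} listed twice")
            seen.add(pub)
            raw = conf.get("allowed-ips", [])
            if any("," in x for x in raw):
                problems.append(f"{name}: peer {pub}: allowed-ips must be one prefix per entry, not comma-joined")
            for prefix in (p.strip() for x in raw for p in x.split(",")):
                net = ipaddress.ip_network(prefix, strict=False)
                for other_pub, other in claimed:
                    if other_pub != pub and net.overlaps(other):
                        problems.append(f"{name}: peer {pub}: {net} overlaps {other} of peer {other_pub}; "
                                        "WireGuard routes each prefix to exactly one peer")
                claimed.append((pub, net))
            endpoint = conf.get("endpoint")
            if endpoint:
                try:
                    ep_ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
                except ValueError:
                    ep_ip = None  # FQDN endpoint: nothing to compare against
                if ep_ip is not None and any(a.ip == ep_ip for a in addrs):
                    problems.append(f"{name}: address {ep_ip} is the peer's endpoint; "
                                    "the wg address must be this host's private tunnel IP")
    return problems


def lint_json(text: str) -> list:
    """Parse, then lint; a syntax error is reported as the only finding."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"]
    return lint_wireguard(cfg)


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_json(text) or "no problems found")
```

jsonlint.com only tells you the file parses; this tells you whether the parsed file can do what the thread is after. Pass the file's text to lint_json, or run the script as-is to lint the two built-in samples.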

 

New Member
Posts: 6
Registered: 06-26-2017

Re: WireGuard VPN server setup on USG


Thanks! After posting this, I started to figure it out, and seeing your post just confirmed it for me.

 

In some way, it looks a lot like the way I resolved the tunnelbroker.net's IPv6 configuration.

New Member
Posts: 14
Registered: 03-17-2016

Re: WireGuard VPN server setup on USG

hi @lebel - could you provide more details on the steps you took to configure on USG via command line? I would like to do that too. Thanks!

New Member
Posts: 6
Registered: 06-26-2017

Re: WireGuard VPN server setup on USG

hello @lucasvd,

 

Basically, the command-line entries can be issued from the JSON content, one entry at a time.

 

Like:

 

set interfaces wireguard wg0 address 192.168.10.1/24
set interfaces wireguard wg0 listen-port 29876
.
.
etc...

From the json segment:

 

    "interfaces": {
        "wireguard": {
            "wg0": {
                "address": [
                    "192.168.10.1/24"
                ],
                "listen-port": "29876",
 
New Member
Posts: 14
Registered: 03-17-2016

Re: WireGuard VPN server setup on USG

@lebel thank you! I have been able to run those commands on my USG, but the JSON is overwritten when Ubiquiti updates their controller software. Do you experience that as well?

 

Also, can you comment on how you downloaded and unpacked the WireGuard .deb file? I had a lot of issues with that step.

New Member
Posts: 6
Registered: 06-26-2017

Re: WireGuard VPN server setup on USG

That is normal. You need to put the new JSON segment into your controller directory, documented at https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration, so the next provision of the USG sets up the custom configuration.

Member
Posts: 298
Registered: 06-16-2017
Kudos: 202
Solutions: 6

Re: WireGuard VPN server setup on USG

@lucasvd The USG will not persist your changes as you found out. That is why we present the config in a json file, that json file must be placed on your Controller under /usr/lib/unifi/data/sites/<site_string>/config.gateway.json.

There is plenty of documentation about how to deal with this json file, including on how to find out the site-string (it is = "default" if you have only one site on your controller). Go search for it. 

 

But you can use the commands like you did to test everything before you invest time in adding it to your config.gateway.json file.

 

To download the .deb file, you have to choose the correct file from https://github.com/Lochnair/vyatta-wireguard/releases. Right-click on the link and select "copy link address". Then ssh to your USG (do you know how to do it?) and do:

 

 

sudo -i
cd /tmp
curl -o wg.deb -L <paste link address here>
dpkg -i wg.deb

As of November/2018, the correct links are:

For USG3 (UGW3 on the wireguard page):

https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20181007-1/wireguard-ugw3-0.0.201...

For USG4 (UGW4):

https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20181007-1/wireguard-ugw4-0.0.201...

For USG-XG:

https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20181007-1/wireguard-ugwxg-0.0.20...

 

Did you manage to get wireguard working?

 

=======================

By the way, as you learn about config.gateway.json, search as well for what you can do with the file named config.properties, which must be placed in the same directory as your config.gateway.json. I usually put the following contents in it:

config.ugw.voip.sip_alg_disable=true
config.firewall.internet.local.icmp=true
config.firewall.internet.local.ssh=true

 

This disables SIP ALG, enables ping response and enables remote ssh access.

 

New Member
Posts: 14
Registered: 03-17-2016

Re: WireGuard VPN server setup on USG

@lebel Ah, that is helpful! Thank you.

 

Any pointers on the .deb installation from this repo? https://github.com/Lochnair/vyatta-wireguard/releases

New Member
Posts: 14
Registered: 03-17-2016

Re: WireGuard VPN server setup on USG

@mbello Thank you! I will give this a try

New Member
Posts: 14
Registered: 03-17-2016

Re: WireGuard VPN server setup on USG

@mbello I finally got some time to look at this. I followed your steps here. I am trying to do a site-to-site VPN with a Streisand server running on a VPS. No errors, but my public IP address is not that of my VPS. Any suggestions?

 

 

config.gateway.json:

"interfaces": {
	"wireguard": {
		"wg0": {
			"address": [
				"45.33.97.115/24"
			],
			"firewall": {
				"in": {
					"name": "LAN_IN"
				},
				"local": {
					"name": "LAN_LOCAL"
				},
				"out": {
					"name": "LAN_OUT"
				}
			},
			"listen-port": "51820",
			"mtu": "1352",
			"peer": [{
				"*pub key from Streisand*": {
					"allowed-ips": [
						"0.0.0.0/0"
					],
					"endpoint": "45.33.97.115:51820",
					"persistent-keepalive": 25
				}
			}],
			"private-key": "*private key from Streisand*",
			"route-allowed-ips": "true"
		}
	}
}

 


 

Member
Posts: 298
Registered: 06-16-2017
Kudos: 202
Solutions: 6

Re: WireGuard VPN server setup on USG

@lucasvd That first address there under "wg0" should be the private IP address of the wireguard subnet. This is the IP address that your wg interface will have on your USG. You do not want your wg interface to have the IP address of your remote server.

 

The first thing to do when planning your wg set-up is to assign one IPv4 or IPv6 subnet for all your wg interfaces to use (each host will have one wg interface and each of them will be assigned one IP address from that same subnet). Have a quick read of the WireGuard docs if you want more detail. Also, keep in mind that the wg subnet must not collide with that of your local or remote network.

 

For example, my wg peers are in the 10.255.252.0/24 subnet, so the wg on each peer has an address like 10.255.252.1, 10.255.252.2, 10.255.252.3, etc.

 

Therefore, the wg interface on your host should be listed with the private IP you chose for it. The subnet you choose for your wg network should be added to AllowedIPs. Nothing else on your network should get the address in that same subnet, only the wg interfaces on all of your peers. 

 

I also noticed another mistake. You have on your USG both the public key and the private key from your VPS server. That will not work. The public key from the VPS is okay, but the private key should be the private key you have on your router. On your router you generated a private key, and from that private key you generated a public key. That public key goes to the peer configuration on your VPS server. But on your USG you use the private key of your USG.

 

Think of it in this way. Each participant on your WG VPN must have its own private key and public key. The private key is a secret that no other participant must have access to, it stays local only. What travels is the public key, ALWAYS! 

 

Fix those two points and have a go at your configuration. Make sure on your VPS server you did not make the same mistakes with regard to the wg interface address and private/public keys.
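
An added example, not from the thread and not WireGuard's own code: deriving the public key from a private key the way `wg pubkey` does, and using that to detect the mix-up described above, where the VPS's private key ends up on the USG and the VPS's public key is listed as the peer (so the configured peer is really the USG's own key). X25519 is done in pure Python after RFC 7748 so it needs no packages; the only key material in it is the RFC 7748 section 6.1 test vectors, standing in for a USG and a VPS. On the USG itself, `wg pubkey < /config/auth/wireguard/wg0_private.key` gives the same answer.

```python
"""Derive a WireGuard public key from its private key the way `wg pubkey`
does, and use that to catch the mix-up discussed above: a peer's private
key pasted into the USG with the matching public key listed as the peer.
X25519 is implemented in pure Python after RFC 7748, so no packages are
needed; the vectors are the ones in RFC 7748 section 6.1."""
import base64

P = 2 ** 255 - 19
A24 = 121665

# RFC 7748 section 6.1 test vectors (Alice and Bob), as published.
RFC7748_ALICE_PRIVATE_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
RFC7748_ALICE_PUBLIC_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC7748_BOB_PRIVATE_HEX = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
RFC7748_BOB_PUBLIC_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"


def _clamp(private: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254."""
    b = bytearray(private)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: returns the u-coordinate of k*u."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def pubkey_bytes(private: bytes) -> bytes:
    """Public key = X25519(private, 9), little-endian: exactly what wg pubkey emits."""
    if len(private) != 32:
        raise ValueError("WireGuard private keys are 32 bytes")
    return _x25519(_clamp(private), 9).to_bytes(32, "little")


def wg_pubkey(private_b64: str) -> str:
    """Base64 private key in (the contents of wg_private.key), base64 public key out."""
    return base64.b64encode(pubkey_bytes(base64.b64decode(private_b64))).decode()


def pubkey_hex(private_hex: str) -> str:
    return pubkey_bytes(bytes.fromhex(private_hex)).hex()


def hex_to_b64(hex_key: str) -> str:
    return base64.b64encode(bytes.fromhex(hex_key)).decode()


def check_peer_keys(own_private_b64: str, peer_public_b64s) -> list:
    """Flag peers whose public key is our own public key (the private key on this
    side then belongs to the peer) and peers whose key is not 32 raw bytes."""
    own_pub = wg_pubkey(own_private_b64)
    problems = []
    for peer in peer_public_b64s:
        if peer == own_pub:
            problems.append(f"peer {peer[:8]}... is this host's own public key; "
                            "the private key configured here belongs to the peer")
            continue
        try:
            raw = base64.b64decode(peer, validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 32:
            problems.append(f"peer {peer[:8]}... is not a base64 32-byte key")
    return problems


if __name__ == "__main__":
    # Constructed mix-up: the USG holds Alice's private key and lists Alice's
    # public key as its peer, i.e. both keys were copied from the same host.
    usg_private = hex_to_b64(RFC7748_ALICE_PRIVATE_HEX)
    print(check_peer_keys(usg_private, [hex_to_b64(RFC7748_ALICE_PUBLIC_HEX)]))
    print(check_peer_keys(usg_private, [hex_to_b64(RFC7748_BOB_PUBLIC_HEX)]))  # []
```

The check only needs the private key that is already on the box, so it can run there without any key leaving it; a pregenerated client profile that carries both halves of a keypair is exactly the case it catches.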

 

New Member
Posts: 14
Registered: 03-17-2016

Re: WireGuard VPN server setup on USG

@mbello Thank you. Obviously a bit of a newbie here. I've made those changes but am still not seeing my external IP updated.

 

I'm running Streisand on my VPS, and that package provides client profiles with pregenerated private and public keys, which is what I'm using.

 

Do I need to initiate the connection somehow on my UGW3?

Member
Posts: 298
Registered: 06-16-2017
Kudos: 202
Solutions: 6

Re: WireGuard VPN server setup on USG

Hard to give advice when you provide so little information.
If you run on your USG:
tcpdump -i <wan interface> port 51820
What do you see? You should see both outgoing packets to your VPS IP and incoming packets from that same IP.
If instead you are seeing packets in only one direction, let me know which direction it is. Or maybe the IP addresses do not match what they should be?
You can run the same thing on your VPS server. Also post the output of wg show wg0 from Streisand.
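
An added example, not from the thread: a small parser for the tcpdump output this reply asks for. It turns each UDP line into a WireGuard message type plus direction, using the fixed handshake sizes WireGuard puts on the wire, and reports what the observed pattern means. The WAN and VPS addresses and the capture lines are constructed (RFC 5737 documentation ranges); swap in your own WAN IP and the peer's endpoint IP.

```python
"""Classify `tcpdump -n -i <wan> port 51820` output by WireGuard message type
and direction, then say what the mix of messages means. WireGuard has no
"connected" state; what the wire shows is a 148-byte handshake initiation,
a 92-byte handshake response, a 64-byte cookie reply, or transport data
(at least 32 bytes; exactly 32 is an empty keepalive)."""
import re

# Constructed addresses from the RFC 5737 documentation ranges.
WAN_IP = "203.0.113.5"   # stands in for the USG's WAN address
VPS_IP = "198.51.100.7"  # stands in for the remote peer
HANDSHAKE_BY_LEN = {148: "handshake initiation", 92: "handshake response", 64: "cookie reply"}
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"UDP, length (?P<len>\d+)")

# Constructed captures for the situations a one-sided tcpdump can reveal.
SCENARIOS = {
    "both_ways": [
        "10:00:00.000001 IP 203.0.113.5.51820 > 198.51.100.7.51820: UDP, length 148",
        "10:00:00.041230 IP 198.51.100.7.51820 > 203.0.113.5.51820: UDP, length 92",
        "10:00:00.042001 IP 203.0.113.5.51820 > 198.51.100.7.51820: UDP, length 32",
    ],
    "no_answer": [
        "10:00:00.000001 IP 203.0.113.5.51820 > 198.51.100.7.51820: UDP, length 148",
        "10:00:05.000002 IP 203.0.113.5.51820 > 198.51.100.7.51820: UDP, length 148",
    ],
    "unanswered_inbound": [
        "10:00:00.000001 IP 198.51.100.7.51820 > 203.0.113.5.51820: UDP, length 148",
    ],
    "wrong_peer": [
        "10:00:00.000001 IP 203.0.113.5.51820 > 192.0.2.44.51820: UDP, length 148",
    ],
}


def classify(line: str, wan_ip: str):
    """One tcpdump line -> {"dir", "peer", "kind"}, or None if it is not a UDP line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    length = int(m["len"])
    if length in HANDSHAKE_BY_LEN:
        kind = HANDSHAKE_BY_LEN[length]
    elif length >= 32:
        kind = "transport data"
    else:
        kind = "not WireGuard"
    if m["src"] == wan_ip:
        return {"dir": "out", "peer": m["dst"], "kind": kind}
    if m["dst"] == wan_ip:
        return {"dir": "in", "peer": m["src"], "kind": kind}
    return {"dir": "other", "peer": m["src"], "kind": kind}


def diagnose(lines, wan_ip: str, expected_peer: str) -> str:
    """Summarise a capture taken on the USG's WAN interface."""
    events = [e for e in (classify(l, wan_ip) for l in lines) if e]
    if not events:
        return "nothing on the WireGuard port: wrong port, or no side has an endpoint to initiate to"
    with_peer = [e for e in events if e["peer"] == expected_peer]
    strangers = sorted({e["peer"] for e in events} - {expected_peer})
    if not with_peer:
        return f"traffic with {', '.join(strangers)} but none with {expected_peer}: endpoint or WAN IP mismatch"

    def saw(direction, kind):
        return any(e["dir"] == direction and e["kind"] == kind for e in with_peer)

    exchanged = ((saw("out", "handshake initiation") and saw("in", "handshake response")) or
                 (saw("in", "handshake initiation") and saw("out", "handshake response")))
    if exchanged:
        data = saw("out", "transport data") or saw("in", "transport data")
        return "handshake exchanged" + (" and data flowing" if data else "")
    if saw("out", "handshake initiation"):
        return ("we initiate but get no response: peer unreachable, its firewall drops the port, "
                "or the peer does not have our public key")
    if saw("in", "handshake initiation"):
        return ("peer initiates but we never respond: WAN firewall rule for the listen port, "
                "or the peer's public key is not configured here")
    return "only transport data or cookie replies seen; capture longer to catch the next handshake"


if __name__ == "__main__":
    for name, capture in SCENARIOS.items():
        print(f"{name}: {diagnose(capture, WAN_IP, VPS_IP)}")
```

Feed it the saved tcpdump lines from the USG (or from the VPS, with that host's public IP as wan_ip). A response that never appears is the common case in this thread, and the two one-directional verdicts point at the firewall on the silent side or at a key the silent side does not know.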
Emerging Member
Posts: 60
Registered: 03-24-2018
Kudos: 15

Re: WireGuard VPN server setup on USG

So I have set up the config.gateway.json, I believe correctly:

 

 

{
    "firewall": {
        "group": {
            "network-group": {
                "remote_user_vpn_network": {
                    "description": "Remote Wireguard VPN subnets",
                    "network": [
                        "10.2.1.0/24"
                    ]
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "description": "Remote User WG VPN",
                "address": [
                    "10.2.1.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "51820",
                "mtu": "1352",
                "peer": [{
                    "Public Key": {
                        "allowed-ips": [
                            "10.2.1.5/32"
                        ],
                        "persistent-keepalive": 25
                    }
                }, {
                    "Public Key": {
                        "allowed-ips": [
                            "10.2.1.6/32"
                        ],
                        "persistent-keepalive": 25
                    }
                }],
                "private-key": "/config/auth/wireguard/wg_private.key",
                "route-allowed-ips": "true"
            }
        }
    }
}

The text above is my complete config.gateway json.

 

The issue I am running into is that my iOS client seems to connect, but I can't seem to route from the WireGuard subnet across to my internal subnet.

 

In the client, for the "PEER" I have my external-facing FQDN. For allowed IPs, I have the USG WG IP/32 and the internal NW subnet 192.168.x.x/24.

 

I am sure I am missing something, but figured it would be quicker to ask the experts what.

Controller: 5.10.19(GCP)
Gateway: USG-Pro-4
Switch: US-24-250w, US-8, US-8-60
AP: 2 x UAP-NanoHD, 1 x UAP-IW-Pro, 1 x UAP-AC-MESH
Member
Posts: 298
Registered: ‎06-16-2017
Kudos: 202
Solutions: 6

Re: WireGuard VPN server setup on USG

Ok, I am also usually on #wireguard if you want to debug this in realtime.

 

Tell me more about how you set up your iPhone. What IP address did you give your iPhone? Should be either 10.2.1.5/24 or 10.2.1.6/24.

 

I see you have 2 peers set, is any of them a Linux Desktop? It will be much easier to debug it if you have a Linux desktop which will let you debug things.

 

And how do you know your iOS client is 'connecting'? By the way, there is no such thing in WG; you should check if there has been a valid handshake, but unfortunately the handshakes are not shown on UniFi and I am not sure if the iOS client tells handshake status.

 

Can you ping 10.2.1.1 from iOS?

Emerging Member
Posts: 60
Registered: 03-24-2018
Kudos: 15

Re: WireGuard VPN server setup on USG

[ Edited ]

@mbello When you say usually on #wireguard, what platform are you referring to? Discord/Reddit/etc.?

 

As for iPhone - 

 

IP configured as 10.2.1.5/32 (the other IP is for the iPad).

 

As for connected, it shows as such via the WG client (as well as VPN on iOS). Checked the log export and it appeared to show just fine. Can't ping the USG (using the 10.2.1.1 IP) from the app within iOS.

 

 

Member
Posts: 298
Registered: 06-16-2017
Kudos: 202
Solutions: 6

Re: WireGuard VPN server setup on USG

#wireguard would be on Freenode (IRC)

 

I haven't used the iOS client, but I would say you may be thinking it connected when it didn't. There is no such connected/not connected concept in WG. But I may be wrong.

 

Have you opened port 51820 on firewall?