WireGuard + UniFi


I have been looking around for a good VPN solution to use on the road recently. I have a few services running at home that I really don't want on the internet (OctoPrint etc.), but that I want to use remotely.

This is as much documentation for future me as it is for anyone who stumbles across this page :)

I had previously set up an L2TP remote-user VPN in the UniFi controller, but it had a few issues.

  • Roaming problems on mobile
  • Battery usage on mobile
  • Slow Speeds

I had heard of WireGuard a while ago (I think they had a stall near the OpenStack stall at FOSDEM last year), but I had completely forgotten about it. It turns out some kind soul has created a deb package to install WireGuard on Vyatta (which is what the USG is based on).

Installation

  • Pick up the correct .deb from the vyatta-wireguard GitHub releases page
    • curl -sL https://github.com/Lochnair/vyatta-wireguard/releases/download/<version>/wireguard-<board>-<version>.deb -o wireguard-<board>-<version>.deb worked for me
    • In my case, version was 0.0.20190123-1 and board was ugw3
  • sudo dpkg -i wireguard-<board>-<version>.deb to install the package (same filename as the one downloaded above)
  • sudo -i to make everything easier
  • umask 077 && mkdir -p /config/auth/wireguard && cd /config/auth/wireguard to create a directory for the server keys (the config below points at /config/auth/wireguard/wg_private.key, so the keys need to live there; umask 077 keeps the key files readable by root only)
  • wg genkey | tee wg_private.key | wg pubkey > wg_public.key to create the server key pair
  • wg genkey | tee client1_private.key | wg pubkey > client1_public.key to create the first client key pair. You will need one key pair for each client connecting to the VPN; only the client's public key goes into the gateway config
  • Then we move over to the UniFi controller to create the config for the VPN

config.gateway.json

UniFi gateways are pretty similar to Ubiquiti's EdgeRouter products, with one crucial difference: any config changes made from the CLI are wiped out on reboot, or whenever the controller pushes a config change. The UniFi controller is nice, but it does not expose the full range of EdgeOS features that we can use.

Thankfully there is a solution: config.gateway.json. This file is layered over the base config generated by UniFi and allows much more control of a USG.

I created this file in my UniFi controller (for me, on Ubuntu the right location is /usr/lib/unifi/data/sites/<site-id>/config.gateway.json).

{
    "firewall": {
        "group": {
            "network-group": {
                "remote_user_vpn_network": {
                    "description": "Remote User VPN subnets",
                    "network": [
                        "10.255.252.0/24"
                    ]
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "description": "VPN for remote clients",
                "address": [
                    "10.255.252.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "443",
                "mtu": "1352",
                "peer": [
                    {
                        "<content of client1_public.key>": {
                            "allowed-ips": [
                                "10.255.252.2/32"
                            ],
                            "persistent-keepalive": "60"
                        }
                    }
                ],
                "private-key": "/config/auth/wireguard/wg_private.key",
                "route-allowed-ips": "true"
            }
        }
    }
}

Note that the file has to be strict JSON: a trailing comma after the last entry in a list (easy to leave behind when adding or removing peers) makes the controller reject the whole file, and the gateway then runs without the WireGuard interface at all. The peer entry is keyed by the client's public key, and its allowed-ips is the single /32 that client is permitted to use inside the tunnel.
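As an added pre-flight check (my own script, not something from the original post or from the vyatta-wireguard project), the following Python parses a config.gateway.json the same strict way the controller needs it and reports the mistakes that bite in practice: invalid JSON such as a trailing comma, a peer key that is not a 32-byte base64 value, a peer allowed-ips range that is wider than one host or falls outside the wg0 subnet or the firewall network-group, and a private-key path outside /config/. The sample document is this post's config with the key placeholder replaced by a constructed dummy key; the function names and finding texts are mine.

```python
"""Pre-flight check for the WireGuard part of a USG config.gateway.json."""
import base64
import binascii
import ipaddress
import json

# Constructed dummy peer key: 32 bytes of 0x01, base64-encoded. NOT a real key.
FAKE_PEER_KEY = base64.b64encode(b"\x01" * 32).decode()

# The post's config as a valid JSON document, with the dummy key as the peer.
SAMPLE_CONFIG = json.dumps({
    "firewall": {"group": {"network-group": {"remote_user_vpn_network": {
        "description": "Remote User VPN subnets",
        "network": ["10.255.252.0/24"]}}}},
    "interfaces": {"wireguard": {"wg0": {
        "description": "VPN for remote clients",
        "address": ["10.255.252.1/24"],
        "firewall": {"in": {"name": "LAN_IN"}, "local": {"name": "LAN_LOCAL"},
                     "out": {"name": "LAN_OUT"}},
        "listen-port": "443",
        "mtu": "1352",
        "peer": [{FAKE_PEER_KEY: {"allowed-ips": ["10.255.252.2/32"],
                                  "persistent-keepalive": "60"}}],
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true"}}},
}, indent=4)

# The same document with a trailing comma after the only network entry: the
# hand-editing slip that makes the controller reject the whole file.
BROKEN_CONFIG = SAMPLE_CONFIG.replace('"10.255.252.0/24"', '"10.255.252.0/24",')


def load_gateway_json(text):
    """Parse strictly (no trailing commas, no comments) and say where it breaks."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(
            f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}") from exc


def is_wireguard_key(value):
    """A WireGuard key is 32 bytes, i.e. 44 base64 characters ending in '='."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(value) == 44 and len(raw) == 32


def check_wireguard_config(cfg):
    """Return a list of findings for the wireguard interfaces; empty means OK."""
    findings = []
    groups = cfg.get("firewall", {}).get("group", {}).get("network-group", {})
    group_nets = [ipaddress.ip_network(n, strict=False)
                  for g in groups.values() for n in g.get("network", [])]

    for ifname, iface in cfg.get("interfaces", {}).get("wireguard", {}).items():
        addrs = [ipaddress.ip_interface(a) for a in iface.get("address", [])]
        if not addrs:
            findings.append(f"{ifname}: no address configured")

        port = int(iface.get("listen-port", 0))
        if not 1 <= port <= 65535:
            findings.append(f"{ifname}: listen-port {port} is out of range")

        key_path = iface.get("private-key", "")
        if not key_path.startswith("/config/"):
            findings.append(f"{ifname}: private-key {key_path!r} is not under /config/, "
                            "where EdgeOS keeps files that survive reboots and upgrades")

        seen = set()
        for entry in iface.get("peer", []):
            for pubkey, peer in entry.items():
                if not is_wireguard_key(pubkey):
                    findings.append(f"{ifname}: peer key {pubkey!r} is not a valid WireGuard key")
                if pubkey in seen:
                    findings.append(f"{ifname}: peer key {pubkey} is listed twice")
                seen.add(pubkey)
                for ip in peer.get("allowed-ips", []):
                    net = ipaddress.ip_network(ip, strict=False)
                    if net.prefixlen != net.max_prefixlen:
                        # Cryptokey routing: with route-allowed-ips the whole range goes to this peer.
                        findings.append(f"{ifname}: allowed-ip {ip} is not a single host; "
                                        "with route-allowed-ips that whole range is routed to this peer")
                    if not any(a.version == net.version and net.subnet_of(a.network) for a in addrs):
                        findings.append(f"{ifname}: allowed-ip {ip} is not inside the interface subnet")
                    if not any(g.version == net.version and net.subnet_of(g) for g in group_nets):
                        findings.append(f"{ifname}: allowed-ip {ip} is not covered by any firewall network-group")
    return findings


def audit(text):
    """Parse and check a config.gateway.json document in one step."""
    return check_wireguard_config(load_gateway_json(text))


if __name__ == "__main__":
    print("sample config findings:", audit(SAMPLE_CONFIG) or "none")
    try:
        audit(BROKEN_CONFIG)
    except ValueError as err:
        print("broken config:", err)
```

Run it against the real file (`audit(open("/usr/lib/unifi/data/sites/<site-id>/config.gateway.json").read())`) before triggering a provision from the controller; an empty list means the structure is at least consistent with the wg0 subnet and the firewall group, which is the part that is painful to debug from the USG CLI after the fact.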