I have been looking around for a good VPN solution to use while traveling recently. I have a few services running at home, that I really don’t want on the internet (OctoPrint, general ssh access etc), but I want to use remotely. I also want a way to secure my connection when I don’t trust the network I’m connecting through.<\/p>\n\n\n\n
I had previously set up a L2TP Remote user VPN in the UniFi controller, but it had a few issues.<\/p>\n\n\n\n
I had heard of Wireguard a while ago and have been keeping track of development and their status on integrating with the Linux kernel. It turns out some kind soul has created a deb package to install WireGuard on Vyatta (which is what the USG is based on).<\/p>\n\n\n\n\n\n\n\n
curl -sL https:\/\/github.com\/WireGuard\/wireguard-vyatta-ubnt\/releases\/download\/<version>\/wireguard-<board>-<version>.deb -o wireguard-<board>-<version>.deb<\/code>\u00a0<\/span>worked for me<\/li>\n\n\n\n- In my case, the command was\u00a0
curl -sL https:\/\/github.com\/WireGuard\/wireguard-vyatta-ubnt\/releases\/download\/1.0.20220627-1\/ugw4-v1-v1.0.20220627-v1.0.20210914.deb -o wireguard-ugw4-0.0.20191012-1.deb<\/code>\u00a0<\/span>for my USG pro 4<\/li>\n<\/ul>\n<\/li>\n\n\n\nsudo dpkg -i wireguard-<board>-<version>-1.deb<\/code>\u00a0<\/span>to install the package<\/li>\n\n\n\nsudo -i<\/code>\u00a0<\/span>to make everything easier<\/li>\n\n\n\ncd \/config\/auth<\/code>\u00a0<\/span>for the location to put the wireguard configuration<\/li>\n\n\n\numask 077 && mkdir wireguard && cd wireguard<\/code>\u00a0<\/span>for the server keys<\/li>\n\n\n\nwg genkey | tee wg_private.key | wg pubkey > wg_public.key<\/code>\u00a0<\/span>to create server keys<\/li>\n\n\n\nwg genkey | tee client1_private.key | wg pubkey > client1_public.key<\/code>\u00a0<\/span>to create the first client keys.<\/li>\n\n\n\n- You will need one of these keys for each client connecting to the VPN<\/li>\n\n\n\n
- Then we move over to the UniFi controller to create the config for the VPN<\/li>\n<\/ul>\n\n\n\n
config.gateway.json<\/h2>\n\n\n\n
UniFi gateways are pretty similar to EdgeRouter products from Ubiquiti, with a crucial difference. Any config changes done from the CLI are wiped out on reboots, or any config changes from the controller. the UniFi Controller is nice, but does not support the full range of EdgeOS features that we can use.<\/p>\n\n\n\n
Thankfully there is a solution – config.gateway.json. This file is layered over the base config that gets generated by UniFi, and allows much more control of a USG.<\/p>\n\n\n\n
I created this file in my UniFi controller, which for me, on Ubuntu the right location is:<\/p>\n\n\n\n
\/usr\/lib\/unifi\/data\/sites\/<site-id>\/config.gateway.json<\/pre>\n\n\n\n {\n \"firewall\": {\n \"group\": {\n \"network-group\": {\n \"remote_user_vpn_network\": {\n \"description\": \"Remote User VPN subnets\",\n \"network\": [\n \"10.255.252.0\/24\"\n ]\n }\n }\n }\n },\n \"interfaces\": {\n \"wireguard\": {\n \"wg0\": {\n \"description\": \"VPN for remote clients\",\n \"address\": [\n \"10.255.252.1\/24\"\n ],\n \"firewall\": {\n \"in\": {\n \"name\": \"LAN_IN\"\n },\n \"local\": {\n \"name\": \"LAN_LOCAL\"\n },\n \"out\": {\n \"name\": \"LAN_OUT\"\n }\n },\n \"listen-port\": \"443\",\n \"mtu\": \"1352\",\n \"peer\": [\n {\n \"<content of client1_public.key>\": {\n \"allowed-ips\":\n [\n \"10.255.252.2\/32\"\n ],\n \"persistent-keepalive\": 60\n }\n }\n ],\n \"private-key\": \"\/config\/auth\/wireguard\/wg_private.key\",\n \"route-allowed-ips\": \"true\"\n }\n }\n }\n }<\/pre>\n\n\n\nClient Configs<\/h2>\n\n\n\n
Next up – lets add some client configs. First device I wanted to add (as I was at home, and wanted to make sure this worked from outside the network, and is the main device I seem to want remote access from) is my Android phone.<\/p>\n\n\n\n
So, I created the following config on the unifi controller:<\/p>\n\n\n\n
[Interface]\n PrivateKey = <content of client1_private.key>\n Address = 10.255.252.2\/24\n DNS = <internal DNS Server>\n \n [Peer]\n PublicKey = <content of wg_public.key>\n Endpoint = <external-fqdn>:443\n AllowedIPs = <local subnets>, 10.255.252.0\/24<\/pre>\n\n\n\nI could then use the following:<\/p>\n\n\n\n
qrencode -t ansiutf8 < wireguard.conf<\/pre>\n\n\n\n