Skip to content

Commit

Permalink
Update README.md for UDM support
Browse files Browse the repository at this point in the history
Moved EdgeOS / UGW instructions to Wiki.
Added link for UnifiOS instructions.
Added credits to README.md

Signed-off-by: Pascal Vorwerk <info@fossores.de>
  • Loading branch information
FossoresLP committed Nov 19, 2021
1 parent 1f55023 commit a85244f
Showing 1 changed file with 9 additions and 237 deletions.
246 changes: 9 additions & 237 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,246 +1,18 @@
WireGuard for Ubiquiti
======================

This repository contains Vyatta configuration files to integrate WireGuard with Ubiquiti Networks devices.
WireGuard for EdgeRouter, Unifi Gateway and Unifi Dream Machine

Please see below for instructions on how to install the prebuilt deb packages listed under [releases](https://github.com/WireGuard/wireguard-vyatta-ubnt/releases).
For a full list of supported devices, please see the latest release at [releases](https://github.com/WireGuard/wireguard-vyatta-ubnt/releases).

Table of Contents
-----------------
The installation instructions can be found in the Wiki:

* [Installation](#installation)
* [Upgrade](#upgrade)
* [Uninstallation](#uninstallation)
* [Usage](#usage)
* [Routing](#routing)
* [Binaries](#binaries)
* [Persistence on Reboot on USG](#persistence-on-reboot-on-usg)
- [EdgeOS / UGW](https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway)
- [UnifiOS](https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/UnifiOS-%28UDM%2C-UDR%2C-UXG%29)

---

Installation
------------

Download the [latest release](https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/latest) for your model and then install it:

```bash
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb

sudo dpkg -i ${BOARD}-${RELEASE}.deb
```

After you will have be able to create a `wireguard` interface (`show interfaces`).

---

Upgrade
-------

Download the [latest release](https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/latest) for your model and then perform upgrade:

```bash
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb

configure
set interfaces wireguard wg0 route-allowed-ips false
commit
delete interfaces wireguard
commit
sudo rmmod wireguard
sudo dpkg -i ${BOARD}-${RELEASE}.deb
sudo modprobe wireguard
load
commit
exit
```

This allows the upgrade without reboot.

---

Uninstallation
--------------

### Private key ###

Determine if the private key is stored as a file by running `show interfaces wireguard`; if the `private key` line is a path then run the following command otherwise jump to [Remove the configuration](#remove-the-configuration)

```bash
sudo rm /config/auth/wg.key
```

### Remove the configuration ###

```bash
configure

delete interfaces wireguard

commit
save
exit
```

### Remove the package ###

```bash
sudo dpkg --remove wireguard
```

---

Usage
-----

Read the documentation on [WireGuard.com](https://www.wireguard.com/) for general WireGuard concepts. Here is a simple example of a configuration for Vyatta/EdgeOS:

```bash
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public

configure

set interfaces wireguard wg0 address 192.168.33.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true

set interfaces wireguard wg0 peer GIPWDet2eswjz1JphYFb51sh6I+CwvzOoVyD7z7kZVc= endpoint example1.org:29922
set interfaces wireguard wg0 peer GIPWDet2eswjz1JphYFb51sh6I+CwvzOoVyD7z7kZVc= allowed-ips 192.168.33.101/32

set interfaces wireguard wg0 peer aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4= endpoint example2.net:51820
set interfaces wireguard wg0 peer aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4= allowed-ips 192.168.33.102/32
set interfaces wireguard wg0 peer aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4= allowed-ips 192.168.33.103/32

set interfaces wireguard wg0 private-key /config/auth/wg.key

set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51820

commit
save
exit
```

The `private-key` and `preshared-key` fields can take the key value or a file path. So if you prefer not to put the keys in the config file, then the `private-key` and `preshared-key` field can alternatively take a file path on the filesystem, such as `/config/auth/key`.

---

Routing
Credits
-------

Currenty there is no integration between the routing daemon and WireGuard which means allowed-ips for a peer will not be updated based upon dynamic routing updates.

If you are going to utilize a dynamic routing protocol over wireguard interfaces it is recommended to configure them with a single peer per interface, disable route-allowed-ips and either configure allowed-ips to 0.0.0.0/0 or all ip addresses which might ever be routed over the interface including any multicast addresses required by the routing protocol.

---

Binaries
--------

Prebuilt binaries are available under [releases](https://github.com/WireGuard/wireguard-vyatta-ubnt/releases).

The binaries are statically linked against [musl libc](https://www.musl-libc.org/) to mitigate potential issues with Ubiquiti EdgeOS's outdated glibc.

---

Persistence on Reboot on USG
----------------------------

On the USG3/4 Pro the commandline setup above does not survive reboot/re-provisioning. The settings need to be added to a `config.gateway.json` file and placed on the *controller*. Depending on your particular setup, this file can be located in several locations. You can use the *commented* example below and follow the instructions in [Unifi - USG Advanced Configuration Using config.gateway.json](https://help.ui.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration-Using-config-gateway-json) to create the file in the appropriate location. The firewall changes can be made in the UI, or added to the file.

```json
{
"firewall": {
"name": {
"WAN_LOCAL": {
"rule": {
"20": {
"action": "accept",
"description": "WireGuard",
"destination": {
"port": "51820" //Firewall port - can be customised, adjust listen port accordingly
},
"protocol": "udp"
}
}
}
},
"group": {
"network-group": {
"remote_user_vpn_network": {
"description": "Remote User VPN subnets",
"network": [
"10.16.1.0/24" //Subnet assigned to wireguard clients
]
}
}
}
},
"interfaces": {
"wireguard": {
"wg0": {
"address": [
"10.16.1.1/24" //USG gateway address in wireguard subnet
],
"firewall": {
"in": {
"name": "LAN_IN"
},
"local": {
"name": "LAN_LOCAL"
},
"out": {
"name": "LAN_OUT"
}
},
"listen-port": "51820", //Listen port - can be customised, adjust firewall port accordingly
"mtu": "1500",
"peer": [{
"wZ0j/CM/nJ6tdIxFTtBLOxbIoTNoK0Tjn49rZgasLUM=": { //Peer 1 Public Key
"allowed-ips": [
"10.16.1.50/32" //Peer IP address
],
"persistent-keepalive": 25
}
},
{
"wZ0j/CM/nJ6tdIxFTtBLOxbIoTNoK0Tjn49rZgasLUM=": { //Peer 2 public key
"allowed-ips": [
"10.16.1.51/32"
],
"persistent-keepalive": 25
}
},
{
"wZ0j/CM/nJ6tdIxFTtBLOxbIoTNoK0Tjn49rZgasLUM=": { //Peer 3 public key
"allowed-ips": [
"10.16.1.52/32"
],
"persistent-keepalive": 25
}
},
{
"wZ0j/CM/nJ6tdIxFTtBLOxbIoTNoK0Tjn49rZgasLUM=": { //Peer 4 public key
"allowed-ips": [
"10.16.1.53/32"
],
"persistent-keepalive": 25
}
},
{
"wZ0j/CM/nJ6tdIxFTtBLOxbIoTNoK0Tjn49rZgasLUM=": { //Peer 5 public key
"allowed-ips": [
"10.16.1.54/32"
],
"persistent-keepalive": 25
}
}],
"private-key": "/config/auth/wireguard/wg_private.key", //Server key
"route-allowed-ips": "true"
}
}
}
}
```
---
Support for EdgeOS and Unifi Gateway was originally developed by [@Lochnair](https://github.com/Lochnair).
Support for UnifiOS was developed by [@tusc](https://github.com/tusc) and integrated into this repository by [@peacey](https://github.com/peacey).
See the [list of contributors](https://github.com/WireGuard/wireguard-vyatta-ubnt/graphs/contributors) and the [commit history](https://github.com/WireGuard/wireguard-vyatta-ubnt/commits/master) for the many other contributions.

0 comments on commit a85244f

Please sign in to comment.