Configuring Unifi USG with WireGuard


This post describes how to set up a WireGuard network on the original USG. It uses the WireGuard module from https://github.com/WireGuard/wireguard-vyatta-ubnt.

The assumptions here are:

  • You have generated suitable public and private keys. The server private key is stored on the USG at /config/auth/wireguard/wg_private.key.
  • The public keys for the clients are stored in this config, and the corresponding private keys are made available to the clients only.

The JSON below does not format especially well here, but this is what should be included in your config.gateway.json. Each entry in the peer list is keyed by the client's base64 public key; replace the placeholders with your own keys.

{
    "firewall": {
        "group": {
            "network-group": {
                "remote_user_vpn_network": {
                    "description": "Remote User VPN subnets",
                    "network": [
                        "192.168.200.0/24"
                    ]
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "description": "VPN for remote clients",
                "address": [
                    "192.168.200.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "1234",
                "mtu": "1500",
                "peer": [
                    {
                        "<public key for peer one>": {
                            "allowed-ips": [
                                "192.168.200.11/32"
                            ],
                            "persistent-keepalive": 60
                        }
                    },
                    {
                        "<public key for peer two>": {
                            "allowed-ips": [
                                "192.168.200.10/32"
                            ],
                            "persistent-keepalive": 60
                        }
                    }
                ],
                "private-key": "/config/auth/wireguard/wg_private.key",
                "route-allowed-ips": "true"
            }
        }
    }
}
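As an added example (not part of the original post or the wireguard-vyatta-ubnt project), the script below generates the same interfaces/firewall fragment from a list of client public keys and checks the mistakes that most often break a provision or weaken the setup: a key that is not a 32-byte base64 value, an allowed-ips address that is outside the VPN subnet, duplicated between peers, or equal to the gateway address, and a listen port outside 1-65535. It also renders the matching client-side wg0.conf. The peer keys, gateway subnet and public endpoint used here are constructed placeholders, and the helper names (build_gateway_config, render_client_config) are my own, not anything from the post.

```python
import base64
import ipaddress
import json

# Constructed sample values; not real keys or hosts. A real public key is the
# base64 output of `wg pubkey`, which always decodes to 32 bytes.
VPN_SUBNET = ipaddress.ip_network("192.168.200.0/24")
GATEWAY_IP = ipaddress.ip_address("192.168.200.1")
PRIVATE_KEY_PATH = "/config/auth/wireguard/wg_private.key"
SAMPLE_PEERS = [
    {"name": "peer one", "public_key": base64.b64encode(bytes([1] * 32)).decode(), "ip": "192.168.200.11"},
    {"name": "peer two", "public_key": base64.b64encode(bytes([2] * 32)).decode(), "ip": "192.168.200.10"},
]


def validate_public_key(key):
    """Accept only a base64 string that decodes to exactly 32 bytes (a Curve25519 point)."""
    raw = base64.b64decode(key, validate=True)  # raises binascii.Error (a ValueError) on bad input
    if len(raw) != 32:
        raise ValueError(f"public key must decode to 32 bytes, got {len(raw)}")
    return key


def build_peer_entries(peers, subnet=VPN_SUBNET, gateway_ip=GATEWAY_IP, keepalive=60):
    """Build the 'peer' list: one {public_key: {...}} object per client, each pinned to a /32."""
    entries, seen_keys, seen_ips = [], set(), set()
    for peer in peers:
        key = validate_public_key(peer["public_key"])
        if key in seen_keys:
            raise ValueError(f"duplicate public key for {peer['name']}")
        addr = ipaddress.ip_address(peer["ip"])
        # A /32 outside the subnet is never routed to wg0; the gateway address must stay free;
        # two peers sharing an allowed-ip would silently steal each other's traffic.
        if addr not in subnet or addr in (subnet.network_address, subnet.broadcast_address):
            raise ValueError(f"{addr} is not a usable host address in {subnet}")
        if addr == gateway_ip or addr in seen_ips:
            raise ValueError(f"{addr} is already in use (gateway or another peer)")
        seen_keys.add(key)
        seen_ips.add(addr)
        entries.append({key: {"allowed-ips": [f"{addr}/32"], "persistent-keepalive": keepalive}})
    return entries


def build_gateway_config(peers, listen_port=1234, mtu=1500, subnet=VPN_SUBNET, gateway_ip=GATEWAY_IP):
    """Return the config.gateway.json fragment as a dict (string-typed values, as the USG expects)."""
    if not 1 <= listen_port <= 65535:
        raise ValueError("listen-port must be 1-65535")
    return {
        "firewall": {"group": {"network-group": {"remote_user_vpn_network": {
            "description": "Remote User VPN subnets", "network": [str(subnet)]}}}},
        "interfaces": {"wireguard": {"wg0": {
            "description": "VPN for remote clients",
            "address": [f"{gateway_ip}/{subnet.prefixlen}"],
            "firewall": {"in": {"name": "LAN_IN"}, "local": {"name": "LAN_LOCAL"}, "out": {"name": "LAN_OUT"}},
            "listen-port": str(listen_port),
            "mtu": str(mtu),  # the post uses 1500; wg-quick's own default is 1420 to leave room for the UDP encapsulation
            "peer": build_peer_entries(peers, subnet, gateway_ip),
            "private-key": PRIVATE_KEY_PATH,
            "route-allowed-ips": "true",
        }}},
    }


def render_gateway_json(peers, **kwargs):
    return json.dumps(build_gateway_config(peers, **kwargs), indent=4)


def render_client_config(peer, server_public_key, endpoint_host, listen_port=1234, subnet=VPN_SUBNET, keepalive=60):
    """Client-side wg0.conf; the client's private key never leaves the client, so only a placeholder is written."""
    ip = ipaddress.ip_address(peer["ip"])
    if ip not in subnet:
        raise ValueError(f"{ip} is outside {subnet}")
    return "\n".join([
        "[Interface]",
        "PrivateKey = <client private key, generated on the client>",
        f"Address = {ip}/32",
        "",
        "[Peer]",
        f"PublicKey = {validate_public_key(server_public_key)}",
        f"Endpoint = {endpoint_host}:{listen_port}",
        f"AllowedIPs = {subnet}",  # only VPN traffic is tunnelled; use 0.0.0.0/0 to send everything through the USG
        f"PersistentKeepalive = {keepalive}",
        "",
    ])


if __name__ == "__main__":
    print(render_gateway_json(SAMPLE_PEERS))
    # <USG public key> and <public ip> are constructed placeholders.
    print(render_client_config(SAMPLE_PEERS[0], base64.b64encode(bytes([9] * 32)).decode(), "<public ip>"))
```

Run it as-is to see the generated fragment; feed the output of render_gateway_json into config.gateway.json after replacing the placeholder keys with real ones. The validation errors are raised before anything is written, which is cheaper than discovering a bad peer entry from a failed provision.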

Once added and the change provisioned, you should be able to connect to your public IP on port 1234 (or whatever port you set above).

I found tailing some log files in /var/log on the USG helpful when provisioning new config. If provisioning fails, then revert the change and trigger a new provision.
