In a recent Beta firmware for various Unifi cloud consoles, Teleport was released.
Under the covers, this appears to be run over wireguard. I have been using Wireguard as VPN for some time, though when I migrated off my USG I have had to run this from a raspberry pi in my network instead.
After installing the beta firmware, I took a look around and found the wg-tools are now installed.
Example config file:
[Interface] Address = 192.168.100.1/32 ListenPort = 1234 PrivateKey = IPhTq/Mr7iw423t1S6ZV6snsjkzYacD8Mi23ry+hMlU= [Peer] PublicKey = y/GNJHLx7DcxFRYLGBbo+i38k2/lmRSM1knUOeGWxH0= AllowedIPs = 192.168.100.2/32
You can generate PrivateKey with :
root@Console:/tmp# wg genkey IPhTq/Mr7iw423t1S6ZV6snsjkzYacD8Mi23ry+hMlU=
and then PublicKey, create a new PrivateKey as above for the first client, and then echo it through wg pubkey. E.g
root@Console:/tmp# wg genkey CC/Qg+d2vKMJhne6Md8YX2DYIODy/vxTangg46zsJ3A= root@Console:/tmp# echo CC/Qg+d2vKMJhne6Md8YX2DYIODy/vxTangg46zsJ3A=|wg pubkey y/GNJHLx7DcxFRYLGBbo+i38k2/lmRSM1knUOeGWxH0=
I copied over my config file to my console, and placed in /etc/wireguard as wg1.conf
Enabled the wireguard service for wg1:
systemctl enable wg-quick@wg1
Then started the service
root@Console:/tmp# systemctl start wg-quick@wg1
You can then check the status
root@Console:/tmp# systemctl start wg-quick@wg1 root@Console:/tmp# wg show wg1 interface: wg1 public key: /BoXnj7ekraL+WQOKUoEH1T4sk8AFkik1TQhK0NK8nI= private key: (hidden) listening port: 1234 peer: d8yGQJeuD9NpuZFiMbzagr86bXtG5WuYMBA8mDu6W0c= allowed ips: 192.168.100.2/32
We can see that the interface is up, however nothing connected. To connect we need to configure our client with an equivalent config file. e.g
[Interface] Address = 192.168.100.2/32 PrivateKey = CC/Qg+d2vKMJhne6Md8YX2DYIODy/vxTangg46zsJ3A= [Peer] PublicKey = /BoXnj7ekraL+WQOKUoEH1T4sk8AFkik1TQhK0NK8nI= AllowedIPs = 192.168.100.1/32 Endpoint = <public IP of console>:1234
Where the private key is the private key generated for the client, and the PublicKey is the Private key for server piped through wg pubkey
If you try and connect now, it will likely not work. You need to also create a rule in the firewall for Internet/WAN local allowing inbound UDP on the port you defined in the config file (in my example, port 1234)
In the UI, in Settings -> Firewall & Security, add an entry for Internet Local
Where the Port Group WG In contains the port you defined in your config file (in my example, 1234).
I have tested restarting the console and the VPN comes back up again, we will see what happens when the next firmware is released.
I expect this should work for all Unifi “all in one” devices (UDM, UDMP, UDR, UDM SE), teleport seems supported on the cloud key too, however I guess that you might need to set up some forwarding from your router to the cloud key to get the wireguard VPN working. Hopefully a UI is added at some point, its a feature thats been requested for some time now.