Wireguard can be installed on Edgerouter systems by Ubiquiti. You may need to fiddle a little bit to get it working, because some functionality is missing. This guide walks through installing it on your EdgeOS device and configuring it.
Where to download Wireguard
You can get an EdgeOS build of Wireguard by going here, where you will find a list of supported devices and their model numbers. Download the Debian package matching your router from the Assets section.
In this case, I will be using the wireguard-e100.deb file, which is for the Edgerouter Lite (model E100). You'll need to download this file to your Edgerouter using curl, since wget is not available:
curl -O https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20191219-2/wireguard-e100-0.0.20191219-2.deb
This will place the package in your default home folder. Now we are ready to install Wireguard.
You are now going to use the dpkg program to install the deb package that we’ve just downloaded:
sudo dpkg -i wireguard-e100-0.0.20191219-2.deb
At this point, Wireguard should be ready for configuration. We are now going to add an interface to our Edgerouter with this:
sudo ip link add dev wg0 type wireguard
Next, let's add an IP address for the router's Wireguard interface:
sudo ip addr add 10.0.0.1/32 dev wg0
Generate the needed keys to use for our Wireguard connection:
sudo wg genkey | tee privatekey | wg pubkey > publickey
You will then create your wg0.conf file and add the following to it:
[Interface]
PrivateKey = The contents of your privatekey file here.
ListenPort = 51820

[Peer]
PublicKey = The public key of your Wireguard server/peer here (the other end's publickey, not your own).
AllowedIPs = 10.0.0.2/32 (or the IP of your Wireguard server/peer's interface)
Endpoint = Wireguard server/peer IP and port goes here.
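Generating the keys and writing wg0.conf can be wrapped in a small script that keeps the private key out of world-readable files and refuses a [Peer] key that is actually your own public key, which is the most common reason a tunnel never handshakes. This is an added example, not part of the original post; it assumes the peer's public key has been saved in a file called peerpublickey (a name chosen here) next to privatekey and publickey.

```shell
#!/bin/sh
# Added example, not the original post's script. Builds wg0.conf from key
# files with restrictive permissions and sanity-checks the [Peer] key.
# Assumes the peer's public key is in "$dir/peerpublickey" (name chosen here).

# Generate the key pair under umask 077 so privatekey is never world-readable.
gen_keys() {   # $1 = directory
  ( umask 077 && wg genkey | tee "$1/privatekey" | wg pubkey > "$1/publickey" )
}

# A WireGuard key is 32 bytes base64-encoded: 44 characters ending in '='.
is_wg_key() {
  [ "${#1}" -eq 44 ] && [ "${1%=}" != "$1" ]
}

# Reject a [Peer] key that is our own public key (the tunnel would never handshake).
peer_key_ok() {   # $1 = own public key, $2 = peer public key
  is_wg_key "$1" && is_wg_key "$2" && [ "$1" != "$2" ]
}

# Render wg0.conf. $1 private key, $2 peer public key, $3 peer tunnel IP,
# $4 peer endpoint host:port.
render_wg_conf() {
  printf '[Interface]\nPrivateKey = %s\nListenPort = 51820\n\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s\n' \
    "$1" "$2" "$3" "$4"
}

# Write wg0.conf with mode 600 after the sanity checks.
write_wg_conf() {   # $1 = directory, $2 = peer tunnel IP, $3 = peer endpoint
  dir=$1
  priv=$(cat "$dir/privatekey"); pub=$(cat "$dir/publickey")
  peer=$(cat "$dir/peerpublickey")
  peer_key_ok "$pub" "$peer" || { echo "bad peer key (is it your own publickey?)" >&2; return 1; }
  ( umask 077 && render_wg_conf "$priv" "$peer" "$2" "$3" > "$dir/wg0.conf" )
  chmod 600 "$dir/wg0.conf" "$dir/privatekey"
}

# Permission string of a file, e.g. "-rw-------"; portable across busybox and GNU ls.
file_mode() { ls -ld "$1" | cut -c1-10; }
```

Run gen_keys once on the router, copy the other end's public key into peerpublickey, then call write_wg_conf with the peer's tunnel IP and endpoint before running wg setconf.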
Once you’re finished setting up your config, run the following:
sudo wg setconf wg0 /home/$USER/wg0.conf
When ready, turn on Wireguard by running this command:
sudo ip link set up dev wg0
On EdgeOS, Wireguard doesn't configure the routes automatically. They all need to be configured manually with the ip route command. Add the following routes for both the peer and the local address:
sudo ip route add 10.0.0.1/32 dev wg0 && sudo ip route add 10.0.0.2/32 dev wg0
You will need to do this for any additional network that you’ll want to access.
If your Edgerouter is the server and you would like to give clients access to its network, you will need to configure NAT. Specifically, masquerade on wg0 if the Edgerouter is the client, and on the other interface(s) if it is the server.
Wireguard doesn't automatically start or save its configuration properly on EdgeOS, since there is no wg-quick program to work with. An alternative is to create a script that runs at boot. Add the following to the script:
#!/bin/vbash
# Full paths are required: PATH is not set up when this runs at boot.
/bin/ip link add dev wg0 type wireguard
/bin/ip addr add 10.0.0.1/32 dev wg0
# $USER may not be set at boot; use the explicit path to your wg0.conf if this fails.
/usr/bin/sudo /usr/bin/wg setconf wg0 /home/$USER/wg0.conf
/bin/ip link set up dev wg0
/bin/ip route add 10.0.0.1/32 dev wg0
/bin/ip route add 10.0.0.2/32 dev wg0
# Route to the network behind the peer; use that network's real prefix length (a /32 covers a single host).
/bin/ip route add 192.168.1.0/32 dev wg0
/usr/bin/sudo /sbin/ifconfig wg0 mtu 1300
Full paths must be used for everything to work properly. Make the script executable with chmod +x and place it in the /config/scripts/post-config.d/ folder.
If you’re having problems accessing anything at the other end of the peer, set the MTU for the Wireguard interface on both ends to 1300 with this:
sudo ifconfig wg0 mtu 1300
This should solve any issues that you might have with TCP connections.