pywkt

Setting Up WireGuard on a UDM Pro


These instructions are incomplete.

This was an attempt from the first day I set up the UDM and knew much less about WireGuard than I do now. From what I remember, I was 90% of the way there with this, but eventually decided to plug the pfSense box back in upstream and continue to use that as a whole network firewall/vpn. I'm just publishing these notes here in case it helps anyone trying to do something similar.

Once through the initial setup, we need to log in to the UDM via SSH.

The UDM's SSH server expects an ssh-rsa key rather than the default key type a current OpenSSH client would generate, so generate an RSA key and explicitly re-enable ssh-rsa in the client config below.

Generate an rsa key

ssh-keygen -t rsa

Copy the public key

cat ~/.ssh/id_rsa.pub

Go to the network settings on the UDM and add that public key in the SSH section at the bottom

(Network > System > Network Device SSH Authentication)

Remove or comment out any existing host keys for 192.168.1.1 in known_hosts

nano ~/.ssh/known_hosts

Update your ssh config

nano ~/.ssh/config
Host hostname_of_machine
HostName hostname_or_ip_address
User root
IdentityFile ~/.ssh/file.pem
IdentitiesOnly yes
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

Now you should be able to SSH in to the UDM with an effin' bash shell. Here we go...

Install the split-vpn package

curl -LSsf https://raw.githubusercontent.com/peacey/split-vpn/main/vpn/install-split-vpn.sh | sh

Install WireGuard

Check for the latest version at https://github.com/tusc/wireguard-kmod/releases

Download WireGuard

curl -LJo wireguard-kmod.tar.Z https://github.com/tusc/wireguard-kmod/releases/download/v06-01-22/wireguard-kmod-06-01-22.tar.Z

Extract tar file

tar -C /mnt/data -xvzf wireguard-kmod.tar.Z

Make the script executable and run it

cd /mnt/data/wireguard
chmod +x setup_wireguard.sh
./setup_wireguard.sh

Check that it installed

dmesg | grep wireguard

You should see something like this

[ 2758.032677] wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
[ 2758.032680] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

Not sure if this will work because the guide says to do it on the UDM Pro SE, but let's try...

curl -Lo /etc/systemd/system/setup-wireguard.service https://raw.githubusercontent.com/tusc/wireguard-kmod/main/src/boot/setup-wireguard.service

Looks like the non-SE version doesn't have systemctl. Note to self: Look into starting WireGuard on boot...

Generate wireguard keys

wg genkey | tee privatekey | wg pubkey > publickey

Restrict the private key's permissions so only root can read it

chmod 600 privatekey
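As an added example (not from the original notes, and not part of split-vpn or wireguard-kmod), a small POSIX shell script that does the key generation under a restrictive umask so the private key is never briefly world-readable before the chmod, and that checks the file mode and the dmesg line the notes inspect by hand. It assumes a busybox-style `ls -l` output as found on the UDM.

```shell
#!/bin/sh
# Added example, not from the original notes.

# Generate the key pair inside a subshell with umask 077 so privatekey and
# publickey are created as 0600 from the start (the notes' tee creates the
# file as 0644 and only then chmods it). Requires the wg tool on the UDM.
wg_keygen() {
    dir="${1:-.}"
    ( umask 077
      wg genkey | tee "$dir/privatekey" | wg pubkey > "$dir/publickey" )
}

# Return 0 when the file is a regular file with mode 0600, i.e. no group or
# other bits. Uses ls -l instead of stat so it works with busybox tools.
key_perms_ok() {
    mode=$(ls -l "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Read dmesg text on stdin; print the loaded WireGuard module version and
# return 0, or print nothing and return 1 if the module never loaded.
wireguard_version_from_dmesg() {
    sed -n 's/.*wireguard: WireGuard \([0-9.]*\) loaded.*/\1/p' | grep .
}

# Constructed sample of the dmesg lines the notes show after setup_wireguard.sh.
SAMPLE_DMESG='[ 2758.032677] wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
[ 2758.032680] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.'

# Demo on the constructed sample; on the UDM use: dmesg | wireguard_version_from_dmesg
if ver=$(printf '%s\n' "$SAMPLE_DMESG" | wireguard_version_from_dmesg); then
    echo "wireguard module loaded, version $ver"
else
    echo "wireguard module not loaded" >&2
fi
```

On the UDM, run `wg_keygen /mnt/data/wireguard` and then `key_perms_ok /mnt/data/wireguard/privatekey` to confirm the mode before referencing the key in a WireGuard config.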

References:

  • https://di-marco.net/blog/it/2022-02-02-wireguad_and_split_vpn_on_unifi_dream_machine_pro_se/
  • https://github.com/peacey/split-vpn
  • https://github.com/tusc/wireguard-kmod/releases
  • https://www.hostifi.com/blog/wireguard-on-a-unifi-dream-machine-pro
  • https://www.nodinrogers.com/post/2022-03-15-wireguard-vpn-on-ubiquity-udm-pro/
  • https://florianmuller.com/setup-a-wireguard-vpn-on-unifi-dream-machine-udm-udm-pro-and-use-macos-as-a-client
  • http://dl-origin.ubnt.com/qsg/UDM-Pro/UDM-Pro_EN.html
  • https://www.ui.com/quick-start/udm-pro