Emerging Member
Posts: 46
Registered: ‎06-07-2016
Kudos: 17
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

@ben_r_ I think there is no security risk running easy-rsa on the USG, and there is no stability risk either (as vyos actually has easy-rsa preinstalled). But what IS a security risk is to store the CA secret key on the USG. Remove the CA key from the USG (store it on a different machine), otherwise your PKI setup is somewhat risky. The CA key is not needed for OpenVPN to work, but it will allow an intruder to compromise your whole PKI, server and all clients, by revoking or issuing any keys related to your OpenVPN setup.
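A quick check for the point made in the post above, as an added example that is not code from the thread or from Ubiquiti: it walks the USG key directory and reports a CA private key left on the gateway, missing server files, and private keys that are not root-only. The file names (ca.crt, server.crt, server.key, dh2048.pem, ca.key) follow the configs posted later in this thread and are parameters; the demo directory it builds is constructed, with empty files standing in for real keys.

```python
"""Audit the OpenVPN key directory on a USG (/config/auth/keys).

Added example, not code from the thread.  It checks what the post above
warns about: the CA private key must not be on the gateway, while the files
OpenVPN does need must be present with private keys readable by root only.
The file names are the ones used in the configs posted later in this thread
(ca.crt, server.crt, server.key, dh2048.pem); override them if yours differ.
"""
import os
import stat
import tempfile

# What the server's "tls" block references.  None of these is the CA key.
REQUIRED = ("ca.crt", "server.crt", "server.key", "dh2048.pem")
# Must never be on the gateway: with it an intruder can issue or revoke any
# certificate in the PKI, not just the one for this server.
FORBIDDEN = ("ca.key",)


def audit_keys_dir(path, required=REQUIRED, forbidden=FORBIDDEN):
    """Return a list of findings; an empty list means the directory is clean."""
    findings = []
    present = sorted(os.listdir(path))
    for name in forbidden:
        if name in present:
            findings.append("%s: CA private key on the gateway; move it to an offline machine" % name)
    for name in required:
        if name not in present:
            findings.append("%s: missing, the OpenVPN server will not start" % name)
    # Every private key, whatever its name, must be 0600 (root-only).
    for name in present:
        if not name.endswith(".key"):
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s: mode %04o is group/world accessible; chmod 600 it" % (name, mode))
    return findings


def make_demo_dir(with_ca_key=True, loose_mode=True):
    """Constructed sample: a throwaway keys directory for the demo (empty files)."""
    path = tempfile.mkdtemp(prefix="keys-demo-")
    for name in REQUIRED + (("ca.key",) if with_ca_key else ()):
        open(os.path.join(path, name), "w").close()
    for name in os.listdir(path):
        if name.endswith(".key"):
            os.chmod(os.path.join(path, name), 0o644 if loose_mode else 0o600)
    return path


if __name__ == "__main__":
    # Demo: the "bad" directory has ca.key present and a world-readable server.key.
    for finding in audit_keys_dir(make_demo_dir()) or ["no findings"]:
        print(finding)
```

Run it against /config/auth/keys on the USG with `audit_keys_dir("/config/auth/keys")`; the clean state is an empty list. If ca.key shows up, move it (and the easy-rsa pki directory it came from) to the machine that signs requests, and keep only ca.crt on the gateway.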

Member
Posts: 225
Registered: ‎03-06-2013
Kudos: 31
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG


@doomer2 wrote:

Hi, I’m pretty sure there will be no GUI for OpenVPN configuration any time soon for many reasons which are beyond the current topic. The OS for the USG is based on vyatta/vyos. Its power and beauty is in its command line core.

My advice for everybody looking for and sticking to GUI is to stop wasting time and dig into power and simplicity of command line instead.

config.json file will keep your configuration over reboots and upgrades, and will let you configure everything in simple, clear and reproducible manner. Go for it and you will be happy. 

 



If we wanted the command line we would get the EdgeRouter and not the USG.

LiL Network
www.LilNetwork.com
Emerging Member
Posts: 46
Registered: ‎06-07-2016
Kudos: 17
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG


@demonmaestro Well, that's partially correct. EdgeRouter has a GUI which is more complicated and, yes, more powerful than the USG's (yet it cannot control OpenVPN via the GUI). Still, you will want the command line at some point and will almost totally give up its GUI in the end. The same goes for the USG: use its weak GUI up to some point, then switch to the command line. At this point there will be no difference between the two worlds, USG or EdgeRouter.

If you want pure command line go for vyos instead.

Or, if you want command line go for EdgeRouter. If you want GUI go for EdgeRouter too.

Emerging Member
Posts: 85
Registered: ‎01-02-2018
Kudos: 12
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG


Anyone else use Wayne's config.gateway.json file for their setup to leave out any IPv6 stuff (LINK)? Did it work well for you?

 

{
"firewall": {
    "name": {
      "WAN_LOCAL": {"rule": {"20": {"action": "accept","description": "Allow OpenVPN clients in","destination": {"port": "1194"},"log": "disable","protocol": "udp"}}}
    }},
"interfaces": 
    {"openvpn": {
      "vtun0": {
        "encryption": "aes128",
        "mode": "server",
        "openvpn-option": ["--keepalive 8 30","--comp-lzo","--duplicate-cn","--user nobody --group nogroup",
        "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login","--client-cert-not-required --username-as-common-name",
          "--verb 1","--proto udp6","--port 1194","--push redirect-gateway def1",
          "--push dhcp-option DNS 8.8.8.8","--push dhcp-option DNS 8.8.4.4"
        ],
        "server": {"subnet": "10.0.1.0/24"},
        "tls": {
          "ca-cert-file": "/config/auth/keys/ca.crt",
          "cert-file": "/config/auth/keys/server.crt",
          "dh-file": "/config/auth/keys/dh2048.pem",
          "key-file": "/config/auth/keys/server.key"
        }
      }
    }
    },
"service": {"nat": {"rule": {"5010": {"description": "Masquerade for WAN","outbound-interface": "eth0","type": "masquerade"}}}}
}
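A review of the option list in the config above, as an added example that is not code from the thread or from Ubiquiti: `lint_options()` flags the settings a security reviewer would push back on (in-tunnel compression, password-only logins, shared credentials, near-silent logging, no HMAC on the control channel) and `harden()` returns the corrected list. `POSTED_OPTIONS` is a copy of the posted config; the tls-auth key path /config/auth/keys/ta.key is an assumption. Generate that key with `openvpn --genkey --secret ta.key` and give clients the same file with `tls-auth ta.key 1`.

```python
"""Review the "openvpn-option" list of a USG config.gateway.json.

Added example, not part of the thread.  lint_options() flags the settings
in the config posted above that a security reviewer would push back on, and
harden() returns the corrected list.  POSTED_OPTIONS is a copy of the
posted config; the tls-auth key path /config/auth/keys/ta.key is an
assumption.
"""
import json
import re

POSTED_OPTIONS = [
    "--keepalive 8 30", "--comp-lzo", "--duplicate-cn",
    "--user nobody --group nogroup",
    "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login",
    "--client-cert-not-required --username-as-common-name",
    "--verb 1", "--proto udp6", "--port 1194", "--push redirect-gateway def1",
    "--push dhcp-option DNS 8.8.8.8", "--push dhcp-option DNS 8.8.4.4",
]


def lint_options(options):
    """Return [(option, reason)] for every questionable setting found."""
    flat = " ".join(options)
    findings = []
    if re.search(r"--comp-lzo(?!\s+no)", flat):
        findings.append(("--comp-lzo", "compression inside the tunnel makes HTTP traffic "
                         "vulnerable to compression-oracle (VORACLE) attacks; remove it"))
    if "--client-cert-not-required" in flat:
        findings.append(("--client-cert-not-required", "password-only login: a phished or "
                         "reused PAM password is enough to get in; the option is also "
                         "deprecated in OpenVPN 2.4 and removed in 2.5"))
    if "--duplicate-cn" in flat:
        findings.append(("--duplicate-cn", "lets one credential connect from many places at "
                         "once, which hides credential sharing and theft"))
    m = re.search(r"--verb\s+(\d+)", flat)
    if m and int(m.group(1)) < 3:
        findings.append((m.group(0), "too little logging to investigate failed logins; "
                         "OpenVPN's default is --verb 3"))
    if "--proto udp6" in options:
        findings.append(("--proto udp6", "binds an IPv6 socket; use --proto udp for "
                         "an IPv4-only setup"))
    if not re.search(r"--tls-(auth|crypt)\b", flat):
        findings.append(("(missing) --tls-auth", "without an HMAC key on the control "
                         "channel anyone on the internet can drive the TLS stack on "
                         "udp/1194; add --tls-auth (2.3) or --tls-crypt (2.4+)"))
    return findings


def harden(options, ta_key="/config/auth/keys/ta.key"):
    """Return a corrected copy of `options`: drop the flagged settings, raise
    verbosity, listen on IPv4 only and add a tls-auth key (path is assumed)."""
    fixed = []
    for opt in options:
        if opt.startswith(("--comp-lzo", "--duplicate-cn", "--client-cert-not-required")):
            continue                      # client certificates become mandatory again
        if opt.startswith("--verb "):
            opt = "--verb 3"
        if opt == "--proto udp6":
            opt = "--proto udp"
        fixed.append(opt)
    if not any(o.startswith(("--tls-auth", "--tls-crypt")) for o in fixed):
        fixed.append("--tls-auth %s 0" % ta_key)
    return fixed


if __name__ == "__main__":
    for opt, why in lint_options(POSTED_OPTIONS):
        print("%-28s %s" % (opt, why))
    print(json.dumps({"openvpn-option": harden(POSTED_OPTIONS)}, indent=2))
```

The hardened list keeps the PAM plugin, so a client then needs both a certificate issued by your CA and a valid password; if you only want certificates, drop the `--plugin` line as well. Each client profile needs a matching `tls-auth` line or it will be dropped silently at the first packet.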

 

Emerging Member
Posts: 85
Registered: ‎01-02-2018
Kudos: 12
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG


Man, I knew this was going to be a pain for me to figure out.... That's why I have been putting it off.

 

So right off the bat just trying to get the latest version of EasyRSA installed I run into this issue:

 

sudo bash

curl -O http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_3.0.4-2_all.deb

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 35100  100 35100    0     0   124k      0 --:--:-- --:--:-- --:--:--  198k

sudo dpkg -i easy-rsa_3.0.4-2_all.deb

dpkg-deb: error: archive 'easy-rsa_3.0.4-2_all.deb' contains not understood data member control.tar.xz, giving up
dpkg: error processing easy-rsa_3.0.4-2_all.deb (--install):
 subprocess dpkg-deb --control returned error exit status 2

Errors were encountered while processing:
 easy-rsa_3.0.4-2_all.deb

Any thoughts on what is going wrong here? Do I HAVE to use the same version of Easy RSA used in this tutorial? It was from over 4 years ago, and the latest version is only a couple of months old. Surely there have been some good changes since then, no?

 

EDIT: There must be some other packages included in that ~bpo70+1_all.deb version as it does install as it should. Just wish I could use the latest version.

Emerging Member
Posts: 85
Registered: ‎01-02-2018
Kudos: 12
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

After this is all said and done, should the certificate file (/config/auth/keys/ca.crt) be removed/deleted from the USG? Doesn't seem like a good idea to leave it on there, but perhaps it doesn't matter?

Member
Posts: 113
Registered: ‎01-10-2016
Kudos: 6

Re: How To: OpenVPN Server Configuration on the USG

For those who are interested in OpenVPN with Radius based auth, I've written a guide here:

 

https://gist.github.com/jcconnell/ec3c942c818a571d97f5ceaf954a37b0

 

I still need to determine whether the changes to the /etc persist on reboot, upgrade or provision. If they do not, I'll write a script that checks for their existence and replaces them if need be and update the gist. If someone else has some advice in this regard I'd love to hear it.

New Member
Posts: 3
Registered: ‎09-30-2018
Kudos: 2

Re: How To: OpenVPN Server Configuration on the USG

Have opvn running on USG with the help of the "config.gateway.json" file.
Also after a new provisioning, openvpn is running.

 

It's sad that ubiquiti doesn't implement this until now in the controller :(

 

pOpY

New Member
Posts: 21
Registered: ‎11-23-2017
Kudos: 4

Re: How To: OpenVPN Server Configuration on the USG

I would really be interested in a OpenVPN Server implementation in the USG GUI.

L2TP is not working (kills connection) on my OnePlus Android P after 90 seconds or so.

 

OpenVPN has always been working for me while using a Synology NAS. However I would like to move the OpenVPN server from the NAS to the USG ;-) in an easy to understand way.

 

New Member
Posts: 33
Registered: ‎10-16-2016
Kudos: 617

Re: How To: OpenVPN Server Configuration on the USG

I think you're facing a client issue. I can stay up all day on Windows, Pixel 2xl or iPad with L2TP. Try a different client.

New Member
Posts: 3
Registered: ‎09-30-2018
Kudos: 2

Re: How To: OpenVPN Server Configuration on the USG

Really sad that such a feature is not implemented, c'mon ubiquiti ....

New Member
Posts: 21
Registered: ‎11-23-2017
Kudos: 4

Re: How To: OpenVPN Server Configuration on the USG

@cdrom1028, tnx.

 

L2TP: Samsung Galaxy Tab S2 remains connected indeed, while the One Plus with latest Android version is kicked out.

Too bad the Tab does not fit in my back pocket. Confused all day. At least we know where to look.

One Plus is now on OpenVPN running from Synology, in case somebody tries to login the firewall will block the invalid login. Another nice Synology feature.

 


Emerging Member
Posts: 54
Registered: ‎09-18-2018
Kudos: 56
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG


I've followed the instructions (with the exception of generating PKI & certs - I used easyrsa v3 https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto and prepared everything on a Mac and scp'd it to the USG) and everything works, but not internet access.

I can see all local resources (incl. local DNS - pihole) but can't go out to WAN. Of course I have

set service nat rule 5010 description "Masquerade for WAN"
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

enabled. What else could have been done/checked?

Below is setup of my OpenVPN server:

"interfaces": {
                    "openvpn": {
                                "vtun0": {
                                          "encryption": "aes256",
                                          "mode": "server",
                                          "openvpn-option": [
                                             "--keepalive 8 30",
                                             "--comp-lzo",
                                             "--user nobody --group nogroup",
                                             "--verb 1",
                                             "--proto udp",
                                             "--port 1194",
                                             "--push route-gateway 172.16.5.1",
                                             "--push redirect-gateway def1",
                                             "--push dhcp-option DNS 172.16.0.10"
                                            ],
                                          "server": {"subnet": "172.16.5.0/28"},
                                          "tls": {
                                                  "ca-cert-file": "/config/auth/keys/ca.crt",
                                                  "cert-file": "/config/auth/keys/usg-serwer.crt",
                                                  "dh-file": "/config/auth/keys/dh.pem",
                                                  "key-file": "/config/auth/keys/usg-serwer.key"
                                                 }
                                         }
                               }
                 }

 

EDIT:

I've answered (eth0 -> eth2) myself in the new thread: https://community.ubnt.com/t5/UniFi-Routing-Switching/OpenVPN-missing-WAN-access/m-p/2545365/highlig... 

Emerging Member
Posts: 73
Registered: ‎08-27-2016
Kudos: 16
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

I would really like them to fix this. I also have a OP6 with Android 9 and it will not stay connected. It worked on my old OP3 with Android 8.

 

I wish it was simpler to get Open VPN up and running on the USG. I am not skilled in doing the SSH thing and configuring it through a shell. But it seems the VPN functions of the USG aren't very polished yet.

New Member
Posts: 9
Registered: ‎12-08-2016

Re: How To: OpenVPN Server Configuration on the USG

What people seem to not mention on this forum, and correct me if I am wrong, is that you should take a config.boot from /config (via SSH) before you start, then take the config.boot after you have committed/saved your changes. Then do a file DIFF. The DIFFs are what you put into the config.gateway.json file!
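The diff step described above, done on the JSON form of the configuration, as an added example that is not code from the thread or from Ubiquiti. On the USG, `mca-ctrl -t dump-cfg` prints the running configuration as JSON in the same tree layout config.gateway.json uses, so a dump taken before and after the `set`/`commit` session can be diffed structurally instead of as text. `BEFORE` and `AFTER` below are constructed, trimmed samples, not real dumps; the rule numbers, vtun0 settings and key paths mirror the configs posted earlier in this thread.

```python
"""Compute the config.gateway.json fragment from a before/after pair of USG
configuration dumps, i.e. the diff step the post above describes.

Added example, not from the thread.  BEFORE and AFTER are constructed,
trimmed samples of what "mca-ctrl -t dump-cfg" returns; the additions mirror
the OpenVPN configs posted earlier in this thread.
"""
import copy
import json

BEFORE = {
    "firewall": {"name": {"WAN_LOCAL": {
        "default-action": "drop",
        "rule": {"10": {"action": "accept", "description": "Allow established",
                        "state": {"established": "enable"}}}}}},
    "interfaces": {"ethernet": {"eth0": {"address": "dhcp", "description": "WAN"}}},
    "service": {"nat": {"rule": {"6001": {"outbound-interface": "eth0",
                                           "type": "masquerade"}}}},
}

# AFTER = BEFORE plus what the "set ..." commands added: a WAN_LOCAL rule for
# udp/1194, the vtun0 server and a masquerade rule for the VPN clients.
AFTER = copy.deepcopy(BEFORE)
AFTER["firewall"]["name"]["WAN_LOCAL"]["rule"]["20"] = {
    "action": "accept", "description": "Allow OpenVPN clients in",
    "destination": {"port": "1194"}, "protocol": "udp"}
AFTER["interfaces"]["openvpn"] = {"vtun0": {
    "encryption": "aes256", "mode": "server",
    "openvpn-option": ["--keepalive 8 30", "--proto udp", "--port 1194"],
    "server": {"subnet": "10.0.1.0/24"},
    "tls": {"ca-cert-file": "/config/auth/keys/ca.crt",
            "cert-file": "/config/auth/keys/server.crt",
            "dh-file": "/config/auth/keys/dh2048.pem",
            "key-file": "/config/auth/keys/server.key"}}}
AFTER["service"]["nat"]["rule"]["5010"] = {"description": "Masquerade for WAN",
                                            "outbound-interface": "eth0",
                                            "type": "masquerade"}


def config_diff(before, after):
    """Return the subtree of `after` that is new or changed compared to `before`.

    Nested dicts are descended so unchanged siblings (rule 10, eth0) stay out
    of the result; lists and scalars are copied whole when they differ.
    """
    out = {}
    for key, value in after.items():
        if key not in before:
            out[key] = copy.deepcopy(value)
        elif isinstance(value, dict) and isinstance(before[key], dict):
            sub = config_diff(before[key], value)
            if sub:
                out[key] = sub
        elif value != before[key]:
            out[key] = copy.deepcopy(value)
    return out


def removed_paths(before, after, prefix=()):
    """Paths present in `before` but gone in `after`.  config.gateway.json can
    only add or override settings, so anything listed here has to be removed
    on the controller side instead."""
    gone = []
    for key, value in before.items():
        path = prefix + (key,)
        if key not in after:
            gone.append(" ".join(path))
        elif isinstance(value, dict) and isinstance(after[key], dict):
            gone.extend(removed_paths(value, after[key], path))
    return gone


if __name__ == "__main__":
    # The printed object is the whole content of config.gateway.json.
    print(json.dumps(config_diff(BEFORE, AFTER), indent=2, sort_keys=True))
```

Keep the file to exactly this delta: the controller re-provisions everything else, and anything you copy in from the dump that the controller also manages will silently override the GUI setting from then on. Run `removed_paths()` too; a `delete` you typed during the session has no equivalent in config.gateway.json and would come back on the next provision.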

Emerging Member
Posts: 85
Registered: ‎01-02-2018
Kudos: 12
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG


@xantari wrote:

What people seem to not mention on this forum, and correct me if I am wrong. Is that you should take a config.boot from /config (via SSH) before you start, then take the config.boot after you have commit/saved your changes. Then do a file DIFF. Then the DIFF's are what you put into the config.gateway.json file!


Well, that's one way to do it. I just wrote out the changes in the config.gateway.json file as I was configuring the openvpn server and figuring out what worked and what didn't.

Emerging Member
Posts: 85
Registered: ‎01-02-2018
Kudos: 12
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG


@doomer2 wrote:

@appleguru wrote:

@doomer2 can you share your fixes/changes to ovpnauth.sh? Might be useful for others here!

Yes, I will share below. Though the right place for these fixes is github itself, although I have a github account I'm not actually a contributor ;)

Original code of ovpnauth.sh is here.

 

My updated code:

#!/bin/sh
# ovpnauth.sh - OpenVPN "auth-user-pass-verify ... via-file" script with a
# simple user database.  OpenVPN calls it as  ovpnauth.sh <tmpfile>  where the
# temporary file holds the username on line 1 and the password on line 2.
# The server needs "--script-security 2" for OpenVPN to run it at all.

# Config parameters

conf="/config/auth/ovpnauth.conf"   # one "username=<sha256 hex>" per line
logfile="/var/log/ovpnauth.log"

# End of config parameters

if [ "$1" = "" ] || [ "$1" = "help" ]
then
        echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
        echo "                   for use with auth-user-pass-verify via-file option"
        echo ""
        echo "help - prints help"
        echo "sha256 password - to compute password sha256 checksum"
        exit 1
fi

# Hash "<password>.<hostname>"; the hostname is a fixed salt, so a hash copied
# from another machine's ovpnauth.conf is not valid here.  The value is piped
# straight into sha256sum, so the password never touches a file (earlier
# revisions wrote it to /tmp, then to /dev/shm).  The trailing newline keeps
# the hashes identical to the ones produced by the earlier revision.
sha256(){
        printf '%s.%s\n' "$1" "$(uname -n)" | sha256sum | awk '{print $1}'
}

if [ "$1" = "sha256" ]
then
        sha256 "$2"
        exit 0
fi

log(){
        echo "$(date +'%m/%d/%y %H:%M') - $1" >> "$logfile"
}

# Dump the environment OpenVPN passes to the script (untrusted_ip, common_name,
# ...).  With via-file the password is not in the environment, so this is safe
# to log; with via-env it would be, so do not switch modes and keep this.
logenv(){
        enviroment="$(env | awk '{printf "%s ", $0}')"
        echo "$(date +'%m/%d/%y %H:%M') - $enviroment" >> "$logfile"
}

# Read the two lines OpenVPN wrote; -r keeps backslashes in passwords intact.
username=""
password=""
{ IFS= read -r username; IFS= read -r password; } < "$1"

# Reject usernames that are empty or contain anything outside a small safe
# set, so the name cannot act as a regular expression in the grep below.
case "$username" in
        ""|*[!A-Za-z0-9._@-]*)
                log "OpenVPN authentication failed: invalid username"
                exit 1 ;;
esac

# computing password sha256
password="$(sha256 "$password")"
# The leading ^ anchors the match at the start of the line so that "bob" does
# not match "jimbob=..."; the second grep drops entries commented out with
# "#" or ";"; head keeps the first entry if a name is listed twice.
userpass="$(grep "^$username=" "$conf" | grep '^[^#;]' | head -n 1 | awk -F= '{print $2}')"

if [ "$password" = "$userpass" ]
then
        log "OpenVPN authentication successful: $username"
        logenv
        exit 0
fi

# Log only the username on failure; the earlier revision wrote the whole
# credentials file, i.e. the plaintext password, into the log.
log "OpenVPN authentication failed: $username"
logenv
exit 1

A few comments. I changed the md5 hash to the modern and more secure sha256. Also, I changed the /tmp dir to the /dev/shm shared memory virtual dir to prevent passwords from ever touching non-volatile memory. I removed the orphaned envr variable which was not actually used. And the most significant security bug fixed: I added ^ to the $username= grep search string to ensure the full length of the username (and not just any ending part of it) matches. And I also added an extra grep filter to remove commented-out usernames.


What settings need to be negated and/or added to make this work? I'm guessing these two have to be added?

 

set interfaces openvpn vtun0 openvpn-option "--script-security 2"
set interfaces openvpn vtun0 openvpn-option "--auth-user-pass-verify /path/ovpnauth.sh via-file"

Is that true and is there anything else?

 

And I'm thinking something has to be removed? Like maybe these three?

set interfaces openvpn vtun0 openvpn-option "--user nobody --group nogroup"
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
set interfaces openvpn vtun0 openvpn-option "--client-cert-not-required --username-as-common-name"

 And how is a setting like that removed? What command is used to "unset" openvpn-options?
