Member | Posts: 164 | Registered: 10-12-2015 | Kudos: 73 | Solutions: 6

How To: OpenVPN Server Configuration on the USG

I got my USG successfully configured as an OpenVPN server using user/password authentication, just the way I wanted, and figured I would share since a few things have changed since the other tutorials were written, and I haven't seen one yet specifically for the USG.

Step 1: Install easy-rsa and generate keys.

First, SSH into your USG. Then install easy-rsa (easy-rsa simplifies key generation significantly):

sudo bash
# fetch the wheezy-backports easy-rsa package and install it
curl -O http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_2.2.2-1~bpo70+1_all.deb
sudo dpkg -i easy-rsa_2.2.2-1~bpo70+1_all.deb

Next, generate your keys:

cd /usr/share/easy-rsa
. vars          # load the easy-rsa environment (key size, cert fields, output dir)
./clean-all     # wipes the keys/ directory, so only run this on a fresh install
./build-ca

Give it a sensible common name, something like: “OpenVPN CA”

./build-key-server server

Set the common name to “server”.
Answer yes to signing the certificate and committing it.

./build-dh

Copy the generated files:

mkdir /config/auth/keys/
cp keys/* /config/auth/keys/    # copies ca.key and server.key as well as the certs and dh2048.pem

Step 2: Configure OpenVPN

Enter your router's configuration mode:

configure

Now set the OpenVPN options:

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.0.1.0/24

Note, your subnet should be different from the subnet your non-VPN clients use. For example, my USG is at 10.0.0.1/255.255.255.0 on my local network, and normal clients get IPs in the 10.0.0.10-10.0.0.200 range. My VPN clients will get IPs in the 10.0.1.X range.

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/keys/server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/keys/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh2048.pem
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 openvpn-option "--keepalive 8 30"
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
set interfaces openvpn vtun0 openvpn-option "--duplicate-cn"
set interfaces openvpn vtun0 openvpn-option "--user nobody --group nogroup"
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
set interfaces openvpn vtun0 openvpn-option "--client-cert-not-required --username-as-common-name"
set interfaces openvpn vtun0 openvpn-option "--verb 1"
set interfaces openvpn vtun0 openvpn-option "--proto udp6"
set interfaces openvpn vtun0 openvpn-option "--port 1194"
set interfaces openvpn vtun0 openvpn-option "--push redirect-gateway def1"
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 8.8.8.8"
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 8.8.4.4"

--proto udp6 sets the server up to accept UDP IPv4 and IPv6 connections. The redirect-gateway option is what tells our clients to send all traffic through the VPN. You can change the port from the default 1194; I did, but make sure you change it everywhere else here too!

Next, configure your firewall to allow OpenVPN connections:

set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description "Allow OpenVPN clients in"
set firewall name WAN_LOCAL rule 20 destination port 1194
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol udp

I have IPv6 configured on my USG too, so I also added an IPv6 firewall rule:

set firewall ipv6-name wan_local-6 rule 20 action accept
set firewall ipv6-name wan_local-6 rule 20 description "Allow OpenVPN clients in"
set firewall ipv6-name wan_local-6 rule 20 destination port 1194
set firewall ipv6-name wan_local-6 rule 20 log disable
set firewall ipv6-name wan_local-6 rule 20 protocol udp

Next, set up a NAT rule to tell the USG to forward your OpenVPN traffic to the internet. If you don't do this, you will be able to connect to your remote servers but not to the internet through your VPN.

set service nat rule 5010 description "Masquerade for WAN"
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

Now commit and save your changes:

commit
save

Step 3: Create a .ovpn file:

Your clients will use this to connect.

client
float
dev tun

# edit the hostname with yours
remote my.hostname.com 1194 udp

resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
comp-lzo
verb 3

# put your CA certificate block here: copy the whole contents of the
# /config/auth/keys/ca.crt file on your USG (including the BEGIN/END lines)
# between the <ca> tags
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

# this is a random certificate. The .ovpn file needs one, but doesn't use it
# (the server is configured with --client-cert-not-required), so you can leave this as is
<cert>
-----BEGIN CERTIFICATE-----
MIIB1jCCAT+gAwIBAgIEAmLSTjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
cGVuVlBOIENBMB4XDTEzMDExNzAyMTExMloXDTIzMDEyMjAyMTExMlowKDEmMCQG
A1UEAxQdZnJyaWN0aW9uQGdtYWlsLmNvbV9BVVRPTE9HSU4wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALVEXIZYYu1Inmejuo4Si6Eo5AguTX5sg1pGbLkJSTR4
BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlUtWnVCwCYtewYfEc/+azH7+7eU6ue
T2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCedptgWyiL50N7FMcUUMjjXYh/hftB
AgMBAAGjIDAeMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3
DQEBBQUAA4GBABhVzSYXHlQEPNaKGmx9hMwwnNKcHgD9cCmC9lX/KR2Y+vT/QGxK
7sYlJInb/xmpa5TUQYc1nzDs9JBps1mCtZbYNNDpYnKINAKSDsM+KOQaSYQ2FhHk
bmBZk/K96P7VntzYI5S02+hOWnvjq5Wk4gOt1+L18+R/XujuxGbwnHW2
-----END CERTIFICATE-----
</cert>

# this is a random key. The .ovpn file needs one, but doesn't use it, so you can leave this as is
<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAECgYEAsNjgOEYVRhEaUlzfzmpzhakC
SKT8AALYaAPbYO+ZVzJdh8mIbg+xuF7A9G+7z+5ZL35lrpXKnONuvmlxkK5ESwvV
Q7EOQYCZCqa8xf3li3GUBLwcwXKtOUr3AYXhdbOh2viQdisD4Ky7H6/Nd3yMc3bu
R4pErmWeHei+l6dIwAECQQDqljNxi9babmHiei6lHaznCMg5+jfAyDXgHvO/afFr
1bDQVDTDK+64kax4E9pvDZC6B/HGse9hOUGWXTjb0WZBAkEAxdAw/14iJIUcE5sz
HDy2R0RmbUQYFjrNgBCi5tnmr1Ay1zHAs1VEF+Rg5IOtCBO50I9jm4WCSwCtN6zF
FoFVAQJAUGfBJDcZIm9ZL6ZPXJrqS5oP/wdLmtFE3hfd1gr7C8oHu7BREWB6h1qu
8c1kPlI4+/qDHWaZtQpJ977mIToJwQJAMcgUHKAm/YPWLgT31tpckRDgqgzh9u4z
e1A0ft5FlMcdFFT8BuWlblHWJIwSxp6YO6lqSuBNiuyPqxw6uVAxAQJAWGxOgn2I
fGkWLLw4WMpkFHmwDVTQVwhTpmMP8rWGYEdYX+k9HeOJyVMrJKg2ZPXOPtybrw8T
PUZE7FgzVNxypQ==
-----END PRIVATE KEY-----
</key>

At this point, you should be able to connect to your server using an OpenVPN client.

Next, you'll want to create a config.gateway.json file that includes your changes so that you don't lose them when you reboot or make a change through your Unifi controller. I won't detail this process here, but mine ended up looking like this:

{
  "firewall": {
    "name": {
      "WAN_LOCAL": {
        "rule": {
          "20": {
            "action": "accept",
            "description": "Allow OpenVPN clients in",
            "destination": {
              "port": "1194"
            },
            "log": "disable",
            "protocol": "udp"
          }
        }
      }
    },
    "ipv6-name": {
      "wan_in-6": {
        "default-action": "drop",
        "description": "wan_in",
        "enable-default-log": "''",
        "rule": {
          "1": {
            "action": "accept",
            "description": "Allow Enabled/Related state",
            "state": {
              "established": "enable",
              "related": "enable"
            }
          },
          "2": {
            "action": "drop",
            "description": "Drop Invalid state",
            "log": "enable",
            "state": {
              "invalid": "enable"
            }
          },
          "5": {
            "action": "accept",
            "description": "Allow ICMPv6",
            "log": "enable",
            "protocol": "icmpv6"
          }
        }
      },
      "wan_local-6": {
        "default-action": "drop",
        "description": "wan_local",
        "enable-default-log": "''",
        "rule": {
          "1": {
            "action": "accept",
            "description": "Allow Enabled/Related state",
            "state": {
              "established": "enable",
              "related": "enable"
            }
          },
          "2": {
            "action": "drop",
            "description": "Drop Invalid state",
            "log": "enable",
            "state": {
              "invalid": "enable"
            }
          },
          "20": {
            "action": "accept",
            "description": "Allow OpenVPN clients in",
            "destination": {
              "port": "1194"
            },
            "log": "disable",
            "protocol": "udp"
          },
          "5": {
            "action": "accept",
            "description": "Allow ICMPv6",
            "log": "enable",
            "protocol": "icmpv6"
          },
          "6": {
            "action": "accept",
            "description": "DHCPv6",
            "destination": {
              "port": "546"
            },
            "protocol": "udp",
            "source": {
              "port": "547"
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "openvpn": {
      "vtun0": {
        "encryption": "aes128",
        "mode": "server",
        "openvpn-option": [
          "--keepalive 8 30",
          "--comp-lzo",
          "--duplicate-cn",
          "--user nobody --group nogroup",
          "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login",
          "--client-cert-not-required --username-as-common-name",
          "--verb 1",
          "--proto udp6",
          "--port 1194",
          "--push redirect-gateway def1",
          "--push dhcp-option DNS 8.8.8.8",
          "--push dhcp-option DNS 8.8.4.4"
        ],
        "server": {
          "subnet": "10.0.1.0/24"
        },
        "tls": {
          "ca-cert-file": "/config/auth/keys/ca.crt",
          "cert-file": "/config/auth/keys/server.crt",
          "dh-file": "/config/auth/keys/dh2048.pem",
          "key-file": "/config/auth/keys/server.key"
        }
      }
    },
    "ethernet": {
      "eth0": {
        "dhcpv6-pd": {
          "pd": {
            "0": {
              "interface": {
                "eth1": "''"
              },
              "prefix-length": "64"
            }
          },
          "rapid-commit": "enable"
        },
        "firewall": {
          "in": {
            "ipv6-name": "wan_in-6"
          },
          "local": {
            "ipv6-name": "wan_local-6"
          }
        }
      },
      "eth1": {
        "ipv6": {
          "dup-addr-detect-transmits": "1",
          "router-advert": {
            "cur-hop-limit": "64",
            "link-mtu": "0",
            "managed-flag": "true",
            "max-interval": "600",
            "other-config-flag": "false",
            "prefix": {
              "::/64": {
                "autonomous-flag": "true",
                "on-link-flag": "true",
                "valid-lifetime": "2592000"
              }
            },
            "reachable-time": "0",
            "retrans-timer": "0",
            "send-advert": "true"
          }
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "5010": {
          "description": "Masquerade for WAN",
          "outbound-interface": "eth0",
          "type": "masquerade"
        }
      }
    }
  }
}

Mine also includes changes I added for IPv6 support on my USG, so yours may end up looking a bit different. Copy your config.gateway.json file to the appropriate sites folder on your Unifi server. That's it, all done!

References that helped a lot:

https://community.ubnt.com/t5/EdgeMAX/OpenVPN-server-with-PAM-and-OpenVPN-IOS-Client-configuration/m...

https://community.ubnt.com/t5/EdgeMAX/How-to-configure-OpenVPN/td-p/519289
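
An added example, not part of the original post or of the USG firmware: a small Python script that builds the client .ovpn profile from the ca.crt produced in Step 1 (and, for the certificate-per-user variant discussed later in this thread, from a client cert/key pair as well). It refuses to embed a file that contains a private key, because "cp keys/* /config/auth/keys/" puts ca.key and server.key right next to ca.crt and a mis-typed path must not ship the CA's private key to every client. The remote-cert-tls server line is an addition to the profile shown in the post (easy-rsa's build-key-server issues the server certificate with the server extensions that option checks); the SAMPLE_ strings are constructed placeholders rather than real certificates, and the script name make-profile.py is assumed.

```python
# Added example (not from the original post): render a client .ovpn profile
# from PEM files generated by easy-rsa on the USG. Assumptions are marked.
import re
import sys

# One PEM block: "-----BEGIN X-----", base64 lines, "-----END X-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+?-----END \1-----")

# Same options as the hand-written profile in the post; remote-cert-tls is an
# addition so a client cannot be talked to by anything but a cert carrying the
# server extensions that build-key-server sets.
PROFILE_TEMPLATE = """client
float
dev tun
remote {host} {port} udp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
verb 3
"""

# Constructed placeholders, not real credentials; on the USG you would read
# /config/auth/keys/ca.crt (and a client .crt/.key) instead.
SAMPLE_CA = """-----BEGIN CERTIFICATE-----
MIIBexampleexampleexampleexampleexampleexampleexampleexampleexam
cGxlZXhhbXBsZQ==
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIICexampleexampleexampleexampleexampleexampleexampleexampleexam
-----END RSA PRIVATE KEY-----
"""


def pem_blocks(text):
    """Return [(label, full block text)] for every PEM block in text."""
    text = text.replace("\r\n", "\n")
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def certificate_block(text):
    """Return the single CERTIFICATE block; refuse anything holding a key."""
    blocks = pem_blocks(text)
    if any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        raise ValueError("refusing to embed private key material in a certificate slot")
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE block, found %d" % len(certs))
    return certs[0]


def private_key_block(text):
    """Return the single private key block (PKCS#1 'RSA PRIVATE KEY' or PKCS#8)."""
    keys = [block for label, block in pem_blocks(text) if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, found %d" % len(keys))
    return keys[0]


def build_profile(host, port, ca_pem, client_cert_pem=None, client_key_pem=None):
    """Render the profile text.

    With only ca_pem the profile uses auth-user-pass, matching the server's
    --client-cert-not-required + PAM setup in the post. With a client cert/key
    pair it embeds those instead, for a server that requires client certs.
    """
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if not re.match(r"^[A-Za-z0-9.-]+$", host):
        raise ValueError("unexpected characters in hostname")
    if (client_cert_pem is None) != (client_key_pem is None):
        raise ValueError("client cert and key must be supplied together")
    out = PROFILE_TEMPLATE.format(host=host, port=port)
    if client_cert_pem is None:
        out += "auth-user-pass\n"
    out += "<ca>\n%s\n</ca>\n" % certificate_block(ca_pem)
    if client_cert_pem is not None:
        out += "<cert>\n%s\n</cert>\n" % certificate_block(client_cert_pem)
        out += "<key>\n%s\n</key>\n" % private_key_block(client_key_pem)
    return out


def profile_from_files(host, port, ca_path, cert_path=None, key_path=None):
    """Read the PEM files named on the command line and build the profile."""
    def read(path):
        if path is None:
            return None
        with open(path) as f:
            return f.read()
    return build_profile(host, port, read(ca_path), read(cert_path), read(key_path))


if __name__ == "__main__":
    # e.g.  python make-profile.py my.hostname.com 1194 /config/auth/keys/ca.crt > client.ovpn
    sys.stdout.write(profile_from_files(*sys.argv[1:]))
```

Run it on the USG as "python make-profile.py my.hostname.com 1194 /config/auth/keys/ca.crt > client.ovpn" for the password-authenticated setup in this post; add a client .crt and .key as the fourth and fifth arguments for a certificate-per-user setup. Either way the profile never contains ca.key, and a wrong path fails loudly instead of producing a profile that leaks it.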

 

 

Emerging Member | Posts: 56 | Registered: 06-19-2015 | Kudos: 17

Re: How To: OpenVPN Server Configuration on the USG

Thank you! This is an excellent guide.  It also underscores the need for a wizard / non json approach in the GUI. 

New Member | Posts: 41 | Registered: 10-12-2016 | Kudos: 20

Re: How To: OpenVPN Server Configuration on the USG

This is a great post, however I believe the client side configuration needs to be detailed out.

i.e. how to generate the client certificate and ensure the server has it in the right location (if not using the certificate you have given).

regards

Kash

Member | Posts: 164 | Registered: 10-12-2015 | Kudos: 73 | Solutions: 6

Re: How To: OpenVPN Server Configuration on the USG

@kashif-ali wrote:

This is a great post, however I believe the client side configuration needs to be detailed out.

i.e. how to generate the client certificate and ensure the server has it in the right location (if not using the certificate you have given).

regards

Kash

The first few steps use easy-rsa on the USG to generate public and private keys on your USG... then you just need to copy the contents of your /config/auth/keys/ca.crt file on your USG to your .ovpn client config file in the <ca> block and you're good to go!

New Member | Posts: 41 | Registered: 10-12-2016 | Kudos: 20

Re: How To: OpenVPN Server Configuration on the USG

So my issue is the generated ovpn file expects a username and password and I dont know how to generate that? 

Emerging Member | Posts: 46 | Registered: 06-07-2016 | Kudos: 17 | Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

@appleguru Thank you for sharing.

How does your USG setup survive reboot/reprovisioning/readoption? I guess all local files like certs and keys that you created are erased, the easy-rsa package too. Do you know a way to keep them?

Also, you mentioned that you have user/password authentication but actually I don't see that functionality in your config... It would be nice to have it.

Member | Posts: 164 | Registered: 10-12-2015 | Kudos: 73 | Solutions: 6

Re: How To: OpenVPN Server Configuration on the USG


@kashif-ali wrote:

So my issue is the generated ovpn file expects a username and password and I dont know how to generate that? 


Username and password are the same as the username and password to log into your USG.

Member | Posts: 164 | Registered: 10-12-2015 | Kudos: 73 | Solutions: 6

Re: How To: OpenVPN Server Configuration on the USG

@doomer2 wrote:

@appleguru Thank you for sharing.

How does your USG setup survive reboot/reprovisioning/readoption? I guess all local files like certs and keys that you created are erased, the easy-rsa package too. Do you know a way to keep them?

Also, you mentioned that you have user/password authentication but actually I don't see that functionality in your config... It would be nice to have it.

The client-cert-not-required openvpn option tells the server to authenticate with username/password.

You can configure new users like this:

https://help.ubnt.com/hc/en-us/articles/204977644-EdgeMAX-Create-and-delete-user-accounts-on-EdgeOS

Re persistence across reboots, this is what the config.gateway.json file is for. It lives on your Unifi server and will reconfigure the options you specify even after the Unifi server makes changes or the gateway reboots.

You are correct that the files (including easy-rsa) that we downloaded get wiped on reboot. But the /config directory is persistent. And we copy the keys into /config/auth/keys ;-)

Emerging Member | Posts: 46 | Registered: 06-07-2016 | Kudos: 17 | Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

@appleguru A situation where your OpenVPN server remote access users are those who have administrative access (well, even read only) to the USG and Controller GUI is limited to a home private setup. It doesn't work for true roaming users in small businesses, etc. So, authentication against system-wide PAM is not an option for me.

Do you know a way to have a set of local user/passwords for the OpenVPN server alone?

Regarding persistent config: yes, I understand that the custom config json file is for this particular reason. However my question was about survival of key and cert files that are stored locally on the USG. Even if they survive reboot, they probably will not survive a firmware update or even provisioning.

Frankly, we actually still don't have a good working solution for remote access VPN with USG/ER. PPTP is dead and shouldn't be used. L2TP/IPsec has a number of serious issues: DPD issues with various Windows versions (client cannot connect after the disconnect; still not solved since first mentions in this forum in 2013/2014), hardware offloading doesn't work with L2TP/IPsec, ike/esp proposal and pfs are all not configurable with L2TP, too-limited Vyatta defaults for L2TP and not configurable in a persistent manner. It's a crazy thing that in the year 2016 a Mac OS or iOS client starts ipsec handshaking with an AES256-SHA1-DH2048 ike proposal but is denied by the USG and has to fall back to DH1536 because of Vyatta defaults. A Windows 10 client starts from EC384 ECDHE but ends up with ridiculous 3DES-SHA1-DH1024 due to the same Vyatta defaults that are not configurable, at least in a manner that survives reboot. OpenVPN remote access is also limited to a very special setup like yours.

I wonder what Ubiquiti finally thinks about remote access functionality in its router product line, in general. It looks like no solution actually works. Glad to be wrong.

New Member | Posts: 41 | Registered: 10-12-2016 | Kudos: 20

Re: How To: OpenVPN Server Configuration on the USG

Hi,

@appleguru - I have it working now :) thanks a lot.

I will post up my setup, which is basically using certs only and so no users need to be created. You simply create a certificate pair per user.

I'll post up all instructions asap.

Regards

Kash

Emerging Member | Posts: 46 | Registered: 06-07-2016 | Kudos: 17 | Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

@kashif-ali

 

It would be very helpful, waiting.

thank you for sharing guys!

New Member | Posts: 41 | Registered: 10-12-2016 | Kudos: 20

Re: How To: OpenVPN Server Configuration on the USG

Hi, tried to create a post three times and it failed :(

Member | Posts: 164 | Registered: 10-12-2015 | Kudos: 73 | Solutions: 6

Re: How To: OpenVPN Server Configuration on the USG

@doomer2 wrote:

Regarding persistent config: yes, I understand that the custom config json file is for this particular reason. However my question was about survival of key and cert files that are stored locally on the USG. Even if they survive reboot, they probably will not survive a firmware update or even provisioning.

So far anyways, my config has survived several reboots, fw updates, and reprovisionings without issue.

New Member | Posts: 41 | Registered: 10-12-2016 | Kudos: 20

Re: How To: OpenVPN Server Configuration on the USG

My post got deleted again??!!?! - I might have to create a new post all together

Emerging Member | Posts: 46 | Registered: 06-07-2016 | Kudos: 17 | Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

appleguru wrote:

So far anyways, my config has survived several reboots, fw updates, and reprovisionings without issue.

That's great to hear. Then together with X.509 cert authentication it may be a working solution for roaming users' access.

Emerging Member | Posts: 46 | Registered: 06-07-2016 | Kudos: 17 | Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

@kashif-ali

Probably some problem with formatting, illegal/reserved characters or tags, etc. Have you tried Preview before posting?

Member | Posts: 164 | Registered: 10-12-2015 | Kudos: 73 | Solutions: 6

Re: How To: OpenVPN Server Configuration on the USG

@doomer2 wrote:

appleguru wrote:

So far anyways, my config has survived several reboots, fw updates, and reprovisionings without issue.

That's great to hear. Then together with X.509 cert authentication it may be a working solution for roaming users' access.

Also, if you do want user/pass auth instead of/in addition to certs, something simple like this for the auth script should also likely work pretty easily on the USG:

https://github.com/troydm/ovpnauth.sh

Very lightweight, User DB is just a text file with username=passwordmd5sum entries
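
An added example, not code from this thread or from ovpnauth.sh: an OpenVPN auth-user-pass-verify script in Python that answers doomer2's question about a VPN-only user list. It keeps the one-text-file idea but stores salted, iterated PBKDF2-SHA256 hashes rather than bare md5sums, compares them in constant time, and spends the same time on an unknown username as on a wrong password. The database path /config/auth/openvpn-users, the script name ovpn-auth.py and the "username:hash" line format are assumptions; the usernames and passwords in the test are constructed.

```python
# Added example (not from the thread or ovpnauth.sh): OpenVPN
# --auth-user-pass-verify script using the via-file method, with a local
# user database of salted PBKDF2-SHA256 hashes. Paths are assumptions.
import base64
import hashlib
import hmac
import os
import sys

DB_PATH = "/config/auth/openvpn-users"   # assumed; /config persists across reboots
ITERATIONS = 100000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_b64$digest_b64' for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password, stored):
    """Constant-time check of password against a stored hash string."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Compared against for unknown usernames, so a failed login takes the same
# time whether or not the account exists (no username enumeration by timing).
DUMMY_HASH = hash_password("dummy", salt=b"\x00" * 16)


def load_db(lines):
    """Parse 'username:hash' lines into a dict; blank and '#' lines are skipped."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, stored = line.partition(":")
        if sep and name:
            users[name] = stored
    return users


def authenticate(users, username, password):
    """True only if username exists and password matches its stored hash."""
    known = username in users
    ok = verify_password(password, users.get(username, DUMMY_HASH))
    return known and ok


def read_credentials(path):
    """via-file method: OpenVPN writes the username on line 1, password on line 2."""
    with open(path) as f:
        lines = f.read().split("\n")
    if len(lines) < 2:
        raise ValueError("credentials file is missing a line")
    return lines[0], lines[1]


def main(argv):
    if len(argv) == 3 and argv[1] == "add":           # ovpn-auth.py add <username>
        import getpass
        entry = "%s:%s\n" % (argv[2], hash_password(getpass.getpass("VPN password: ")))
        with open(DB_PATH, "a") as f:
            f.write(entry)
        return 0
    username, password = read_credentials(argv[1])    # invoked by OpenVPN
    with open(DB_PATH) as f:
        users = load_db(f)
    return 0 if authenticate(users, username, password) else 1   # 0 = allow, 1 = deny


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, the PAM plugin line from the original config would be replaced by two openvpn-option entries, "--script-security 2" and "--auth-user-pass-verify /config/scripts/ovpn-auth.py via-file" (both standard OpenVPN options; the script location under /config is assumed so that it survives reboots like the keys do). The existing "--client-cert-not-required --username-as-common-name" line stays as it is. Because of "--user nobody --group nogroup" the script runs as nobody once the daemon has started, so the database file must be readable by that user; that is one more reason to store iterated salted hashes rather than md5sums there. Users are added with "python ovpn-auth.py add alice", which prompts for the password without echoing it.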

 

New Member | Posts: 41 | Registered: 10-12-2016 | Kudos: 20

Re: How To: OpenVPN Server Configuration on the USG

I'll try again when I get home and don't have to rush the post.

In the meantime, my VPN connects and I can talk to everything internal. However I lose internet connection :(

Member | Posts: 164 | Registered: 10-12-2015 | Kudos: 73 | Solutions: 6

Re: How To: OpenVPN Server Configuration on the USG

Did you set up the redirect-gateway option, external DNS servers, and NAT rules like my original post shows?

New Member | Posts: 41 | Registered: 10-12-2016 | Kudos: 20

Re: How To: OpenVPN Server Configuration on the USG

Tried posting again :( still no luck. Preview was fine also :(

I created a new thread.

http://community.ubnt.com/t5/UniFi-Routing-Switching/OpenVPN-remote-user-Server-setup-Certification-...

@appleguru - can you have a quick look and see if you can see an issue with the routing?