
Re: How To: OpenVPN Server Configuration on the USG

Link doesn't seem to work. I suspect that, because you're still a "new member", a moderator may need to approve it. @UBNT-Austin @Deleted Account can you help?

Re: How To: OpenVPN Server Configuration on the USG

 

Here is the config JSON 

 

{
   "firewall":{
      "name":{
         "WAN_LOCAL":{
            "rule":{
               "20":{
                  "action":"accept",
                  "description":"Allow OpenVPN clients in",
                  "destination":{
                     "port":"1194"
                  },
                  "log":"disable",
                  "protocol":"udp"
               }
            }
         }
      },
      "ipv6-name":{
         "wan_in-6":{
            "default-action":"drop",
            "description":"wan_in",
            "enable-default-log":"''",
            "rule":{
               "1":{
                  "action":"accept",
                  "description":"Allow Established/Related state",
                  "state":{
                     "established":"enable",
                     "related":"enable"
                  }
               },
               "2":{
                  "action":"drop",
                  "description":"Drop Invalid state",
                  "log":"enable",
                  "state":{
                     "invalid":"enable"
                  }
               },
               "5":{
                  "action":"accept",
                  "description":"Allow ICMPv6",
                  "log":"enable",
                  "protocol":"icmpv6"
               }
            }
         },
         "wan_local-6":{
            "default-action":"drop",
            "description":"wan_local",
            "enable-default-log":"''",
            "rule":{
               "1":{
                  "action":"accept",
                  "description":"Allow Established/Related state",
                  "state":{
                     "established":"enable",
                     "related":"enable"
                  }
               },
               "2":{
                  "action":"drop",
                  "description":"Drop Invalid state",
                  "log":"enable",
                  "state":{
                     "invalid":"enable"
                  }
               },
               "20":{
                  "action":"accept",
                  "description":"Allow OpenVPN clients in",
                  "destination":{
                     "port":"1194"
                  },
                  "log":"disable",
                  "protocol":"udp"
               },
               "5":{
                  "action":"accept",
                  "description":"Allow ICMPv6",
                  "log":"enable",
                  "protocol":"icmpv6"
               },
               "6":{
                  "action":"accept",
                  "description":"DHCPv6",
                  "destination":{
                     "port":"546"
                  },
                  "protocol":"udp",
                  "source":{
                     "port":"547"
                  }
               }
            }
         }
      }
   },
   "interfaces":{
      "openvpn":{
         "vtun0":{
            "encryption":"aes256",
            "mode":"server",
            "openvpn-option":[
               "--keepalive 8 30",
               "--comp-lzo",
               "--duplicate-cn",
               "--user nobody --group nogroup",
               "--verb 1",
               "--proto udp6",
               "--port 1194",
               "--push redirect-gateway def1",
               "--push dhcp-option DNS 8.8.8.8",
               "--push dhcp-option DNS 8.8.4.4"
            ],
            "server":{
               "subnet":"192.168.254.0/24"
            },
            "tls":{
               "ca-cert-file":"/config/auth/keys/ca.crt",
               "cert-file":"/config/auth/keys/server.crt",
               "dh-file":"/config/auth/keys/dh2048.pem",
               "key-file":"/config/auth/keys/server.key"
            }
         }
      },
      "ethernet":{
         "eth0":{
            "dhcpv6-pd":{
               "pd":{
                  "0":{
                     "interface":{
                        "eth1":"''"
                     },
                     "prefix-length":"64"
                  }
               },
               "rapid-commit":"enable"
            },
            "firewall":{
               "in":{
                  "ipv6-name":"wan_in-6"
               },
               "local":{
                  "ipv6-name":"wan_local-6"
               }
            }
         },
         "eth1":{
            "ipv6":{
               "dup-addr-detect-transmits":"1",
               "router-advert":{
                  "cur-hop-limit":"64",
                  "link-mtu":"0",
                  "managed-flag":"true",
                  "max-interval":"600",
                  "other-config-flag":"false",
                  "prefix":{
                     "::/64":{
                        "autonomous-flag":"true",
                        "on-link-flag":"true",
                        "valid-lifetime":"2592000"
                     }
                  },
                  "reachable-time":"0",
                  "retrans-timer":"0",
                  "send-advert":"true"
               }
            }
         }
      }
   },
   "service":{
      "nat":{
         "rule":{
            "5010":{
               "description":"Masquerade for WAN",
               "outbound-interface":"eth0",
               "type":"masquerade"
            }
         }
      },
      "upnp2": {
        "listen-on": [
                "eth1"
        ],
        "nat-pmp": "enable",
        "secure-mode": "enable",
        "wan": "eth0"
}
   }
}

 


Re: How To: OpenVPN Server Configuration on the USG

What IP address range do normal (non-VPN) clients get on your network?

Re: How To: OpenVPN Server Configuration on the USG

This is the range: 192.168.1.0/24


Re: How To: OpenVPN Server Configuration on the USG

Can you also share your .ovpn client configuration file? (Strip out your cert, host name, and anything else personal.)

Re: How To: OpenVPN Server Configuration on the USG

It's basically this:

 

 

# OpenVPN client profile as posted (PEM bodies stripped before posting).
# The transport values mirror the posted USG JSON: UDP/1194 is what the
# WAN_LOCAL rule 20 accepts and what "--proto udp6" / "--port 1194" listen on.
client
float
dev tun
remote my.domain.com 1194 udp
resolv-retry infinite
nobind
persist-key
persist-tun
# Matches "encryption":"aes256" on the server.
cipher AES-256-CBC
# Matches the server's "--comp-lzo" option.
comp-lzo
# Client-side log verbosity; the server runs "--verb 1".
verb 5
# Placeholders: the real CA, client certificate and private key were removed.
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

Re: How To: OpenVPN Server Configuration on the USG

@appleguru any ideas?


Re: How To: OpenVPN Server Configuration on the USG


@kashif-ali

 

Well, how to solve your routing issue depends on what kind of functionality you want from your OpenVPN server.

@appleguru's setup is different from mine in many ways. As far as I understand, @appleguru wants to connect to his USG from outside and have all traffic from the OpenVPN client go through the server. That's why he has this option enabled:

openvpn-option "--push redirect-gateway def1"

Such a setup is not for true roaming users; for example, it is not for employees who need remote access to the company's intranet. In that case you only need to route internal traffic through the OpenVPN tunnel while leaving all other traffic intact. There are also some other differences, like which DNS servers you push. In my case I need to push the local intranet's DNS servers so that connected users can resolve local servers' names through the internal DNS servers. Also, as I already mentioned above, authentication should be separated from the USG system user database.

 

So, in my case I have the following setup, which works fine for my scenario. Many thanks to @appleguru for his valuable initial post.

 

 

# show interfaces openvpn 
 openvpn vtun0 {
     encryption aes256
     hash sha256
     mode server
     openvpn-option --comp-lzo
     openvpn-option --duplicate-cn
     openvpn-option "--user nobody --group nogroup"
     openvpn-option "--client-cert-not-required --username-as-common-name"
     openvpn-option "--verb 1"
     openvpn-option "--proto udp"
     openvpn-option "--port 1194"
     openvpn-option "--keepalive 10 30"
     openvpn-option "--script-security 2"
     openvpn-option "--auth-user-pass-verify /config/auth/ovpnauth.sh via-file"
     openvpn-option "--tmp-dir /dev/shm"
     openvpn-option --tls-server
     openvpn-option "--push dhcp-option DOMAIN my.intranet.domain"
     server {
         name-server 192.168.19.19
         push-route 192.168.19.0/24
         subnet 192.168.40.0/24
         topology subnet
     }
     tls {
         ca-cert-file /config/auth/keys/ca.crt
         cert-file /config/auth/keys/server.crt
         dh-file /config/auth/keys/dh2048.pem
         key-file /config/auth/keys/server.key
     }
 }
[edit]

In my example 192.168.40.0/24 is the subnet for OpenVPN-connected users, while 192.168.19.0/24 is the company's intranet subnet, and I push this route to connected clients. 192.168.19.19 is the company's internal DNS server, which serves my.intranet.domain; that is why I also push the related search-domain option.

 

 

Also note that the shell script ovpnauth.sh referenced by @appleguru above has a few bugs, and I had to fix it to make it work.

 

Depending on your setup you may try to solve your routing issue with an appropriate 'push-route' value. Another option is to manage routes on the client side via .ovpn file options. Many useful ideas can be found here: FAQ

Also, I noticed that as of today the USG's version of OpenVPN supports TLS 1.0 only, so the '--tls-version-min 1.2' option doesn't work.

To avoid putting fake <cert> and <key> blocks in the client .ovpn file you may just add 'setenv CLIENT_CERT 0' if you don't use user cert/key authentication.

 

My client config .ovpn file looks similar to this:

 

# Client profile for the username/password variant of the USG server shown
# above ("--client-cert-not-required --username-as-common-name"): no <cert>
# or <key> blocks, credentials are prompted for via auth-user-pass.
client
float
dev tun
# Placeholder: put the USG's WAN address or DNS name here.
remote your.wan.ip 1194 udp
resolv-retry 30
nobind
persist-key
persist-tun
# Username/password are checked server-side by /config/auth/ovpnauth.sh
# against /config/auth/ovpnauth.conf.
auth-user-pass
# Matches "encryption aes256" on the server.
cipher AES-256-CBC
auth-nocache
# Matches the server's "--comp-lzo" option.
comp-lzo
verb 1
# Matches "hash sha256" on the server.
auth sha256
# NOTE(review): ns-cert-type and remote-cert-tls both pin the peer as a
# server; one is presumably redundant — confirm which the USG build honours.
ns-cert-type server
remote-cert-ku a0 88
remote-cert-tls server
ifconfig-nowarn
tls-client
# Tells the client it has no certificate of its own, so no dummy <cert>/<key>
# blocks are needed (see the note above this profile).
setenv CLIENT_CERT 0
# Left disabled: per the post, the USG's OpenVPN only supports TLS 1.0.
#tls-version-min 1.2
# Placeholder: the real CA certificate was removed before posting.
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

 

 


Re: How To: OpenVPN Server Configuration on the USG

@doomer2 - Thanks, I think I know what the problem is now, after seeing your setup. I don't have an issue with all traffic being pushed via the VPN. Maybe in the future I will set up a split-tunnel configuration (ideally UniFi should have all this configurable via the GUI).

 

Anyway here is what I think I need to change:

 

"server": {
"subnet": "192.168.254.0/24",
"name-server": "8.8.8.8",

 

This wasn't in the original configuration


Re: How To: OpenVPN Server Configuration on the USG

Howdy!

 

First of all, thank you for all your effort in this thread!

One small question:

What happens if I do a firmware upgrade on the USG after installing an OpenVPN server and providing that JSON file of yours? Do I have to do all that configuration work again?

 

Thanks in advance

ROBO


Re: How To: OpenVPN Server Configuration on the USG

If you upgrade the firmware and place the JSON again, I believe you should be good and not have to do anything in terms of configuration. However, I am sure you would need to install OpenVPN and then put the SSL certs back.


Re: How To: OpenVPN Server Configuration on the USG

@robolabor as I mentioned up-thread, so far anyway firmware updates have left my configuration intact and fully functional.

@doomer2 can you share your fixes/changes to ovpnauth.sh? Might be useful for others here!

Re: How To: OpenVPN Server Configuration on the USG

@appleguru any thoughts on my routing issue?


Re: How To: OpenVPN Server Configuration on the USG

Perhaps try the push-route option that doomer2 used? A quick look doesn't show any major issues with your config, so not sure what's going on.

Re: How To: OpenVPN Server Configuration on the USG

I was thinking it could be a firewall rule, as I need to allow the VPN traffic to go out of my internal GW of 192.168.1.254?


Re: How To: OpenVPN Server Configuration on the USG

@robolabor

 

I can confirm that everything you put in the /config/auth directory (keys, certs) is kept intact through reboots and provisioning. I haven't yet tried a firmware upgrade, but according to @appleguru and the Vyatta manuals (EdgeOS is based on Vyatta) it should survive that too.

A custom config JSON file is the right method of persistent configuration as well.

 

@kashif-ali

The OpenVPN server is included in the USG firmware, so it is not necessary to install it after a firmware upgrade. The server's key and cert will survive the upgrade. Only easy-rsa will need to be reinstalled, and only if you need it again to issue new certificates for new users in the future. So, in general, the OpenVPN setup suggested initially by @appleguru works quite well.


Re: How To: OpenVPN Server Configuration on the USG


@appleguru wrote:

@doomer2 can you share your fixes/changes to ovpnauth.sh? Might be useful for others here!

Yes, I will share below. The right place for these fixes is GitHub itself, but although I have a GitHub account I'm not actually a contributor.

The original code of ovpnauth.sh is here.

 

My updated code:

#!/bin/sh

# Config parameters

# User database: one "username=<hash>" line per account, where <hash> is the
# output of "ovpnauth.sh sha256 <password>" on this device; lines starting
# with # or ; are skipped as comments.
conf='/config/auth/ovpnauth.conf'
# Audit log that log() and logenv() below append to.
logfile='/var/log/ovpnauth.log'

# End of config parameters

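# Usage banner: no argument, or "help", prints usage and exits 1 — the same
# status the verification path below returns for a failed login, so an
# accidental invocation without a credentials file never looks like success.
# Fix: the second line was missing the space in "with auth-user-pass-verify".
if [ "$1" = "" ] || [ "$1" = "help" ]
then
        echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
        echo "                   for use with auth-user-pass-verify via-file option"
        echo ""
        echo "help - prints help"
        echo "sha256 password - to compute password sha256 checksum"
        exit 1
fi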

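# sha256 PASSWORD
# Prints the hex SHA-256 of "PASSWORD.<hostname>\n", which is the stored form
# of a password in $conf.  The hostname acts as a fixed per-device salt, so a
# user db copied to another host will not verify there.
#
# The digest is computed over a pipe instead of the original scratch file
# /dev/shm/$$.sha256calc: that name was predictable from the PID in a shared
# directory, the cleartext password was written to it, and an interrupted run
# left it behind.  The bytes hashed are identical (value, ".", hostname,
# newline), so existing hashes in $conf keep verifying.  printf is used rather
# than echo so a password containing backslashes or starting with "-" is
# hashed literally under every /bin/sh.
sha256(){
        printf '%s\n' "$1.$(uname -n)" | sha256sum | awk '{print $1}'
}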

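# "sha256 PASSWORD" subcommand: prints the hash an admin stores in $conf.
# Fix: $2 is quoted so a password containing spaces is hashed whole; the
# original unquoted `sha256 $2` only hashed the first word, which could never
# match what the verification path computes.  The redundant echo around the
# command substitution is dropped; output is unchanged.  Exit status is kept
# as in the original.
if [ "$1" = "sha256" ]
then
        sha256 "$2"
        exit 1
fi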

# log MESSAGE
# Appends one line of the form "mm/dd/yy HH:MM - MESSAGE" to $logfile.
log(){
        echo "$(date +'%m/%d/%y %H:%M') - $1" >> "$logfile"
}

# logenv
# Appends one timestamped line holding the whole process environment to
# $logfile, with env's one-variable-per-line output joined by spaces.  It is
# called after every verification attempt, so whatever the caller (OpenVPN)
# exported to this hook ends up in the log as well.
logenv(){
        enviroment=$(env | awk '{printf "%s ", $0}')
        echo "$(date +'%m/%d/%y %H:%M') - $enviroment" >> "$logfile"
}

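# --- Verification path: run by OpenVPN via "auth-user-pass-verify ... via-file"
# $1 is the temporary credentials file OpenVPN writes (username on line 1,
# password on line 2).  Each line is read whole instead of splitting the
# concatenated file on blanks, so a password containing spaces is no longer
# truncated to its first word.
if [ ! -r "$1" ]
then
        log "OpenVPN authentication failed: credentials file not readable"
        exit 1
fi
username=$(awk 'NR==1' "$1")
password=$(awk 'NR==2' "$1")

# Hash the offered password exactly as "ovpnauth.sh sha256" does, then look
# up the stored hash.  The username is compared as a literal string with the
# field before "=" — the original used it unescaped inside a grep pattern, so
# a username containing regex metacharacters could match other accounts.
# Lines starting with # or ; are comments.  The username is handed to awk via
# the environment rather than -v to avoid awk's backslash-escape processing.
# An unknown user leaves $stored empty, which can never equal a digest.
password=$(sha256 "$password")
stored=$(_ovpnauth_user="$username" awk -F= \
        '$0 !~ /^[#;]/ && $1 == ENVIRON["_ovpnauth_user"] {print $2; exit}' "$conf")

if [ -n "$stored" ] && [ "$password" = "$stored" ]
then
        log "OpenVPN authentication successfull: $username"
        logenv
        exit 0
fi

# On failure log the username explicitly.  The original ran `log `cat $1``:
# only word splitting kept the second line (the password) out of log's $1,
# and it would have reached $logfile on persistent storage had the username
# line been empty or log() ever been changed to use "$*".
log "OpenVPN authentication failed: $username"
logenv
exit 1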

A few comments. I changed the md5 hash to the modern and more secure sha256. Also, I changed the /tmp dir to the /dev/shm shared-memory virtual dir to prevent passwords from ever touching non-volatile memory. I removed the orphaned envr variable, which was not actually used. The most significant security bug I fixed: I added ^ to the $username= grep search string to ensure the full username (and not just any trailing part of it) is matched. And I also added an extra grep filter to remove commented-out usernames.


Re: How To: OpenVPN Server Configuration on the USG

@kashif-ali

try this config to disable split-tunneling (taken from the Vyatta documentation):

 

interfaces {
    openvpn vtun0 {
        replace-default-route {
            local
        }
    }
}

Vyatta reads: "replace-default-route: This option tells OpenVPN that the default route should
be replaced by a route through the VPN tunnel, i.e., split tunnelling should be
disabled. Note that, when set, this option has different effects depending on the
OpenVPN mode in which the endpoint operates.
— If the endpoint is in site-to-site mode or client mode, setting
replace-default-route will replace the default route on this endpoint with a
route through VPN tunnel. In other words, it disables split tunnelling on this
endpoint.
— If the endpoint is in server mode, setting replace-default-route will cause the
clients connecting to this server to replace their default route. In other words,
it disables split tunnelling on the clients.
• local: The local option under replace-default-route must be set if and only if the
two tunnel endpoints are directly connected, i.e., on the same subnet."

 

You probably don't need the local option above.


Re: How To: OpenVPN Server Configuration on the USG

I haven't had a chance to try this out. I will get back to you asap

 

Thanks for the info


Re: How To: OpenVPN Server Configuration on the USG

No luck with this.

 

I wish Ubiquiti would make an effort to have a proper VPN setup available in the GUI or CLI, or at least have all scenarios documented.

 

 
