New Member
Posts: 15
Registered: ‎01-30-2017
Kudos: 11

Re: How To: OpenVPN Server Configuration on the USG

Once again, it seems the solution came through...reading...ahem...

By removing

"--push redirect-gateway def1",

and just adding the pushed routes, all is good.

New Member
Posts: 15
Registered: ‎01-30-2017
Kudos: 11

Re: How To: OpenVPN Server Configuration on the USG

I have attempted to change the default listening port to 443 tcp. I continue to get errors. Otherwise, my config is correct, allowing 443 tcp in on WAN_LOCAL.

Mar 09 10:24:17 2017 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Mar 09 10:24:17 2017 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Mar 09 10:24:17 2017 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Mar 09 10:24:17 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]A.A.A.A:443
Thu Mar 09 10:24:17 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 09 10:24:17 2017 Attempting to establish TCP connection with [AF_INET]A.A.A.A:443 [nonblock]
Thu Mar 09 10:24:17 2017 MANAGEMENT: >STATE:1489073057,TCP_CONNECT,,,,,,
Thu Mar 09 10:24:18 2017 TCP connection established with [AF_INET]A.A.A.A:443
Thu Mar 09 10:24:18 2017 TCP_CLIENT link local: (not bound)
Thu Mar 09 10:24:18 2017 TCP_CLIENT link remote: [AF_INET]A.A.A.A:443
Thu Mar 09 10:24:18 2017 MANAGEMENT: >STATE:1489073058,WAIT,,,,,,
Thu Mar 09 10:24:18 2017 Connection reset, restarting [0]
Thu Mar 09 10:24:18 2017 TCP/UDP: Closing socket
Thu Mar 09 10:24:18 2017 SIGUSR1[soft,connection-reset] received, process restarting
Thu Mar 09 10:24:18 2017 MANAGEMENT: >STATE:1489073058,RECONNECTING,connection-reset,,,,,
Thu Mar 09 10:24:18 2017 Restart pause, 10 second(s)

Any suggestions?

New Member
Posts: 7
Registered: ‎04-06-2014
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

I managed to make it through the configuration with no errors (I haven't done the config.gateway.json file yet), but when I try to connect from the OpenVPN client, I keep getting:

"TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"

I looked through the guide linked below and I am not sure if 1194 is actually open and if that is my problem.

Any Help is appreciated.

https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-...

New Member
Posts: 7
Registered: ‎04-06-2014
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG


@KMcNickel wrote:

I managed to make it through the configuration with no errors (I haven't done the config.gateway.json file yet), but when I try to connect from the OpenVPN client, I keep getting:

"TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"

I looked through the guide linked below and I am not sure if 1194 is actually open and if that is my problem.

Any Help is appreciated.

https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-...

I wiped the configuration and followed a slightly modified set of steps from the site linked below, and got it to work.

https://www.naschenweng.info/2017/03/18/access-ubiquiti-home-network-openvpn-certificate-authenticat...

New Member
Posts: 5
Registered: ‎06-03-2016

Re: How To: OpenVPN Server Configuration on the USG

Hey,

I was running a server very similar to yours on my USG without the IPv6 settings.

For now, whenever I connect, I use my username and password for the UniFi controller. How do I add more users? I tried using useradd over SSH, but sadly the USG does not support the command.

New Member
Posts: 7
Registered: ‎04-06-2014
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

Try adding a user from the settings in the UniFi controller.

Member
Posts: 174
Registered: ‎01-13-2015
Kudos: 155

Re: How To: OpenVPN Server Configuration on the USG


@RyanisUbiquitous wrote:

I have attempted to change the default listening port to 443 tcp. I continue to get errors. Otherwise, my config is correct, allowing 443 tcp in on WAN_LOCAL.

Any suggestions?


Did you get this working? I would like to also use port 443, as it should allow you to get in from more places: many networks, including most corporate networks, block almost all ports, but they can't block 80, 443 and a few others.

New Member
Posts: 14
Registered: ‎06-10-2017
Kudos: 7

Re: How To: OpenVPN Server Configuration on the USG

Great post. This was a really good guide to get me going. My configuration is a USG Pro for my home network and I was working to establish a connection with another network using an ASUS router with the built-in OpenVPN client.

I ran into a problem where I could not ping from my local net to the remote net, but when I was SSH'd into the USG I could.

It took a while but I finally figured out I needed to tell the OpenVPN interface which set of firewall rules to use. This is what I did and it solved my problem.

set interfaces openvpn vtun0 firewall in name LAN_IN
set interfaces openvpn vtun0 firewall local name LAN_LOCAL
set interfaces openvpn vtun0 firewall out name LAN_OUT

I hope this helps others who ran into the same issue I did.

Tom

New Member
Posts: 14
Registered: ‎07-12-2017
Kudos: 1

Re: How To: OpenVPN Server Configuration on the USG

Ubiquiti has now added this to the user interface...

Member
Posts: 174
Registered: ‎01-13-2015
Kudos: 155

Re: How To: OpenVPN Server Configuration on the USG

In what version?  And where do you find it?

New Member
Posts: 19
Registered: ‎08-16-2017
Kudos: 2
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

5.5.20 Setup > Network > New > Site-to-Site VPN...
Not sure if there are any others that have more details though!

New Member
Posts: 39
Registered: ‎08-16-2016
Kudos: 7
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

Is this only for site-to-site? I want to switch to the USG from the ER-X, which I have OpenVPN configured on. However, I've been waiting for OpenVPN setup to be available in the GUI.

New Member
Posts: 19
Registered: ‎08-16-2017
Kudos: 2
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

@chaosvb wrote:
Is this only for site-to-site? I want to switch to the USG from the ER-X, which I have OpenVPN configured on. However, I've been waiting for OpenVPN setup to be available in the GUI.

Shame that nobody has really gotten back to you, especially seeing as you are likely hanging on another UBNT purchase based on the reply.

In the UniFi GUI the current settings for OpenVPN are incredibly limited. In 3 days a newer controller, v5.6.19, will become available for normal release, but the changelogs (plural: for some reason you need to manually check through the changelogs for each beta version between these 2 releases) do not indicate any updates to the VPN GUI menu.

I use the word GUI a lot because (in theory) the actual config files themselves should hardly be different between the EdgeRouters and USGs, due to a common OS. I don't have an EdgeRouter, but many people on these forums use the far-superior UI of the EdgeRouter to create the config files, and then copy the necessary sections manually into the USG's config files (via SSH terminal).

UniFi is getting better (pretty much daily) though, so I have no doubt that eventually it will have the same level of configuration via GUI as the EdgeRouter supposedly does. It's taken a few years to even get this on-off toggle though, so don't hold your breath.

Edit: It's now expected that V.20 will be the "released" one. Updated release date for Controller 5.6 is 2017.11.06 (a few more days away).

New Member
Posts: 39
Registered: ‎08-16-2016
Kudos: 7
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

I appreciate the information you provided. In that case I'll continue to wait until you are able to fully configure it via this method.

Emerging Member
Posts: 84
Registered: ‎01-02-2018
Kudos: 12
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

Sorry to bump an old thread, but I just wanted to check, a year after the last post: is this still the best way to set up an OpenVPN server on a USG, or is there an easier way these days?

Member
Posts: 225
Registered: ‎03-06-2013
Kudos: 31
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

I'm quite interested in this as well. Any update?

LiL Network
www.LilNetwork.com
Emerging Member
Posts: 46
Registered: ‎06-07-2016
Kudos: 17
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

Hi, I'm pretty sure there will be no GUI for OpenVPN configuration any time soon, for many reasons which are beyond the current topic. The OS for the USG is based on Vyatta/VyOS. Its power and beauty is in its command-line core.

My advice for everybody looking for and sticking to a GUI is to stop wasting time and dig into the power and simplicity of the command line instead.

The config.json file will keep your configuration over reboots and upgrades, and will let you configure everything in a simple, clear and reproducible manner. Go for it and you will be happy.

Emerging Member
Posts: 84
Registered: ‎01-02-2018
Kudos: 12
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

Does anything change in the setup/config if you want to use the latest version of easy-rsa (3.0.4-2, LINK)?

Emerging Member
Posts: 46
Registered: ‎06-07-2016
Kudos: 17
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

@ben_r_ While I cannot check nor confirm this new version of easy-rsa, I can say that you actually don't need, and probably should not use, easy-rsa directly on the USG. All you need for OpenVPN to work on the USG is proper keys, certs and configuration. You may install easy-rsa on a completely different machine, generate all your keys and certificates there and copy them into the /config/auth/keys location on the USG, pointing the configuration to those file paths. I.e. you don't need easy-rsa itself on the USG at all for OpenVPN to work. Also note that even if you install easy-rsa on the USG it will not survive a firmware upgrade, while keys and certs inside /config/auth/ and config.json will.
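As an added illustration (not code from this thread, from Ubiquiti or from the linked guides), here is a small Python helper that builds the vtun0 fragment of config.gateway.json and ties together three points raised in the thread: pushing specific routes instead of redirect-gateway, assigning the LAN_IN/LAN_LOCAL/LAN_OUT rule sets to vtun0, and pointing tls at keys copied to /config/auth/keys. The EdgeOS node names it emits (server push-route, tls ca-cert-file and friends, openvpn-option strings), the 10.8.0.0/24 tunnel subnet and the hostname are assumptions to check against your own USG's config tree before deploying.

```python
import ipaddress
import json

# Assumption: keys are generated off-box and copied here (the location named in the post above).
KEY_DIR = "/config/auth/keys"

def _cidr(cidr):
    # strict=True rejects a host address such as 192.168.1.5/24 instead of silently masking it
    return str(ipaddress.ip_network(cidr, strict=True))

def openvpn_gateway_config(lan_cidrs=(), subnet="10.8.0.0/24", port=1194,
                           tcp=False, full_tunnel=False, fw_prefix="LAN"):
    """Return the 'interfaces' fragment of config.gateway.json for a vtun0 server.
    lan_cidrs   -- LAN networks pushed to clients as split-tunnel routes
    full_tunnel -- push 'redirect-gateway def1' instead (exclusive with lan_cidrs)
    tcp         -- listen as tcp-server (e.g. on 443); the client must then use tcp-client
    fw_prefix   -- rule sets applied to vtun0: <prefix>_IN, <prefix>_LOCAL, <prefix>_OUT
    """
    if full_tunnel and lan_cidrs:
        raise ValueError("push either redirect-gateway or specific routes, not both")
    options = ["--port %d" % port]
    if tcp:
        options.append("--proto tcp-server")
    if full_tunnel:
        options.append("--push redirect-gateway def1")
    server = {"subnet": _cidr(subnet)}
    if lan_cidrs:
        server["push-route"] = [_cidr(c) for c in lan_cidrs]  # split tunnel: only these routes
    vtun0 = {
        "mode": "server",
        "server": server,
        # point the daemon at files that persist across firmware upgrades (assumed node names)
        "tls": {"ca-cert-file": KEY_DIR + "/ca.crt", "cert-file": KEY_DIR + "/server.crt",
                "key-file": KEY_DIR + "/server.key", "dh-file": KEY_DIR + "/dh.pem"},
        "openvpn-option": options,
        # the rule-set assignment from the LAN_IN / LAN_LOCAL / LAN_OUT post above
        "firewall": {d: {"name": "%s_%s" % (fw_prefix, d.upper())}
                     for d in ("in", "local", "out")},
    }
    return {"interfaces": {"openvpn": {"vtun0": vtun0}}}

def client_remote_line(host, port=1194, tcp=False):
    """The matching 'remote' line for the client profile; proto must mirror the server side."""
    return "remote %s %d %s" % (host, port, "tcp-client" if tcp else "udp")

if __name__ == "__main__":
    cfg = openvpn_gateway_config(lan_cidrs=["192.168.1.0/24"], port=443, tcp=True)
    print(json.dumps(cfg, indent=2))  # paste into config.gateway.json
    print(client_remote_line("vpn.example.invalid", 443, tcp=True))
```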

Emerging Member
Posts: 84
Registered: ‎01-02-2018
Kudos: 12
Solutions: 1

Re: How To: OpenVPN Server Configuration on the USG

@doomer2 wrote:

@ben_r_ While I cannot check nor confirm this new version of easy-rsa, I can say that you actually don't need, and probably should not use, easy-rsa directly on the USG. All you need for OpenVPN to work on the USG is proper keys, certs and configuration. You may install easy-rsa on a completely different machine, generate all your keys and certificates there and copy them into the /config/auth/keys location on the USG, pointing the configuration to those file paths. I.e. you don't need easy-rsa itself on the USG at all for OpenVPN to work. Also note that even if you install easy-rsa on the USG it will not survive a firmware upgrade, while keys and certs inside /config/auth/ and config.json will.


I understand, and that makes sense. Is there any security reason not to run easy-rsa on the USG? Seems kinda "easy" to have it all "self-contained". But ya, I get what you're saying: really, why do that if it's not going to remain after a firmware upgrade, etc. anyway.
