
Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

It's taken me a while to get this running, so I thought I'd post here about how I did it.

 

Most of the routing information is thanks to mcmpr's post in the EdgeMax forum

 

 

Objective:

I want to be able to watch the UK Netflix and BBC iPlayer content on multiple devices at home.

 

 

Solution:

To watch the BBC iPlayer, I need a UK VPN connection

To watch Netflix, I need to connect to the US (see NordVPN post) - currently no UK servers available

 

As all of my devices connect wirelessly, setting up 3 wifi networks seemed to be the simplest solution. This way we could choose if the device was using 'normal' internet access or using the appropriate VPN internet connection. 

 

Next steps:

At the moment, this is all done through the command line interface (CLI), so I need to translate the information below into a config.gateway.json file which I can put on my cloudkey so that the configuration is always correctly provisioned.

 

My network environment - some things changed to protect the innocent!

ADSL 2+ connection -> TP-Link Modem -> USG3P -> TP-Link PoE switch -> AC AP Pro

 

I set up 3 networks

LAN (default VLAN) IP 10.0.0.0/24

UK VPN Network (VLAN 10) IP 10.0.1.0/24

US VPN Network (VLAN 20) IP 10.0.2.0/24

 

I set up 3 Wireless networks that relate to the 3 networks

DefaultWifi (Default VLAN)

UKWifi (VLAN 10)

USWifi (VLAN 20)

 

NordVPN OpenVPN files

 

 

My .ovpn files are stored on the USG in a directory /config/openvpn, along with a file containing my username and password. 

 

I needed to make a couple of changes to the .ovpn file: 

1. link to the file containing my NordVPN username and password

 

auth-user-pass /config/openvpn/nordvpnauth.txt

2. change pull to route-nopull

route-nopull

 

USG Commands

I set up a script I could easily copy/paste into a shell whenever the USG rebooted.

I expect I have too many 'commit' commands.

This helped me test each section and fix errors.

 

# based on https://community.ubnt.com/t5/EdgeMAX/OpenVPN-Client-Setup-for-Private-Internet-Access/m-p/1154803/highlight/true#M53644
#

sudo -i
configure

# 1 Setup the VPN tunnels
set interfaces openvpn vtun0 config-file /config/openvpn/uk55.nordvpn.com.udp1194.ovpn
set interfaces openvpn vtun0 description 'UK OpenVPN VPN tunnel'
 
set interfaces openvpn vtun1 config-file /config/openvpn/us710.nordvpn.com.udp1194.ovpn
set interfaces openvpn vtun1 description 'US OpenVPN VPN tunnel'

commit

# 2 Route the appropriate devices through the related VPN tunnels
set service nat rule 5000 description 'OpenVPN UK Clients'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 10.0.1.0/28
set service nat rule 5000 type masquerade

set service nat rule 5001 description 'OpenVPN US Clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun1
set service nat rule 5001 source address 10.0.2.0/28
set service nat rule 5001 type masquerade
 
set service nat rule 5002 description 'All other clients'
set service nat rule 5002 log disable
set service nat rule 5002 outbound-interface eth0
set service nat rule 5002 source address 10.0.0.0/27
set service nat rule 5002 type masquerade
 
# 3 Create a static route using interface vtun0 as next-hop:   
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface vtun1

commit
 
# 4 Create a firewall modify rule for each host you want to route through the Open VPN tunnel.  
set firewall modify OPENVPN-UK rule 10 description 'Route UK VPN network to vtun0'
set firewall modify OPENVPN-UK rule 10 source address 10.0.1.0/28
set firewall modify OPENVPN-UK rule 10 modify table 1

set firewall modify OPENVPN-US rule 20 description 'Route US VPN Network - to vtun1'
set firewall modify OPENVPN-US rule 20 source address 10.0.2.0/28
set firewall modify OPENVPN-US rule 20 modify table 2

commit
 
# 5 Apply the firewall modify rule "in" to your LAN interface.  
set interfaces ethernet eth1 vif 10 firewall in modify OPENVPN-UK
set interfaces ethernet eth1 vif 20 firewall in modify OPENVPN-US
 
commit
save
exit

Converting to config.gateway.json

 

The following is my WIP .json that I've not fully tested.

 

{
    "firewall": {
        "modify": {
            "OPENVPN-UK": {
                "rule": {
                    "5000": {
                        "action": "modify",
                        "description": "Route UK network - VLAN 10 to vtun0",
                        "source": {
                          "address": "10.0.1.0/28"
                        },
                        "modify": { "table": "1" }
                    }
                }
            },
            "OPENVPN-US": {
                "rule": {
                    "5000": {
                        "action": "modify",
                        "description": "Route US network - VLAN 20 to vtun1",
                        "source": {
                          "address": "10.0.2.0/28"
                        },
                        "modify": { "table": "2" }
                    }
                }
            }
        }
    },
    "interfaces": {
        "ethernet": {
            "eth1": {
              "vif":{
                "10":{
                  
                  "firewall": {
                    "in": {
                        "modify": "OPENVPN-UK",
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                  }
                },
                "20":{
                  
                  "firewall": {
                    "in": {
                        "modify": "OPENVPN-US",
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                  }
                }
              },
              "speed": "auto"
            }
        },
        "openvpn": {
            "vtun0": {
                "config-file": "/config/openvpn/uk55.nordvpn.com.udp1194.ovpn",
                "openvpn-option": [
                    "--route-noexec"
                ]
            },
            "vtun1": {
                "config-file": "/config/openvpn/us710.nordvpn.com.udp1194.ovpn",
                "openvpn-option": [
                    "--route-noexec"
                ]
            }
        }
    },
    "service": {
        "nat": {
            "rule": {
                "5000": {
                    "description": "Route UK network clients to UK NordVPN",
                    "log": "disable",
                    "outbound-interface": "vtun0",
                    "source": {
                        "address": "10.0.1.0/28"
                    },
                    "type": "masquerade"
                },
                "5001": {
                    "description": "Route US Network clients to US NordVPN",
                    "log": "disable",
                    "outbound-interface": "vtun1",
                    "source": {
                        "address": "10.0.2.0/28"
                    },
                    "type": "masquerade"
                },
                "5002": {
                    "description": "Route other traffic to Internet",
                    "log": "disable",
                    "outbound-interface": "eth0",
                    "source": {
                        "address": "10.0.0.0/27"
                    },
                    "type": "masquerade"
                }
            }
        }
    },
    "protocols": {
      "static": {
        "table": {
          "1": {
            "interface-route": {
              "0.0.0.0/0": {
                "next-hop-interface": { "vtun0": "''" }
              }
            }
          },
          "2": {
            "interface-route": {
              "0.0.0.0/0": {
                "next-hop-interface": { "vtun1": "''" }
              }
            }
          }
        }
      }
    }
}
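A consistency check for the routing pieces above, added here as an example (my own code, not the poster's or Ubiquiti's): for each VLAN sub-interface it follows the chain from the firewall modify ruleset to its table, from the table to the static default interface-route, and from that tunnel to a masquerade NAT rule covering the rule's source, because if any link is missing the VLAN's traffic either fails or quietly takes the normal eth0 route. The embedded config is a constructed sample in the layout of the JSON above, with the UK chain deliberately left incomplete; it also accepts the shorthand "table 1" form used in the WIP JSON.

```python
"""Policy-routing chain check for a USG config.gateway.json (added example, not
the poster's code).  Per VLAN sub-interface: vif firewall in modify RULESET
-> rule 'modify table N' + source -> static table N default interface-route IFACE
-> masquerade NAT rule on IFACE covering that source.  Any gap = VPN not used."""
import ipaddress

# Constructed sample in the layout of the thread's JSON.  The UK chain is left
# without its static table and NAT rule so the check has something to report.
SAMPLE_CONFIG = {
    "firewall": {"modify": {
        "OPENVPN-UK": {"rule": {"5000": {"action": "modify",
            "modify": "table 1", "source": {"address": "10.0.1.0/28"}}}},
        "OPENVPN-US": {"rule": {"5000": {"action": "modify",
            "modify": {"table": "2"}, "source": {"address": "10.0.2.0/28"}}}},
    }},
    "interfaces": {"ethernet": {"eth1": {"vif": {
        "10": {"firewall": {"in": {"modify": "OPENVPN-UK", "name": "LAN_IN"}}},
        "20": {"firewall": {"in": {"modify": "OPENVPN-US", "name": "LAN_IN"}}},
    }}}},
    "protocols": {"static": {"table": {
        "2": {"interface-route": {"0.0.0.0/0": {"next-hop-interface": {"vtun1": "''"}}}},
    }}},
    "service": {"nat": {"rule": {
        "5001": {"type": "masquerade", "outbound-interface": "vtun1",
                 "source": {"address": "10.0.2.0/28"}},
        "5002": {"type": "masquerade", "outbound-interface": "eth0",
                 "source": {"address": "10.0.0.0/27"}},
    }}},
}


def _get(node, *path, default=None):
    """Walk nested dicts; return default if any key on the path is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def rule_table(rule):
    """Table of a modify rule; accepts {"table": "2"} (dump form) or "table 2"."""
    modify = rule.get("modify")
    if isinstance(modify, dict):
        return modify.get("table")
    return modify.split(None, 1)[1] if isinstance(modify, str) and modify.startswith("table ") else None


def table_next_hop(cfg, table):
    """Interface of static table N's default interface-route, or None."""
    hop = _get(cfg, "protocols", "static", "table", str(table),
               "interface-route", "0.0.0.0/0", "next-hop-interface")
    if isinstance(hop, dict):      # tag node, dumped as {"vtun1": "''"}
        return next(iter(hop), None)
    return hop                     # plain string form


def masquerade_covers(cfg, iface, network):
    """True if a masquerade NAT rule on iface has a source covering network."""
    for rule in _get(cfg, "service", "nat", "rule", default={}).values():
        if rule.get("type") != "masquerade" or rule.get("outbound-interface") != iface:
            continue
        src = _get(rule, "source", "address")
        if src is None or network.subnet_of(ipaddress.ip_network(src, strict=False)):
            return True
    return False


def check_ruleset(cfg, ruleset):
    """Problems found in one firewall modify ruleset's chain ([] if complete)."""
    rules = _get(cfg, "firewall", "modify", ruleset, "rule", default={})
    if not rules:
        return [f"ruleset {ruleset} is referenced but defines no rules"]
    problems = []
    for num, rule in rules.items():
        table, src = rule_table(rule), _get(rule, "source", "address")
        if table is None or src is None:
            problems.append(f"rule {num}: needs both 'modify table' and a source address")
            continue
        iface = table_next_hop(cfg, table)
        if iface is None:
            problems.append(f"rule {num}: table {table} has no default interface-route, "
                            f"so {src} stays on the normal WAN route")
        elif not masquerade_covers(cfg, iface, ipaddress.ip_network(src, strict=False)):
            problems.append(f"rule {num}: no masquerade NAT rule on {iface} covering {src}")
    return problems


def validate(cfg):
    """Map each VLAN sub-interface (e.g. 'eth1.10') to its list of problems."""
    report = {}
    for eth, node in _get(cfg, "interfaces", "ethernet", default={}).items():
        for vid, vnode in _get(node, "vif", default={}).items():
            ruleset = _get(vnode, "firewall", "in", "modify")
            report[f"{eth}.{vid}"] = (check_ruleset(cfg, ruleset) if ruleset
                                     else ["no inbound firewall modify ruleset attached"])
    return report
```

Running `validate()` on a real config.gateway.json (loaded with `json.load`) before copying it to the cloudkey catches the case where a VLAN's clients would reach the internet unencrypted via eth0 instead of failing noisily.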

 

 

 

 

 


Useful commands for testing openvpn connection

The following were the most useful tools to help me identify issues

 

show interfaces

- are the VPN tunnels initialised

 

 

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         x.x.x.x/24                  u/u                              
eth1         10.0.0.1/27                       u/u                              
eth1.10      10.0.1.1/28                       u/u                              
eth1.20      10.0.2.1/28                       u/u                              
eth2         -                                 A/D                              
lo           127.0.0.1/8                       u/u                              
             ::1/128                          
vtun0        10.8.8.160/24                     u/u  UK OpenVPN VPN tunnel       
vtun1        10.8.8.169/24                     u/u  US OpenVPN VPN tunnel   

 

 

 

show nat rules

- list the NAT rules - are the correct IP ranges mapped to the correct vtun

 

Type Codes:  SRC - source, DST - destination, MASQ - masquerade
              X at the front of rule implies rule is excluded

rule   type  intf     translation                                               
----   ----  ----     -----------                                               
5000   MASQ  vtun0    saddr 10.0.1.0/28 to 10.8.8.160                           
    proto-all         sport ANY                                                     

5001   MASQ  vtun1    saddr 10.0.2.0/28 to 10.8.8.169                           
    proto-all         sport ANY                                                     

5002   MASQ  eth0     saddr 10.0.0.0/27 to x.x.x.x                        
    proto-all         sport ANY                                                     

6001   MASQ  eth0     saddr ANY to x.x.x.x                                
    proto-all         sport ANY                                                     

6002   MASQ  eth0     saddr ANY to x.x.x.x                                
    proto-all         sport ANY                                                     

6003   MASQ  eth0     saddr ANY to x.x.x.x                                
    proto-all         sport ANY         

 

show interfaces openvpn detail

- is traffic being routed over the VPN tunnels?

- in this case, there may be an issue with the UK VPN setup...

 

vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 10.8.8.160/24 brd 10.8.8.255 scope global vtun0
       valid_lft forever preferred_lft forever
    Description: UK OpenVPN VPN tunnel

    RX:  bytes    packets     errors    dropped    overrun      mcast
             0          0          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
             0          0          0          0          0          0
vtun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 10.8.8.169/24 brd 10.8.8.255 scope global vtun1
       valid_lft forever preferred_lft forever
    Description: US OpenVPN VPN tunnel

    RX:  bytes    packets     errors    dropped    overrun      mcast
         73788        163          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         23272        226          0          0          0          0

 

 

show firewall modify statistics

- similar to the above, are the firewall rules routing the VLAN traffic

 

IPv4 Firewall "OPENVPN-UK"

 Active on (eth1.10,IN) 

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    0           0           MODIFY  Route Empire - VLAN 10 to vtun0
10000 5           1704        ACCEPT  DEFAULT ACTION

--------------------------------------------------------------------------------

IPv4 Firewall "OPENVPN-US"

 Active on (eth1.20,IN) 

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
20    477         55233       MODIFY  Route Colony - VLAN 20 to vtun1
10000 24          4692        ACCEPT  DEFAULT ACTION
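A small triage script for the two outputs above, added as an example (not the poster's code): it parses captured `show interfaces openvpn detail` and `show firewall modify statistics` text and flags the two symptoms the post is pointing at, a tunnel that is up but has carried no packets, and a modify ruleset whose rules matched nothing while packets fell through to the default action (meaning that VLAN's traffic took the ordinary WAN route rather than the tunnel). The sample text is reconstructed from the post's own output.

```python
"""Triage for USG OpenVPN policy routing (added example, not the poster's code):
parse `show interfaces openvpn detail` / `show firewall modify statistics` text."""
import re

# Captured outputs reconstructed from the post above (constructed sample).
OPENVPN_DETAIL = """\
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    Description: UK OpenVPN VPN tunnel
    RX:  bytes    packets     errors    dropped    overrun      mcast
             0          0          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
             0          0          0          0          0          0
vtun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    Description: US OpenVPN VPN tunnel
    RX:  bytes    packets     errors    dropped    overrun      mcast
         73788        163          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         23272        226          0          0          0          0
"""

MODIFY_STATS = """\
IPv4 Firewall "OPENVPN-UK"
 Active on (eth1.10,IN)
rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    0           0           MODIFY  Route UK VPN network to vtun0
10000 5           1704        ACCEPT  DEFAULT ACTION

IPv4 Firewall "OPENVPN-US"
 Active on (eth1.20,IN)
rule  packets     bytes       action  description
----  -------     -----       ------  -----------
20    477         55233       MODIFY  Route US VPN Network - to vtun1
10000 24          4692        ACCEPT  DEFAULT ACTION
"""


def parse_openvpn_detail(text):
    """Per tunnel: up flag, rx/tx packet counts and rx/tx dropped counts."""
    tunnels, current, direction = {}, None, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): <([^>]*)>", line)
        if head:
            current = head.group(1)
            tunnels[current] = {"up": "UP" in head.group(2).split(","),
                                "rx_packets": 0, "tx_packets": 0,
                                "rx_dropped": 0, "tx_dropped": 0}
        elif current and re.match(r"\s*(RX|TX):", line):
            direction = line.split(":")[0].strip().lower()   # header row
        elif current and direction and re.match(r"\s*\d", line):
            nums = [int(n) for n in line.split()]             # counter row
            tunnels[current][direction + "_packets"] = nums[1]
            tunnels[current][direction + "_dropped"] = nums[3]
            direction = None
    return tunnels


def parse_modify_stats(text):
    """Per ruleset: interface it is active on, packets matched by MODIFY rules
    and packets that fell through to the DEFAULT ACTION."""
    sets, current = {}, None
    for line in text.splitlines():
        name = re.match(r'IPv4 Firewall "([^"]+)"', line)
        active = re.match(r"\s*Active on \((\S+),IN\)", line)
        row = re.match(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(.*)$", line)
        if name:
            current = name.group(1)
            sets[current] = {"interface": None, "modify_packets": 0, "default_packets": 0}
        elif active and current:
            sets[current]["interface"] = active.group(1)
        elif row and current:
            packets, action, desc = int(row.group(2)), row.group(4), row.group(5)
            if action == "MODIFY":
                sets[current]["modify_packets"] += packets
            elif desc.strip() == "DEFAULT ACTION":
                sets[current]["default_packets"] += packets
    return sets


def diagnose(tunnels, rulesets):
    """Findings as strings; an empty list means every chain carries traffic."""
    findings = []
    for name, t in tunnels.items():
        if t["up"] and t["rx_packets"] == 0 and t["tx_packets"] == 0:
            findings.append(f"{name}: tunnel is up but has carried no packets")
        elif t["rx_dropped"] or t["tx_dropped"]:
            findings.append(f"{name}: drops rx={t['rx_dropped']} tx={t['tx_dropped']} "
                            "(suspect MTU/mssfix)")
    for name, s in rulesets.items():
        if s["modify_packets"] == 0 and s["default_packets"]:
            findings.append(f"{name} on {s['interface']}: {s['default_packets']} packets hit the "
                            "default action and none matched the modify rules, so this VLAN "
                            "used the normal WAN route; check the rule's source address")
    return findings
```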

 

 


Re: Useful commands for testing openvpn connection

 THX for the HowTo!!!

 

Could you explain how you set this up?

 

I setup 3 networks

LAN (default VLAN) IP 10.0.0.0/24

UK VPN Network (VLAN 10) IP 10.0.1.0/24

US VPN Network (VLAN 20) IP 10.0.2.0/24

 

Did you create a second Network? Could you give me a screenshot of the Controller?

When I create a second Network and set the VLAN ID to 10, my other clients cannot connect anymore... I have several options to create a Network:

 

VLAN, Corporate, VPN etc.... what did you create?

 

THX


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

[Screenshot: Networks] I set up these networks - they could have all been /24

[Screenshot: Wireless networks] These are the Wifi networks with the corresponding VLAN IDs

The OpenVPN setup file needed an updated parameter so that not all of the traffic goes over the VPN

 

Change:

pull

To: 

route-nopull

 

The VPN config then worked with these networks and sent only the traffic identified over the connection.

NB: I had no need for devices to connect between these networks, so if you are connected to the US VPN Network, you cannot access the main LAN.


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Did you ever verify if your json works? I followed your steps, however I only have one internal net 192.168.30.0/24 that needs access to a VPN. My USG gets stuck in provisioning if I attach the json to it.

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

The JSON works every time now.

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Can you help me with mine if I gave you my details?


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Hi,

 

I tried this with your configuration but something's not working and my USG is rebooting and resetting ^^

 

This was my Problem yesterday:

UniFi USG configuration commit error. Error message: { "COMMIT" : { "error" : "\ufffe[ firewall modify NordVPN ]\nError: [sudo /sbin/iptables-restore -n -v 2> /tmp/iptables.out] = 256\nIptables restore OK\n\n\uffff0\nCommit failed\n" , "failure" : "1" , "success" : "1"} , "DELETE" : { "failure" : "0" , "success" : "1"} , "SESSION_ID" : "061b5a1bba7d7786edb566d973" , "SET" : { "failure" : "0" , "success" : "1"}}

Patched Controller and USG today, but:

UniFi USG configuration commit error. Error message: { "COMMIT" : { "error" : "\ufffe[ firewall modify NordVPN ]\nFirewall config error: Cannot delete rule set \"NordVPN\" (still in use)\n\n\uffff0\n\ufffe[ firewall modify LOAD_BALANCE ]\nFirewall config error: Cannot delete rule set \"LOAD_BALANCE\" (still in use)\n\n\uffff0\n\ufffe[ interfaces ethernet eth0 address dhcp ]\nStarting DHCP client on eth0 ...\n\n\uffff1\nCommit failed\n" , "failure" : "1" , "success" : "1"} , "DELETE" : { "failure" : "0" , "success" : "1"} , "SESSION_ID" : "b9bc60e87078d9d43e7a30c66d" , "SET" : { "failure" : "0" , "success" : "1"}}

I don't really know what's wrong - the configuration looks the same as yours but just with one VPN.

 

Any Idea?

 


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

This is the current JSON I have for just the US NordVPN

- the UK option was not working very well for me.

 

{
        "firewall": {
                 "modify": {
                        "OPENVPN-US": {
                                "rule": {
                                        "5000": {
                                                "action": "modify",
                                                "description": "Allow US clients to access vtun1",
                                                "modify": {
                                                        "table": "2"
                                                },
                                                "source": {
                                                        "address": "10.0.2.0/28"
                                                }
                                        }
                                }
                        }
                }
        },
        "interfaces": {
                "ethernet": {
                        "eth1": {
                                "vif": {
                                        "20": {
                                                "firewall": {
                                                        "in": {
                                                                "modify": "OPENVPN-US",
                                                                "name": "LAN_IN"
                                                        },
                                                        "local": {
                                                                "name": "LAN_LOCAL"
                                                        },
                                                        "out": {
                                                                "name": "LAN_OUT"
                                                        }
                                                }
                                        }
                                }
                        }
                },
                "openvpn": {
                        "vtun1": {
                                "config-file": "/config/openvpn/us729.nordvpn.com.udp1194.ovpn",
                                "description": "US OpenVPN tunnel"
                        }
                }
        },
        "protocols": {
                "static": {
                        "table": {
                                "2": {
                                        "interface-route": {
                                                "0.0.0.0/0": {
                                                        "next-hop-interface": {
                                                                "vtun1": "''"
                                                        }
                                                }
                                        }
                                }
                        }
                }
        },
        "service": {
                "nat": {
                        "rule": {
                                "5001": {
                                        "description": "Route US OpenVPN clients",
                                        "log": "disable",
                                        "outbound-interface": "vtun1",
                                        "source": {
                                                "address": "10.0.2.0/28"
                                        },
                                        "type": "masquerade"
                                },
                                "5002": {
                                        "description": "Route all other clients",
                                        "log": "disable",
                                        "outbound-interface": "eth0",
                                        "source": {
                                                "address": "10.0.0.0/27"
                                        },
                                        "type": "masquerade"
                                }
                        }
                }
        }
}

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

The process I went through to get this working for me was to:

 

1. Get the JSON of the USG config before I've done anything. SSH to the USG and type:

mca-ctrl -t dump-cfg

2. Get the VPN  working using the command line on the USG

3. Get the JSON of the USG config while the VPN is working - using the mca-ctrl command above

4. Create the new config.gateway.json file for the Cloudkey by subtracting the JSON output from step 1 from the JSON in step 3.

 

This is my current script which I just paste into a USG window.

NOTE that the UK VPN setup has been commented out, so it produces the same result as the JSON on the cloudkey

# based on https://community.ubnt.com/t5/EdgeMAX/OpenVPN-Client-Setup-for-Private-Internet-Access/m-p/1154803/highlight/true#M53644
#

sudo -i
configure

# 1 Setup the VPN tunnels
#set interfaces openvpn vtun0 config-file /config/openvpn/uk129.nordvpn.com.udp.ovpn
#set interfaces openvpn vtun0 description 'UK OpenVPN tunnel'
 
set interfaces openvpn vtun1 config-file /config/openvpn/us729.nordvpn.com.udp.ovpn
set interfaces openvpn vtun1 description 'US OpenVPN tunnel'

commit

# 2 Route the appropriate devices through the related VPN tunnels
#set service nat rule 5000 description 'Route UK OpenVPN clients'
#set service nat rule 5000 log disable
#set service nat rule 5000 outbound-interface vtun0
#set service nat rule 5000 source address 10.0.1.0/28
#set service nat rule 5000 type masquerade

set service nat rule 5001 description 'Route US OpenVPN clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun1
set service nat rule 5001 source address 10.0.2.0/28
set service nat rule 5001 type masquerade
 
set service nat rule 5002 description 'Route all other clients'
set service nat rule 5002 log disable
set service nat rule 5002 outbound-interface eth0
set service nat rule 5002 source address 10.0.0.0/27
set service nat rule 5002 type masquerade
 
# 3 Create a static route using the tunnel interface as next-hop:
#set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface vtun1

commit
 
# 4 Create a firewall modify rule for each host you want to route through the Open VPN tunnel.  
#set firewall modify OPENVPN-UK rule 5000 description 'Allow UK clients to access vtun0'
#set firewall modify OPENVPN-UK rule 5000 source address 10.0.1.0/28
#set firewall modify OPENVPN-UK rule 5000 modify table 1

set firewall modify OPENVPN-US rule 5000 description 'Allow US clients to access vtun1'
set firewall modify OPENVPN-US rule 5000 source address 10.0.2.0/28
set firewall modify OPENVPN-US rule 5000 modify table 2

commit
 
# 5 Apply the firewall modify rule "in" to your LAN interface.  
#set interfaces ethernet eth1 vif 10 firewall in modify OPENVPN-UK
set interfaces ethernet eth1 vif 20 firewall in modify OPENVPN-US
 
commit
save
exit

show interfaces
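Step 4 of the process above, as an added example (my code, not the poster's or Ubiquiti's): subtract the step-1 dump from the step-3 dump so that only the nodes the CLI session added survive, which is what config.gateway.json should contain. The two dumps embedded below are constructed samples in the shape of `mca-ctrl -t dump-cfg` output (EdgeOS dumps valueless tag nodes as "''", as in the poster's JSON); run with two file paths it diffs real dumps instead.

```python
"""Derive config.gateway.json from two `mca-ctrl -t dump-cfg` dumps (before and
after the CLI session).  Added example, not code from the thread or Ubiquiti.
Usage: python derive_gateway_json.py before.json after.json > config.gateway.json"""
import copy
import json
import sys

# Constructed baseline in the shape of a controller-provisioned USG dump,
# trimmed to the nodes that matter here.
BASELINE = {
    "firewall": {"name": {"LAN_IN": {"default-action": "accept"}}},
    "interfaces": {"ethernet": {
        "eth0": {"address": ["dhcp"], "description": "WAN"},
        "eth1": {"address": ["10.0.0.1/27"], "vif": {"20": {
            "address": ["10.0.2.1/28"],
            "firewall": {"in": {"name": "LAN_IN"}, "local": {"name": "LAN_LOCAL"},
                         "out": {"name": "LAN_OUT"}}}}}}},
    "service": {"nat": {"rule": {"6001": {"outbound-interface": "eth0",
                                          "type": "masquerade"}}}},
    "system": {"host-name": "ubnt"},
}

# Working config: the baseline plus what the thread's CLI script adds.
WORKING = copy.deepcopy(BASELINE)
WORKING["interfaces"]["openvpn"] = {"vtun1": {
    "config-file": "/config/openvpn/us.ovpn", "description": "US OpenVPN tunnel"}}
WORKING["interfaces"]["ethernet"]["eth1"]["vif"]["20"]["firewall"]["in"]["modify"] = "OPENVPN-US"
WORKING["firewall"]["modify"] = {"OPENVPN-US": {"rule": {"5000": {
    "action": "modify", "modify": {"table": "2"},
    "source": {"address": "10.0.2.0/28"}}}}}
WORKING["protocols"] = {"static": {"table": {"2": {"interface-route": {
    "0.0.0.0/0": {"next-hop-interface": {"vtun1": "''"}}}}}}}
WORKING["service"]["nat"]["rule"]["5001"] = {
    "log": "disable", "outbound-interface": "vtun1", "type": "masquerade",
    "source": {"address": "10.0.2.0/28"}}


def subtract(working, baseline):
    """Return the part of `working` that is absent from or differs in `baseline`,
    or None when they are identical.  Dicts are compared key by key; any other
    value (strings, the address lists) is kept whole when it differs."""
    if not isinstance(working, dict) or not isinstance(baseline, dict):
        return None if working == baseline else working
    out = {}
    for key, value in working.items():
        if key not in baseline:
            out[key] = value
        else:
            diff = subtract(value, baseline[key])
            if diff is not None:
                out[key] = diff
    return out or None


def removed_paths(working, baseline, prefix=""):
    """Nodes present in the baseline but gone from working.  config.gateway.json
    can only add or override nodes, so these deletions cannot be carried by it."""
    gone = []
    if isinstance(working, dict) and isinstance(baseline, dict):
        for key, value in baseline.items():
            if key not in working:
                gone.append(prefix + key)
            else:
                gone.extend(removed_paths(working[key], value, prefix + key + " "))
    return gone


def gateway_json(working, baseline):
    """(config.gateway.json dict, list of deletions it cannot express)."""
    return subtract(working, baseline) or {}, removed_paths(working, baseline)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = json.load(f1), json.load(f2)
    else:
        before, after = BASELINE, WORKING
    delta, gone = gateway_json(after, before)
    print(json.dumps(delta, indent=4, sort_keys=True))
    for path in gone:
        print(f"# warning: '{path}' was removed; not expressible here", file=sys.stderr)
```

Nodes the controller itself owns (the LAN_IN/LAN_LOCAL/LAN_OUT names, the 600x NAT rules) drop out of the result automatically because they are identical in both dumps, which keeps the file minimal and avoids fighting the controller on re-provision.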

 


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Can you attach your config file? It's very sensitive to syntax errors.


@x-ares-x wrote:



Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

If you want to attach your file, I'll take a look and use my limited knowledge to see if I can see any issues.

I got a lot of help from Brandon Jaffe @Ubiquiti.
Make sure you have the latest software and firmware updates.

I'm currently using
cloudkey firmware: v0.8.2
cloudkey controller 5.6.24
USG: 4.4.12

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Thanks for your very helpful post. This is the first post that gives enough detail (step by step and troubleshooting) for a true beginner to get it working. I successfully got NordVPN working on my USG. Two questions if you have time to respond.

1) where are you putting the json file on your cloudkey? 

2) My upload/download speeds are terrible.  My wired iMac gets 300mbps plus without the VPN, 30 to 200mbps with the NordVPN MacOS client (OpenVPN), and seems to cap at 8mbps using the NordVPN configuration files on the USG.  The USG shows a large number of dropped packets on vtun0.  Do you have any idea what to change? I played with the tun-mtu and mssfix values in the ovpn file provided by NordVPN following guidance from 

 

https://community.ubnt.com/t5/UniFi-Routing-Switching/Setting-up-OpenVPN-client-in-USG/m-p/2109051/h...

 

It seemed to make speeds worse.  I am waiting on NordVPN to respond (I also followed their tutorial).  

 

Any help appreciated.


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

1. Location of config.gateway.json

 

Identify the base URL for the files

https://help.ubnt.com/hc/en-us/articles/115004872967

 

For the UniFi Cloud Key & Debian/Ubuntu Linux:  /usr/lib/unifi

 

The location of the config file as well as how to modify

https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-w...

 

My site is 'default' so the URL is: /usr/lib/unifi/data/sites/default/

 

2. Speed.

 

I found having 2 connections was terrible and marginally better with one. As my internet connection can be quite slow (I can only dream of >100mbps), I haven't given any more thought about trying to improve the performance. When using the connection from my Mac over the same internet connection it is much better, so I'd be very interested to try anything you find to improve.

 


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Thank you for your response. NordVPN wrote back and offered two suggestions/explanations. 

 

1. OpenVPN is not multi threaded or scalable and the USG may be maxed out in terms of speed because it cannot encrypt or decrypt any faster. 

2. Use ping google.com -f -l 1500 subtracting 10 from 1500 then 1490 and so on  until you get a response from google and then increase by 1 repetitively until you get the max value. Add 28 and that is the MTU value to use. Set the interface value to that MTU

 

I tried it from my Mac using their client software which uses IKEv2 and never got a useful number with constant icmp errors. Maybe it isn't supposed to work that way. I have not tried it using the USG as a client yet, which is the original plan. Using your step by step method I made changes to the USG so that I could easily reprovision it with the cloud key and bring my speed back when it didn't work out correctly.

 

If I learn anymore I will respond to this thread. 

 


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

While your solution may provide you with the result that you're looking for, there is a much easier and more elegant way to do it.

 

Objective:

I want to be able to watch the UK Netflix and BBC iPlayer content on multiple devices at home.

 

Solution:

Add SmartDNSProxy to your network at the USG, or have a separate Subnet / VLAN with SmartDNSProxy DNS Services manually selected:

 

1. Use this link for a 14 day free trial of SmartDNSProxy.

2. Setup a VLAN subnet and manually select DNS according to the servers on this page.

 

BBC iPlayer will work on the Subnet and Netflix will show US content. You may wish to add the DNS to main network instead. Works just as well.


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

@itommo wrote:

2. Setup a VLAN subnet and manually select DNS according to the servers on this page.

BBC iPlayer will work on the Subnet and Netflix will show US content. You may wish to add the DNS to main network instead. Works just as well.


Do you mind sharing some screenshots of the UniFi part as to how you did it for wireless devices such as the Amazon Fire TV Stick?

I am looking for a solution that I can only tie to a certain wireless network and not the whole network so I would be interested to see what you did. 

 

Thank you!


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Hi @limbolukas,

 

Sure, I run Controller v5.6.26 and this is how I set it up. 

 

- First Create a Network that runs on a VLAN (i.e. 10) and uses the SmartDNSProxy DNS settings in DHCP Name Server (Manual).

- I run multiple VLANs on my network so I use the following in Gateway / Subnet - 192.168.[VLAN].1/24 so that I can quickly identify what device is on what VLAN etc.

- Now Create a Wireless Network and under Advanced Settings assign the VLAN for the DNS network (10).

 

- If you are running v5.6.26 then also go to Controller - Settings - Services - MDNS and turn it ON. It will help with printers / Apple TVs etc across the subnets.

 

This setup allows me to have a Wireless Network to connect the devices that I want on the DNS, while also allowing me to select ports on the Switches to run the DNS VLAN, which is neat.

 

[Screenshot: Controller - Settings - Networks - Create New Network]

[Screenshot: Controller - Settings - Wireless Networks - Create New Wireless Network]


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Hi @itommo

 

Many thanks for the explanations and screenshots. Unfortunately, it does not work for me as I still get my home country Netflix library on my devices (UniFi v5.7.10, mDNS activated).

 


 

Any ideas?


Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

@limbolukas,

 

Yes - you'll see that on your Account Setup screen you have a Red No Entry sign - you need all Green Ticks.

 

You are either not on the correct Wifi Network or you need to reboot your devices. Try a reboot, join the DNS Wifi and then load up your SmartDNSProxy account page again.
