Member
Posts: 198
Registered: ‎04-26-2017
Kudos: 72
Solutions: 2

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)


First off, kudos for the guide and info. I have gotten this to work with mixed success.

 

When I manually set up the connection and networks everything seems to work as expected: the assigned WLAN has the external IP of the VPN connection, and the main network has the IP of my ISP. But after a few minutes the USG shows high latency, internet stops working and the VPN tunnel stops working.

 

However, when I made my custom config.gateway.json it stopped working. At first all my networks had 200ms+ latency. Then it "autocorrected" after about a minute or two, at which point all of my networks have my ISP IP (123.4.5.67) and my assigned network is still not connected to the VPN.

 

I can ping the VPN server, I can ping the VPN-assigned IP, and I can ping Google DNS (8.8.8.8). I cannot access websites because they time out.

 

At the time of this writing I think my VPN's Romania server was having issues, so I am switching it to one in Japan for testing.

 

show interfaces

 

root@1160K-GW-1DA103:~# show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         123.4.5.67/21                  u/u
             2001:558:6027:0:c8b1:736e:443:fc09/128
eth1         10.0.0.1/24                       u/u
eth1.2       192.168.1.1/24                    u/u
eth1.10      -                                 u/u
eth1.20      -                                 u/u
eth1.111     10.0.111.1/27                     u/u
eth1.222     10.0.222.1/27                     u/u
eth2         -                                 A/D
lo           127.0.0.1/8                       u/u
             ::1/128
vtun0        10.75.1.3                        u/u  Swiss OpenVPN tunnel

 

 

show interfaces openvpn detail

 

 

vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.75.1.3 peer 10.75.1.2/32 scope global vtun0
       valid_lft forever preferred_lft forever
    Description: Swiss OpenVPN tunnel

    RX:  bytes    packets     errors    dropped    overrun      mcast
        313959        628          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
        230911       3040          0          0          0          0

 

 

show nat rules

 

 

Type Codes:  SRC - source, DST - destination, MASQ - masquerade
              X at the front of rule implies rule is excluded

rule   type  intf     translation
----   ----  ----     -----------
5000   MASQ  vtun0    saddr 10.0.111.0/27 to 10.75.1.3
    proto-all         sport ANY

5001   MASQ  vtun1    saddr 10.0.222.0/27 to
    proto-all         sport ANY

5002   MASQ  eth0     saddr 10.0.0.0/24 to 123.4.5.67
    proto-all         sport ANY

5003   MASQ  eth0     saddr 192.168.1.0/24 to 123.4.5.67
    proto-all         sport ANY

6001   MASQ  eth0     saddr ANY to 123.4.5.67
    proto-all         sport ANY

6002   MASQ  eth0     saddr ANY to 123.4.5.67
    proto-all         sport ANY

6003   MASQ  eth0     saddr ANY to 123.4.5.67
    proto-all         sport ANY

 

show firewall modify statistics

--------------------------------------------------------------------------------

IPv4 Firewall "OPENVPN-RM"

 Active on (eth1.20,IN)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
20    0           0           MODIFY  Allow RM clients to access vtun1
10000 0           0           ACCEPT  DEFAULT ACTION

--------------------------------------------------------------------------------

IPv4 Firewall "OPENVPN-SW"

 Active on (eth1.10,IN)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    0           0           MODIFY  Allow SW clients to access vtun0
10000 0           0           ACCEPT  DEFAULT ACTION

 

config.gateway.json

{
	"firewall": {
		"modify": {
			"OPENVPN-SW": {
				"rule": {
					"10": {
						"action": "modify",
						"description": "Allow SW clients to access vtun0",
						"modify": {
							"table": "1"
						},
						"source": {
							"address": "10.0.111.0/27"
						}
					}
				}
			},
			"OPENVPN-RM": {
				"rule": {
					"20": {
						"action": "modify",
						"description": "Allow RM clients to access vtun1",
						"modify": {
							"table": "2"
						},
						"source": {
							"address": "10.0.222.0/27"
						}
					}
				}
			}
		}
	},
	"interfaces": {
		"ethernet": {
			"eth1": {
				"vif": {
					"10": {
						"firewall": {
							"in": {
								"modify": "OPENVPN-SW"
							}
						}
					},
					"20": {
						"firewall": {
							"in": {
								"modify": "OPENVPN-RM"
							}
						}
					}
				},
				"speed": "auto"
			}
		},
		"openvpn": {
			"vtun0": {
				"config-file": "/config/openvpn/swiss.ovpn",
				"description": "Swiss OpenVPN tunnel"
			},
			"vtun1": {
				"config-file": "/config/openvpn/romania.ovpn",
				"description": "Romania OpenVPN tunnel"
			}
		}
	},
	"service": {
		"nat": {
			"rule": {
				"5000": {
					"description": "Route SW OpenVPN clients",
					"log": "disable",
					"outbound-interface": "vtun0",
					"source": {
						"address": "10.0.111.0/27"
					},
					"type": "masquerade"
				},
				"5001": {
					"description": "Route RM OpenVPN clients",
					"log": "disable",
					"outbound-interface": "vtun1",
					"source": {
						"address": "10.0.222.0/27"
					},
					"type": "masquerade"
				},
				"5002": {
					"description": "Route all other clients",
					"log": "disable",
					"outbound-interface": "eth0",
					"source": {
						"address": "10.0.0.0/24"
					},
					"type": "masquerade"
				},
				"5003": {
					"description": "Route all guests",
					"log": "disable",
					"outbound-interface": "eth0",
					"source": {
						"address": "192.168.1.0/24"
					},
					"type": "masquerade"
				}
			}
		}
	},
	"protocols": {
		"static": {
			"table": {
				"1": {
					"interface-route": {
						"0.0.0.0/0": {
							"next-hop-interface": {
								"vtun0": "''"
							}
						}
					}
				},
				"2": {
					"interface-route": {
						"0.0.0.0/0": {
							"next-hop-interface": {
								"vtun1": "''"
							}
						}
					}
				}
			}
		}
	}
}

 

Any ideas?

 

Controller 5.7.10

USG 4.4.14.5041698

VPN: PrivateInternetAccess

New Member
Posts: 30
Registered: ‎10-21-2016
Kudos: 4

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)


@itommo wrote:

@limbolukas,

 

Yes - you'll see that on your Account Setup screen you have a Red No Entry sign - you need all Green Ticks.

 

You are either not on the correct Wifi Network or you need to reboot your devices. Try a reboot, join the DNS Wifi and then load up your SmartDNSProxy account page again.


Hi @itommo

 

Thanks for pointing me into the right direction.

I had to remove my pihole as primary DNS server from my AP AC Pro's config to get it to work. After that I was able to get all green ticks and watch US Netflix on my iPad (rather slow) but not on the FireTV stick.

In my case too many drawbacks to make it work.

 

Anyway, many thanks for the help!

Member
Posts: 198
Registered: ‎04-26-2017
Kudos: 72
Solutions: 2

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)


Ok, now when I manually enter the CLI commands, the Wi-Fi network routed to the vtun0 interface works; however the main Wi-Fi that should be on my normal ISP times out.
When I run a traceroute on the USG to 8.8.8.8 the first hop is the vtun0 interface; shouldn't it be eth0?

I’m struggling to figure out why my VPN’d Wi-Fi works but the main Wi-Fi doesn’t...

 

Thanks to @drichard's video HERE I was able to get this idea to work.

 

Objective:

Have a running VPN connection with any PIA VPN server accessible from a dedicated VLAN tagged SSID, leaving the rest of the LAN untouched.

 

 

Set up the PPTP client

Do NOT check "Use this VPN for internet"

Route Distance [EMPTY]

Remote subnets 1.2.3.4/30

Check "Use VPN server-provided DNS servers"

Server: enter the FQDN of the vpn service (for me it was PIA so enter i.e.: swiss.privateinternetaccess.com)

Username: duh

password: duh

CHECK Require Microsoft P2P Encryption

 

SSH into USG

 

sudo -i
configure
set firewall modify VPN_Gateway rule 3000 action modify
set firewall modify VPN_Gateway rule 3000 modify table 1
set firewall modify VPN_Gateway rule 3000 source address 10.0.111.0/27
set firewall modify VPN_Gateway rule 3000 protocol all
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pptpc0
set interfaces ethernet eth1 vif 10 firewall in modify VPN_Gateway
commit
exit

The config.gateway.json I tested that held over.

 

{
  "firewall": {
    "modify": {
      "VPN_Gateway": {
        "rule": {
          "3000": {
            "action": "modify",
            "modify": {
              "table": "1"
            },
            "protocol": "all",
            "source": {
              "address": "10.0.111.0/27"
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth1": {
        "vif": {
          "10": {
            "address": [
              "10.0.111.1/27"
            ],
            "firewall": {
              "in": {
                "ipv6-name": "LANv6_IN",
                "modify": "VPN_Gateway",
                "name": "LAN_IN"
              },
              "local": {
                "ipv6-name": "LANv6_LOCAL",
                "name": "LAN_LOCAL"
              },
              "out": {
                "ipv6-name": "LANv6_OUT",
                "name": "LAN_OUT"
              }
            }
          }
        },
        "speed": "auto"
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "1": {
          "interface-route": {
            "0.0.0.0/0": {
              "next-hop-interface": {
                "pptpc0": "''"
              }
            }
          }
        }
      }
    }
  }
}

 (https://community.ubnt.com/t5/UniFi-Routing-Switching/Policy-Based-Routing-JSON-help/m-p/2177653#M70...)

 

Now I have completed the objective, and traffic is flowing as expected. VPN speeds are, as expected, ~2.5-4 Mbps (a VPN in Switzerland).

 

I haven't tested a second SSID with a second VPN client, though I'm sure the same process will work.

 

My guest network is also routed correctly, and I could even pipe that through its own VPN if I wanted.

 

Thanks everyone!!

New Member
Posts: 11
Registered: ‎08-09-2018

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Steve, thank you for your original post.  I found the information extremely helpful in getting NordVPN to work for me.

New Member
Posts: 1
Registered: ‎03-15-2017

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Hi, I followed the instructions and it worked almost perfectly. However, when vtun0 is enabled all the traffic that comes from eth0 does not work.

 

Also, when I renamed route-nopull instead of pull in the file the vpn stopped working.

 

Any ideas?

New Member
Posts: 2
Registered: ‎09-19-2018
Kudos: 3

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Hi,

I also haven't been able to make this work for weeks. After a LOT of digging: the issue is the 2018 update to the controller. You need to add "source-validation": "disable" to the firewall section. After that, traffic flows. This is my json file that works for me:

 

{
  "firewall": {
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "20": {
            "action": "modify",
            "description": "Traffic to Nord VPN",
            "modify": {
              "table": "1"
            },
            "protocol": "all",
            "source": {
              "address": "192.168.20.0/24"
            }
          }
        }
      }
    },
    "source-validation": "disable"
  },
  "interfaces": {
    "ethernet": {
      "eth1": {
        "vif": {
          "20": {
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              },
              "local": {
                "name": "LAN_LOCAL"
              },
              "out": {
                "name": "LAN_OUT"
              }
            }
          }
        }
      }
    },
    "openvpn": {
      "vtun0": {
        "config-file": "/config/YOUROVPNCONFIGFILE",
        "description": "Nord OpenVPN"
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "1": {
          "interface-route": {
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun0": "''"
              }
            }
          }
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "5020": {
          "description": "Route US OpenVPN clients",
          "log": "disable",
          "outbound-interface": "vtun0",
          "source": {
            "address": "192.168.20.0/24"
          },
          "type": "masquerade"
        },
        "5000": {
          "description": "Route other clients",
          "log": "disable",
          "outbound-interface": "eth0",
          "source": {
            "address": "192.168.1.0/24"
          },
          "type": "masquerade"
        }
      }
    }
  }
}

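
An added example, not from this thread and not Ubiquiti code, that statically checks whether a config.gateway.json wires up the whole policy-based-routing chain that the JSON posts in this thread build (the two-tunnel JSON in the first post, the PPTP CLI/JSON further up, and the JSON just above): a modify rule pointing at a table, a static table with a 0.0.0.0/0 interface-route, a masquerade rule on that next-hop interface covering the same source prefix, the policy attached to a vif, and "source-validation": "disable". The function names, the finding texts and the embedded sample config (modelled on the JSON above, with the config-file path kept as the same placeholder) are mine. It reads config only, so it cannot see whether a tunnel is actually up; the first post's `show nat rules` output (rule 5001 on vtun1 with no translation address, and no vtun1 in `show interfaces`) is that separate, runtime failure mode.

```python
"""Added example (not from the thread, not Ubiquiti's code): static
consistency check for a config.gateway.json policy-based-routing chain.
Function names, finding texts and the sample config are constructed here."""
import copy
import ipaddress
import json

# Constructed sample, modelled on the JSON posted above (placeholder path kept).
SAMPLE_CFG_JSON = """
{
  "firewall": {
    "modify": {"SOURCE_ROUTE": {"rule": {"20": {
      "action": "modify", "modify": {"table": "1"}, "protocol": "all",
      "source": {"address": "192.168.20.0/24"}}}}},
    "source-validation": "disable"
  },
  "interfaces": {
    "ethernet": {"eth1": {"vif": {"20": {"firewall": {"in": {
      "modify": "SOURCE_ROUTE", "name": "LAN_IN"}}}}}},
    "openvpn": {"vtun0": {"config-file": "/config/YOUROVPNCONFIGFILE"}}
  },
  "protocols": {"static": {"table": {"1": {"interface-route": {
    "0.0.0.0/0": {"next-hop-interface": {"vtun0": "''"}}}}}}},
  "service": {"nat": {"rule": {
    "5020": {"outbound-interface": "vtun0", "source": {"address": "192.168.20.0/24"}, "type": "masquerade"},
    "5000": {"outbound-interface": "eth0", "source": {"address": "192.168.1.0/24"}, "type": "masquerade"}}}}
}
"""


def load_sample():
    return json.loads(SAMPLE_CFG_JSON)


def without(cfg, *path):
    """Deep copy of cfg with the key at `path` removed, for what-if checks."""
    out = copy.deepcopy(cfg)
    node = out
    for key in path[:-1]:
        node = node[key]
    del node[path[-1]]
    return out


def _get(d, *keys, default=None):
    """Walk nested dicts; return `default` as soon as a key is missing."""
    for k in keys:
        if not isinstance(d, dict) or k not in d:
            return default
        d = d[k]
    return d


def check_pbr_chain(cfg):
    """Return a list of findings; an empty list means the chain is complete."""
    findings = []
    # The thread's reported fix for post-2018 controllers.
    if _get(cfg, "firewall", "source-validation") != "disable":
        findings.append("firewall.source-validation is not 'disable'")

    # Modify policies that are actually attached to a vif as 'firewall in modify'.
    attached = set()
    for eth in _get(cfg, "interfaces", "ethernet", default={}).values():
        for vif in _get(eth, "vif", default={}).values():
            pol = _get(vif, "firewall", "in", "modify")
            if pol:
                attached.add(pol)

    nat_rules = _get(cfg, "service", "nat", "rule", default={})
    tables = _get(cfg, "protocols", "static", "table", default={})
    declared = _get(cfg, "interfaces", "openvpn", default={})

    for pol_name, pol in _get(cfg, "firewall", "modify", default={}).items():
        if pol_name not in attached:
            findings.append(f"modify policy {pol_name} is not attached to any vif")
        for rule_id, rule in _get(pol, "rule", default={}).items():
            table = _get(rule, "modify", "table")
            if table is None:
                continue  # not a policy-routing rule
            where = f"{pol_name} rule {rule_id}"
            src = _get(rule, "source", "address")
            # 1. the table must have a default interface-route
            nh = _get(tables, table, "interface-route", "0.0.0.0/0", "next-hop-interface")
            if not nh:
                findings.append(f"{where}: static table {table} has no 0.0.0.0/0 interface-route")
                continue
            iface = next(iter(nh))
            if iface not in declared:
                findings.append(f"{where}: next-hop {iface} is not declared under interfaces.openvpn "
                                "in this file (only fine if configured elsewhere, e.g. a GUI PPTP client)")
            # 2. a masquerade rule out of that interface must cover the source prefix
            if src and not src.startswith("!"):
                src_net = ipaddress.ip_network(src, strict=False)
                covered = False
                for nat in nat_rules.values():
                    if _get(nat, "type") != "masquerade" or _get(nat, "outbound-interface") != iface:
                        continue
                    nat_src = _get(nat, "source", "address")
                    if nat_src is None or src_net.subnet_of(ipaddress.ip_network(nat_src, strict=False)):
                        covered = True
                        break
                if not covered:
                    findings.append(f"{where}: no masquerade NAT rule out {iface} covering {src}")
    return findings


if __name__ == "__main__":
    cfg = load_sample()
    print("complete config:", check_pbr_chain(cfg))
    print("no source-validation:", check_pbr_chain(without(cfg, "firewall", "source-validation")))
    print("no NAT on vtun0:", check_pbr_chain(without(cfg, "service", "nat", "rule", "5020")))
```

Run it against your own file with `check_pbr_chain(json.load(open("config.gateway.json")))`; each finding names the modify rule it applies to. A negated source (`!prefix`) is skipped for the NAT check because masquerade rules match positive prefixes only.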
New Member
Posts: 1
Registered: ‎10-25-2018

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Thanks, this worked for me perfectly. I was missing the [route-nopull] edit in the .ovpn config file. Thanks again for putting this together.
Emerging Member
Posts: 64
Registered: ‎09-21-2016
Kudos: 6
Solutions: 1

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

@stevearmitage how can your script be modified only for a specific ip to be routed through vtun0?

New Member
Posts: 11
Registered: ‎05-21-2017
Kudos: 4

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)


Based on the script above, change your VPN source address from the following:

"address": "192.168.20.0/24"

to your IP address/32, i.e. only one computer:

"address": "192.168.1.1/32"

 

New Member
Posts: 3
Registered: ‎07-05-2018

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Thanks for this Steve et al., just got it working. However I'm getting speeds of about 7-8 Mbps when connected to the NordVPN USG VLAN (US or CA) as opposed to about 60 Mbps when not using the VPN (about an 87% decrease). Interestingly, when just using the NordVPN client on Android via the USG (no VPN), I get about 55 Mbps (about an 8% decrease).

 

I'm hoping somebody has some suggestions on getting the throughput up when connected to NordVPN VLAN via the USG.

 

Emerging Member
Posts: 54
Registered: ‎09-18-2018
Kudos: 52
Solutions: 1

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Hi,

 

I've managed to configure everything successfully (big thanks for the tutorial!) but I'm missing one thing: access to a service running on the VPN subnet from another, local subnet.

I need to access it because the service requires user input to work.

At the moment from a server (172.16.6.3) running in the VPN subnet I can ping the other subnets' interfaces:

 

root@DDSM:/# ping 172.16.0.1      <--- other subnet interface
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.592 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=0.201 ms

root@DDSM:/# ping 172.16.6.1       <--- VPN subnet interface
PING 172.16.6.1 (172.16.6.1) 56(84) bytes of data.
64 bytes from 172.16.6.1: icmp_seq=1 ttl=64 time=0.208 ms
64 bytes from 172.16.6.1: icmp_seq=2 ttl=64 time=0.217 ms
64 bytes from 172.16.6.1: icmp_seq=3 ttl=64 time=0.181 ms

But when trying to ping a device in the other subnet:

root@DDSM:/# ping 172.16.0.10
PING 172.16.0.10 (172.16.0.10) 56(84) bytes of data.
From 10.8.8.1 icmp_seq=1 Destination Port Unreachable
From 10.8.8.1 icmp_seq=2 Destination Port Unreachable
From 10.8.8.1 icmp_seq=3 Destination Port Unreachable

Packets go through NordVPN's gateway, as my vtun interfaces are:

show interfaces openvpn
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
vtun0        172.16.5.1/28                     u/u  VPN server
vtun1        10.8.8.15/24                      u/u  NordVPN client

 

Question is how to exclude local network/subnets requests from being redirected through NordVPN/vtun1?

Emerging Member
Posts: 54
Registered: ‎09-18-2018
Kudos: 52
Solutions: 1

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Ok, I've found it. In my case I want subnet 172.16.4.0 to be able to talk to the NordVPN subnet:

set firewall modify NordVPN rule 5000 destination address !172.16.4.0/26

 

And below is part of the respective json code:

"firewall": {
  "modify": {
    "NordVPN": {
      "rule": {
        "5000": {
          "action": "modify",
          "description": "Redirect to vtun1",
          "destination": {
            "address": "!172.16.4.0/26"
          },
          "modify": {
            "table": "1"
          },
          "source": {
            "address": "172.16.6.0/28"
          }
        }
      }
    }
  }
}

Does anybody know how to add a second network to 172.16.4.0, as I want two subnets to communicate with the NordVPN subnet... Do I need to create a second modify firewall rule?

Emerging Member
Posts: 54
Registered: ‎09-18-2018
Kudos: 52
Solutions: 1

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Once again I'll answer myself - I excluded subnets that way:

  • created a firewall group (in the GUI) of the subnets you want to exclude
  • using
    mca-ctrl -t dump-cfg
  • found that group's ID, searching by its name
  • set firewall modify NordVPN rule 5000 destination group address-group !dcb12538596903gjdk5
  • and the json now looks like this:
    "firewall": {
      "modify": {
        "NordVPN": {
          "rule": {
            "5000": {
              "action": "modify",
              "description": "Redirect WAN conn. to vtun1",
              "destination": {
                "group": {
                  "address-group": "!dcb12538596903gjdk5"
                }
              },
              "modify": {
                "table": "1"
              },
              "source": {
                "address": "172.16.6.0/28"
              }
            }
          }
        }
      }
    }

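
An added example, not from this thread and not Ubiquiti code, that simulates how the source/destination matchers of a `firewall modify` rule like the two above decide whether a packet is handed to the policy-routing table or stays on the main table, including the `!` negation and an address group. It reproduces the three cases from these posts: VPN-subnet host to the internet (policy-routed), to the excluded subnet (main table), and to a second local subnet, which the single `!172.16.4.0/26` rule still sends into vtun1 until that subnet is in the excluded group. Function names, the rule dicts and the group ID `LOCAL_EXCLUDE_PLACEHOLDER` are constructed; the real group ID is whatever `mca-ctrl -t dump-cfg` shows.

```python
"""Added example (not from the thread, not Ubiquiti's code): simulate the
source/destination match of a 'firewall modify' policy-routing rule,
with '!' negation and address groups. Rule dicts and group ID are constructed."""
import ipaddress

# Constructed rules, modelled on the two posted above.
RULE_ONE_SUBNET = {
    "action": "modify",
    "destination": {"address": "!172.16.4.0/26"},
    "modify": {"table": "1"},
    "source": {"address": "172.16.6.0/28"},
}
RULE_GROUP = {
    "action": "modify",
    "destination": {"group": {"address-group": "!LOCAL_EXCLUDE_PLACEHOLDER"}},
    "modify": {"table": "1"},
    "source": {"address": "172.16.6.0/28"},
}
# Constructed address group: both local subnets that must bypass the tunnel.
GROUPS = {"LOCAL_EXCLUDE_PLACEHOLDER": ["172.16.4.0/26", "172.16.0.0/24"]}


def _matches(ip, spec, groups):
    """spec: an 'address' string, a {'group': {'address-group': id}} dict, or None
    (no matcher, which matches everything). A leading '!' negates the match."""
    if spec is None:
        return True
    if isinstance(spec, dict):
        gid = spec["group"]["address-group"]
        negate = gid.startswith("!")
        prefixes = groups[gid.lstrip("!")]
    else:
        negate = spec.startswith("!")
        prefixes = [spec.lstrip("!")]
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)
    return hit != negate


def policy_table(rule, groups, src_ip, dst_ip):
    """Return the table a packet is marked for: the rule's modify.table when
    both matchers hit, otherwise 'main' (normal routing via the ISP)."""
    src_spec = rule.get("source", {}).get("address")
    dst = rule.get("destination", {})
    dst_spec = dst if "group" in dst else dst.get("address")
    if _matches(src_ip, src_spec, groups) and _matches(dst_ip, dst_spec, groups):
        return rule["modify"]["table"]
    return "main"


if __name__ == "__main__":
    for rule_name, rule in (("one subnet", RULE_ONE_SUBNET), ("group", RULE_GROUP)):
        for dst in ("8.8.8.8", "172.16.4.10", "172.16.0.10"):
            print(f"{rule_name:10} 172.16.6.3 -> {dst:12} table {policy_table(rule, GROUPS, '172.16.6.3', dst)}")
```

The single-subnet rule sends 172.16.6.3 -> 172.16.0.10 to table 1 (out vtun1, hence the "Destination Port Unreachable" from 10.8.8.1 above); with the group rule the same packet stays on the main table, which is why one rule with a negated group covers both subnets without a second modify rule.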
New Member
Posts: 5
Registered: ‎03-02-2017

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Hi Guys

 

I have got this working with the help of this page - thank you.

 

However, a weird one. My TVs and Android boxes buffer constantly and the TVs refuse to load Netflix at all, even though I can load Netflix via a browser.

 

Any ideas?

 

Thanks


Dave

New Member
Posts: 3
Registered: ‎07-05-2018

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Hi Dave,

 

I'm curious... what level of throughput are you getting on the NordVPN configured subnet?

 

-al

New Member
Posts: 5
Registered: ‎03-02-2017

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Terrible speeds, about 10mb on a speed test when it should be 80mb, no other devices on the network.

Emerging Member
Posts: 54
Registered: ‎09-18-2018
Kudos: 52
Solutions: 1

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

On a USG Pro the max. I have is around 20 mb/s. I guess speed is limited by the router CPU, as the NordVPN addon for Chrome lets me get over 100...

New Member
Posts: 3
Registered: ‎12-28-2018

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

This is my first mail on the ubnt forum. In the beginning I would like to welcome everyone and thank you for sharing your vast knowledge with other Ubiquiti equipment users.
For two weeks I have been trying to run openvpn on my USG router (+RaspberryPi running the controller) without success. I have read many guides, also from this thread (by Lisciu), whose settings I tried to transfer to my system, but with no results. I wanted to contact Lisciu (because of the same language) to give me some suggestions but I do not have his email address. Maybe he reads my post here and will help.
Can anyone guide me step by step in the USG and controller settings to run openvpn? Please note that I learn all of this myself and do not have any knowledge of computer networks like you. I have a public IP address, USG runs as 192.168.1.1, DHCP range starts with 192.168.1.100, openvpn server IP address should be e.g. 10.8.0.1, and VPN users should have IP addresses belonging to this subnet. I have no knowledge about routing and firewall rules.

I will be grateful for your help. Thank you in advance and I apologize for the off-topic post.
Emerging Member
Posts: 54
Registered: ‎09-18-2018
Kudos: 52
Solutions: 1

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Welcome @porthos, but first of all credit goes to @stevearmitage - he wrote that nice tutorial about the OpenVPN client.

If you want to configure OpenVPN server read https://community.ubnt.com/t5/UniFi-Routing-Switching/How-To-OpenVPN-Server-Configuration-on-the-USG... and if you want, also my post: https://community.ubnt.com/t5/UniFi-Routing-Switching/How-To-OpenVPN-Server-Configuration-on-the-USG... (remember to check WAN interface name...)

 

New Member
Posts: 3
Registered: ‎12-28-2018

Re: Routing traffic from one sub-net/VLAN to NordVPN (OpenVPN)

Thank you Lisciu for the reply. I think I read all these tutorials but will try one more time. I really appreciate your help.
