New Member
Posts: 3
Registered: ‎11-07-2015
Accepted Solution

Setting up OpenVPN client in USG

I configured my USG to connect to an OpenVPN server as a client using the following command

set interfaces openvpn vtun0 config-file /config/openvpn/client.conf

The configuration file header looks like this:

client
dev-type tun
proto udp
remote [REMOTE_IP] 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
[KEYS]

And I can see the connection being made:

root@USG:/config/openvpn# show interfaces openvpn
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description 
--------- ---------- --- ----------- 
vtun0 10.0.5.218 u/u

And I'm able to ping an IP inside the VPN:

root@USG:/config/openvpn# ping 10.1.5.200
PING 10.1.5.200 (10.1.5.200) 56(84) bytes of data.
64 bytes from 10.1.5.200: icmp_req=1 ttl=127 time=57.9 ms
64 bytes from 10.1.5.200: icmp_req=2 ttl=127 time=57.6 ms
64 bytes from 10.1.5.200: icmp_req=3 ttl=127 time=57.6 ms
64 bytes from 10.1.5.200: icmp_req=4 ttl=127 time=57.6 ms
--- 10.1.5.200 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 57.642/57.726/57.950/0.321 ms

 

These are the routes:

 

root@USG:/config/openvpn# show ip route 
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [210/0] via 192.168.1.1, eth0
K>* 10.0.0.0/16 via 10.0.5.217, vtun0
K>* 10.0.5.129/32 via 10.0.5.217, vtun0
C>* 10.0.5.217/32 is directly connected, vtun0
K>* 10.1.0.0/16 via 10.0.5.217, vtun0
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, eth0
C>* 192.168.2.0/24 is directly connected, eth1

root@USG:/config/openvpn# ip route
default via 192.168.1.1 dev eth0 proto zebra 
10.0.0.0/16 via 10.0.5.217 dev vtun0 
10.0.5.129 via 10.0.5.217 dev vtun0 
10.0.5.217 dev vtun0 proto kernel scope link src 10.0.5.218 
10.1.0.0/16 via 10.0.5.217 dev vtun0 
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.232 
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1

The problem is that none of the users on the LAN can ping/access to any ip inside the VPN.

 



All Replies
New Member
Posts: 2
Registered: ‎11-13-2015
Solutions: 1

Re: Setting up OpenVPN client in USG

Were you able to figure this out? I'm stuck in the same spot. 

New Member
Posts: 3
Registered: ‎11-07-2015

Re: Setting up OpenVPN client in USG

Not yet. I'm still waiting for a response from Ubiquiti support.

New Member
Posts: 2
Registered: ‎11-13-2015
Solutions: 1

Re: Setting up OpenVPN client in USG

Hey aleon02. 

I figured out my problem, I had to add masquerade. Maybe this'll help you.

 

set service nat rule 5004 description "masq to vpn vtun0"
set service nat rule 5004 destination address 0.0.0.0/0
set service nat rule 5004 outbound-interface vtun0
set service nat rule 5004 type masquerade
New Member
Posts: 3
Registered: ‎11-07-2015

Re: Setting up OpenVPN client in USG

Thanks! That did the trick, I just changed the destination address to only send the traffic for one specific subnet:

 

set service nat rule 5004 destination address 10.0.0.0/16

 

New Member
Posts: 3
Registered: ‎02-17-2016
Kudos: 1

Re: Setting up OpenVPN client in USG

[ Edited ]

Unfortunately for us this did not work.

 

What happens when you add the "solution" here is that you masq all your traffic across the tunnel. It's essentially like clicking "send all traffic" on a vpn client. Which then means we are beholden to the upline on the remote site as our downline here.

 

Trying to change the 0.0.0.0/0 value to the subnet (remote) desired does work for that subnet but it breaks the default route and no traffic will go out the standard ethernet gateway. What needs to happen is a "split tunnel" vpn that will only send the traffic on the routes it pulls. The issue is that the routes pulled into the USG put the 0.0.0.0/1 -> vtun0 above the default route.

 

Does anyone know how this might be doable? The routes pushed from the OpenVPN server do work without any manual NAT rules or masq, but the clients inside the network don't have access to this.

 

Our config is exactly as above.
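
To tell the two situations described in this post apart without eyeballing the table, here is an added example (not code from any of the posts) that parses the text of "show ip route" as printed above and classifies what the OpenVPN server pushed: a split tunnel (only specific prefixes via vtun0) or a full tunnel (0.0.0.0/1 plus 128.0.0.0/1, which is what "redirect-gateway def1" pushes, or 0.0.0.0/0 via vtun0). It also does a longest-prefix lookup so you can see which interface a LAN host's packet to a given address would actually leave on. SPLIT_TABLE is a constructed copy of the routes posted at the top of the thread; FULL_TABLE is the same table with the two /1 routes added, also constructed.

```python
"""Classify a USG/EdgeOS route table as split- or full-tunnel OpenVPN client."""
import ipaddress
import re

# One selected, FIB-installed route line, e.g.
#   S>* 0.0.0.0/0 [210/0] via 192.168.1.1, eth0
#   K>* 10.0.0.0/16 via 10.0.5.217, vtun0
#   C>* 10.0.5.217/32 is directly connected, vtun0
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])(?P<sel>>)?(?P<fib>\*)?\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"(?:\s+\[\d+/\d+\])?\s+"
    r"(?:via\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3})|is directly connected)"
    r",\s*(?P<iface>\S+)\s*$"
)

# Constructed sample: the split-tunnel table posted earlier in the thread.
SPLIT_TABLE = """\
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [210/0] via 192.168.1.1, eth0
K>* 10.0.0.0/16 via 10.0.5.217, vtun0
K>* 10.0.5.129/32 via 10.0.5.217, vtun0
C>* 10.0.5.217/32 is directly connected, vtun0
K>* 10.1.0.0/16 via 10.0.5.217, vtun0
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, eth0
C>* 192.168.2.0/24 is directly connected, eth1
"""

# Constructed sample: same table after a server that pushes redirect-gateway def1.
FULL_TABLE = SPLIT_TABLE + """\
K>* 0.0.0.0/1 via 10.0.5.217, vtun0
K>* 128.0.0.0/1 via 10.0.5.217, vtun0
"""


def parse_routes(text):
    """Parse 'show ip route' output into route dicts.

    Only routes marked '>*' (selected and installed in the FIB) are kept,
    because only those actually forward packets.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m or m.group("sel") != ">" or m.group("fib") != "*":
            continue
        routes.append({
            "code": m.group("code"),
            "prefix": ipaddress.ip_network(m.group("prefix"), strict=False),
            "nexthop": m.group("nexthop"),
            "iface": m.group("iface"),
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the interface the USG would forward dst out of."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r["prefix"] and (best is None or r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    return best["iface"] if best else None


def tunnel_mode(routes, tun="vtun0"):
    """'full' if the tunnel has swallowed the default route (0.0.0.0/1 + 128.0.0.0/1
    or 0.0.0.0/0), 'split' if only specific prefixes point at it, else 'none'."""
    via_tun = {r["prefix"] for r in routes if r["iface"] == tun and r["code"] != "C"}
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    if halves <= via_tun or ipaddress.ip_network("0.0.0.0/0") in via_tun:
        return "full"
    return "split" if via_tun else "none"


if __name__ == "__main__":
    for name, table in (("posted table", SPLIT_TABLE), ("redirect-gateway table", FULL_TABLE)):
        routes = parse_routes(table)
        print(name, "->", tunnel_mode(routes),
              "| 10.1.5.200 via", lookup(routes, "10.1.5.200"),
              "| 8.8.8.8 via", lookup(routes, "8.8.8.8"))
```

On the posted table this reports "split" and sends 10.1.5.200 out vtun0 while 8.8.8.8 still leaves via eth0, which is the point the original poster's ping from the USG already proved: routing on the gateway is fine, so the LAN hosts' failure is not a routing problem. With the two /1 routes present it reports "full" and every destination goes into the tunnel.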

New Member
Posts: 3
Registered: ‎02-17-2016
Kudos: 1

Re: Setting up OpenVPN client in USG

We had an issue doing this because it sent all traffic over the VPN tunnel. The resolution was to add

"route-nopull"

to the config file and then add the configuration below to the USG.

 

Each subnet on the other side of the vpn that needs to be routable needs both an interface-route, and a masquerade rule. This is shown below.

#in configure#
#first add the static interface route#
set protocols static interface-route <remote subnet>/<prefix length> next-hop-interface vtun0

#add the masquerade rule#
set service nat rule <number between 5000-5999> destination address <remote subnet>/<prefix length>
set service nat rule <number between 5000-5999> outbound-interface vtun0
set service nat rule <number between 5000-5999> type masquerade

After that the config will not persist across a reprovision so we must edit the config.gateway.json file on the controller. That is where I've run into issues. My config is pasted below but there is a syntax error that I'm not seeing.

 

{
	"interfaces": {
		"openvpn": {
			"vtun0": {
				"config-file": "/config/openvpn/client.conf"
			}
		}
	},
	"protocols": {
		"static": {
			"interface-route": {
				"172.16.100.0/24": {
					"next-hop-interface": {
						"vtun0": "''"
					}
				}
			}
		}
	},
	"protocols": {
		"static": {
			"interface-route": {
				"10.0.99.0/24": {
					"next-hop-interface": {
						"vtun0": "''"
					}
				}
			}
		}
	},
	"protocols": {
		"static": {
			"interface-route": {
				"192.168.0.0/24": {
					"next-hop-interface": {
						"vtun0": "''"
					}
				}
			}
		}
	},
	"protocols": {
		"static": {
			"interface-route": {
				"10.0.72.0/24": {
					"next-hop-interface": {
						"vtun0": "''"
					}
				}
			}
		}
	},
	"service": {
		"nat": {
			"rule": {
				"5000": {
					"destination": {
						"address": "172.16.100.0/24"
					},
					"outbound-interface": "vtun0",
					"type": "masquerade"
				}
			},
			"rule": {
				"5001": {
					"destination": {
						"address": "10.0.99.0/24"
					},
					"outbound-interface": "vtun0",
					"type": "masquerade"
				}
			},
			"rule": {
				"5002": {
					"destination": {
						"address": "192.168.0.0/24"
					},
					"outbound-interface": "vtun0",
					"type": "masquerade"
				}
			},
			"rule": {
				"5003": {
					"destination": {
						"address": "10.0.72.0/24"
					},
					"outbound-interface": "vtun0",
					"type": "masquerade"
				}
			}
		}
	}
}

Unfortunately there is something wrong with the .json file as it won't load (though it does not cause a boot loop). The config only works if manually entered and will not persist across reboot or reprovision.

 

I would be grateful if anyone could point out my syntax mistake in the above code.


Thanks all!

New Member
Posts: 3
Registered: ‎02-17-2016
Kudos: 1

Re: Setting up OpenVPN client in USG

I've figured out what my issue was here. The syntax was just a little screwy, so I'm posting the corrections here. Hope it helps someone else. The reprovision of the config.gateway.json file works.

 

{
	"interfaces": {
		"openvpn": {
			"vtun0": {
				"config-file": "/config/openvpn/client.conf"
			}
		}
	},
	"protocols": {
		"static": {
			"interface-route": {
				"172.16.100.0/24": {
					"next-hop-interface": {
						"vtun0": "''"
					}
				},
				"10.0.99.0/24": {
					"next-hop-interface": {
						"vtun0": "''"
					}
				},
				"192.168.0.0/24": {
					"next-hop-interface": {
						"vtun0": "''"
					}
				},
				"10.0.72.0/24": {
					"next-hop-interface": {
						"vtun0": "''"
					}
				}
			}
		}
	},
	"service": {
		"nat": {
			"rule": {
				"5000": {
					"destination": {
						"address": "172.16.100.0/24"
					},
					"outbound-interface": "vtun0",
					"type": "masquerade"
				},
				"5001": {
					"destination": {
						"address": "10.0.99.0/24"
					},
					"outbound-interface": "vtun0",
					"type": "masquerade"
				},
				"5002": {
					"destination": {
						"address": "192.168.0.0/24"
					},
					"outbound-interface": "vtun0",
					"type": "masquerade"
				},
				"5003": {
					"destination": {
						"address": "10.0.72.0/24"
					},
					"outbound-interface": "vtun0",
					"type": "masquerade"
				}
			}
		}
	}
}
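
The route-nopull procedure and the corrected config.gateway.json above are the same thing in two notations, and the easiest way to keep them in step is to generate both from one list of remote subnets. The following is an added example, not code from the thread or from Ubiquiti: it emits the EdgeOS "set" commands for the CLI and the equivalent config.gateway.json, and first refuses any remote prefix that overlaps one of the USG's own LANs or another remote prefix, since such a route would pull local traffic into the tunnel. The subnet lists, the NAT rule numbering from 5000 and the openvpn.conf path under /config/user-data are illustrative; the client config itself (with route-nopull) is assumed to exist already.

```python
"""Generate split-tunnel route + masquerade config for a USG OpenVPN client."""
import ipaddress
import json

TUN = "vtun0"
OVPN_CONF = "/config/user-data/openvpn.conf"   # assumed path; survives provisioning
FIRST_RULE = 5000                              # NAT rules numbered 5000-5999

# Constructed sample input: subnets behind the VPN server, and the USG's own LANs.
REMOTE_SUBNETS = ["172.16.100.0/24", "10.0.99.0/24"]
LOCAL_LANS = ["192.168.1.0/24", "192.168.2.0/24"]


def find_overlap(remote, local):
    """Return (a, b) for the first pair of overlapping prefixes, or None."""
    rem = [ipaddress.ip_network(n) for n in remote]
    loc = [ipaddress.ip_network(n) for n in local]
    for i, r in enumerate(rem):
        for lan in loc:
            if r.overlaps(lan):
                return (str(r), str(lan))
        for other in rem[i + 1:]:
            if r.overlaps(other):
                return (str(r), str(other))
    return None


def _checked(remote, local):
    clash = find_overlap(remote, local)
    if clash:
        raise ValueError(f"prefix {clash[0]} overlaps {clash[1]}")
    return [ipaddress.ip_network(n) for n in remote]


def set_commands(remote=REMOTE_SUBNETS, local=LOCAL_LANS):
    """CLI form: one interface-route and one masquerade rule per remote subnet."""
    cmds = [f"set interfaces openvpn {TUN} config-file {OVPN_CONF}"]
    for i, net in enumerate(_checked(remote, local)):
        rule = FIRST_RULE + i
        cmds += [
            f"set protocols static interface-route {net} next-hop-interface {TUN}",
            f'set service nat rule {rule} description "masq to {net} via {TUN}"',
            f"set service nat rule {rule} destination address {net}",
            f"set service nat rule {rule} outbound-interface {TUN}",
            f"set service nat rule {rule} type masquerade",
        ]
    return cmds


def gateway_json(remote=REMOTE_SUBNETS, local=LOCAL_LANS):
    """config.gateway.json form as a dict.

    All routes sit under ONE interface-route object and all NAT rules under
    ONE rule object: a JSON object cannot repeat a key, so one block per
    subnet is not an option.
    """
    nets = _checked(remote, local)
    return {
        "interfaces": {"openvpn": {TUN: {"config-file": OVPN_CONF}}},
        "protocols": {"static": {"interface-route": {
            str(net): {"next-hop-interface": {TUN: "''"}} for net in nets
        }}},
        "service": {"nat": {"rule": {
            str(FIRST_RULE + i): {
                "description": f"masq to {net} via {TUN}",
                "destination": {"address": str(net)},
                "outbound-interface": TUN,
                "type": "masquerade",
            }
            for i, net in enumerate(nets)
        }}},
    }


def gateway_json_text(remote=REMOTE_SUBNETS, local=LOCAL_LANS):
    """Pretty-printed text ready to drop into config.gateway.json."""
    return json.dumps(gateway_json(remote, local), indent=4)


if __name__ == "__main__":
    print("\n".join(set_commands()))
    print(gateway_json_text())
```

Paste the "set" lines into "configure" to test interactively, and put the JSON on the controller so the same config survives a reprovision. The masquerade rules hide the LAN hosts behind the vtun0 address on the remote side, which is what makes this work without any route back to the LAN from the remote network; that is also why the remote site sees only the tunnel address and cannot firewall per LAN host.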
New Member
Posts: 15
Registered: ‎01-30-2017
Kudos: 11

Re: Setting up OpenVPN client in USG

Any way to run openvpn so that you can toggle split-tunneling on and off?

 

 

New Member
Posts: 3
Registered: ‎03-12-2017
Kudos: 1

Re: Setting up OpenVPN client in USG

 

I am stuck at that post. The 3rd part seems difficult.

New Member
Posts: 2
Registered: ‎06-17-2016
Kudos: 1

Re: Setting up OpenVPN client in USG

Ryan,
I don't think there is an easy way to do that unless the gui version gets fixed soon. I know they are working on making the openvpn stuff actually work.
New Member
Posts: 2
Registered: ‎06-17-2016
Kudos: 1

Re: Setting up OpenVPN client in USG

If you are referring to the .json file it is a little difficult to be honest. It will cause a provisioning loop if you don't have the syntax perfect. Just have it checked in a json validator site first and you should be ok.
I use a text editor in plain text to get the copy correct and then I rename the config.gateway.json file to .old if it already exists and then place the new one using vim or sftp.
This config has survived multiple firmware updates and subnet additions. I hope this helps.
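
One caveat on the "check it in a JSON validator" advice: a validator only checks syntax, and a JSON object that repeats a key is syntactically legal. Python's json module, like most parsers, keeps the last value for a repeated key and discards the earlier ones without any error, which is exactly the shape of the first config.gateway.json posted earlier in this thread (several "protocols" blocks and several "rule" blocks). The following is an added example, not code from the thread: a pre-provisioning check that reports both syntax errors and repeated keys, and shows how many interface-routes a last-wins parser would actually keep. BROKEN and FIXED are constructed, shortened versions of the two files posted above.

```python
"""Check a config.gateway.json for syntax errors and silently-dropped duplicate keys."""
import json

# Constructed: two "protocols" blocks and two "rule" blocks, like the first file.
BROKEN = """{
  "protocols": {"static": {"interface-route": {
      "172.16.100.0/24": {"next-hop-interface": {"vtun0": "''"}}}}},
  "protocols": {"static": {"interface-route": {
      "10.0.99.0/24": {"next-hop-interface": {"vtun0": "''"}}}}},
  "service": {"nat": {
    "rule": {"5000": {"destination": {"address": "172.16.100.0/24"},
                      "outbound-interface": "vtun0", "type": "masquerade"}},
    "rule": {"5001": {"destination": {"address": "10.0.99.0/24"},
                      "outbound-interface": "vtun0", "type": "masquerade"}}
  }}
}"""

# Constructed: the same content merged under one key each, like the corrected file.
FIXED = """{
  "protocols": {"static": {"interface-route": {
      "172.16.100.0/24": {"next-hop-interface": {"vtun0": "''"}},
      "10.0.99.0/24": {"next-hop-interface": {"vtun0": "''"}}}}},
  "service": {"nat": {"rule": {
    "5000": {"destination": {"address": "172.16.100.0/24"},
             "outbound-interface": "vtun0", "type": "masquerade"},
    "5001": {"destination": {"address": "10.0.99.0/24"},
             "outbound-interface": "vtun0", "type": "masquerade"}
  }}}
}"""


def duplicate_keys(text):
    """Names of keys repeated within one object, innermost object first.

    Raises json.JSONDecodeError on a plain syntax error, which is the only
    failure an online validator would report.
    """
    dups = []

    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                dups.append(key)
            obj[key] = value          # same last-wins behaviour as the default parser
        return obj

    json.loads(text, object_pairs_hook=hook)
    return dups


def surviving_interface_routes(text):
    """What a last-wins parser actually keeps under protocols/static/interface-route."""
    cfg = json.loads(text)
    return sorted(cfg.get("protocols", {}).get("static", {}).get("interface-route", {}))


def provision_check(text):
    """(ok, reason) for a config.gateway.json candidate."""
    try:
        dups = duplicate_keys(text)
    except json.JSONDecodeError as exc:
        return False, f"syntax error: {exc}"
    if dups:
        return False, "repeated keys, later copies overwrite earlier ones: " + ", ".join(dups)
    return True, "ok"


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        ok, reason = provision_check(text)
        print(f"{name}: {reason}; interface-routes kept: {surviving_interface_routes(text)}")
```

Run it against the file before copying it to the controller: BROKEN passes a syntax check but keeps only one of its two routes, FIXED keeps both. A file that fails the syntax check is the one that causes the provisioning loop mentioned above, so this is worth doing before every edit, not only the first.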
New Member
Posts: 15
Registered: ‎01-30-2017
Kudos: 11

Re: Setting up OpenVPN client in USG

Thanks. That is what I was afraid of. I did create a second vtun1 interface that listens on a different port, but my client doesn't connect to it.
New Member
Posts: 15
Registered: ‎01-30-2017
Kudos: 11

Re: Setting up OpenVPN client in USG

Hi, I've got a "nice" json file, with two openvpn tunnels terminating, a split tunnel on vtun0 and a full tunnel on vtun1. They are both listening on different ports. Sadly, the second one never replies to client requests. I have zero idea why.

New Member
Posts: 3
Registered: ‎01-08-2017
Kudos: 2

Re: Setting up OpenVPN client in USG

There seems to be a "VPN Client" option in the Controller GUI, under networks.

 

How does one use this without SSH'ing into the USG device itself?

 

Many thanks in advance!

Member
Posts: 298
Registered: ‎06-16-2017
Kudos: 204
Solutions: 6

Re: Setting up OpenVPN client in USG

Ok, thank you all for this nice thread. I got it working without masquerading which is not ideal in this case, at least not for me, because masquerading hides the actual source on the remote lan and limits firewalling.

 

Before I show you the solution, a few notes:

1. use the directory /config/user-data/ to place the openvpn.conf and all the cert, key, crt, etc. files. This is considered safe and should persist between provisions and firmware upgrades;

2. I could only find the solution by adding a Site-to-Site OpenVPN client using the WebUI (on version 5.6.19) and then checking the config.boot file on the USG to see what config parameters were added. So if the instructions below do not work for you, you could take clues from this approach.

 

The solution:

Forget all static routes and masquerading. All you need is to have the OpenVPN server push the routes to the USG and then this in your config.gateway.json:

 

{
	"interfaces": {
		"openvpn": {
			"vtun0": {
				"firewall": {
					"in": {
						"name": "LAN_IN"
					},
					"local": {
						"name": "LAN_LOCAL"
					},
					"out": {
						"name": "LAN_OUT"
					}
				},
				"config-file": "/config/user-data/openvpn.conf"
			}
		}
	}
}

 

This thing took some 5 hours out of my life, hopefully I will save you some hours. I used "topology subnet" on the server.

 

Explanation for why it works now:

The vtun0 interface does not belong to any of the WAN IN, LAN IN, etc. firewall rules if it is not explicitly added there with the parameters in the text above. Once you add it to LAN IN, LAN OUT, LAN LOCAL, all the default firewalling rules will take effect on the vtun0 interface and it will work just like the other LAN interfaces.

 

By the way, pay attention to the MTU of your OpenVPN connection; if you get strange packet loss, try to reduce the MTU to MTU-40 and see if it works. If on PPPoE do MTU-60. The conf option mssfix in openvpn.conf is responsible for MTU:

mssfix 1420

 

This is necessary because the USG will not use its usual tricks to find out the right MTU on your manual VPN interface, so you must take care of it yourself.

 

 

Member
Posts: 298
Registered: ‎06-16-2017
Kudos: 204
Solutions: 6

Re: Setting up OpenVPN client in USG

Interesting, I had a non-working OpenVPN site-to-site tunnel but when I deleted it (I created only to see how it was changing the configuration of the USG), I lost connectivity to remote site. So off I went and figured there was more to it than what I wrote in the previous post.

 

Here is the final file that is working even after I removed the OpenVPN site-to-site I had created using the Web interface:

 

Notes: replace the remote subnet 10.0.0.0/14 with what suits you

 

{
	"firewall": {
		"group": {
			"network-group": {
				"remote_site_vpn_network": {
					"network": [
						"10.0.0.0/14"
					]
				}
			}
		}
	},
	"interfaces": {
		"openvpn": {
			"vtun0": {
				"firewall": {
					"in": {
						"name": "LAN_IN"
					},
					"local": {
						"name": "LAN_LOCAL"
					},
					"out": {
						"name": "LAN_OUT"
					}
				},
				"config-file": "/config/user-data/openvpn.conf"
			}
		}
	}
}
New Member
Posts: 3
Registered: ‎01-20-2016

Re: Setting up OpenVPN client in USG

mbello,

Disclaimer: I am a prosumer who uses Unifi for its mesh connectivity in my Faraday cage house.  I am not a networking professional (which will be obvious from my post).

 

Thanks for your guidance.  I was able to get NordVPN working on the USG.  My download/upload speeds are terrible considering I have Google Fiber.  They seem to consistently top out at 8 Mbps (wired) versus 30 Mbps to 200 Mbps using their dedicated app for my wired iMac.  When I run show interfaces openvpn detail I get lots of dropped packets under TX.  I also used

https://community.ubnt.com/t5/UniFi-Routing-Switching/Routing-traffic-from-one-sub-net-VLAN-to-NordV...

to get it working.

 

I changed the parameter tun-mtu in the NordVPN file to 40 and 60 as shown in your example.  Those were terrible.  I increased it from 1500 (default) and also changed the mssfix value to 1420.  Again results were worse.

 

I emailed NordVPN as well.

 

Do you have any other suggestions?

 

Thank you for your time.

 

New Member
Posts: 25
Registered: ‎05-24-2016
Kudos: 1
Solutions: 1

Re: Setting up OpenVPN client in USG

@mbello,

 

Amazing write up! Thanks for the additional detail.

 

To the best of my knowledge I've done everything you said and my local clients on the LAN still cannot ping. I validated the json, I validated the reprovision worked (using configure->show interfaces openvpn) and everything looks as expected. But nothing on LAN can ping through the USG.

 

# show interfaces openvpn
openvpn vtun0 {
    config-file /config/user-data/openvpn.ovpn
    firewall {
        in {
            name LAN_IN
        }
        local {
            name LAN_LOCAL
        }
        out {
            name LAN_OUT
        }
    }
}

Now I can ping from the USG to my VPN server

 

USG# ping 192.168.254.1
PING 192.168.254.1 (192.168.254.1) 56(84) bytes of data.
64 bytes from 192.168.254.1: icmp_req=1 ttl=64 time=94.0 ms
64 bytes from 192.168.254.1: icmp_req=2 ttl=64 time=79.9 ms
64 bytes from 192.168.254.1: icmp_req=3 ttl=64 time=70.7 ms
64 bytes from 192.168.254.1: icmp_req=4 ttl=64 time=65.5 ms
64 bytes from 192.168.254.1: icmp_req=5 ttl=64 time=71.7 ms
^C
--- 192.168.254.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 65.561/76.437/94.081/9.955 ms 

 

That seems to show the proper config of your most recent setup. And that output comes from the USG itself, so provisioning worked. But my LAN can't ping the other side.

 

LAPTOP$ ping 192.168.254.1
PING 192.168.254.1 (192.168.254.1) 56(84) bytes of data.
^C
--- 192.168.254.1 ping statistics ---
204 packets transmitted, 0 received, 100% packet loss, time 210486ms

 

New Member
Posts: 1
Registered: ‎12-28-2017

Re: Setting up OpenVPN client in USG

@cryptothief

 

Hi,

 

Any luck with that?

 

Having the same issue: from the USG, connection to hosts on the other side of the tunnel works, but not from any client in the local LAN.

 

Cheers