New Member
Posts: 14
Registered: ‎12-22-2015
Kudos: 14
Solutions: 1

USG Route VLAN over OpenVPN client


There are a lot of posts related to this topic - with a lot of folks running into problems.  Perhaps my notes will help.

 

The intent is to have a separate network - both WiFi and Ethernet - that will be routed to the Internet via a private VPN.  In my particular case, I'm using ExpressVPN - but any other reasonable VPN (Nord for example) would be the same.  Hence anything I plug into specified ports on my wired network will be routed to the internet via this VPN, and anything connected to a particular WiFi network will be as well.  All other normal traffic remains unaffected and is simply routed to the Internet via my usual ISP connection.

 

First, use the controller's GUI to create a new 'corporate' network and assign it a VLAN ID of 101.

 

Screen Shot 2017-11-20 at 5.21.31 PM.png

 

Note that I've chosen a network that is outside my normal LAN - in this case 192.168.2.1/24 with an appropriate DHCP server and scope.

 

Note that by default the USG will be servicing DNS requests (indicated by "DHCP Name Server = Auto").  The result is that client DNS queries will go to the USG.  If the entry is cached, the USG will respond.  If not, the USG will forward the query to external nameservers for resolution.  This is important to note as it is the USG that will be making the internet-facing DNS query - and not the client itself.  Therefore when we later create our source routing rules, DNS queries will NOT go via the VPN.

 

For some, this may not be a problem.  However, if privacy is really a concern, then a LOT can be learned by just snooping DNS queries.  Hence consider changing to a "DHCP Name Server = Manual" for the "private" subnet and entering the DNS servers specified by your VPN provider.

 

Next, create a new wireless network and assign it to VLAN 101 as well.  Note that the network name in the previous step and the SSID below can be anything you wish.

 

Screen Shot 2017-11-20 at 5.24.13 PM.png

 

At this point you'll want to make sure that any managed switch ports connecting the USG to APs are configured as 'trunks' - or able to pass 'all' VLAN IDs.  If you're using a UniFi switch, the default configuration will be to only allow the "LAN" network onto each port.

 

Allow these changes to provision and then test to ensure you can connect to the new wireless network and still reach the Internet as you normally would.

  

That's all we can do via the controller's UI - so now it's time to ssh to the USG itself.

 

As of the time of this writing, there is no web GUI based means of creating an OpenVPN client on the USG.  Fortunately, it's not that hard.  Transfer the OpenVPN configuration file to the USG using your favorite method - usually the files are small enough that you can just copy/paste the contents right into a file being edited within your ssh session (a tutorial on vi or whatever editor you prefer is left to the reader).

 

Name the file something logical - in my case ExpressVPN.ovpn - and place it in the /config/user-data directory.  It's important to use this directory as its contents will persist across re-provisioning.

 

Two small changes will be required to most OpenVPN config files.  First, we need to add:

 

 

route-nopull

 

Most VPN services will push routes to the client that direct all traffic over the tunnel.  Very typically, this is done by adding 2 routes - 0.0.0.0/1 and 128.0.0.0/1 - both via the tunnel.  This works because the higher the mask, the higher the priority in the routing table.  I.e. 0.0.0.0/1 is more specific and therefore is processed before 0.0.0.0/0 (the default route likely pointing out the normal WAN interface).  Because 0.0.0.0/1 only matches half of all IPv4 addresses, a second route of 128.0.0.0/1 is also added to cover the other half.  Inserting a 'route-nopull' into the openvpn configuration file instructs openvpn to NOT get routes from the server.

 

The second change required is to move the userid/password from this config file to a separate txt file.  Look for the following line in your ovpn config file:

 

auth-user-pass

and replace it with:

 

auth-user-pass /config/user-data/ExpressVPN.txt

This new file (which you must create) should have only 2 lines - your username on the first line, and your password on the second.

 

Now you can configure the OpenVPN interface and test the connection.  To make changes on the USG's command line, you need to use the 'configure' interface - accessed by simply typing:

 

configure

 

set interfaces openvpn vtun0 config-file /config/user-data/ExpressVPN.ovpn

 

Whenever changes are complete and you want to apply them to the running configuration, simply type:

 

commit;exit

At this point, it's useful to make sure your new VPN is working.

 

show interfaces openvpn 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
vtun0        10.x.x.154                      u/u           

Note that the status is "u/u" - meaning that the interface is 'up' and 'linked'.  You can also take a look at the routing table and confirm everything is as it should be:

 

show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 75.x.x.1, eth2
C>* 10.30.27.185/32 is directly connected, vtun0
C>* 75.x.x.0/24 is directly connected, eth2
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.2.0/24 is directly connected, eth0.101
C>* 192.168.14.0/23 is directly connected, eth0

 

Note here that there's a single default route (0.0.0.0/0) to the ISP via the WAN interface (eth2), and just the IP of the "tun" mode VPN (i.e. layer 3).

 

Now we need to build a static routing table that points to our new VPN interface:

 

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

 

Next we need to define our routing policy.  We want to match any traffic from subnet 192.168.2.0/24 and send it into the new routing table we've just created:

 

set firewall modify SOURCE_ROUTE rule 10 description 'Route all traffic from eth0.101 to VPN'
set firewall modify SOURCE_ROUTE rule 10 action modify
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.2.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1

Note that the interface name for the VLAN is in the description for reference - 'eth0.101'.  You'll need to verify the name of your LAN interface using:

 

show interfaces ethernet 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                
eth0         192.168.14.254/23                 u/u                             
eth0.101     192.168.2.1/24                    u/u                     

In the case of a USG Pro 4, there are 4 ethernet interfaces and by default, the normal LAN is on eth0.  The original USG I believe had LAN on eth1.

 

Other than the description, there are only 2 real lines of configuration here.  The first dictates what we want to match for this policy.  In this case, we want the entire subnet assigned to VLAN 2 to be matched.  However, you could use other patterns:

 

set firewall modify SOURCE_ROUTE rule 10 source address                
Possible completions:
  <x.x.x.x>	IP address to match
  <x.x.x.x/x>	Subnet to match
  <x.x.x.x>-<x.x.x.x>
  		IP range to match
  !<x.x.x.x>	Match everything except the specified address
  !<x.x.x.x/x>	Match everything except the specified subnet
  !<x.x.x.x>-<x.x.x.x>
  		Match everything except the specified range

The second line of configuration indicates that matching traffic should be directed to routing 'table 1'.

 

Note that 'table 1' created earlier has only one entry - a default route heading out the VPN.  The result is that there is no provision for the 192.168.2.0/24 subnet to communicate with the regular LAN.  If you need clients on this network to communicate with the rest of your LAN (rather than just the internet via a VPN), then we need to add a second entry to 'table 1':

 

set protocols static table 1 interface-route 192.168.14.0/23 next-hop-interface eth0

 

 

Now we need to attach the new policy we created to the VLAN interface:

 

set interfaces ethernet eth0 vif 101 firewall in modify SOURCE_ROUTE

Finally, we need to masquerade addresses heading out over VPN as in this case, it is directly to the Internet.  Obviously if your VPN terminated to another private site, you wouldn't need to do this (but you would still need a means of routing '192.168.2.0/24' traffic back from the other end).

 

set service nat rule 5004 description "masq to vpn vtun0"
set service nat rule 5004 destination address 0.0.0.0/0
set service nat rule 5004 outbound-interface vtun0
set service nat rule 5004 type masquerade

That's it.  At this point if you are connected to the ExpressVPN wireless network or to the ExpressVPN ethernet network, all traffic will be routed to the Internet over the VPN.  If not, traffic will go direct via your regular ISP connection unaffected.

 

Below is the json that can be merged with whatever else you have going on in your custom config.

 

 

{
  "firewall": {
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "10": {
            "action": "modify",
            "description": "route vlan 101 to ExpressVPN",
            "modify": {
              "table": "1"
            },
            "source": {
              "address": "192.168.2.0/24"
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth0": {
        "vif": {
          "101": {
            "address": [
              "192.168.2.1/24"
            ],
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              }
            }
          }
        }
      }
    },
    "openvpn": {
      "vtun0": {
        "config-file": "/config/user-data/ExpressVPN.ovpn"
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "1": {
          "interface-route": {
            "192.168.14.0/23": {
              "next-hop-interface": {
                "eth0": "''"
              }
            },
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun0": "''"
              }
            }
          }
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "5004": {
          "description": "masq to vpn vtun0",
          "destination": {
            "address": "0.0.0.0/0"
          },
          "outbound-interface": "vtun0",
          "type": "masquerade"
        }
      }
    }
  }
}

 
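The two edits to the provider's .ovpn file described in the post above (add route-nopull, move the credentials into a separate file) are easy to get subtly wrong by hand, so here is an added example that does them mechanically. This is editor-supplied code, not the original poster's or Ubiquiti's; the sample .ovpn text, the `vpn.example.net` remote and the credential file path are constructed for illustration. Two points it handles that the post only implies: a `redirect-gateway` line in the local file is still honoured even with route-nopull (it would pull the whole site into the tunnel), so it is dropped; and the credentials file is created with mode 0600 from the start rather than chmod'ed afterwards.

```python
"""Prepare a provider's .ovpn for use as a USG OpenVPN client (added example).

Adds 'route-nopull' so the server's pushed 0.0.0.0/1 and 128.0.0.0/1 routes
(and pushed DNS/dhcp options) are ignored, and moves the username/password
out of the .ovpn into a root-only file. Sample config and paths are made up.
"""
import os
import re
import stat
import tempfile

AUTH_RE = re.compile(r"^auth-user-pass(\s+\S+)?$")


def prepare_ovpn(ovpn_text, cred_path):
    """Return (rewritten_config, notes). Idempotent: re-running it on its own
    output changes nothing."""
    out, notes = [], []
    have_nopull = have_auth = False
    for line in ovpn_text.splitlines():
        s = line.strip()
        if s.startswith(("#", ";")):        # comments pass through untouched
            out.append(line)
            continue
        if s == "route-nopull":
            have_nopull = True
        elif AUTH_RE.match(s):
            # A bare 'auth-user-pass' makes OpenVPN prompt, which the USG
            # cannot answer; point it at the credentials file instead.
            line = f"auth-user-pass {cred_path}"
            have_auth = True
        elif s.startswith("redirect-gateway"):
            # A *local* redirect-gateway is applied even with route-nopull,
            # which would drag every network on the USG into the tunnel.
            notes.append(f"removed local '{s}'")
            continue
        out.append(line)
    if not have_auth:
        notes.append("no auth-user-pass directive found; credentials file is unused")
    if not have_nopull:
        out.append("route-nopull")
    return "\n".join(out) + "\n", notes


def write_credentials(cred_path, username, password):
    """Write the 2-line credentials file, mode 0600 from creation (no window
    where a world-readable file holds the password). Returns the final mode."""
    fd = os.open(cred_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{username}\n{password}\n")
    os.chmod(cred_path, 0o600)           # tighten perms if the file pre-existed
    return oct(stat.S_IMODE(os.stat(cred_path).st_mode))


# Constructed sample: the kind of file a provider hands out.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
# provider comment
auth-user-pass
redirect-gateway def1
cipher AES-256-CBC
verb 3
"""


def demo(workdir=None):
    """Run the whole procedure into a scratch directory (on the USG this would
    be /config/user-data). Returns (config_text, notes, cred_mode, cred_contents)."""
    d = workdir or tempfile.mkdtemp()
    cred = os.path.join(d, "ExpressVPN.txt")
    text, notes = prepare_ovpn(SAMPLE_OVPN, cred)
    with open(os.path.join(d, "ExpressVPN.ovpn"), "w") as f:
        f.write(text)
    mode = write_credentials(cred, "vpnuser", "s3cret")
    with open(cred) as f:
        contents = f.read()
    return text, notes, mode, contents


if __name__ == "__main__":
    cfg, notes, mode, _ = demo()
    print(cfg)
    print("notes:", notes, "credentials mode:", mode)
```

Copy the resulting .ovpn and .txt into /config/user-data on the USG; the rest of the post's `set interfaces openvpn vtun0 config-file ...` step is unchanged.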

New Member
Posts: 3
Registered: ‎12-20-2017

Re: USG Route VLAN over OpenVPN client

Thanks for that @RFehr !!   I'm not sure if I've made some mistake in transcribing your instructions, my USG 3P and its version behave somewhat differently (besides the port differences, which I substituted for), or there are typos in your instructions, but things aren't working for me when I try to follow in your footsteps.

 

What's working for me:

  • My added VLAN network is hooked up fine to my additional WLAN as verified by joining the latter, getting a DHCP-assigned IP, and then being able to browse the internet as usual.
  • The OpenVPN tunnel connects from the USG to my provider as checked by the "show interfaces openvpn" resulting in "U/U", the "show ip route" results having the expected entry to reach the VPN provider, and my provider's website showing the OpenVPN connection as valid.

However, when I go through the next steps to connect the two, using appropriate substitutions for my 3P's interfaces and my local IP ranges, things break down.   I tried putting in all the manual "set" statements, committing them (no errors shown), exiting (no errors), and then "cat /config/config.boot" to see that they were all stored.  But:

  • I don't have a SOURCE_ROUTE entry under "firewall"
  • The "protocols" section doesn't contain a "table 1"
  • The "services" "nat" section doesn't contain anything but the default rules (6001-6003).  Explicitly my added rule 5004 doesn't show up.

Would you expect any differences between whatever USG device you have and a USG 3P on latest firmware (4.4.12.5032482) to respond differently or need different syntax when doing the "set" statements?  As a possible point of illustration, when I look at my /config/config.boot, it doesn't contain JSON with the same structure as you show for your config.gateway.json -- "vif 101" instead of "vif" : "101".   

 

If so, is there any convenient place to lookup the changes that I would need to make?

 

Alternatively, could you double-check your notes and make sure you don't have any typos in the below "set" lines?  Or in what needs to be done AFTER committing those lines?   For example, do I need to reboot the USG for the changes to take effect or something like that?

 

I'll keep trying to figure this out.   Would just like to double-check with you as I do.

New Member
Posts: 3
Registered: ‎12-20-2017

Re: USG Route VLAN over OpenVPN client

After a few more hours of trying things out, I have my routed VLAN through USG running OpenVPN working.   I had some typos in what I'd run, but I also figured out that "cat /config/config.boot" doesn't show the same level of detail as "show configuration" does.   When I did the latter, I saw all the results of the "set" commands and found my typos.

 

Thanks again!

New Member
Posts: 1
Registered: ‎05-02-2017

Re: USG Route VLAN over OpenVPN client

Thank you very much. 

 

This is exactly what I was looking for.

I use it with AirVPN and it works great!!!!

New Member
Posts: 1
Registered: ‎07-07-2018

Re: USG Route VLAN over OpenVPN client

Thanks for the post. This was very helpful. I set it up to VPN to the UK so that I can watch BBC iPlayer. I set up manual DNS server addresses in the VLAN, but still this VPN connection is leaking DNS (as tested with dnsleaktest.com). The VLAN for this VPN connection still uses my ISP's DNS settings and BBC iPlayer doesn't work because of this. How do we make sure the manual DNS entries *really* work for the VLAN?
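The DNS leak asked about above, and the route-nopull / source-routing mechanics in the original post, both come down to which routing table a packet is looked up in and who the packet's source address is. The following is an added example (editor-supplied, not from any poster) that models the USG's decision in a few lines: local table first, then the SOURCE_ROUTE rule diverting matching sources to table 1, then longest-prefix match in whichever table applies. The addresses mirror the tutorial (VLAN 101 = 192.168.2.0/24, LAN 192.168.14.0/23 on eth0, WAN on eth2, tunnel vtun0); the WAN prefix 203.0.113.0/24 and the resolver addresses are made up, and nothing here touches a real router. It shows why, with "DHCP Name Server = Auto", a client's query is answered by the USG and re-sent from the USG's own address, which the source rule never matches, so the upstream query leaves via the WAN even though the client's other traffic goes through the tunnel.

```python
"""Model of the USG's policy-routing decision (added example, constructed data)."""
from ipaddress import ip_address, ip_network

# Addresses the USG itself owns: the kernel's 'local' table is consulted first.
USG_ADDRS = {"192.168.2.1", "192.168.14.254", "203.0.113.42", "10.30.27.185"}
WAN_IP = "203.0.113.42"

MAIN = [                       # 'show ip route' with route-nopull in place
    ("0.0.0.0/0", "eth2"),
    ("10.30.27.185/32", "vtun0"),
    ("203.0.113.0/24", "eth2"),
    ("192.168.2.0/24", "eth0.101"),
    ("192.168.14.0/23", "eth0"),
]
# The same table if the provider's pushed routes had been accepted.
MAIN_PUSHED = MAIN + [("0.0.0.0/1", "vtun0"), ("128.0.0.0/1", "vtun0")]

TABLE1 = {1: [("0.0.0.0/0", "vtun0")]}
TABLE1_WITH_LAN = {1: [("0.0.0.0/0", "vtun0"), ("192.168.14.0/23", "eth0")]}
RULES = [("192.168.2.0/24", 1)]          # firewall modify SOURCE_ROUTE rule 10


def lookup(table, dst):
    """Longest-prefix match: 0.0.0.0/1 (prefix length 1) beats 0.0.0.0/0."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress(src, dst, main=MAIN, rules=RULES, tables=TABLE1):
    """Interface a packet src->dst leaves on. Order as in the kernel: local
    table, then the mark rule (table 1), then main if table 1 has no route."""
    if str(ip_address(dst)) in USG_ADDRS:
        return "local"
    for match_net, table_id in rules:
        if ip_address(src) in ip_network(match_net):
            hit = lookup(tables[table_id], dst)
            if hit:
                return hit
            break
    return lookup(main, dst)


def dns_egress(client, resolver, mode, **kw):
    """Where a VLAN client's DNS query actually leaves the box.
    'auto'   : DHCP Name Server = Auto. The client asks the USG (local), and the
               USG's forwarder re-sends the query from its own address, which
               the source rule does not match. Returns (client hop, USG hop).
    'manual' : the client was handed the provider's resolver and asks it directly."""
    if mode == "auto":
        return egress(client, "192.168.2.1", **kw), egress(WAN_IP, resolver, **kw)
    return egress(client, resolver, **kw), None


if __name__ == "__main__":
    print("no route-nopull, LAN client  :", egress("192.168.14.10", "8.8.8.8", main=MAIN_PUSHED))
    print("route-nopull, LAN client     :", egress("192.168.14.10", "8.8.8.8"))
    print("route-nopull, VLAN 101 client:", egress("192.168.2.50", "8.8.8.8"))
    print("VLAN 101 -> LAN, table 1 only:", egress("192.168.2.50", "192.168.14.10"))
    print("VLAN 101 -> LAN, with LAN rt :", egress("192.168.2.50", "192.168.14.10", tables=TABLE1_WITH_LAN))
    print("DNS, Name Server = Auto      :", dns_egress("192.168.2.50", "8.8.8.8", "auto"))
    print("DNS, Name Server = Manual    :", dns_egress("192.168.2.50", "10.8.0.1", "manual"))
```

The practical consequences: the manual DNS setting only helps if the clients really receive it (renew the lease and check the resolver the client is using), and a policy rule that matches on source address can never catch queries the USG's own forwarder originates.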
New Member
Posts: 2
Registered: ‎07-17-2018

Re: USG Route VLAN over OpenVPN client

Hi,

 

first of all thanks for the tutorial.

 

Unfortunately I can't get it to work properly. :-(

 

Everything is setup just as you said, but when a VLAN-connected client tries to open a website through the VPN, I always see the message "martian source 192.168.30.50 from <IP>, on dev vtun0" inside /var/log/messages

I also see the "masquerade" rules are getting hit.

 

My "config.gateway.json" can be found at the bottom of this post.

 

It would be awesome if someone can help me through this.

 

eth1.3000 is my VPN-VLAN.

 

config.gateway.json:

{
  "firewall": {
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "10": {
            "action": "modify",
            "description": "route vlan 3000 to VPN",
            "modify": {
              "table": "1"
            },
            "source": {
              "address": "192.168.30.0/24"
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth1": {
        "vif": {
          "3000": {
            "address": [
              "192.168.30.1/24"
            ],
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              }
            }
          }
        }
      }
    },
    "openvpn": {
      "vtun0": {
        "config-file": "/config/user-data/vpn.ovpn"
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "1": {
          "interface-route": {
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun0": "''"
              }
            }
          }
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "1001": {
          "description": "DNS Redirect",
          "destination": {
            "address": "!192.168.7.6",
            "port": "53"
          },
          "inbound-interface": "eth1",
          "inside-address": {
            "address": "192.168.7.6"
          },
          "log": "disable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "1002": {
          "description": "DNS Redirect",
          "destination": {
            "address": "!192.168.7.6",
            "port": "53"
          },
          "inbound-interface": "eth1.500",
          "inside-address": {
            "address": "192.168.7.6"
          },
          "log": "disable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "1003": {
          "description": "DNS Redirect",
          "destination": {
            "address": "!192.168.7.6",
            "port": "53"
          },
          "inbound-interface": "eth1.600",
          "inside-address": {
            "address": "192.168.7.6"
          },
          "log": "disable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "1004": {
          "description": "DNS Redirect",
          "destination": {
            "address": "!192.168.7.6",
            "port": "53"
          },
          "inbound-interface": "eth1.700",
          "inside-address": {
            "address": "192.168.7.6"
          },
          "log": "disable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "1005": {
          "description": "DNS Redirect",
          "destination": {
            "address": "!192.168.7.6",
            "port": "53"
          },
          "inbound-interface": "eth1.1000",
          "inside-address": {
            "address": "192.168.7.6"
          },
          "log": "disable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "1006": {
          "description": "DNS Redirect",
          "destination": {
            "address": "!192.168.7.6",
            "port": "53"
          },
          "inbound-interface": "eth1.2000",
          "inside-address": {
            "address": "192.168.7.6"
          },
          "log": "disable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "5004": {
          "description": "masq to vpn vtun0",
          "destination": {
            "address": "0.0.0.0/0"
          },
          "log": "disable",
          "outbound-interface": "vtun0",
          "type": "masquerade"
        }
      }
    }
  }
}

 

Thanks

New Member
Posts: 2
Registered: ‎04-01-2018

Re: USG Route VLAN over OpenVPN client

I just started having an issue with this config after the last round of cloud / firmware releases and found this article. Take a look at your source-validation settings and change it if it is set to strict. This should get your VPN back up and running.

 

 

https://help.ubnt.com/hc/en-us/articles/360005460813-UniFi-USG-Advanced-Policy-Based-Routing-#4

New Member
Posts: 1
Registered: ‎04-12-2018

Re: USG Route VLAN over OpenVPN client

Hello,

 

I tried the tutorial, but it did not work for me. I tried to roll back everything, but I receive the following error message:

 

 

Device name: Gateway

Site: Default

Message: Gateway[XX:XX:XX:XX:XX:XX] Configuration Commit Error. Error message: { "DELETE" : { "failure" : "0" , "success" : "1"} , "SESSION_ID" : "b32eb9e1a1cfde538456aa70b2" , "SET" : { "error" : { "interfaces ethernet eth1 vif 101 address 10.0.10.0/24" : "Can not assign network address as IP address\n\n?0\nValue validation failed\n"} , "failure" : "1" , "success" : "1"}}

In the list of Ethernet Interfaces eth1.101 is also still listed.

 

Has anyone an idea how to solve the problem?

New Member
Posts: 28
Registered: ‎01-10-2014
Kudos: 281

Re: USG Route VLAN over OpenVPN client

Here is a YouTube video to walk you through it. This guide was used to make the video, but there are a few updates to the process.

 

https://youtu.be/_5hvuaNfptQ

 

New Member
Posts: 3
Registered: ‎08-29-2018

Re: USG Route VLAN over OpenVPN client

This might be me, but how is the static route working for the default route?

 

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

 

You cannot have two default routes in table 1; you will always have one from your ISP, so you cannot add another one.

 

Even when I try adding it to another table, it doesn't work?

 

is table 1 the default route table ?

 

any ideas

Emerging Member
Posts: 292
Registered: ‎09-23-2018
Kudos: 34
Solutions: 14

Re: USG Route VLAN over OpenVPN client

If I wanted to create a VPN to another location, I would have to download those respective files, and repeat this process again for the other location? Am I able to have multiple VPN locations on the USG?

 

E.G.: Have one network pointing to a US VPN and a second network pointing to a UK VPN? Am I able to have both within the same config file? Or would I have to overwrite my config to use a second location?

 

Something like below (added vtun1 on 192.168.3.0/24)

 

 

{
  "firewall": {
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "10": {
            "action": "modify",
            "description": "route vlan 101 to ExpressVPN (vtun0)",
            "modify": {
              "table": "1"
            },
            "source": {
              "address": "192.168.2.0/24"
            }
          },
          "20": {
            "action": "modify",
            "description": "route vlan 102 to ExpressVPN2 (vtun1)",
            "modify": {
              "table": "2"
            },
            "source": {
              "address": "192.168.3.0/24"
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth0": {
        "vif": {
          "101": {
            "address": [
              "192.168.2.1/24"
            ],
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              }
            }
          },
          "102": {
            "address": [
              "192.168.3.1/24"
            ],
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              }
            }
          }
        }
      }
    },
    "openvpn": {
      "vtun0": {
        "config-file": "/config/user-data/ExpressVPN.ovpn"
      },
      "vtun1": {
        "config-file": "/config/user-data/ExpressVPN2.ovpn"
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "1": {
          "interface-route": {
            "192.168.14.0/23": {
              "next-hop-interface": {
                "eth0": "''"
              }
            },
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun0": "''"
              }
            }
          }
        },
        "2": {
          "interface-route": {
            "192.168.14.0/23": {
              "next-hop-interface": {
                "eth0": "''"
              }
            },
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun1": "''"
              }
            }
          }
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "5004": {
          "description": "masq to vpn vtun0",
          "destination": {
            "address": "0.0.0.0/0"
          },
          "outbound-interface": "vtun0",
          "type": "masquerade"
        },
        "5005": {
          "description": "masq to vpn vtun1",
          "destination": {
            "address": "0.0.0.0/0"
          },
          "outbound-interface": "vtun1",
          "type": "masquerade"
        }
      }
    }
  }
}

 
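The multi-tunnel question above is the general case of the config.gateway.json in the original post: each VPN-routed VLAN needs its own firewall-modify rule, its own routing table with a default via its own vtunN, and its own masquerade rule, and the per-VLAN pieces must not be cross-wired (a rule that sends VLAN 102 to table 1 still goes out vtun0). The following added example generates that JSON for N tunnels; it is editor-supplied, not Ubiquiti's tool or any poster's script. It keeps the tutorial's conventions (rule 10/20/..., table 1/2/..., NAT rule 5004/5005/..., the LAN_IN ruleset name, LAN 192.168.14.0/23 on eth0; adjust these for your site) and refuses a vif address that is the subnet's network address, which is what the "Can not assign network address as IP address" commit error earlier in the thread is complaining about. The two-VLAN input at the bottom is constructed.

```python
"""Generate config.gateway.json for one or more VPN-routed VLANs (added example)."""
import json
from ipaddress import ip_interface


def host_interface(cidr):
    """The vif address must be the USG's own host address inside the subnet,
    e.g. 192.168.2.1/24, not 192.168.2.0/24 (the USG rejects the latter)."""
    iface = ip_interface(cidr)
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{cidr}: use the USG's host address "
                         f"(e.g. {net[1]}/{net.prefixlen}), not the network/broadcast address")
    return iface


def build_config_gateway(tunnels, lan_iface="eth0", lan_prefix="192.168.14.0/23",
                         reach_lan=True, lan_ruleset="LAN_IN"):
    """tunnels: list of {vlan, address, vtun, ovpn}. Returns the config as a dict.
    Tunnel i gets rule 10*(i+1), table i+1 and NAT rule 5004+i (kept below the
    controller's own 6001-6003 rules, as in the thread)."""
    rules, vifs, openvpn, tables, nat = {}, {}, {}, {}, {}
    seen = set()
    for i, t in enumerate(tunnels):
        vlan, vtun = str(t["vlan"]), t["vtun"]
        if vlan in seen or vtun in seen:
            raise ValueError(f"duplicate VLAN or tunnel name: {vlan}/{vtun}")
        seen.update((vlan, vtun))
        iface = host_interface(t["address"])
        table, rule, nat_id = str(i + 1), str(10 * (i + 1)), str(5004 + i)
        # Policy: match this VLAN's subnet by source and divert it to its own table.
        rules[rule] = {
            "action": "modify",
            "description": f"route vlan {vlan} to {vtun}",
            "modify": {"table": table},
            "source": {"address": str(iface.network)},
        }
        vifs[vlan] = {
            "address": [str(iface)],
            "firewall": {"in": {"modify": "SOURCE_ROUTE", "name": lan_ruleset}},
        }
        openvpn[vtun] = {"config-file": t["ovpn"]}
        # Table i+1: default via this tunnel, plus a LAN route so the tunnel's
        # default does not swallow VLAN-to-LAN traffic.
        routes = {"0.0.0.0/0": {"next-hop-interface": {vtun: "''"}}}
        if reach_lan:
            routes[lan_prefix] = {"next-hop-interface": {lan_iface: "''"}}
        tables[table] = {"interface-route": routes}
        nat[nat_id] = {
            "description": f"masq to vpn {vtun}",
            "destination": {"address": "0.0.0.0/0"},
            "outbound-interface": vtun,
            "type": "masquerade",
        }
    return {
        "firewall": {"modify": {"SOURCE_ROUTE": {"rule": rules}}},
        "interfaces": {"ethernet": {lan_iface: {"vif": vifs}}, "openvpn": openvpn},
        "protocols": {"static": {"table": tables}},
        "service": {"nat": {"rule": nat}},
    }


def render(cfg):
    """JSON text ready to be merged into the controller's config.gateway.json."""
    return json.dumps(cfg, indent=2, sort_keys=True)


# Constructed input: two VLANs, each through its own tunnel.
TUNNELS = [
    {"vlan": 101, "address": "192.168.2.1/24", "vtun": "vtun0",
     "ovpn": "/config/user-data/ExpressVPN.ovpn"},
    {"vlan": 102, "address": "192.168.3.1/24", "vtun": "vtun1",
     "ovpn": "/config/user-data/ExpressVPN2.ovpn"},
]

if __name__ == "__main__":
    print(render(build_config_gateway(TUNNELS)))
```

Each tunnel still needs its own prepared .ovpn (with route-nopull and an external credentials file) under /config/user-data, and the generated fragment replaces, rather than adds to, any earlier single-tunnel version of these sections in config.gateway.json.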

New Member
Posts: 19
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

Hey guys,

 

Is there a must to do this with a Cloud Key installed or can I do it without?

Trying to transfer the json file to my USG but I can't find the folders.

 

Thanks

 

 // M

Ubiquiti Employee
Posts: 1,126
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG Route VLAN over OpenVPN client

@Hultnet The config.gateway.json file lives on the UniFi controller, not the USG itself. If it was on the USG itself, the config.gateway.json file wouldn't necessarily be needed at all (because the USG obtains its configuration from the controller).

The controller doesn't have to be a Cloud Key; the controller software can live on any Linux/Ubuntu, Mac OS X, or Windows machine. For more context on the config.gateway.json file you can look here: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 19
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

Thanks, I realized it now when (on my Mac) I went into the controller files.

Just bought a cloud key which will make stuff a little bit easier. 

 

New Member
Posts: 19
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

Hey,

 

I got it working over wifi, yey!

But now what.. how to connect my wired device into my private network?

 

I tried to make a fixed IP to it. But, it does seem to assign the other LAN IP all the time.

Do I need to to something else in the json-file?

 

Thanks in advance!

 

Skärmavbild 2019-01-07 kl. 21.56.25.png

New Member
Posts: 5
Registered: ‎05-17-2017

Re: USG Route VLAN over OpenVPN client

Have you configured the ports on your switch to belong to the "VPN Network" VLAN?

New Member
Posts: 19
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

I realized this morning that I need a UniFi switch too, so I ordered one in which I can manage the ports to route to the device.

New Member
Posts: 19
Registered: ‎03-05-2017
Kudos: 2

Re: USG Route VLAN over OpenVPN client

For the OP: why did you choose a "Corporate" network set-up instead of a "VPN Client"?

 

Further thanks for a good guide!

New Member
Posts: 6
Registered: 2 weeks ago

Re: USG Route VLAN over OpenVPN client

@hfxrzwhere for the same question. A newer method I've seen uses the VPN client and not Corporate network. So I'm wondering if this is a new addition?

New Member
Posts: 19
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

Hey,

 

Newer method you say. Can you please link to the other one? =)

 

Thanks

 
