New Member
Posts: 19
Registered: ‎03-05-2017
Kudos: 2

Re: USG Route VLAN over OpenVPN client

@apomper Hi, don’t think that’s necessarily correct as on the first screen print it clearly shows that “VPN Client” was available.

New Member
Posts: 6
Registered: a week ago

Re: USG Route VLAN over OpenVPN client

@hfxrzw Ah, I missed that. Ignore me.

When trying to commit the VPN tunnel, I get the following error:

admin@USG1# set interfaces openvpn vtun0 config-file /config/user-data/PureUK2.ovpn
[edit]
admin@USG1# commit
[ interfaces openvpn vtun0 ]
OpenVPN configuration error: Failed to start OpenVPN tunnel.

Commit failed

Anyone seen this before? I have my ovpn file loaded onto the USG along with the txt file for username & password. ca cert & TLS key also loaded.

ovpn file looks like this:

client
dev tun
proto tcp
remote ukl2-ovpn-tcp.pointtoserver.com 80
persist-key
persist-tun
ca /config/user-data/ca.crt
tls-auth /config/user-data/Wdc.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
float
auth-user-pass /config/user-data/PureVPN.txt
auth-retry interact
ifconfig-nowarn
route-nopull

New Member
Posts: 14
Registered: ‎12-22-2015
Kudos: 14
Solutions: 1

Re: USG Route VLAN over OpenVPN client

@Hultnet, it does not need to be a unifi switch - any managed switch (that supports port-based VLANs) will do.  Of course, unifi switches are pretty inexpensive and have the advantage of simplicity.  Simply tag all traffic on a particular switch port with the "VPN" VID and off you go.

New Member
Posts: 14
Registered: ‎12-22-2015
Kudos: 14
Solutions: 1

Re: USG Route VLAN over OpenVPN client

@hfxrzw, in Unifi controller 5.6.x, a "VPN Client" network is a) still in beta, b) only supports PPTP config from the controller web interface, and c) it would still require CLI/config.json modification to "work" the way most people want it to work. 

 

The purpose of a VPN is to securely transport the contents - for various reasons.  PPTP is the VPN equivalent of transporting gold bullion in a sack made of dung - sure it might work for a while, but you're going to attract a lot of flies - and probably lose some gold.  No one should be using PPTP in 2019 (or in 1998 for that matter).  In 1998, there were few 'easy' options - in 2019, there are MANY.

 

If you REALLY want to use PPTP, and your provider supports it, then by all means, you can make it work.  But it's not nearly as secure (kinda the point of a VPN), and almost certainly no easier.

 

Randy

New Member
Posts: 18
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

How did you make the cert files?

I didn't do those but mine works.

 

How do you set up the files? It doesn't really say in the guide.

New Member
Posts: 6
Registered: a week ago

Re: USG Route VLAN over OpenVPN client

It seems different providers vary. The VPN I was using supplied cert & key files with the ovpn file. I've since switched to Nord and I can get the tunnel active.

admin@USG:~$ show interfaces openvpn
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
vtun0        10.7.7.3/24                       u/u

All the other commands commit perfectly fine as well. However, when I create the JSON file, the USG fails to provision and I get the following error in the controller

configuration commit error. Error message: { "DELETE" : { "failure" : "0" , "success" : "1"} , "SESSION_ID" : "cdd190a831880a2c1e1638ce8b" , "SET" : { "error" : { "interfaces ethernet eth0 vif 101 address 192.168.2.0/24" : "Can not assign network address as IP address\n\n￿0\nValue validation failed\n"} , "failure" : "1" , "success" : "1"}}

Initially I was trying to route VLAN10 to the VPN, which was a different subnet etc. So to try and eliminate anything I might be doing wrong, I followed the instructions exactly: created VLAN101 on 192.168.2.0/24 and used the JSON file from this post. But I still get the same error.

Anyone have any ideas?

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG Route VLAN over OpenVPN client

@apomper You're trying to assign an interface a network address, it'll work if you put 192.168.2.1/24 rather than 2.0/24.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 6
Registered: a week ago

Re: USG Route VLAN over OpenVPN client

@UBNT-jaffe I'm getting more errors now. I'm probably doing something really simple wrong! Could you have a quick glance over my JSON please?

{
  "firewall": {
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "10": {
            "action": "modify",
            "description": "route vlan 101 to ExpressVPN",
            "modify": {
              "table": "1"
            },
            "source": {
              "address": "192.168.2.0/24"
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth0": {
        "vif": {
          "101": {
            "address": [
              "192.168.2.1/24"
            ],
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              }
            }
          }
        }
      }
    },
    "openvpn": {
      "vtun0": {
        "config-file": "/config/openvpn/NordVPN3.ovpn"
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "1": {
          "interface-route": {
            "192.168.0.0/24": {
              "next-hop-interface": {
                "eth0": "''"
              }
            },
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun0": "''"
              }
            }
          }
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "5004": {
          "description": "masq to vpn vtun0",
          "destination": {
            "address": "0.0.0.0/0"
          },
          "outbound-interface": "vtun0",
          "type": "masquerade"
        }
      }
    }
  }
}

 

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG Route VLAN over OpenVPN client

@apomper The JSON seems to be formatted correctly. What errors are you hitting?

I would change the "modify table" to "2" instead of 1. I've seen issues with next-hop-interface routes being added to table 1. Also, the interface route for 192.168.0.0/24 being pointed out eth0 probably will break some things in the network. Interface routes only work on point-to-point networks; an ethernet network that isn't a /30 will need a "next-hop" route pointing to a specific gateway address.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 6
Registered: a week ago

Re: USG Route VLAN over OpenVPN client

@UBNT-jaffe I've been able to clear the errors and get the USG to provision. As suspected, it was something silly. I was using eth0 instead of eth1.

 

Initially I didn't have comms between the LAN and VLAN101. However, changing the modify table from 1 to 2 fixed that. So thank you.

However I'm now faced with traffic not appearing to be routed via the VPN. A PC on the VLAN is showing the ISP IP. So any guidance on that would be greatly appreciated.

 

Updated JSON:

{
  "firewall": {
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "10": {
            "action": "modify",
            "description": "route vlan 101 to ExpressVPN",
            "modify": {
              "table": "1"
            },
            "source": {
              "address": "192.168.2.1/24"
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth1": {
        "vif": {
          "101": {
            "address": [
              "192.168.2.1/24"
            ],
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              }
            }
          }
        }
      }
    },
    "openvpn": {
      "vtun0": {
        "config-file": "/config/openvpn/NordVPN3.ovpn"
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "2": {
          "interface-route": {
            "192.168.0.0/24": {
              "next-hop-interface": {
                "eth1": "''"
              }
            },
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun0": "''"
              }
            }
          }
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "5004": {
          "description": "masq to vpn vtun0",
          "destination": {
            "address": "0.0.0.0/0"
          },
          "outbound-interface": "vtun0",
          "type": "masquerade"
        }
      }
    }
  }
}

New Member
Posts: 2
Registered: ‎04-01-2018

Re: USG Route VLAN over OpenVPN client

@apomper Your firewall rule still references table 1, but in your protocols you changed the label to table "2". Change your firewall rule to: set firewall modify SOURCE_ROUTE rule 10 modify table 2

 

  "firewall": {
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "10": {
            "action": "modify",
            "description": "route vlan 101 to ExpressVPN",
            "modify": {
              "table": "2"
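
The three mistakes diagnosed in this thread (a vif given the network address instead of a host address, a firewall modify rule selecting a table number that protocols static table never defines, and an interface-route out of an ethernet interface where Brandon Jaffe's reply above says a next-hop route is needed) are all visible in the JSON before it ever reaches the USG. The script below is an added example, not the poster's or Ubiquiti's code: it lints a config.gateway.json for those patterns. The sample config it carries is constructed for the example, the 192.168.0.1 gateway in the corrected version is a placeholder, and the "/30 or longer counts as point-to-point" rule is an assumption drawn from the reply above.

```python
"""Lint a USG config.gateway.json for the policy-routing mistakes diagnosed in this thread.

Added example, not the poster's or Ubiquiti's code. The JSON layout follows the
EdgeOS config shown in the thread; the checks are assumptions taken from the replies:
  1. a vif address must be a host address, not the network address (the commit error);
  2. the table a firewall modify rule selects must exist under protocols static table;
  3. an interface-route via an ethernet interface only suits a point-to-point prefix
     (/30 or longer); anything wider needs a next-hop route to a gateway address;
  4. the modify ruleset attached to a vif must actually be defined.
"""
import copy
import ipaddress
import json
from typing import Dict, List

# Constructed sample (not a real deployment) combining the three mistakes from the thread.
BROKEN_CONFIG: Dict = {
    "firewall": {"modify": {"SOURCE_ROUTE": {"rule": {"10": {
        "action": "modify",
        "description": "route vlan 101 to VPN",
        "modify": {"table": "1"},                 # table 1 is never defined below
        "source": {"address": "192.168.2.0/24"},
    }}}}},
    "interfaces": {
        "ethernet": {"eth1": {"vif": {"101": {
            "address": ["192.168.2.0/24"],       # network address, not a host address
            "firewall": {"in": {"modify": "SOURCE_ROUTE", "name": "LAN_IN"}},
        }}}},
        "openvpn": {"vtun0": {"config-file": "/config/openvpn/provider.ovpn"}},
    },
    "protocols": {"static": {"table": {"2": {"interface-route": {
        "192.168.0.0/24": {"next-hop-interface": {"eth1": "''"}},  # /24 via ethernet
        "0.0.0.0/0": {"next-hop-interface": {"vtun0": "''"}},     # fine: tun is p2p
    }}}}},
    "service": {"nat": {"rule": {"5004": {
        "description": "masq to vpn vtun0",
        "destination": {"address": "0.0.0.0/0"},
        "outbound-interface": "vtun0",
        "type": "masquerade",
    }}}},
}


def _vifs(cfg: Dict):
    """Yield (ifname, vid, vif-dict) for every VLAN sub-interface on every ethernet port."""
    for ifname, ifdata in cfg.get("interfaces", {}).get("ethernet", {}).items():
        for vid, vdata in ifdata.get("vif", {}).items():
            yield ifname, vid, vdata


def check_vif_addresses(cfg: Dict) -> List[str]:
    """Flag vif addresses equal to the network address of their prefix (the commit error)."""
    issues = []
    for ifname, vid, vdata in _vifs(cfg):
        for addr in vdata.get("address", []):
            iface = ipaddress.ip_interface(addr)
            if iface.ip == iface.network.network_address:
                first_host = iface.network.network_address + 1
                issues.append(f"{ifname} vif {vid}: {addr} is the network address; "
                              f"use a host address such as {first_host}/{iface.network.prefixlen}")
    return issues


def check_modify_tables(cfg: Dict) -> List[str]:
    """Flag modify rules whose table number has no entry under protocols static table."""
    issues = []
    tables = set(cfg.get("protocols", {}).get("static", {}).get("table", {}))
    for rsname, rs in cfg.get("firewall", {}).get("modify", {}).items():
        for rnum, rule in rs.get("rule", {}).items():
            table = rule.get("modify", {}).get("table")
            if table is not None and table not in tables:
                issues.append(f"firewall modify {rsname} rule {rnum}: modify table {table} is not "
                              f"defined under protocols static table (defined: "
                              f"{', '.join(sorted(tables)) or 'none'})")
    return issues


def check_interface_routes(cfg: Dict) -> List[str]:
    """Flag interface-routes via ethX for prefixes wider than /30 (not point-to-point)."""
    issues = []
    for tnum, tdata in cfg.get("protocols", {}).get("static", {}).get("table", {}).items():
        for prefix, rdata in tdata.get("interface-route", {}).items():
            for nhi in rdata.get("next-hop-interface", {}):
                if nhi.startswith("eth") and ipaddress.ip_network(prefix, strict=False).prefixlen < 30:
                    issues.append(f"table {tnum}: interface-route {prefix} via {nhi} is not a "
                                  f"point-to-point prefix; use a next-hop route to the gateway address")
    return issues


def check_modify_attachments(cfg: Dict) -> List[str]:
    """Flag vifs whose firewall in modify references a ruleset that is not defined."""
    defined = set(cfg.get("firewall", {}).get("modify", {}))
    return [f"{ifname} vif {vid}: firewall in modify references undefined ruleset {ref}"
            for ifname, vid, vdata in _vifs(cfg)
            for ref in [vdata.get("firewall", {}).get("in", {}).get("modify")]
            if ref is not None and ref not in defined]


def lint(cfg: Dict) -> List[str]:
    """Run every check; an empty list means the config passed."""
    return (check_vif_addresses(cfg) + check_modify_tables(cfg)
            + check_interface_routes(cfg) + check_modify_attachments(cfg))


def lint_file(path: str) -> List[str]:
    """Lint a config.gateway.json on disk before handing it to the controller."""
    with open(path) as fh:
        return lint(json.load(fh))


def fixed_config() -> Dict:
    """The sample with all three mistakes corrected; 192.168.0.1 is a placeholder LAN gateway."""
    cfg = copy.deepcopy(BROKEN_CONFIG)
    cfg["interfaces"]["ethernet"]["eth1"]["vif"]["101"]["address"] = ["192.168.2.1/24"]
    cfg["firewall"]["modify"]["SOURCE_ROUTE"]["rule"]["10"]["modify"]["table"] = "2"
    table = cfg["protocols"]["static"]["table"]["2"]
    del table["interface-route"]["192.168.0.0/24"]
    table["route"] = {"192.168.0.0/24": {"next-hop": {"192.168.0.1": "''"}}}
    return cfg


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", fixed_config())):
        findings = lint(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the three findings on the constructed sample and none on the corrected one, or call lint_file() on your own config.gateway.json before uploading it; the checks only read the JSON and never touch the USG.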

New Member
Posts: 18
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

@UBNT-jaffe, is there a way to be able to swap vpn service in an easier way instead of making a set interface, change file source and pass file each time?

 

I'd more like a drop down or something on the dashboard changing the service.

 

Possible?

New Member
Posts: 19
Registered: ‎03-05-2017
Kudos: 2

Re: USG Route VLAN over OpenVPN client

When I use the "set" command I get a message back that it's a wrong command. Any advice? Thanks.

New Member
Posts: 18
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

@hfxrzw are you doing it in configure mode?

New Member
Posts: 19
Registered: ‎03-05-2017
Kudos: 2

Re: USG Route VLAN over OpenVPN client

Hi, sorry, was following above instructions. What is "Configure" mode and how do I get there? Thanks!

New Member
Posts: 18
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

@hfxrzw, bud... read the guide. It’s all there. It’s a key function to set the config file.

 

In SSH to the USG.

 

Type configure and you're in the configure mode. Then you do the set interface thingy. The rest is in the guide on the first thread page.

New Member
Posts: 19
Registered: ‎03-05-2017
Kudos: 2

Re: USG Route VLAN over OpenVPN client


Which guide? I'm following the first post....? Thanks!

 

BTW, if I do the exit after the commit I get the below

 

root@USG-3P# exit
Warning: configuration changes have not been saved.
exit

 

How do I find out why it isn't being saved?

New Member
Posts: 18
Registered: ‎06-23-2016
Kudos: 1

Re: USG Route VLAN over OpenVPN client

The guide is what you’re reading on the first page.

I get the same.
Then if you write “show interfaces openvpn” you’ll see that the file is set.

