How Can We Help?
OpenVPN Setup & Configuration on UniFi Security Gateway – Step by Step Guide
This article is located at: https://community.ui.com/questions/OpenVPN-Setup-and-Configuration-on-UniFi-Security-Gateway-Step-by-Step-Guide/2a12e083-03fe-47de-be21-36e7cbba6ccb
This guide is on the UniFi web site and was not created by HavenZone. We found it to be very helpful and would like to share it. The link above will bring you directly to the page it was located at on the ui.com web site.
In this topic, I want to explain how you can add / run openvpn server to / on your UniFi Security Gateway.
There are couple different articles and blogs page which explain these steps but I decided to put all the steps on one single post for the people who want to use openvpn server on their USG and I hope, it will be easy for them to follow these steps.
As you may already noticed, somehow on Ubiquiti USGs, we don’t have OpenVPN Server.
ps: For the last more than 5 firmware version on USG, I’m using OpenVPN Server on it and so far the firmware update didn’t cause any problem on my OpenVPN Server setup / configuration. Please keep in your mind that, it’s not an official configration to have this feature and I cannot take any responsibility if something will be wrong with your product!
Step 1: Authentication Requirement for OpenVPN (Let’s use built-in Radius Server on USG);
- On all UniFi Security Controllers there is already Radius Server in place which you can use for OpenVPN authentication. It also gives you flexibility to add / remove users from UniFi Controller GUI, directly so you can easily manage your openvpn user access.
- Access to your UniFi Controller and open Services page under Settings
- Enable Radius Server under Radius –> Server tab and put add a secret key in the same page (note it on side, you will use it in the later configuration steps)
- Under Users tab, dd your OpenVPN Users
- For security purposes, in my opinion, it will be add these openvpn users to different VLAN. When you are creating your users you can add VLAN information on the same page.
Step 2: Configuring easy-rsa and Key Generation
- You need to connect to your USG via SSH
- ssh admin@Your_USG_IP_Address (you need to use the password which configured under Site Settings page.
- Then use the below commands to generate your keys for openvpn
#Download required easy-rsa package on USG
sudo bash
curl -O http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_2.2.2-1~bpo70+1_all.deb
sudo dpkg -i easy-rsa_2.2.2-1~bpo70+1_all.deb
# Generate Keys
cd /usr/share/easy-rsa
. vars
./clean-all
./build-ca
# You can give a Comman Name like “OpenVPN CA”
./build-key-server server
# You can set the common name as “server”
# When asked type ‘yes’ to sign the certificate and then ‘commit’ the configuration.
./build-dh
# You need to copy the generated keys to /config/auth/keys/ folder
mkdir /config/auth/keys/
cp keys/* /config/auth/keys/
Step 3: Configuring OpenVPN on UniFi Security Gateway
– Use the below commands to configure your openvpn setup on USG
configure
set interfaces openvpn vtun0 mode server
# You need to use a subnet which is not used in any other interface or network on your USG Configuration
set interfaces openvpn vtun0 server subnet 10.1.1.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/keys/server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/keys/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh2048.pem
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 openvpn-option “–keepalive 8 30”
set interfaces openvpn vtun0 openvpn-option “–comp-lzo”
set interfaces openvpn vtun0 openvpn-option “–duplicate-cn”
set interfaces openvpn vtun0 openvpn-option “–user nobody –group nogroup”
set interfaces openvpn vtun0 openvpn-option “–plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn”
set interfaces openvpn vtun0 openvpn-option “–client-cert-not-required –username-as-common-name”
set interfaces openvpn vtun0 openvpn-option “–verb 1”
set interfaces openvpn vtun0 openvpn-option “–proto udp6”
set interfaces openvpn vtun0 openvpn-option “–port 1194”
set interfaces openvpn vtun0 openvpn-option “–push redirect-gateway def1”
set interfaces openvpn vtun0 openvpn-option “–push dhcp-option DNS 8.8.8.8”
set interfaces openvpn vtun0 openvpn-option “–push dhcp-option DNS 8.8.4.4”
# You need to configure the firewall to be sure that USG will accept OpenVPN connection from WAN Interface
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description “Allow OpenVPN clients in”
set firewall name WAN_LOCAL rule 20 destination port 1194
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol udp
# Optional! If you need, you can configure IPv6 setting with following below steps
set firewall ipv6-name wan_local-6 rule 20 action accept
set firewall ipv6-name wan_local-6 rule 20 description “Allow OpenVPN clients in”
set firewall ipv6-name wan_local-6 rule 20 destination port 1194
set firewall ipv6-name wan_local-6 rule 20 log disable
set firewall ipv6-name wan_local-6 rule 20 protocol udp
# You need to configure your USG with below commands to allow traffic from OpenVPN users to Internet
set service nat rule 5010 description “Masquerade for WAN”
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
commit
save
exit
Step 4: Create a .ovpn file
- Now, you need to create .ovpn file and you need to use this file on each OpenVPN users device which the user will use openvpn to connect to USG with a OpenVPN client application
client
float
dev tun
# Please edit below hostname, it needs to point your USG’s WAN IP address (you can also use USG’s WAN IP address instead hostname)
remote my.hostname.com 1194 udp
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
comp-lzo
verb 3
<ca>
—–BEGIN CERTIFICATE—–
# put your certificate block here. Copy it from your /config/auth/keys/ca.crt file on your USG
—–END CERTIFICATE—–
</ca>
# This certificate is a random one. In .ovpn file requires a random certificate but it’s not using it. If you wish you can decide to leave it as it is.
<cert>
—–BEGIN CERTIFICATE—–
MIIB1jCCAT+gAwIBAgIEAmLSTjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
cGVuVlBOIENBMB4XDTEzMDExNzAyMTExMloXDTIzMDEyMjAyMTExMlowKDEmMCQG
A1UEAxQdZnJyaWN0aW9uQGdtYWlsLmNvbV9BVVRPTE9HSU4wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALVEXIZYYu1Inmejuo4Si6Eo5AguTX5sg1pGbLkJSTR4
BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlUtWnVCwCYtewYfEc/+azH7+7eU6ue
T2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCedptgWyiL50N7FMcUUMjjXYh/hftB
AgMBAAGjIDAeMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3
DQEBBQUAA4GBABhVzSYXHlQEPNaKGmx9hMwwnNKcHgD9cCmC9lX/KR2Y+vT/QGxK
7sYlJInb/xmpa5TUQYc1nzDs9JBps1mCtZbYNNDpYnKINAKSDsM+KOQaSYQ2FhHk
bmBZk/K96P7VntzYI5S02+hOWnvjq5Wk4gOt1+L18+R/XujuxGbwnHW2
—–END CERTIFICATE—–
</cert>
# This certificate is a random one. In .ovpn file requires a random certificate but it’s not using it. If you wish you can decide to leave it as it is.
<key>
—–BEGIN PRIVATE KEY—–
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAECgYEAsNjgOEYVRhEaUlzfzmpzhakC
SKT8AALYaAPbYO+ZVzJdh8mIbg+xuF7A9G+7z+5ZL35lrpXKnONuvmlxkK5ESwvV
Q7EOQYCZCqa8xf3li3GUBLwcwXKtOUr3AYXhdbOh2viQdisD4Ky7H6/Nd3yMc3bu
R4pErmWeHei+l6dIwAECQQDqljNxi9babmHiei6lHaznCMg5+jfAyDXgHvO/afFr
1bDQVDTDK+64kax4E9pvDZC6B/HGse9hOUGWXTjb0WZBAkEAxdAw/14iJIUcE5sz
HDy2R0RmbUQYFjrNgBCi5tnmr1Ay1zHAs1VEF+Rg5IOtCBO50I9jm4WCSwCtN6zF
FoFVAQJAUGfBJDcZIm9ZL6ZPXJrqS5oP/wdLmtFE3hfd1gr7C8oHu7BREWB6h1qu
8c1kPlI4+/qDHWaZtQpJ977mIToJwQJAMcgUHKAm/YPWLgT31tpckRDgqgzh9u4z
e1A0ft5FlMcdFFT8BuWlblHWJIwSxp6YO6lqSuBNiuyPqxw6uVAxAQJAWGxOgn2I
fGkWLLw4WMpkFHmwDVTQVwhTpmMP8rWGYEdYX+k9HeOJyVMrJKg2ZPXOPtybrw8T
PUZE7FgzVNxypQ==
—–END PRIVATE KEY—–
</key>
Step 5: Configuring OpenVPN to use Radius for authentication
– You need to create ‘pam_radius_auth.conf” file in USG under /etc/pam_radius_auth.conf and you need to as Radius Server IP address which should be your USG. Add the below line into this file;
RADIUSSERVERIP SHAREDSECRET
– You need to create another file in USG called ‘openvpn” under /etc/pam.d/openvpn and add the below lines into that file;
auth sufficient pam_radius_auth.so debug
account sufficient pam_permit.so
session sufficient pam_permit.so
Step 6: Test your configuration
– Connect to your USG via OpenVPN from your client with using username and password which you configured in Step 1 (Under Radius Settings Configuration Page on USG GUI). You should be able to connect to your USG via OpenVPN client application from your test client. (Do not try to connect when you are still connected to the same network with your USG! Otherwise you will not able to connect and it will give you error!)
Step 7: You need to be sure that your configuration will be persistent even when you reboot your USG or after firmware upgrade. If you will not complete this step, your configuration files will be overwritten on USG after provisioning from UniFi Controller.
– You need add a script on USG under /config/scripts folder. Follow the next steps;
– You need to copy ‘pam_radius_auth.conf’ and ‘openvpn’ files which you created in Step 5 under /config/script/openvpnconfiguration/ folder.
– Create a script file with the following steps;
#vi /config/script/postprovision.sh
#!/bin/vbash
readonly logFile=”/var/log/postprovision.log”
#restore the ssmtp configuration
cp /config/scripts/openvpnconfiguration/pam_radius_auth.conf /etc
cp /config/scripts/openvpnconfiguration/openvpn /etc/pam.d/openvpn
#the following lines remove the postprovision scheduled task
#do not modify below this line
source /opt/vyatta/etc/functions/script-template
configure > ${logFile}
delete system task-scheduler task postprovision >> ${logFile}
commit >> ${logFile}
save >> ${logFile}
#exit
#end no edit
exit
– You need to mark your script as executable with the following command;
sudo chmod +x /config/scripts/postprovision.sh
– Finally, you need to update your config with the following commands;
configure
set system task-scheduler task postprovision executable path “/config/scripts/postprovision.sh”
set system task-scheduler task postprovision interval 3m
commit
save
exit
– You can review the log file from USG GUI or CLI with the following command;
show log | grep openvpn
Step 8: Bonus Step – config.gateway.json configuration file (optional step)
– When I completed my configuration, I noticed that my task scheduler configuration is not working and due to this reason whenever I reboot my USG device, OpenVPN configuration was not working properly. So I decided to add task-schedule configuration in ‘config.gateway.json’ file which you can find it in your UniFi Controller system. If you are using Linux for your UniFi Controller setup then the file should be under ‘/var/lib/unifi/sites/default/‘ folder. For other operating systems, you may need to double check it with UniFi Controller Administration Guide.
– Basically, open your ‘’config.gateway.jason’ file and add the following lines after system section;
– Sometimes editing config.gateway.json file could be a bit tricky since you need to be very careful with the brackets. I recommend you to reboot your USG device and for provision after you did this change to be sure that everything is working with out any problem.
"system": { "task-scheduler": { "task": { "postprovision": { "executable": { "path": "/config/scripts/postprovision.sh" }, "interval": "3m" } } } } } 
Step 9: Congratulations! You did it ? Enjoy!
Update! 14 February 2019 – Step 10 and Step 11
Step 10: Optional Firewall Configuration
– If you started to use OpenVPN on you USG than you may probably noticed that OpenVPN Users can access to any subnet / network in your network!
– The reason behind this, basically vtun0 interface (which we configured in Step 3) is not part of any other interface group like LAN, WAN, Guest. So this is why OpenVPN User can access to any IP / Network by default.
– If you want to apply Firewall policies on OpenVPN Users than you need to add below lines to your config.gateway.json file before starting on Firewall configuration, below lines should be under “vtun0” config in config,gateway.json file;
"interfaces": { "openvpn": { "vtun0": { "firewall": { "in": { "name": "LAN_IN" }, "local": { "name": "LAN_LOCAL" }, "out": { "name": "LAN_OUT" } } } } }, – Now, do force provision to your USG from UniFi Controller to be sure that new config.gateway.json configuration is applied to your USG.
– Finally, now you can start to create your Firewall rules for your OpenVPN Users. In below example i added two rules under LAN IN Firewall Rules. Rule 2001 is to drop all connection from OpenVPN Users and Rule 2000 is to allow only to specofic IP addresses from OpenVPN Users
– And as a last step you need to add another Firewall rule on Lan OUT interface since we need to allow return traffic for the session to established.
Lan OUT Rule should be like below; you only need to allow ‘Established” states!
Now you can create additional firewall rules for OpenVPN Users to allow them only needed destination IPs / Networks.
Step: 11 If you want to do more granular configuration, there are couple of tricky points that you need to be aware of;
– When you complete Step 10 which allows you to apply firewall rules on OpenVPN Users, you will noticed that OpenVPN Users will able to communicate with the internal allowed IP addresses but they will not able to communicate with Internet. Because in UniFi USG firewall configuration there is no option to apply firewall rules from LAN_IN interface to WAN_OUT or eth0 interface. I think firewall configuration page should be more flexible to allow these configurations in a easy way. It can be really possible to have netscreen like configuration gui. If they can do it, that will be extremely useful.
– Anyway, having said that of course there is a workaround to allow internet access for OpenVPN Users (if it’s really needed)
– Basically, you need to add couple of tricky config on firewall rules which you created in Step 10.
– Check the below screenshot which will give you the main idea to allow internet access OpenVPN Users while they are only accessing to allowed internal IP addresses.
Rule 2000 details should be like below screenshot. Which you are allowing OpenVPN Users to access needed internal IP addresses (Source Group points OpenVPN Users subnet and Destination Group points IP Addresses that OpenVPN Users can access)
Here is the tricky part. While Rule 2000 allows OpenVPN Users to access internal allowed IP addresses, Rule 2001 blocks all the other connections from OpenVPN Users.
In Rule 2001 is drop rule and basically, i added OpenVPN Users Subnet as a source group and added LAN Subnet & Guest Subnet & OpenVPN Subnet as destination group.
Because i don’t want to allow OpenVPN Users to access any Local IP Addresses expect Allowed IP list in Rule 2000. But I need to allow the rest of the communication to anyother destinations, in this case basically it’s internet since we blocked the all internal subnets with rule 2001.
Below is the example LAN & Guest & OpenVPN Subnet Group that i used in Rule 2001 under LAN_IN firewall policy set as destination group. (Do not worry, these are not my internal subnets, i changed them just to give you an example ? )
Please replace the below IP addresses with your OpenVPN Users Subnet which you configured in step 3 and add your LAN Subnet, Guest Subnet, etc.
And the OpenVPN_Subnet group that i used in LAN_IN firewall policies. Please replace the below IP address with your OpenVPN Users Subnet which you configured in step 3
Enjoy!
