OpenVPN Setup & Configuration on UniFi Security Gateway – Step by Step Guide

You are here:
< All Topics

This article is located at:

This guide is on the UniFi web site and was not created by HavenZone. We found it to be very helpful and would like to share it. The link above will bring you directly to the page it was located at on the web site.

In this topic, I want to explain how you can add / run openvpn server to / on your UniFi Security Gateway.

There are couple different articles and blogs page which explain these steps but I decided to put all the steps on one single post for the people who want to use openvpn server on their USG and I hope, it will be easy for them to follow these steps.

As you may already noticed, somehow on Ubiquiti USGs, we don’t have OpenVPN Server.

ps: For the last more than 5 firmware version on USG, I’m using OpenVPN Server on it and so far the firmware update didn’t cause any problem on my OpenVPN Server setup / configuration. Please keep in your mind that, it’s not an official configration to have this feature and I cannot take any responsibility if something will be wrong with your product!

Step 1: Authentication Requirement for OpenVPN (Let’s use built-in Radius Server on USG);

  • On all UniFi Security Controllers there is already Radius Server in place which you can use for OpenVPN authentication. It also gives you flexibility to add / remove users from UniFi Controller GUI, directly so you can easily manage your openvpn user access.
  • Access to your UniFi Controller and open Services page under Settings
  • Enable Radius Server under Radius –> Server tab and put add a secret key in the same page (note it on side, you will use it in the later configuration steps)
  • Under Users tab, dd your OpenVPN Users
  • For security purposes, in my opinion, it will be add these openvpn users to different VLAN. When you are creating your users you can add VLAN information on the same page.

Step 2: Configuring easy-rsa and Key Generation

  • You need to connect to your USG via SSH
  • ssh admin@Your_USG_IP_Address (you need to use the password which configured under Site Settings page.
  • Then use the below commands to generate your keys for openvpn

#Download required easy-rsa package on USG

sudo bash

curl -O

sudo dpkg -i easy-rsa_2.2.2-1~bpo70+1_all.deb

# Generate Keys

cd /usr/share/easy-rsa

. vars



# You can give a Comman Name like “OpenVPN CA”

./build-key-server server

# You can set the common name as “server”

# When asked type ‘yes’ to sign the certificate and then ‘commit’ the configuration.


# You need to copy the generated keys to /config/auth/keys/ folder

mkdir /config/auth/keys/

cp keys/* /config/auth/keys/

Step 3: Configuring OpenVPN on UniFi Security Gateway

– Use the below commands to configure your openvpn setup on USG


set interfaces openvpn vtun0 mode server

# You need to use a subnet which is not used in any other interface or network on your USG Configuration

set interfaces openvpn vtun0 server subnet

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt

set interfaces openvpn vtun0 tls cert-file /config/auth/keys/server.crt

set interfaces openvpn vtun0 tls key-file /config/auth/keys/server.key

set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh2048.pem

set interfaces openvpn vtun0 encryption aes128

set interfaces openvpn vtun0 openvpn-option “–keepalive 8 30”

set interfaces openvpn vtun0 openvpn-option “–comp-lzo”

set interfaces openvpn vtun0 openvpn-option “–duplicate-cn”

set interfaces openvpn vtun0 openvpn-option “–user nobody –group nogroup”

set interfaces openvpn vtun0 openvpn-option “–plugin /usr/lib/openvpn/ openvpn”

set interfaces openvpn vtun0 openvpn-option “–client-cert-not-required –username-as-common-name”

set interfaces openvpn vtun0 openvpn-option “–verb 1”

set interfaces openvpn vtun0 openvpn-option “–proto udp6”

set interfaces openvpn vtun0 openvpn-option “–port 1194”

set interfaces openvpn vtun0 openvpn-option “–push redirect-gateway def1”

set interfaces openvpn vtun0 openvpn-option “–push dhcp-option DNS”

set interfaces openvpn vtun0 openvpn-option “–push dhcp-option DNS”

# You need to configure the firewall to be sure that USG will accept OpenVPN connection from WAN Interface

set firewall name WAN_LOCAL rule 20 action accept

set firewall name WAN_LOCAL rule 20 description “Allow OpenVPN clients in”

set firewall name WAN_LOCAL rule 20 destination port 1194

set firewall name WAN_LOCAL rule 20 log disable

set firewall name WAN_LOCAL rule 20 protocol udp

# Optional! If you need, you can configure IPv6 setting with following below steps

set firewall ipv6-name wan_local-6 rule 20 action accept

set firewall ipv6-name wan_local-6 rule 20 description “Allow OpenVPN clients in”

set firewall ipv6-name wan_local-6 rule 20 destination port 1194

set firewall ipv6-name wan_local-6 rule 20 log disable

set firewall ipv6-name wan_local-6 rule 20 protocol udp

# You need to configure your USG with below commands to allow traffic from OpenVPN users to Internet

set service nat rule 5010 description “Masquerade for WAN”

set service nat rule 5010 outbound-interface eth0

set service nat rule 5010 type masquerade




Step 4: Create a .ovpn file

  • Now, you need to create .ovpn file and you need to use this file on each OpenVPN users device which the user will use openvpn to connect to USG with a OpenVPN client application



dev tun

# Please edit below hostname, it needs to point your USG’s WAN IP address (you can also use USG’s WAN IP address instead hostname)

remote 1194 udp

resolv-retry infinite





cipher AES-128-CBC


verb 3



# put your certificate block here. Copy it from your /config/auth/keys/ca.crt file on your USG



# This certificate is a random one. In .ovpn file requires a random certificate but it’s not using it. If you wish you can decide to leave it as it is.















# This certificate is a random one. In .ovpn file requires a random certificate but it’s not using it. If you wish you can decide to leave it as it is.



















Step 5: Configuring OpenVPN to use Radius for authentication

– You need to create ‘pam_radius_auth.conf” file in USG under /etc/pam_radius_auth.conf and you need to as Radius Server IP address which should be your USG. Add the below line into this file;


– You need to create another file in USG called ‘openvpn” under /etc/pam.d/openvpn and add the below lines into that file;

auth sufficient debug

account sufficient

session sufficient

Step 6: Test your configuration

– Connect to your USG via OpenVPN from your client with using username and password which you configured in Step 1 (Under Radius Settings Configuration Page on USG GUI)You should be able to connect to your USG via OpenVPN client application from your test client. (Do not try to connect when you are still connected to the same network with your USG! Otherwise you will not able to connect and it will give you error!)

Step 7: You need to be sure that your configuration will be persistent even when you reboot your USG or after firmware upgrade. If you will not complete this step, your configuration files will be overwritten on USG after provisioning from UniFi Controller.

– You need add a script on USG under /config/scripts folder. Follow the next steps;

– You need to copy ‘pam_radius_auth.conf’ and ‘openvpn’ files which you created in Step 5 under /config/script/openvpnconfiguration/ folder.

– Create a script file with the following steps;

#vi /config/script/


readonly logFile=”/var/log/postprovision.log”

#restore the ssmtp configuration

cp /config/scripts/openvpnconfiguration/pam_radius_auth.conf /etc

cp /config/scripts/openvpnconfiguration/openvpn /etc/pam.d/openvpn

#the following lines remove the postprovision scheduled task

#do not modify below this line

source /opt/vyatta/etc/functions/script-template

configure > ${logFile}

delete system task-scheduler task postprovision >> ${logFile}

commit >> ${logFile}

save >> ${logFile}


#end no edit


– You need to mark your script as executable with the following command;

sudo chmod +x /config/scripts/

– Finally, you need to update your config with the following commands;


set system task-scheduler task postprovision executable path “/config/scripts/”

set system task-scheduler task postprovision interval 3m




– You can review the log file from USG GUI or CLI with the following command;

show log | grep openvpn

Step 8: Bonus Step – config.gateway.json configuration file (optional step)

– When I completed my configuration, I noticed that my task scheduler configuration is not working and due to this reason whenever I reboot my USG device, OpenVPN configuration was not working properly. So I decided to add task-schedule configuration in ‘config.gateway.json’ file which you can find it in your UniFi Controller system. If you are using Linux for your UniFi Controller setup then the file should be under ‘/var/lib/unifi/sites/default/‘ folder. For other operating systems, you may need to double check it with UniFi Controller Administration Guide.

– Basically, open your ‘’config.gateway.jason’ file and add the following lines after system section;

– Sometimes editing config.gateway.json file could be a bit tricky since you need to be very careful with the brackets. I recommend you to reboot your USG device and for provision after you did this change to be sure that everything is working with out any problem.

        "system": {                  "task-scheduler": {                          "task": {                                  "postprovision": {                                          "executable": {                                                  "path": "/config/scripts/"                                                     },                                                  "interval": "3m"                                             }                                     }                             }                     }  }

Step 9: Congratulations! You did it 😀 Enjoy!

Update! 14 February 2019 – Step 10 and Step 11

Step 10: Optional Firewall Configuration

– If you started to use OpenVPN on you USG than you may probably noticed that OpenVPN Users can access to any subnet / network in your network! 

– The reason behind this, basically vtun0 interface (which we configured in Step 3) is not part of any other interface group like LAN, WAN, Guest. So this is why OpenVPN User can access to any IP / Network by default.

– If you want to apply Firewall policies on OpenVPN Users than you need to add below lines to your config.gateway.json file before starting on Firewall configuration, below lines should be under “vtun0” config in config,gateway.json file;

	"interfaces": { 		"openvpn": { 			"vtun0": { 				"firewall": { 					"in": { 						"name": "LAN_IN" 					}, 					"local": { 						"name": "LAN_LOCAL" 					}, 					"out": { 						"name": "LAN_OUT" 					} 				}                            }                        }                    },

– Now, do force provision to your USG from UniFi Controller to be sure that new config.gateway.json configuration is applied to your USG.

– Finally, now you can start to create your Firewall rules for your OpenVPN Users. In below example i added two rules under LAN IN Firewall Rules. Rule 2001 is to drop all connection from OpenVPN Users and Rule 2000 is to allow only to specofic IP addresses from OpenVPN Users

– And as a last step you need to add another Firewall rule on Lan OUT interface since we need to allow return traffic for the session to established.

Lan OUT Rule should be like below; you only need to allow ‘Established” states!

Now you can create additional firewall rules for OpenVPN Users to allow them only needed destination IPs / Networks.

Step: 11 If you want to do more granular configuration, there are couple of tricky points that you need to be aware of;

– When you complete Step 10 which allows you to apply firewall rules on OpenVPN Users, you will noticed that OpenVPN Users will able to communicate with the internal allowed IP addresses but they will not able to communicate with Internet. Because in UniFi USG firewall configuration there is no option to apply firewall rules from LAN_IN interface to WAN_OUT or eth0 interface. I think firewall configuration page should be more flexible to allow these configurations in a easy way. It can be really possible to have netscreen like configuration gui. If they can do it, that will be extremely useful. 

– Anyway, having said that of course there is a workaround to allow internet access for OpenVPN Users (if it’s really needed) 

– Basically, you need to add couple of tricky config on firewall rules which you created in Step 10.

– Check the below screenshot which will give you the main idea to allow internet access OpenVPN Users while they are only accessing to allowed internal IP addresses.

Rule 2000 details should be like below screenshot. Which you are allowing OpenVPN Users to access needed internal IP addresses (Source Group points OpenVPN Users subnet and Destination Group points IP Addresses that OpenVPN Users can access)

Here is the tricky part. While Rule 2000 allows OpenVPN Users to access internal allowed IP addressesRule 2001 blocks all the other connections from OpenVPN Users.

In Rule 2001 is drop rule and basically, i added OpenVPN Users Subnet as a source group and added LAN Subnet & Guest Subnet & OpenVPN Subnet as destination group.

Because i don’t want to allow OpenVPN Users to access any Local IP Addresses expect Allowed IP list in Rule 2000. But I need to allow the rest of the communication to anyother destinations, in this case basically it’s internet since we blocked the all internal subnets with rule 2001.

Below is the example LAN & Guest & OpenVPN Subnet Group that i used in Rule 2001 under LAN_IN firewall policy set as destination group. (Do not worry, these are not my internal subnets, i changed them just to give you an example 😀 )

Please replace the below IP addresses with your OpenVPN Users Subnet which you configured in step 3 and add your LAN Subnet, Guest Subnet, etc.

And the OpenVPN_Subnet group that i used in LAN_IN firewall policiesPlease replace the below IP address with your OpenVPN Users Subnet which you configured in step 3


Table of Contents