Whole house OpenVPN on Unifi Security Gateway

8 posts Page 1 of 1
by Backmarker » Wed Oct 10, 2018 11:26 am
I am a long-time sonic.net customer who moved to FTTN service. The trade-off of ATT snooping on my traffic for speed seemed reasonable. Today I run OpenVPN on our most active devices, but I hate the fact that ATT is snooping on all the IoT devices, random old tablets, game console, etc. I'd like to VPN all of my traffic, and not have to maintain separate clients on each device (many of which can't run OpenVPN, like my sprinkler controller).

I'm fortunate that my LAN/WLAN are all on Unifi products, including their excellent Unifi Security Gateway (USG). I'd like to take advantage of built in OpenVPN support and encrypt ALL of my WAN traffic to sonic to keep ATT out of our business. What's that quote, "I have nothing to hide, but nothing to share"?

Has anyone successfully configured this type of setup? While I have a (very dated) CS degree, I am not an expert on CLI, VPNs, et al. Looking for a simple setup guide. Here is what I have done, but it doesn't seem to do anything (whatsmyip still shows the ATT IP):
1. sonic.net OpenVPN server/port. I found this; is it correct? Port 1194
2. My own actual ATT IP and an open UDP port on the USG
3. My 2048-bit shared secret. I generated this on the USG via CLI and copied it into the config; had to manually delete all whitespace (used this very sparse and low-value guide: https://help.ubnt.com/hc/en-us/articles ... o-Site-VPN)
4. Created a WAN local rule on the USG for the port specified in step 2, open for UDP inbound

Can anyone advise?
by Guest » Fri Oct 12, 2018 6:21 am
I'm a big supporter of Ubiquiti products including the USGs but they are certainly limited in VPN client support. This is the main reason I've stuck with pfSense - much more flexibility/configurable options and you can choose the hardware that fits your needs. Once IDS/IPS is enabled on the USG throughput is limited to 85Mbps and hardware offload is disabled so hardware is also on the lower end... Can't beat the price though.

Regarding your question, it still appears there's no easy way of configuring the USG as a VPN client, as you've found out, but you can follow this thread with the hope that better OpenVPN client support (other than PPTP) gets added: https://community.ubnt.com/t5/UniFi-Rou ... -p/1882164

As an FYI the lead USG developer came from the pfSense team so all hope is not lost :)
by msandrof » Sun Oct 21, 2018 10:04 pm
Are you trying to set up your USG as a VPN client or are you trying to allow remote users VPN access to your LAN? Both are possible with the USG. I've set up the latter and it works well enough for my needs. The setup is not all that simple and will probably depend on the complexity of your LAN. I'll see if I can locate the howtos I used.
by irenazakrajsek » Mon Oct 22, 2018 5:10 pm
Hi I am the original poster in this thread.

To be clear, my use case is to set up my router as a client of the sonic VPN and route 100% of my WAN traffic through OpenVPN to keep ATT from packet sniffing my family's data and selling it to slavebook and Scroogle among other bad actor Internet advertising/privacy theft organizations.

Having dug in more deeply, what I have learned is that I need to create some config files on the Unifi Security Gateway that will tell it to route all traffic to the VPN server hosted by sonic. Having read pages of unifi threads it sounds like this is possible but unfortunately not supported in the UI.

I am looking to use this guide: https://nordvpn.com/tutorials/edgerouter/openvpn/

Couple of questions:
1. Can someone please confirm that the sonic.net VPN server IP is and that the VPN server is listening on port 1194
2. How does sonic support generation of certificates? I had to download a pre-configured client for my userid/password that I am guessing embeds the cert? Trying to figure out how to parse all of this, as it is a binary file in the VPN client
3. I found how to generate a key on the USG as shown in the file example above, so that seems easy

If this seems like a bad approach, let me know. I also have a quad-core Mac mini server in the DMZ I could use as a VPN client and route traffic through it, I suppose; it has more CPU power than the USG. I'm just trying to keep my family's privacy.
by Guest » Tue Oct 23, 2018 6:23 am
Couple of questions:
1. Can someone please confirm that the sonic.net VPN server IP is and that the VPN server is listening on port 1194
2. How does sonic support generation of certificates? I had to download a pre-configured client for my userid/password that I am guessing embeds the cert? Trying to figure out how to parse all of this, as it is a binary file in the VPN client

1. Yes, that is the correct IP and port although I prefer to use the hostname (ovpn.sonic.net) in case the IP changes.
2. You need to download Sonic's .ovpn file from https://ovpn.sonic.net (select login instead of connect).
3. These options will keep you from having to manually reconnect/re-authenticate the client after VPN server outages, maintenance, etc.:

    # Renegotiate the data-channel keys once a week (value in seconds) instead of
    # OpenVPN's hourly default.
    reneg-sec 604800;
    # Ignore the auth-token the server pushes after login, so that a reconnect
    # after an outage re-sends the original username/password instead of a
    # token that may have expired.
    pull-filter ignore "auth-token";
    # Note: the trailing semicolons are the separator used by pfSense's
    # custom-options field; a plain .ovpn file takes one option per line with no ';'.

What you want to do is perfectly reasonable (heck, I run two different VPN clients on pfSense); just unfortunate that the USG lacks a basic VPN client function which most consumer grade routers (yuck) now come with. Also, that guide refers to Ubiquiti's Edge router... Not sure that the USG functions the same but possible I suppose.
by msandrof » Tue Oct 23, 2018 9:46 am
USG does have client vpn from the UI but it is very limited. While I really love the UniFi stuff, some critical areas are still lacking.
by forest » Wed Oct 24, 2018 4:48 pm
I've never touched a Unifi device, so can't offer any specific directions, but since I have done what you ask on Edgerouters, I would expect it to be possible on the USG as well. Here are a few tips that might apply to your device:

  • Your client certificate is embedded in the .ovpn file that Sonic's vpn server will generate for you. Sonic won't accept one that you generate yourself.
  • Ubiquiti's current EdgeOS release for Edgerouters includes OpenVPN 2.3, which Sonic's production server stopped supporting a couple of months ago. (It now requires a TLS version newer than what OpenVPN 2.3 offers.) The result is a TLS handshake failure when attempting to start a VPN session. If you run into this problem on the USG, you might consider postponing this project, finding a device with newer (and easier) OpenVPN support, or using Sonic's beta VPN server (warning: it's not well-supported) until Ubiquiti's next major OS version is released. The new Edgerouter EdgeOS is currently in alpha; I don't know if the USG's OS releases are at the same stage.
  • It might be wise to first get familiar with command line OpenVPN on a workstation, and then once you have it working, move your new knowledge and configuration file over to the USG. This way you won't have to tackle as many unfamiliar / unknown variables at once.
  • EdgeOS can be configured to launch the openvpn client at boot, but it does not detect session failures or restart the client when needed. You'll have to handle that either manually or with scripts / cron jobs.
  • Sonic's VPN sessions are directly exposed to the internet; they do not come with the security perks of NAT. This is a good thing in that few restrictions are imposed on you, but setting up a firewall would be wise. (EdgeOS can be configured to provide a firewall, NAT, or both.)
  • The Ubiquiti forums will probably be your best source for help on this project.
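A cron-driven watchdog of the kind forest describes (EdgeOS launches the client at boot but does not restart it when the session dies), as an added example that is not from the thread or from Ubiquiti. It checks the tunnel interface's link flags plus a probe host reachable only through the VPN, and restarts the client when either check fails. The interface name vtun0, the config path, the probe address and the assumption that the client was started with `openvpn --config ... --daemon` are all placeholders to adjust.

```shell
#!/bin/sh
# Constructed OpenVPN client watchdog for an EdgeOS/USG-style router.
# Assumptions (not from the thread): tunnel interface vtun0, client config at
# /config/auth/sonic.ovpn, and PROBE_HOST is an address only reachable via the
# tunnel (e.g. the VPN-side gateway). Run from cron, e.g. every 5 minutes.

TUN_IF="${TUN_IF:-vtun0}"
OVPN_CONF="${OVPN_CONF:-/config/auth/sonic.ovpn}"
PROBE_HOST="${PROBE_HOST:-10.0.0.1}"      # placeholder address
LOG_TAG="ovpn-watchdog"

# Decide whether the tunnel is healthy from (1) the output of
# `ip -o link show <if>` and (2) the exit status of a ping through the tunnel.
# Both are passed in as arguments so the decision can be tested offline.
# Returns 0 when healthy, 1 otherwise.
tunnel_healthy() {
    link_out="$1"
    ping_rc="$2"
    # The interface must exist and carry the UP flag inside the <...> flag list.
    case "$link_out" in
        *"<"*UP*">"*) ;;
        *) return 1 ;;
    esac
    # The link flag alone can lie after a server outage, so require the probe too.
    [ "$ping_rc" -eq 0 ]
}

# Live inputs for the check above.
link_state()  { ip -o link show "$TUN_IF" 2>/dev/null; }
probe_state() { ping -c 1 -W 3 "$PROBE_HOST" >/dev/null 2>&1; echo $?; }

# Restart the client. Assumes it was started by hand with --daemon; a tunnel
# managed by the EdgeOS config tree would need the matching reset command instead.
restart_client() {
    logger -t "$LOG_TAG" "tunnel $TUN_IF unhealthy, restarting OpenVPN"
    pkill -f "openvpn --config $OVPN_CONF" 2>/dev/null
    sleep 2
    openvpn --config "$OVPN_CONF" --daemon
}

main() {
    if tunnel_healthy "$(link_state)" "$(probe_state)"; then
        exit 0
    fi
    restart_client
}

# Only act when invoked as `watchdog.sh run`, so the file can also be sourced.
case "${1:-}" in
    run) main ;;
esac
```

Install it as a cron job (`*/5 * * * * /config/scripts/watchdog.sh run`) and confirm the restart path by hand once before trusting it.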
by irenazakrajsek » Sat Nov 10, 2018 11:54 am
Very helpful, thanks forest!