How to set up an OpenVPN server on a Unifi USG

I love being able to jump back into my home network via OpenVPN: it's much more secure, easier to set up, and supported by quite a few high-quality clients across all platforms.

An OpenVPN server isn't supported out of the box on the USG, so the steps below create one that, in my experience, persists even when the controller reprovisions the USG.

There are a lot of steps, but the result is a strong and stable platform, so take it slowly and let's start.

Create the keys

Install the Easy-RSA package

sudo bash
curl -O http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_2.2.2-1~bpo70+1_all.deb
sudo dpkg -i easy-rsa_2.2.2-1~bpo70+1_all.deb

Generate your keys

cd /usr/share/easy-rsa
. vars
./clean-all
./build-ca

Give it a sensible common-name, something like: “OpenVPN CA”

./build-key-server server

Set the common name to “server”
Answer yes to signing the certificate and committing it.
Now create your client key

./build-key client1

Then run the following command (it takes a while to complete):

./build-dh

Copy the generated files

mkdir /config/auth/keys/
cp keys/* /config/auth/keys/

Create an .ovpn client profile

Customise the entries below for your address, and paste the certificates and key you created earlier into the inline <ca>, <cert> and <key> blocks (the markers must be plain ASCII hyphens, exactly as they appear in the files on the USG).

client
float
dev tun
remote my.domain.com 1194 udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 5
<ca>
-----BEGIN CERTIFICATE-----
[Copy from USG using command sudo nano /config/auth/keys/ca.crt]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[Copy from USG using command sudo nano /config/auth/keys/client1.crt]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[Copy from USG using command sudo nano /config/auth/keys/client1.key]
-----END PRIVATE KEY-----
</key>
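A profile assembled by hand from a web page fails in predictable ways: a placeholder is left in an inline block, a "smart" dash replaces the hyphens in a PEM marker, or the cipher doesn't match what the server runs. The script below is an added example (not code from the original post) that checks a .ovpn file for those problems before you import it into a client. It assumes the USG's "aes256" setting corresponds to OpenVPN's AES-256-CBC (the default expected cipher here), and the two sample profiles and their PEM bodies are constructed stand-ins, not real certificates or keys. Because the profile embeds the client's private key, treat the finished file with the same care as the key itself.

```python
"""Check an OpenVPN client profile (.ovpn) before importing it (added example)."""
import re

# Inline blocks a client profile needs when the certificates are embedded.
REQUIRED_BLOCKS = ("ca", "cert", "key")
# One complete PEM object: ASCII markers around a base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\s]+-----END \1-----")
# Dashes that word processors and web pages substitute for a plain '-'.
BAD_DASH_RE = re.compile("[\u2010-\u2015\u2212]")
INLINE_RE = re.compile(r"<(\w+)>\n(.*?)\n</\1>", re.S)


def check_ovpn(text, expected_cipher="AES-256-CBC"):
    """Return a list of problems found in the profile; an empty list means it looks sane."""
    text = text.replace("\r\n", "\n")  # tolerate a file saved with Windows line endings
    problems = []
    if BAD_DASH_RE.search(text):
        problems.append("non-ASCII dash found; PEM markers must use plain '-' characters")

    blocks = {m.group(1): m.group(2).strip() for m in INLINE_RE.finditer(text)}
    for name in REQUIRED_BLOCKS:
        if name not in blocks:
            problems.append(f"<{name}> inline block is missing or not closed")
        elif not PEM_RE.fullmatch(blocks[name]):
            problems.append(f"<{name}> does not hold a single well-formed PEM object "
                            "(placeholder text still present?)")

    # Directives live outside the inline blocks; strip those before parsing.
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, value)

    if "remote" not in directives:
        problems.append("no 'remote' directive; the client has no server to connect to")
    cipher = directives.get("cipher")
    if cipher is not None and cipher != expected_cipher:
        problems.append(f"cipher {cipher} does not match the server's {expected_cipher}")
    return problems


# Constructed sample: the directives from the post with fake PEM bodies (not real keys).
GOOD_PROFILE = """client
float
dev tun
remote my.domain.com 1194 udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 5
<ca>
-----BEGIN CERTIFICATE-----
MIIBexampleCAbodyNotARealCertificate0000000000000000000000000000
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBexampleClientCertNotReal00000000000000000000000000000000000
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEexamplePrivateKeyNotReal000000000000000000000000000000000000
-----END PRIVATE KEY-----
</key>
"""

# Constructed sample with the usual copy/paste mistakes: smart dashes and a
# placeholder left in <ca>, no <key> block, and no remote line.
BAD_PROFILE = """client
dev tun
cipher AES-256-CBC
<ca>
\u2014 \u2014 -BEGIN CERTIFICATE \u2014 \u2014 -
[Copy from USG using command sudo nano /config/auth/keys/ca.crt]
\u2014 \u2014 -END CERTIFICATE \u2014 \u2014 -
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBexampleClientCertNotReal00000000000000000000000000000000000
-----END CERTIFICATE-----
</cert>
"""

if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, check_ovpn(profile) or "OK")
```

Run it against your own file with `check_ovpn(open("client1.ovpn").read())`; a non-empty list tells you what to fix before the client ever tries to connect.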

Configure JSON to retain settings

In order to maintain the setup if the USG gets reprovisioned, you will need to configure the config.gateway.json file on the Unifi controller.

I found the simplest way was to SFTP into the CloudKey, navigate to /srv/unifi/data/sites/default and open (or create) the file config.gateway.json there (on Ubuntu the controller keeps it under /usr/lib/unifi/data/sites/).

This is the configuration I've used:

{
  "firewall": {
    "name": {
      "WAN_LOCAL": {
        "rule": {
          "20": {
            "action": "accept",
            "description": "Allow OpenVPN clients in",
            "destination": {
              "port": "1194"
            },
            "log": "disable",
            "protocol": "udp"
          }
        }
      }
    }
  },
  "interfaces": {
    "openvpn": {
      "vtun0": {
        "encryption": "aes256",
        "mode": "server",
        "server": {
          "push-route": "192.168.10.0/24",
          "name-server": "192.168.10.1",
          "subnet": "192.168.200.0/24"
        },
        "openvpn-option": [
          "--keepalive 8 30",
          "--comp-lzo",
          "--duplicate-cn",
          "--user nobody --group nogroup",
          "--verb 1",
          "--proto udp6",
          "--port 1194",
          "--push redirect-gateway def1"
        ],
        "tls": {
          "ca-cert-file": "/config/auth/keys/ca.crt",
          "cert-file": "/config/auth/keys/server.crt",
          "dh-file": "/config/auth/keys/dh2048.pem",
          "key-file": "/config/auth/keys/server.key"
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "5010": {
          "description": "Masquerade for WAN",
          "outbound-interface": "eth0",
          "type": "masquerade"
        }
      }
    }
  }
}

For these changes to take effect, you will need to go to the Unifi dashboard and reprovision the security gateway in order to deploy the settings.
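A config.gateway.json that is not valid JSON, or whose parts disagree with each other, only shows up as a failed provision, so it is worth checking the file on your workstation first. The script below is an added example (not code from the original post) that parses the file and cross-checks the pieces the post relies on: the WAN_LOCAL firewall rule must accept the port and protocol family given in openvpn-option, the tls files must live under /config/auth/keys/ (the path the post copies the keys to), the client subnet must not overlap the pushed LAN route, and a masquerade NAT rule must exist. The embedded JSON is the post's own configuration; the checks and the assumed defaults (OpenVPN's 1194/udp when no option is given) are mine.

```python
"""Cross-check a USG config.gateway.json for OpenVPN consistency (added example)."""
import ipaddress
import json
import re


def _opt(options, flag, default):
    """Return the value following an OpenVPN flag in the joined openvpn-option list."""
    m = re.search(rf"{re.escape(flag)} (\S+)", options)
    return m.group(1) if m else default


def check_gateway_json(text, keys_dir="/config/auth/keys/"):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]  # the controller would fail to provision this

    wan_rules = (cfg.get("firewall", {}).get("name", {})
                 .get("WAN_LOCAL", {}).get("rule", {}))
    nat_rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    tunnels = cfg.get("interfaces", {}).get("openvpn", {})
    if not tunnels:
        findings.append("no interfaces.openvpn section; no server would be started")

    for name, iface in tunnels.items():
        options = " ".join(iface.get("openvpn-option", []))
        port = _opt(options, "--port", "1194")   # OpenVPN defaults, assumed
        proto = _opt(options, "--proto", "udp")
        family = proto[:3]                       # udp / udp6 -> udp, tcp-server -> tcp
        allowed = any(rule.get("action") == "accept"
                      and str(rule.get("destination", {}).get("port")) == port
                      and str(rule.get("protocol", "")).startswith(family)
                      for rule in wan_rules.values())
        if not allowed:
            findings.append(f"{name}: no WAN_LOCAL accept rule for {family} port {port}")
        for role, path in iface.get("tls", {}).items():
            if not path.startswith(keys_dir):
                findings.append(f"{name}: tls {role} is outside {keys_dir}: {path}")
        srv = iface.get("server", {})
        try:
            pool = ipaddress.ip_network(srv["subnet"])
            lan = ipaddress.ip_network(srv["push-route"])
            if pool.overlaps(lan):
                findings.append(f"{name}: client subnet {pool} overlaps pushed route {lan}")
        except (KeyError, ValueError) as exc:
            findings.append(f"{name}: server subnet/push-route problem: {exc}")

    if not any(rule.get("type") == "masquerade" for rule in nat_rules.values()):
        findings.append("no masquerade NAT rule; VPN clients could not reach the internet via WAN")
    return findings


# The post's configuration, compacted but otherwise unchanged.
PAGE_CONFIG = """{
  "firewall": {"name": {"WAN_LOCAL": {"rule": {"20": {
    "action": "accept", "description": "Allow OpenVPN clients in",
    "destination": {"port": "1194"}, "log": "disable", "protocol": "udp"}}}}},
  "interfaces": {"openvpn": {"vtun0": {
    "encryption": "aes256", "mode": "server",
    "server": {"push-route": "192.168.10.0/24", "name-server": "192.168.10.1",
               "subnet": "192.168.200.0/24"},
    "openvpn-option": ["--keepalive 8 30", "--comp-lzo", "--duplicate-cn",
                       "--user nobody --group nogroup", "--verb 1", "--proto udp6",
                       "--port 1194", "--push redirect-gateway def1"],
    "tls": {"ca-cert-file": "/config/auth/keys/ca.crt",
            "cert-file": "/config/auth/keys/server.crt",
            "dh-file": "/config/auth/keys/dh2048.pem",
            "key-file": "/config/auth/keys/server.key"}}}},
  "service": {"nat": {"rule": {"5010": {"description": "Masquerade for WAN",
    "outbound-interface": "eth0", "type": "masquerade"}}}}
}"""

if __name__ == "__main__":
    print("post's config:", check_gateway_json(PAGE_CONFIG) or "OK")
    # A firewall rule that opens the wrong port is a typical silent mistake.
    print("wrong port:", check_gateway_json(PAGE_CONFIG.replace('"port": "1194"', '"port": "1195"')))
    print("truncated file:", check_gateway_json(PAGE_CONFIG[:-1]))
```

Run `check_gateway_json(open("config.gateway.json").read())` before you reprovision; an empty list means the server, firewall and NAT pieces agree with each other.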

Monitor OpenVPN Server

To check the server status, run:

show openvpn status server