Tutorial: how to enable the OpenVPN server on UniFi and set up a client via Fedora/NetworkManager

dougsland/unifi-openvpn

Tutorial: How to enable the OpenVPN server on a UniFi device

Steps to configure OpenVPN on the UniFi Security Gateway

Internet Providers

Feel free to contribute via pull request by adding the settings for your local Internet provider, from any part of the world.

Please note:
The tutorial assumes users will physically connect (i.e., with RJ45 cables) the Internet provider's modem to the Security Gateway device.

Comcast

Comcast Business

It's recommended to change the default password of the modem's admin account, cusadmin.
The default passwords are highspeed or CantTouchThis, as described by Comcast.

1 Enable SSH auth

  1. Enable SSH authentication in the controller via Advanced Features
    • Controller -> Settings -> Site -> DEVICE AUTHENTICATION
      [x] Enable SSH Authentication

2 Security Gateway - Install easy-rsa

Log in to the Security Gateway as admin and install easy-rsa to generate the keys.

$ ssh admin@SECURITY_GATEWAY_IP
$ sudo su -
# curl -O http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_2.2.2-1_all.deb
# sudo dpkg -i easy-rsa_2.2.2-1_all.deb

3 Security Gateway - Generate the keys

3.1 CA

Common Name is "OpenVPN CA"

# cd /usr/share/easy-rsa
# . vars
# ./clean-all
# ./build-ca

3.2 Server

Common Name is "server"

# ./build-key-server server

3.3 Client

# ./build-key client

3.4 Generate Diffie Hellman

# ./build-dh

3.5 Copy the keys

# mkdir /config/auth/keys/
# cp keys/* /config/auth/keys/
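
A narrower alternative to the `cp keys/*` step, as an added example that is not part of the original tutorial: `keys/*` also contains the CA private key (`ca.key`) and the client key, which the OpenVPN server never reads. The function names are hypothetical, and the file names assume easy-rsa 2 defaults with the Common Names used above (`ca.crt`, `server.crt`, `server.key`, `dh<bits>.pem`) and GNU `install`/`find`.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial); function names are hypothetical.
# Assumes easy-rsa 2 output names: ca.crt, server.crt, server.key, dh<bits>.pem.

# Copy only what the OpenVPN server reads; ca.key and client.* stay behind.
install_server_keys() {
    local src=$1 dst=$2 f dh
    mkdir -p "$dst" && chmod 700 "$dst" || return 1
    for f in ca.crt server.crt server.key; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; return 1; }
    done
    dh=$(ls "$src"/dh*.pem 2>/dev/null | head -n 1)
    [ -n "$dh" ] || { echo "missing: $src/dh*.pem" >&2; return 1; }
    install -m 644 "$src/ca.crt" "$src/server.crt" "$dh" "$dst/" || return 1
    install -m 600 "$src/server.key" "$dst/"
}

# Print one finding per line; exit status is 0 only when there are none.
audit_key_dir() {
    local dir=$1 f findings=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        if [ "$(basename "$f")" != "server.key" ]; then
            echo "unexpected private key: $f"; findings=$((findings + 1))
        fi
        # -perm /077: any group or other permission bit is set (GNU find).
        if [ -n "$(find "$f" -perm /077)" ]; then
            echo "readable beyond owner: $f"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage on the gateway, as root:
#   install_server_keys /usr/share/easy-rsa/keys /config/auth/keys
#   audit_key_dir /config/auth/keys
```

Running `audit_key_dir` against a directory that was filled with `cp keys/*` lists `ca.key` and `client.key` as findings; move them off the gateway (the client key to the client, the CA key to offline storage).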

4 Controller - Create config.gateway.json file

Log in to the controller as root.

$ ssh root@CONTROLLER_IP
$ sudo su -
# cd /srv/unifi/data/sites/default  
# vi config.gateway.json

See this working example of config.gateway.json

5 Firewall

LAN IN

LAN OUT

6 Client

Fedora 33

$ cat /etc/fedora-release 
Fedora release 33 (Thirty Three)

# dnf install NetworkManager-l2tp \
              NetworkManager-l2tp-gnome \
              NetworkManager-strongswan-gnome \
              NetworkManager-strongswan -y

# systemctl restart NetworkManager

Network Manager Settings

Packages

$ rpm -qa | grep NetworkManager
NetworkManager-l2tp-gnome-1.8.2-2.fc33.x86_64
NetworkManager-openvpn-gnome-1.8.12-1.fc33.1.x86_64
NetworkManager-ssh-1.2.11-2.fc33.x86_64
NetworkManager-vpnc-1.2.6-5.fc33.x86_64
NetworkManager-vpnc-gnome-1.2.6-5.fc33.x86_64
NetworkManager-ssh-gnome-1.2.11-2.fc33.x86_64
NetworkManager-openvpn-1.8.12-1.fc33.1.x86_64
NetworkManager-openconnect-gnome-1.2.6-5.fc33.x86_64
NetworkManager-strongswan-gnome-1.5.0-2.fc33.x86_64
NetworkManager-pptp-1.2.8-2.fc33.1.x86_64
NetworkManager-openconnect-1.2.6-5.fc33.x86_64
NetworkManager-l2tp-1.8.2-2.fc33.x86_64
NetworkManager-strongswan-1.5.0-2.fc33.x86_64
NetworkManager-pptp-gnome-1.2.8-2.fc33.1.x86_64
NetworkManager-libnm-1.26.4-1.fc33.x86_64
NetworkManager-1.26.4-1.fc33.x86_64
NetworkManager-wwan-1.26.4-1.fc33.x86_64
NetworkManager-bluetooth-1.26.4-1.fc33.x86_64
NetworkManager-adsl-1.26.4-1.fc33.x86_64
NetworkManager-ppp-1.26.4-1.fc33.x86_64
NetworkManager-team-1.26.4-1.fc33.x86_64
NetworkManager-wifi-1.26.4-1.fc33.x86_64
NetworkManager-config-connectivity-fedora-1.26.4-1.fc33.noarch

Android App

Optional step.

Use your client.ovpn with the Android app

Console client using ovpn file

Optional step.

# openvpn --config filename.ovpn

See this client.ovpn example

Radius

Optional Step.

  1. Enable Radius (Optional if you are using only auth keys)

    • Controller -> Settings -> Services -> Radius

    • Server tab

      • Create secret
      • Authentication Port: 1812
      • Accounting Port: 1813
      • Account Interim Interval: 600
      • Tunnelled Reply: ON
    • Users tab

      • Name: YOUR_USERNAME
      • Password: YOUR_PASSWORD
      • Tunnel Type: 3- Layer Two Tunneling Protocol (L2TP)
      • Tunnel Medium Type: 1- IPv4 (IP version 4)

Useful links

UniFi - Accounts and Passwords for Controller, Cloud Key and Other Devices
https://blog.configwizard.xyz/configuring-openvpn-on-a-unifi-security-gateway/
https://medium.com/server-guides/how-to-setup-an-openvpn-server-on-a-unifi-usg-e33ea2f6725d
