{"id":16652920,"url":"https://github.com/dougsland/unifi-openvpn","last_synced_at":"2025-09-05T10:33:22.032Z","repository":{"id":64114323,"uuid":"312126267","full_name":"dougsland/unifi-openvpn","owner":"dougsland","description":"Tutorial how to enable OpenVPN Server in Unifi and set a client via Fedora/NetworkManager","archived":false,"fork":false,"pushed_at":"2021-04-03T11:22:55.000Z","size":3322,"stargazers_count":7,"open_issues_count":0,"forks_count":5,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-12-27T21:04:17.780Z","etag":null,"topics":["fedora","firewall","linux","networkmanager","networkmanager-openvpn","openvpn","ubiquiti","ubiquiti-unifi-controller","unifi"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dougsland.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-11-12T00:36:23.000Z","updated_at":"2024-10-05T05:22:20.000Z","dependencies_parsed_at":"2023-01-14T22:45:29.016Z","dependency_job_id":null,"html_url":"https://github.com/dougsland/unifi-openvpn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dougsland%2Funifi-openvpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dougsland%2Funifi-openvpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dougsland%2Funifi-openvpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dougsland%2Funifi-openvpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/
dougsland","download_url":"https://codeload.github.com/dougsland/unifi-openvpn/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":232037337,"owners_count":18463715,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fedora","firewall","linux","networkmanager","networkmanager-openvpn","openvpn","ubiquiti","ubiquiti-unifi-controller","unifi"],"created_at":"2024-10-12T09:30:34.200Z","updated_at":"2024-12-31T23:47:08.894Z","avatar_url":"https://github.com/dougsland.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"- [Tutorial: How to enable openvpn server in Unifi device?](#tutorial--how-to-enable-openvpn-server-in-unifi-device-)\n  * [0 Internet Providers (Modem to Security Gateway)](#Internet-Providers)\n    + [Comcast](#Comcast)\n      + [Comcast Business](#Comcast-Business)\n  * [1 Enable SSH auth](#1-enable-ssh-auth)\n  * [2 Security Gateway - Install easy-rsa](#2-security-gateway---install-easy-rsa)\n  * [3 Security Gateway - Generate the client/server/ca keys](#3-security-gateway---generate-the-keys)\n    + [3.1 CA](#31-ca)\n    + [3.2 Server](#32-server)\n    + [3.3 Client](#33-client)\n    + [3.4 Generate Diffie Hellman](#34-generate-diffie-hellman)\n    + [3.5 Copy the keys](#35-copy-the-keys)\n  * [4 Controller - Create config.gateway.json file](#4-controller---create-configgatewayjson-file)\n  * [5 Firewall](#5-firewall)\n    + [LAN IN](#lan-in)\n    + [LAN OUT](#lan-out)\n  * [6 Client](#6-client)\n    + [Fedora 33](#fedora-33)\n      - [Network Manager 
Settings](#network-manager-settings)\n      - [Packages](#packages)\n  * [Android App (Optional)](#android-app)\n  * [Console client using ovpn file (Optional)](#console-client-using-ovpn-file)\n  * [Radius (Optional)](#radius)\n  * [Useful links](#useful-links)\n\n# Tutorial: How to enable openvpn server in Unifi device?\nSteps to configure OpenVPN on a Unifi device\n\n## Internet Providers\nFeel free to contribute via pull request, adding your local Internet Provider settings from any part of the world.  \n\nPlease note:  \nThe tutorial assumes users will physically connect (i.e., RJ45 cables) the **Internet Provider modem into the Security Gateway device**.  \n\n\n### Comcast\n#### Comcast Business\nIt's recommended to **change the default password** for the modem's admin user: **cusadmin**  \nThe default passwords are: **highspeed** or **CantTouchThis** as [described by Comcast](https://business.comcast.com/help-and-support/internet/setup-manage-comcast-wifi-business-wireless-gateway/#:~:text=Go%20to%20http%3A%2F%2F10.1,highspeed%20or%20CantTouchThis%20for%20Password)\n\n![](png/comcast/comcast1.png)\n![](png/comcast/comcast2.png)\n![](png/comcast/comcast3.png)\n![](png/comcast/comcast4.png)\n![](png/comcast/comcast5.png)\n![](png/comcast/comcast6.png)\n![](png/comcast/comcast7.png)\n![](png/comcast/comcast8.png)\n![](png/comcast/comcast9.png)\n![](png/comcast/comcast10.png)\n![](png/comcast/comcast11.png)\n\n\n## 1 Enable SSH auth\n1) Enable SSH authentication in the controller via Advanced Features\n    - Controller -\u003e Settings -\u003e Site -\u003e DEVICE AUTHENTICATION  \n      [**x**] Enable SSH Authentication\n\n![](/png/controller/controller-enable-ssh-auth.png)\n\n## 2 Security Gateway - Install easy-rsa\n\nLog in to the Security Gateway as **admin** and install easy-rsa to generate the keys\n\n```\n$ ssh admin@SECURITY_GATEWAY_IP\n$ sudo su -\n# curl -O http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_2.2.2-1_all.deb\n# sudo dpkg -i 
easy-rsa_2.2.2-1_all.deb\n```\n\n## 3 Security Gateway - Generate the keys\n### 3.1 CA\nCommon Name is \"**OpenVPN CA**\"\n```\n# cd /usr/share/easy-rsa\n# . vars\n# ./clean-all\n# ./build-ca\n```\n\n### 3.2 Server\nCommon Name is \"**server**\"\n```\n# ./build-key-server server\n```\n\n### 3.3 Client\n```\n# ./build-key client\n```\n### 3.4 Generate Diffie Hellman\n```\n# ./build-dh\n```\n\n### 3.5 Copy the keys\n```\n# mkdir /config/auth/keys/\n# cp keys/* /config/auth/keys/\n```\n\n## 4 Controller - Create config.gateway.json file\n\nLog in to the Controller as **root**\n\n```\n$ ssh root@CONTROLLER_IP\n$ sudo su -\n# cd /srv/unifi/data/sites/default  \n# vi config.gateway.json\n```\n[See this working example of config.gateway.json](https://github.com/dougsland/unifi-openvpn/blob/main/CONTROLLER/srv/unifi/data/sites/default/config.gateway.json)\n\n## 5 Firewall\n![](png/controller/firewall/unifi-firewall.png)\n\n### LAN IN\n![](png/controller/firewall/LAN_IN/unifi-firewall01.png)\n![](png/controller/firewall/LAN_IN/unifi-firewall02.png)\n![](png/controller/firewall/LAN_IN/unifi-firewall03.png)\n\n### LAN OUT\n![](png/controller/firewall/LAN_OUT/unifi-lanout00.png)\n![](png/controller/firewall/LAN_OUT/unifi-lanout01.png)\n![](png/controller/firewall/LAN_OUT/unifi-lanout02.png)\n\n## 6 Client\n### Fedora 33\n\n```\n$ cat /etc/fedora-release \nFedora release 33 (Thirty Three)\n\n# dnf install NetworkManager-l2tp \\\n              NetworkManager-l2tp-gnome \\\n              NetworkManager-strongswan-gnome \\\n              NetworkManager-strongswan -y\n\n# systemctl restart NetworkManager\n\n```\n#### Network Manager Settings\n\n![](/png/NetworkManager/unifi_add_vpn_00.png)\n![](/png/NetworkManager/unifi_add_vpn_01.png)\n![](/png/NetworkManager/unifi_add_vpn_02.png)\n![](/png/NetworkManager/unifi_add_vpn_03.png)\n![](/png/NetworkManager/unifi_add_vpn_04.png)\n![](/png/NetworkManager/unifi_add_vpn_05.png)\n![](/png/NetworkManager/unifi_add_vpn_06.png)\n\n#### Packages\n```\n$ rpm 
-qa | grep NetworkManager\nNetworkManager-l2tp-gnome-1.8.2-2.fc33.x86_64\nNetworkManager-openvpn-gnome-1.8.12-1.fc33.1.x86_64\nNetworkManager-ssh-1.2.11-2.fc33.x86_64\nNetworkManager-vpnc-1.2.6-5.fc33.x86_64\nNetworkManager-vpnc-gnome-1.2.6-5.fc33.x86_64\nNetworkManager-ssh-gnome-1.2.11-2.fc33.x86_64\nNetworkManager-openvpn-1.8.12-1.fc33.1.x86_64\nNetworkManager-openconnect-gnome-1.2.6-5.fc33.x86_64\nNetworkManager-strongswan-gnome-1.5.0-2.fc33.x86_64\nNetworkManager-pptp-1.2.8-2.fc33.1.x86_64\nNetworkManager-openconnect-1.2.6-5.fc33.x86_64\nNetworkManager-l2tp-1.8.2-2.fc33.x86_64\nNetworkManager-strongswan-1.5.0-2.fc33.x86_64\nNetworkManager-pptp-gnome-1.2.8-2.fc33.1.x86_64\nNetworkManager-libnm-1.26.4-1.fc33.x86_64\nNetworkManager-1.26.4-1.fc33.x86_64\nNetworkManager-wwan-1.26.4-1.fc33.x86_64\nNetworkManager-bluetooth-1.26.4-1.fc33.x86_64\nNetworkManager-adsl-1.26.4-1.fc33.x86_64\nNetworkManager-ppp-1.26.4-1.fc33.x86_64\nNetworkManager-team-1.26.4-1.fc33.x86_64\nNetworkManager-wifi-1.26.4-1.fc33.x86_64\nNetworkManager-config-connectivity-fedora-1.26.4-1.fc33.noarch\n```\n\n## Android App\n\nOptional step.\n\nUse your [client.ovpn](https://raw.githubusercontent.com/dougsland/unifi-openvpn/main/client/ovpn/client.ovpn) with the [Android app](https://play.google.com/store/apps/details?id=net.openvpn.openvpn)\n\n## Console client using ovpn file\n\nOptional step.\n\n```\n# openvpn --config filename.ovpn\n```\n[See this client.ovpn example](https://raw.githubusercontent.com/dougsland/unifi-openvpn/main/client/ovpn/client.ovpn)\n\n## Radius\n\nOptional Step.\n\n1) Enable Radius (Optional if you are using only auth keys)\n\n   - Controller -\u003e Settings -\u003e Services -\u003e Radius \n\n   - Server tab\n     - Create secret\n     - Authentication Port: 1812\n     - AccountingPort: 1813\n     - Account Interim Interval: 600\n     - Tunnelled Reply: ON\n\n   - Users tab\n     - Name: YOUR_USERNAME\n     - Password: YOUR_PASSWORD\n     - Tunnel Type: 3- Layer Two 
Tunneling Protocol (L2TP)\n     - Tunnel Medium Type: 1- IPv4 (IP version 4)\n\n## Useful links\n[UniFi - Accounts and Passwords for Controller, Cloud Key and Other Devices](https://help.ui.com/hc/en-us/articles/204909374-UniFi-Accounts-and-Passwords-for-Controller-Cloud-Key-and-Other-Devices)  \nhttps://blog.configwizard.xyz/configuring-openvpn-on-a-unifi-security-gateway/  \nhttps://medium.com/server-guides/how-to-setup-an-openvpn-server-on-a-unifi-usg-e33ea2f6725d\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdougsland%2Funifi-openvpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdougsland%2Funifi-openvpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdougsland%2Funifi-openvpn/lists"}