Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/dougsland/unifi-openvpn
Tutorial how to enable OpenVPN Server in Unifi and set a client via Fedora/NetworkManager
https://github.com/dougsland/unifi-openvpn
fedora firewall linux networkmanager networkmanager-openvpn openvpn ubiquiti ubiquiti-unifi-controller unifi
Last synced: 4 days ago
JSON representation
Tutorial how to enable OpenVPN Server in Unifi and set a client via Fedora/NetworkManager
- Host: GitHub
- URL: https://github.com/dougsland/unifi-openvpn
- Owner: dougsland
- Created: 2020-11-12T00:36:23.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2021-04-03T11:22:55.000Z (over 3 years ago)
- Last Synced: 2024-12-14T11:12:12.519Z (9 days ago)
- Topics: fedora, firewall, linux, networkmanager, networkmanager-openvpn, openvpn, ubiquiti, ubiquiti-unifi-controller, unifi
- Homepage:
- Size: 3.17 MB
- Stars: 7
- Watchers: 5
- Forks: 5
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
- [Tutorial: How to enable openvpn server in Unifi device?](#tutorial--how-to-enable-openvpn-server-in-unifi-device-)
* [0 Internet Providers (Modem to Security Gateway)](#Internet-Providers)
+ [Comcast](#Comcast)
+ [Comcast Business](#Comcast-Business)
* [1 Enable SSH auth](#1-enable-ssh-auth)
* [2 Security Gateway - Install easy-rsa](#2-security-gateway---install-easy-rsa)
* [3 Security Gateway - Generate the client/server/ca keys](#3-security-gateway---generate-the-keys)
+ [3.1 CA](#31-ca)
+ [3.2 Server](#32-server)
+ [3.3 Client](#33-client)
+ [3.4 Generate Diffie Hellman](#34-generate-diffie-hellman)
+ [3.5 Copy the keys](#35-copy-the-keys)
* [4 Controller - Create config.gateway.json file](#4-controller---create-configgatewayjson-file)
* [5 Firewall](#5-firewall)
+ [LAN IN](#lan-in)
+ [LAN OUT](#lan-out)
* [6 Client](#6-client)
+ [Fedora 33](#fedora-33)
- [Network Manager Settings](#network-manager-settings)
- [Packages](#packages)
* [Android App (Optional)](#android-app)
* [Console client using ovpn file (Optional)](#console-client-using-ovpn-file)
* [Radius (Optional)](#radius)
* [Useful links](#useful-links)# Tutorial: How to enable openvpn server in Unifi device?
Steps how to configure openvpn in the Unifi## Internet Providers
Feel free to contribute via PullRequest adding your local Internet Provider Settings from any part of the world.Please note:
The tutorial assumes users will physically connect (i.e: RJ45 cables) the **Internet Provider modem into the Security Gateway device**.### Comcast
#### Comcast Business
It's recommended to **change the default password** for the admin of the modem: **cusadmin**
The default passwords are: **highspeed** or **CantTouchThis** as [described by comcast](https://business.comcast.com/help-and-support/internet/setup-manage-comcast-wifi-business-wireless-gateway/#:~:text=Go%20to%20http%3A%2F%2F10.1,highspeed%20or%20CantTouchThis%20for%20Password)![](png/comcast/comcast1.png)
![](png/comcast/comcast2.png)
![](png/comcast/comcast3.png)
![](png/comcast/comcast4.png)
![](png/comcast/comcast5.png)
![](png/comcast/comcast6.png)
![](png/comcast/comcast7.png)
![](png/comcast/comcast8.png)
![](png/comcast/comcast9.png)
![](png/comcast/comcast10.png)
![](png/comcast/comcast11.png)## 1 Enable SSH auth
1) Enable in the controlle SSH authentication via Advanced Features
- Controller -> Settings -> Site -> DEVICE AUTHENTICATION
[**x**] Enable SSH Authentication![](/png/controller/controller-enable-ssh-auth.png)
## 2 Security Gateway - Install easy-rsa
Security Gateway login as **admin** and install easy-rsa for generating the keys
```
$ ssh admin@SECURITY_GATEWAY_IP
$ sudo su -
# curl -O http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_2.2.2-1_all.deb
# sudo dpkg -i easy-rsa_2.2.2-1_all.deb
```## 3 Security Gateway - Generate the keys
### 3.1 CA
Common Name is "**OpenVPN CA**"
```
# cd /usr/share/easy-rsa
. vars
./clean-all
./build-ca
```### 3.2 Server
Common Name is "**server**"
```
# ./build-key-server server
```### 3.3 Client
```
# ./build-key client
```
### 3.4 Generate Diffie Hellman
```
# ./build-dh
```### 3.5 Copy the keys
```
# mkdir /config/auth/keys/
# cp keys/* /config/auth/keys/
```## 4 Controller - Create config.gateway.json file
Controller login as **root**
```
$ ssh root@CONTROLLER_IP
$ sudo su -
# cd /srv/unifi/data/sites/default
# vi config.gateway.json
```
[See this working example of config.gateway.json](https://github.com/dougsland/unifi-openvpn/blob/main/CONTROLLER/srv/unifi/data/sites/default/config.gateway.json)## 5 Firewall
![](png/controller/firewall/unifi-firewall.png)### LAN IN
![](png/controller/firewall/LAN_IN/unifi-firewall01.png)
![](png/controller/firewall/LAN_IN/unifi-firewall02.png)
![](png/controller/firewall/LAN_IN/unifi-firewall03.png)### LAN OUT
![](png/controller/firewall/LAN_OUT/unifi-lanout00.png)
![](png/controller/firewall/LAN_OUT/unifi-lanout01.png)
![](png/controller/firewall/LAN_OUT/unifi-lanout02.png)## 6 Client
### Fedora 33```
$ cat /etc/fedora-release
Fedora release 33 (Thirty Three)dnf install NetworkManager-l2tp \
NetworkManager-l2tp-gnome \
NetworkManager-strongswan-gnome \
NetworkManager-strongswan -y# systemctl restart NetworkManager
```
#### Network Manager Settings![](/png/NetworkManager/unifi_add_vpn_00.png)
![](/png/NetworkManager/unifi_add_vpn_01.png)
![](/png/NetworkManager/unifi_add_vpn_02.png)
![](/png/NetworkManager/unifi_add_vpn_03.png)
![](/png/NetworkManager/unifi_add_vpn_04.png)
![](/png/NetworkManager/unifi_add_vpn_05.png)
![](/png/NetworkManager/unifi_add_vpn_06.png)#### Packages
```
$ rpm -qa | grep NetworkManager
NetworkManager-l2tp-gnome-1.8.2-2.fc33.x86_64
NetworkManager-openvpn-gnome-1.8.12-1.fc33.1.x86_64
NetworkManager-ssh-1.2.11-2.fc33.x86_64
NetworkManager-vpnc-1.2.6-5.fc33.x86_64
NetworkManager-vpnc-gnome-1.2.6-5.fc33.x86_64
NetworkManager-ssh-gnome-1.2.11-2.fc33.x86_64
NetworkManager-openvpn-1.8.12-1.fc33.1.x86_64
NetworkManager-openconnect-gnome-1.2.6-5.fc33.x86_64
NetworkManager-strongswan-gnome-1.5.0-2.fc33.x86_64
NetworkManager-pptp-1.2.8-2.fc33.1.x86_64
NetworkManager-openconnect-1.2.6-5.fc33.x86_64
NetworkManager-l2tp-1.8.2-2.fc33.x86_64
NetworkManager-strongswan-1.5.0-2.fc33.x86_64
NetworkManager-pptp-gnome-1.2.8-2.fc33.1.x86_64
NetworkManager-libnm-1.26.4-1.fc33.x86_64
NetworkManager-1.26.4-1.fc33.x86_64
NetworkManager-wwan-1.26.4-1.fc33.x86_64
NetworkManager-bluetooth-1.26.4-1.fc33.x86_64
NetworkManager-adsl-1.26.4-1.fc33.x86_64
NetworkManager-ppp-1.26.4-1.fc33.x86_64
NetworkManager-team-1.26.4-1.fc33.x86_64
NetworkManager-wifi-1.26.4-1.fc33.x86_64
NetworkManager-config-connectivity-fedora-1.26.4-1.fc33.noarch
```## Android App
Optional step.
Use your [client.ovpn](https://raw.githubusercontent.com/dougsland/unifi-openvpn/main/client/ovpn/client.ovpn) with the [Android app](https://play.google.com/store/apps/details?id=net.openvpn.openvpn)
## Console client using ovpn file
Optional step.
```
# openvpn --config filename.ovpn
```
[See this client.ovpn example](https://raw.githubusercontent.com/dougsland/unifi-openvpn/main/client/ovpn/client.ovpn)## Radius
Optional Step.
1) Enable Radius (Optional if you are using only auth keys)
- Controller -> Settings -> Services -> Radius
- Server tab
- Create secret
- Authentication Port: 1812
- AccountingPort: 1813
- Account Interim Interval: 600
- Tunnelled Reply: ON- Users tab
- Name: YOUR_USERNAME
- Password: YOUR_PASSWORD
- Tunnel Type: 3- Layer Two Tunneling Protocol (L2TP)
- Tunnel Medium Type: 1- IPv4 (IP version 4)## Useful links
[UniFi - Accounts and Passwords for Controller, Cloud Key and Othe Devices](https://help.ui.com/hc/en-us/articles/204909374-UniFi-Accounts-and-Passwords-for-Controller-Cloud-Key-and-Other-Devices)
https://blog.configwizard.xyz/configuring-openvpn-on-a-unifi-security-gateway/
https://medium.com/server-guides/how-to-setup-an-openvpn-server-on-a-unifi-usg-e33ea2f6725d