Skip to content

Instantly share code, notes, and snippets.

@dbrosy

dbrosy/Unifi USG OpenVPN NordVPN.md

Last active November 29, 2024 06:37
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save dbrosy/48792dcf1690dd10dfaabf26ee346502 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save dbrosy/48792dcf1690dd10dfaabf26ee346502 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Unifi USG OpenVPN NordVPN.md

Run as root

sudo -i

Create openvpn directory and set permissions

cd /config
mkdir openvpn
chmod 777 openvpn

Create Auth file in openvpn directory

cd /openvpn
vi nordvpnauth.txt

Enter following 2 lines replacing with your details:
username
password

esc :wq

Copy nordvpn ovpn file to openvpn directory

Edit ovpn file

change 'auth-user-pass' to 'auth-user-pass /config/openvpn/nordvpnauth.txt'
change 'pull' to 'route-nopull'
exit # sudo

1. Setup the VPN tunnels

sudo -i
configure
set interfaces openvpn vtun0 config-file /config/openvpn/us1437.nordvpn.com.udp1194.ovpn
set interfaces openvpn vtun0 description 'US OpenVPN tunnel'

commit

2. Route the appropriate devices though the related VPN tunnels

set service nat rule 5001 description 'Route US OpenVPN clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source address 192.168.99.0/24
set service nat rule 5001 type masquerade
 
set service nat rule 5002 description 'Route all other clients'
set service nat rule 5002 log disable
set service nat rule 5002 outbound-interface eth0
set service nat rule 5002 source address 192.168.1.0/24
set service nat rule 5002 type masquerade

3. Create a static route using interface vTun0 as next-hop:

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

commit

4. Create a firewall modify rule for each host you want to route through the Open VPN tunnel.

set firewall modify OPENVPN-US rule 5001 description 'Allow US clients to access vtun0'
set firewall modify OPENVPN-US rule 5001 source address 192.168.99.0/24
set firewall modify OPENVPN-US rule 5001 modify table 1

commit

5. Apply the firewall modify rule "in" to your LAN interface.

set interfaces ethernet eth1 vif 100 firewall in modify OPENVPN-US

commit
save
exit # configure
exit # sudo

6. Convert to config.gateway.json

mca-ctrl -t dump-cfg > config.gateway.json

remove unwanted sections and save

7. Testing

show interfaces
show nat rules
show interfaces openvpn detail
show firewall modify statistics

8. Restart OpenVPN

configure
set interfaces openvpn vtun0 disable
commit
delete interfaces openvpn vtun0 disable
commit
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment