Site to Site VPN using Asus Merlin Router and Unifi USG-Pro4
Site to Site VPN using Asus Merlin Router and Unifi USG-Pro4
I decided recently to replace my Asus RT-N66U. It served me well over many years but I had become frustrated that Asus had stopped patching and maintaining the firmware. I also noticed over time strange things would occur at times with the Asus Router. So I figured after some recommendations from friends that the Ubiquiti Unifi USG-Pro4 was probably the best option. So one of the things I needed to replicate was my Site to Site VPN that I had in place with my Asus RT-N66U running the Merlin firmware. This was not a straight forward conversion but it was possible after all. Below is the configuration needed to make this work along with some other custom settings for DNS and a Pseudo Ethernet Interface so I can manage my cable modem while it’s in bridge modem and the DHCP lease is lost due to some sort of issue with my cable providers network. Also for folks that weren’t quite sure as Ubiquiti doesn’t document that the /config folder on the USG-PRO-4 is not replaced or deleted during a firmware upgrade.
Unifi USG-Pro4 config.gateway.json this file is placed on the Unifi Controller or CloudKey device.
{
"firewall": {
"name": {
### THIS SECTION CONFIGURES THE FIREWALL TO ALLOW LOCAL VPN SERVER TRAFFIC
"WAN_LOCAL": {
"rule": {
"20": {
"action": "accept",
"description": "Allow OpenVPN clients in",
"destination": {
"port": "1194"
},
"log": "disable",
"protocol": "tcp"
}
}
}
}
},
### THIS SECTION CONFIGURES A PSEUDO ETHERNET INTERFACE FOR MANAGING THE CABLE MODEM WHEN IN BRIDGE MODEM
"interfaces": {
"pseudo-ethernet": {
"peth0": {
"address": [
"10.0.0.2/24"
],
"description": "Access to Modem",
"firewall": {
"in": {
"name": "WAN_IN"
},
"local": {
"name": "WAN_LOCAL"
},
"out": {
"name": "WAN_OUT"
}
},
"link": "eth2"
}
},
### THIS SECTION CONFIGURES A LOCAL VPN SERVER USING MUTUAL AUTH CERTIFICATES
"openvpn": {
"vtun0": {
"encryption": "aes256",
"mode": "server",
"openvpn-option": [
"--keepalive 8 30",
"--comp-lzo",
"--duplicate-cn",
"--user nobody --group nogroup",
"--verb 1",
"--proto tcp",
"--port 1194",
"--push redirect-gateway def1",
"--push dhcp-option DNS 10.69.69.1"
],
"server": {
"subnet": "10.71.71.0/24"
},
"tls": {
"ca-cert-file": "/config/openvpn/internal_ca.pem",
"cert-file": "/config/openvpn/internal_server.pem",
"dh-file": "/config/openvpn/internal_dh.pem",
"key-file": "/config/openvpn/internal_server_key.pem"
}
},
### THIS SECTION CONFIGURES A SITE TO SITE TUNNEL BETWEEN THE USG-PRO4 and an Asus Merlin Router
"vtun1": {
"config-file": "/config/openvpn/remote.ovpn"
}
}
},
"service": {
### THIS SECTION CONFIGURES THE NAT RULE FOR THE PSEUDO ETHERNET INTERFACE FOR MANAGING THE CABLE MODEM WHEN IN BRIDGE MODEM
"nat": {
"rule": {
"5000": {
"description": "masquerade for Modem",
"outbound-interface": "peth0",
"source": {
"group": {
"network-group": "corporate_network"
}
},
"type": "masquerade"
}
}
},
### THIS SECTION CONFIGURES CUSTOM DNSMASQ TO SUPPORT A LOCAL BIND SERVER MANAGING MY LOCAL FORWARD ZONE AND PTR ZONES
"dns": {
"forwarding": {
"cache-size": "10000",
"except-interface": [
"eth2"
],
"options": [
"server=/senia.org/10.69.69.3",
"server=/69.69.10.in-addr.arpa/10.69.69.3",
"server=/68.69.10.in-addr.arpa/10.69.69.3",
"server=/68.68.10.in-addr.arpa/10.69.69.3",
"server=/70.70.10.in-addr.arpa/10.69.69.3",
"server=/71.71.10.in-addr.arpa/10.69.69.3",
"resolv-file=/etc/resolv.conf.dhclient-new-eth2"
]
}
}
}
}
And this file is the remote.ovpn file stored in /config/openvpn on the USG-Pro-4
client dev tun proto tcp-client remote remote.example.com 1194 float comp-lzo adaptive keepalive 15 60 auth-user-pass /config/openvpn/remote.key remote-cert-tls server -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- resolv-retry infinite nobind float keepalive 15 60 remote-cert-tls server ns-cert-type server route-nopull route 10.68.68.0 255.255.255.0 route 10.9.0.0 255.255.255.0 reneg-sec 432000