Site to Site VPN using Asus Merlin Router and Unifi USG-Pro4

By | May 11, 2018


I recently decided to replace my Asus RT-N66U. It served me well for many years, but I had become frustrated that Asus had stopped patching and maintaining the firmware, and over time I also noticed strange behaviour from the router. After some recommendations from friends I settled on the Ubiquiti Unifi USG-Pro4 as the best option. One of the things I needed to replicate was the site-to-site VPN I had in place on the RT-N66U running the Merlin firmware. This was not a straightforward conversion, but it was possible. Below is the configuration needed to make it work, along with some other custom settings: DNS forwarding to a local BIND server, and a pseudo-Ethernet interface so I can manage my cable modem while it is in bridge mode and the DHCP lease is lost due to some issue with my cable provider's network. For those who weren't sure, because Ubiquiti doesn't document it: the /config folder on the USG-PRO-4 is not replaced or deleted during a firmware upgrade. That is what makes it a safe place for the certificates, keys and remote.ovpn referenced below, and also why those files should be backed up and kept readable only by root.

Unifi USG-Pro4 config.gateway.json. This file is placed on the Unifi Controller or CloudKey in the site's data directory, and the controller merges it into the USG's configuration on every provision. The ### lines below are annotations only: JSON has no comment syntax, so strip them (and check the result with a JSON parser) before saving the file, because a file that does not parse leaves the USG unable to provision. Two settings in the vtun0 server deserve a second look. --comp-lzo turns on compression inside the tunnel, which the OpenVPN project now recommends against because compressing attacker-influenced plaintext alongside secrets leaks data (the VORACLE attack), and --duplicate-cn lets several clients share one certificate, so a leaked client certificate cannot be tied to a single device. Both are tolerable on a home network, but removing them, with the matching change on each client, is the safer configuration.

{
	"firewall": {
		"name": {
### THIS SECTION CONFIGURES THE FIREWALL TO ALLOW LOCAL VPN SERVER TRAFFIC
                        "WAN_LOCAL": {
                                "rule": {
                                        "20": {
                                                "action": "accept",
                                                "description": "Allow OpenVPN clients in",
                                                "destination": {
                                                        "port": "1194"
                                                },
                                                "log": "disable",
                                                "protocol": "tcp"
                                        }
                                }
                        }
		}
	},
### THIS SECTION CONFIGURES A PSEUDO ETHERNET INTERFACE FOR MANAGING THE CABLE MODEM WHEN IN BRIDGE MODE
	"interfaces": { 
                "pseudo-ethernet": {
                        "peth0": {
                                "address": [
                                        "10.0.0.2/24"
                                ],
                                "description": "Access to Modem",
                                "firewall": {
                                        "in": {
                                                "name": "WAN_IN"
                                        },
                                        "local": {
                                                "name": "WAN_LOCAL"
                                        },
                                        "out": {
                                                "name": "WAN_OUT"
                                        }
                                },
                                "link": "eth2"
                        }
                },
### THIS SECTION CONFIGURES A LOCAL VPN SERVER USING MUTUAL AUTH CERTIFICATES
		"openvpn": { 
                        "vtun0": {
                                "encryption": "aes256",
                                "mode": "server",
                                "openvpn-option": [
                                        "--keepalive 8 30",
                                        "--comp-lzo",
                                        "--duplicate-cn",
                                        "--user nobody --group nogroup",
                                        "--verb 1",
                                        "--proto tcp",
                                        "--port 1194",
                                        "--push redirect-gateway def1",
                                        "--push dhcp-option DNS 10.69.69.1"
                                ],
                                "server": {
                                        "subnet": "10.71.71.0/24"
                                },
                                "tls": {
                                        "ca-cert-file": "/config/openvpn/internal_ca.pem",
                                        "cert-file": "/config/openvpn/internal_server.pem",
                                        "dh-file": "/config/openvpn/internal_dh.pem",
                                        "key-file": "/config/openvpn/internal_server_key.pem"
                                }
                        },
### THIS SECTION CONFIGURES A SITE TO SITE TUNNEL BETWEEN THE USG-PRO4 and an Asus Merlin Router
			"vtun1": { 
				"config-file": "/config/openvpn/remote.ovpn" 
			} 
		} 
	}, 
        "service": {
### THIS SECTION CONFIGURES THE NAT RULE FOR THE PSEUDO ETHERNET INTERFACE FOR MANAGING THE CABLE MODEM WHEN IN BRIDGE MODE
                "nat": {
                        "rule": {
                                "5000": {
                                        "description": "masquerade for Modem",
                                        "outbound-interface": "peth0",
                                        "source": {
                                                "group": {
                                                        "network-group": "corporate_network"
                                                }
                                        },
                                        "type": "masquerade"
                                }
			}
		},
### THIS SECTION CONFIGURES CUSTOM DNSMASQ TO SUPPORT A LOCAL BIND SERVER MANAGING MY LOCAL FORWARD ZONE AND PTR ZONES
                "dns": {
                        "forwarding": {
                                "cache-size": "10000",
                                "except-interface": [
                                        "eth2"
                                ],
                                "options": [
                                        "server=/senia.org/10.69.69.3",
                                        "server=/69.69.10.in-addr.arpa/10.69.69.3",
                                        "server=/68.69.10.in-addr.arpa/10.69.69.3",
                                        "server=/68.68.10.in-addr.arpa/10.69.69.3",
                                        "server=/70.70.10.in-addr.arpa/10.69.69.3",
                                        "server=/71.71.10.in-addr.arpa/10.69.69.3",
					"resolv-file=/etc/resolv.conf.dhclient-new-eth2"
                                ]
                        }
                }
	}
}

And this is the remote.ovpn file, stored in /config/openvpn on the USG-Pro4. OpenVPN only reads inline certificates and keys when they sit between <ca>, <cert> and <key> tags, so the three PEM blocks must be wrapped that way; the empty placeholders stand in for the real CA certificate, client certificate and client private key. Because the file carries the client's private key and names the username/password file, make both readable only by root (chmod 600), and remember that, since /config survives firmware upgrades, they stay on the device until you remove them.

client
dev tun
proto tcp-client
remote remote.example.com 1194
resolv-retry infinite
nobind
float
keepalive 15 60
# compression must match the Asus server; disable it on both ends if you can
comp-lzo adaptive
# username on the first line, password on the second; keep the file root-only (mode 600)
auth-user-pass /config/openvpn/remote.key
# require the peer to present a server certificate (replaces the deprecated ns-cert-type)
remote-cert-tls server
# ignore routes pushed by the Asus side; only the remote subnets listed here go through the tunnel
route-nopull
route 10.68.68.0 255.255.255.0
route 10.9.0.0 255.255.255.0
# renegotiate keys every 5 days (the OpenVPN default is 3600 seconds)
reneg-sec 432000

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
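A pre-flight check for the two files above, as an added example that is not part of the original post and not Ubiquiti's or OpenVPN's code. It strips the ### annotation lines so the config.gateway.json parses, confirms the WAN_LOCAL firewall rule actually matches the protocol and port the vtun0 server listens on, and flags the settings discussed above (compression, --duplicate-cn, a missing privilege drop, duplicate and deprecated directives in the client profile, the credentials file, and the long reneg-sec). The embedded inputs are constructed, abbreviated copies of the post's snippets; the finding texts and the REPEATABLE list are this example's own choices.

```python
"""Pre-flight checks for a config.gateway.json and an OpenVPN client profile.
Added example; the two embedded inputs are constructed, abbreviated copies of
the post's files, not the real configuration."""
import json
import re
from collections import Counter

# Constructed: abbreviated config.gateway.json, '###' annotation lines included.
ANNOTATED_JSON = """{
  "firewall": {"name": {
### allow inbound connections to the local OpenVPN server
    "WAN_LOCAL": {"rule": {"20": {"action": "accept",
      "destination": {"port": "1194"}, "protocol": "tcp"}}}}},
  "interfaces": {"openvpn": {
    "vtun0": {"encryption": "aes256", "mode": "server",
      "openvpn-option": ["--comp-lzo", "--duplicate-cn", "--proto tcp",
                         "--port 1194", "--user nobody --group nogroup"]},
    "vtun1": {"config-file": "/config/openvpn/remote.ovpn"}}}
}"""

# Constructed: the post's remote.ovpn as first published, with one empty
# placeholder <ca> block so the inline-block handling is exercised.
OVPN_PROFILE = """client
dev tun
proto tcp-client
remote remote.example.com 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass /config/openvpn/remote.key
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
resolv-retry infinite
nobind
float
keepalive 15 60
remote-cert-tls server
ns-cert-type server
route-nopull
route 10.68.68.0 255.255.255.0
route 10.9.0.0 255.255.255.0
reneg-sec 432000
"""

# Directives that may legitimately appear more than once in a profile (example's choice).
REPEATABLE = {"route", "route-ipv6", "remote", "push"}


def strip_annotations(text):
    """Drop the '###' comment lines; JSON has no comment syntax and the
    controller cannot load a file that still contains them."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("###"))


def load_gateway_json(text):
    return json.loads(strip_annotations(text))


def audit_gateway(cfg):
    """Findings for every OpenVPN server defined under interfaces.openvpn."""
    findings = []
    wan_local = cfg["firewall"]["name"].get("WAN_LOCAL", {}).get("rule", {})
    allowed = {(r.get("protocol"), r["destination"]["port"])
               for r in wan_local.values() if r.get("action") == "accept"}
    for name, vpn in cfg["interfaces"]["openvpn"].items():
        # "--proto tcp" -> {"--proto": ["tcp"]}; EdgeOS passes each string to openvpn as-is
        flags = {}
        for opt in vpn.get("openvpn-option", []):
            parts = opt.split()
            flags[parts[0]] = parts[1:]
        if vpn.get("mode") != "server":
            continue
        proto = flags.get("--proto", ["udp"])[0]          # openvpn defaults
        port = flags.get("--port", ["1194"])[0]
        if (proto, port) not in allowed:
            findings.append(f"{name}: WAN_LOCAL has no accept rule for {proto}/{port}")
        if "--comp-lzo" in flags or "--compress" in flags:
            findings.append(f"{name}: --comp-lzo/--compress enables compression inside the tunnel")
        if "--duplicate-cn" in flags:
            findings.append(f"{name}: --duplicate-cn lets several clients share one certificate")
        if "--user" not in flags:
            findings.append(f"{name}: no --user, the server keeps root after start-up")
    return findings


def parse_ovpn(text):
    """Split a profile into (directive, args) pairs, skipping inline <tag>...</tag> blocks."""
    directives, in_block = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if re.fullmatch(r"<\w+>", line):
            in_block = True
            continue
        if re.fullmatch(r"</\w+>", line):
            in_block = False
            continue
        if not in_block:
            parts = line.split()
            directives.append((parts[0], tuple(parts[1:])))
    return directives


def audit_ovpn(text):
    """Findings for a client profile: duplicates, deprecated and risky directives."""
    findings = []
    directives = parse_ovpn(text)
    for name, count in Counter(d for d, _ in directives).items():
        if count > 1 and name not in REPEATABLE:
            findings.append(f"duplicate directive: {name} x{count}")
    flags = dict(directives)  # last occurrence wins, as in openvpn itself
    if "ns-cert-type" in flags:
        findings.append("ns-cert-type is deprecated (removed in OpenVPN 2.5); remote-cert-tls server already covers it")
    if "comp-lzo" in flags or "compress" in flags:
        findings.append("comp-lzo/compress enables compression inside the tunnel")
    if flags.get("auth-user-pass"):
        findings.append(f"auth-user-pass credentials live in {flags['auth-user-pass'][0]}; keep it root-only (mode 600)")
    if "reneg-sec" in flags and int(flags["reneg-sec"][0]) > 3600:
        findings.append(f"reneg-sec {flags['reneg-sec'][0]} exceeds the default of 3600 seconds")
    return findings


if __name__ == "__main__":
    for f in audit_gateway(load_gateway_json(ANNOTATED_JSON)) + audit_ovpn(OVPN_PROFILE):
        print(f)
```

Run it against your own files by reading them into the two strings; a clean run prints nothing. The firewall check is the one most worth keeping: if you later move the server to UDP or another port in openvpn-option and forget rule 20, the tunnel silently stops accepting clients.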