How to access your Ubiquiti home-network via OpenVPN and certificate authentication

  • sriramvt

    Thanks for the write-up, mate. Do you happen to know if the USG allows you to reconfigure the OpenVPN port to TCP 443? I would prefer TCP port 443, since it is rarely blocked by ISPs and corporate networks.

    • I have not tried this myself, but I am pretty sure that if you change the reference to port=1194 to port=443 in the above instructions, it will just work. As long as you do not already have port 443 open on the WAN interface of the USG, you will be fine.

      • sriramvt

        Got it. Thanks for the response Gerd. I will check and see if it works.

        • Great! Let me know how it turns out, I will then update the blog post.

  • Piet Puck

    Thanks for this, I am almost there but still am not able to connect via the OpenVPN client on Android.
    /var/log/message looks like this:
    Jan 15 17:41:30 firewall openvpn[6320]: xx.xxx.xxx.xx:7906 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
    Jan 15 17:41:30 firewall openvpn[6320]: xx.xxx.xxx.xx:7906 TLS Error: TLS object -> incoming plaintext read error
    Jan 15 17:41:30 firewall openvpn[6320]: 84.241.195.22:7906 TLS Error: TLS handshake failed

    My .ovpn file contains these entries:
    client
    float
    dev tun
    remote mrpcvermaat.noip.me 4443 udp
    resolv-retry 30
    nobind
    persist-key
    persist-tun
    #auth-user-pass
    cipher AES-256-CBC
    auth-nocache
    comp-lzo
    verb 1
    auth sha256
    ns-cert-type server
    remote-cert-ku a0 88
    remote-cert-tls server
    ifconfig-nowarn
    tls-client
    setenv CLIENT_CERT 0
    #tls-version-min 1.2
    (and then the certificate parts)

    Any tips to help me out?

    • Mine just worked out of the box. I looked at my .ovpn file and it does not have that many entries. To rule out any domain/cert issues, try the config below and use the IP address:
      ---- .ovpn file
      client
      float
      dev tun
      remote [THE-IP-ADDRESS] 1194 udp
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      cipher AES-256-CBC
      comp-lzo
      verb 5

      ….

      ….

      ….

      ---- .ovpn file

      • Piet Puck

        If I use this, my OpenVPN app gives an error: OpenVPN core error : mbed TLS: error parsing cert certificate : x509 – Format not recognized as DER or PEM.
        Sure I don't have to store the cert or key files on my mobile?
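The two threads above run into the same class of problem: a client profile that does not match what the server expects (UDP 1194 versus TCP 443 in the first thread; a server that demands a client certificate while the Android profile, with its `setenv CLIENT_CERT 0` line and, later, a cert block the app cannot parse as PEM, does not supply one in the second). The script below is an added example, not code from the original post or from Ubiquiti, that sanity-checks an .ovpn profile before it is imported on a phone: it reads the `remote` line, compares the client protocol family with the one the server listens on, and verifies that `<ca>`, `<cert>` and `<key>` are present inline and framed as PEM, which is what lets the mobile client work without separate certificate files. The two embedded profiles are constructed samples with placeholder PEM bodies (not real certificates or keys), and the hostname `vpn.example.net` is an assumption.

```python
"""Sanity-check an OpenVPN client profile (.ovpn) before importing it on a phone.

Added example for this comment thread; not code from the original blog post
or from Ubiquiti.  It flags the mismatches the thread runs into:
  1. client protocol (udp/tcp) that does not match what the server listens on;
  2. <ca>/<cert>/<key> sections that are missing or not PEM-framed (mobile
     clients report "Format not recognized as DER or PEM" on such a block);
  3. a profile that declares it carries no client certificate
     (setenv CLIENT_CERT 0), which the server answers with
     "peer did not return a certificate".
"""
import re
from dataclasses import dataclass, field

# One PEM object: BEGIN/END lines with the same label around base64 body lines.
PEM_RE = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----$"
)
# Inline sections OpenVPN accepts instead of ca/cert/key file paths.
INLINE_RE = re.compile(r"<(ca|cert|key)>\n(.*?)\n?</\1>", re.S)


@dataclass
class Report:
    host: str = ""
    port: int = 1194          # OpenVPN default when 'remote' names no port
    proto: str = "udp"        # OpenVPN default when nothing says otherwise
    inline: dict = field(default_factory=dict)   # section -> PEM-framed?
    problems: list = field(default_factory=list)


def family(proto: str) -> str:
    """Collapse udp / tcp / tcp-client / tcp-server to the transport family."""
    return "tcp" if proto.startswith("tcp") else "udp"


def check_profile(text: str, server_proto: str = "udp") -> Report:
    rep = Report()
    global_proto = None
    remote_proto = None
    # Pull the inline sections out first so their body lines are not
    # mistaken for directives.
    for tag, body in INLINE_RE.findall(text):
        rep.inline[tag] = bool(PEM_RE.match(body.strip()))
        if not rep.inline[tag]:
            rep.problems.append(f"<{tag}> block is not PEM (mobile clients reject this)")
    for raw in INLINE_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "remote" and len(parts) >= 2:
            rep.host = parts[1]
            if len(parts) >= 3:
                rep.port = int(parts[2])
            if len(parts) >= 4:
                remote_proto = parts[3]
        elif parts[0] == "proto" and len(parts) >= 2:
            global_proto = parts[1]
        elif parts[0] == "setenv" and parts[1:3] == ["CLIENT_CERT", "0"]:
            rep.problems.append("setenv CLIENT_CERT 0 declares the profile has no client cert")
    rep.proto = remote_proto or global_proto or "udp"   # proto on 'remote' wins
    if not rep.host:
        rep.problems.append("no 'remote' line")
    for tag in ("ca", "cert", "key"):
        if tag not in rep.inline:
            rep.problems.append(f"no inline <{tag}> block")
    if family(rep.proto) != family(server_proto):
        rep.problems.append(f"client proto {rep.proto} but server listens on {server_proto}")
    return rep


def fake_pem(label: str) -> str:
    # Placeholder PEM framing with a dummy base64 body; NOT a real cert or key.
    return f"-----BEGIN {label}-----\nQUJDREVGR0hJSktMTU5PUA==\n-----END {label}-----"


# Constructed sample: TCP 443 profile with all three sections inline.
GOOD_PROFILE = "\n".join([
    "client", "dev tun", "remote vpn.example.net 443 tcp",   # assumed host
    "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
    "cipher AES-256-CBC", "remote-cert-tls server", "verb 3",
    "<ca>", fake_pem("CERTIFICATE"), "</ca>",
    "<cert>", fake_pem("CERTIFICATE"), "</cert>",
    "<key>", fake_pem("PRIVATE KEY"), "</key>",
])

# Constructed sample mirroring the failing Android profile: no client cert
# declared, a cert block that is not PEM, and no key section at all.
BAD_PROFILE = "\n".join([
    "client", "dev tun", "remote vpn.example.net 4443 udp",
    "setenv CLIENT_CERT 0",
    "<ca>", fake_pem("CERTIFICATE"), "</ca>",
    "<cert>", "(paste client certificate here)", "</cert>",
])


if __name__ == "__main__":
    for name, prof, srv in (("good", GOOD_PROFILE, "tcp"), ("bad", BAD_PROFILE, "udp")):
        rep = check_profile(prof, server_proto=srv)
        print(name, rep.host, rep.port, rep.proto, rep.problems or "OK")
```

Pass `server_proto` as whatever the USG side is configured for: moving the server to TCP 443 means the client must say `tcp` as well, since a UDP listener never answers a TCP client and the failure looks like a silent timeout rather than a TLS error.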