How to access your Ubiquiti home-network via OpenVPN and certificate authentication

In this tutorial we set up OpenVPN on a Ubiquiti USG with TLS certificate authentication, which lets you reach your home network remotely and securely from any client platform that runs an OpenVPN client. In my setup I use the Ubiquiti CloudKey to manage the network.

Setting up OpenVPN certificate authentication

1. Connect to your Ubiquiti USG via SSH and install Easy-RSA, which simplifies key generation and management:

2. Next we do the initial setup and create the CA certificate (adjust the certificate information accordingly):

3. We then need to generate the server key and certificate:

4. The next step is generating the DH parameters – this will take a VERY long time (in my case about 8-10 minutes):

5. For each VPN user you need to create a key set:

6. To persist the keys across reboots, we create a persistent directory on the USG and copy all the key files into it (remember to copy all files again whenever you add or remove users):

7. Create the .ovpn client configuration file – you can import the file into any OpenVPN client (e.g. send the .ovpn file to your iOS device and then open it with the OpenVPN client):

In the above .ovpn configuration file, replace the `-----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----` sections with the contents of the respective files.
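The following script is an added example and not code from the original post. It walks through steps 2 to 7 end to end, but uses plain openssl in place of Easy-RSA so it runs on any host that has openssl; the Easy-RSA commands from the post are not reproduced. The directory names, the persistent path /config/auth/openvpn (EdgeOS keeps /config across reboots), the client name and the VPN host name are assumptions for this example. The server certificate is given a serverAuth extended key usage so that the client's `remote-cert-tls server` check passes, and each user gets their own certificate so one user can later be revoked without touching the others.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces steps 2-7 with
# plain openssl instead of Easy-RSA. Directory names, the persistent path
# /config/auth/openvpn and the VPN host name are assumptions.

# Step 5 (and any later user): one key pair and certificate per person,
# with a clientAuth EKU so the server can insist on client certificates.
add_client() {  # add_client <pkidir> <client-name>
  dir=$1; client=$2
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
  openssl req -nodes -newkey rsa:2048 -subj "/CN=$client" \
    -keyout "$dir/$client.key" -out "$dir/$client.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/$client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/client.ext" -out "$dir/$client.crt" 2>/dev/null
  # Sanity check: the new certificate must chain to our own CA.
  openssl verify -CAfile "$dir/ca.crt" "$dir/$client.crt" >/dev/null
}

# Steps 2-5: CA, server certificate (serverAuth EKU, required by the client's
# "remote-cert-tls server" line), first client, and DH parameters.
# DH_BITS defaults to 2048, which is the slow step the post warns about.
make_pki() {  # make_pki <outdir> <first-client-name>
  dir=$1; client=$2
  mkdir -p "$dir"
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=home-vpn-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
  openssl req -nodes -newkey rsa:2048 -subj "/CN=usg-vpn" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  add_client "$dir" "$client"
  openssl dhparam -out "$dir/dh.pem" "${DH_BITS:-2048}" 2>/dev/null
}

# Step 6: copy only what the server needs into a directory that survives
# reboots. Client private keys never go onto the USG.
persist_server_files() {  # persist_server_files <pkidir> [destdir]
  dir=$1; dest=${2:-/config/auth/openvpn}
  mkdir -p "$dest"
  for f in ca.crt server.crt server.key dh.pem; do cp "$dir/$f" "$dest/"; done
  chmod 600 "$dest/server.key"
}

# Step 7: a self-contained .ovpn per user with CA, certificate and key
# inlined, so nothing has to be pasted by hand. Written to stdout.
build_ovpn() {  # build_ovpn <pkidir> <client-name> <vpn-hostname>
  dir=$1; client=$2; remote=$3
  cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/$client.crt")
</cert>
<key>
$(cat "$dir/$client.key")
</key>
EOF
}

# Usage (set RUN_PKI_DEMO=1 to run end to end; needs openssl on the host):
if [ "${RUN_PKI_DEMO:-0}" = 1 ]; then
  make_pki ./pki alice
  persist_server_files ./pki ./persist
  build_ovpn ./pki alice vpn.example.com > alice.ovpn
fi
```

Run it on your workstation rather than on the USG, then copy only the four server files to the persistent directory; the generated .ovpn contains the user's private key, so hand it over through a channel you trust and delete mail copies afterwards.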

8. Connect to the CloudKey (or UniFi controller) and update the config.gateway.json file:

In the above configuration adjust the VPN subnet and DNS. You might also want to remove the DNS, SNMP, UPNP2 and MSS-clamping sections if they are not relevant to you (for me they were necessary because of my upstream fibre provider). If your USG connects via PPPoE to a layer 2 device, change the interface of NAT rule #5010 from "eth0" to "pppoe0".
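As an added example (not the post's own config.gateway.json), the function below writes the OpenVPN server section for the USG together with a WAN_LOCAL firewall rule admitting UDP 1194, and refuses to write anything if one of the certificate files it references is missing, since the USG would otherwise fail provisioning. The tunnel subnet, the LAN subnet, the firewall rule number 20 and the certificate directory are assumptions; the DNS, SNMP, UPNP2 and MSS-clamping sections mentioned above are omitted because they depend on your provider.

```shell
#!/bin/sh
# Added example, not the post's configuration. Writes a minimal
# config.gateway.json for the USG OpenVPN server. Subnets, the rule number
# and the certificate directory are assumptions for this example.

# write_gateway_json <outfile> <vpn-subnet> <lan-subnet> <dns-ip> <certdir>
# Returns 1 (and writes nothing) if a referenced server file is absent.
write_gateway_json() {
  out=$1; vpn=$2; lan=$3; dns=$4; certdir=$5
  for f in ca.crt server.crt server.key dh.pem; do
    if [ ! -f "$certdir/$f" ]; then
      echo "refusing to write $out: $certdir/$f is missing" >&2
      return 1
    fi
  done
  cat > "$out" <<EOF
{
  "firewall": {
    "name": {
      "WAN_LOCAL": {
        "rule": {
          "20": {
            "action": "accept",
            "description": "OpenVPN",
            "destination": { "port": "1194" },
            "protocol": "udp"
          }
        }
      }
    }
  },
  "interfaces": {
    "openvpn": {
      "vtun0": {
        "mode": "server",
        "openvpn-option": [
          "--port 1194",
          "--proto udp",
          "--remote-cert-tls client",
          "--cipher AES-256-CBC"
        ],
        "server": {
          "name-server": "$dns",
          "push-route": "$lan",
          "subnet": "$vpn"
        },
        "tls": {
          "ca-cert-file": "$certdir/ca.crt",
          "cert-file": "$certdir/server.crt",
          "dh-file": "$certdir/dh.pem",
          "key-file": "$certdir/server.key"
        }
      }
    }
  }
}
EOF
}

# Usage (set RUN_GATEWAY_DEMO=1): tunnel 10.8.0.0/24, LAN 192.168.1.0/24,
# DNS 192.168.1.1, server files already copied to /config/auth/openvpn.
if [ "${RUN_GATEWAY_DEMO:-0}" = 1 ]; then
  write_gateway_json ./config.gateway.json 10.8.0.0/24 192.168.1.0/24 192.168.1.1 /config/auth/openvpn
fi
```

The `--remote-cert-tls client` option makes the server reject any certificate that lacks the clientAuth extended key usage, so a stolen copy of the server certificate cannot be reused as a client identity; the firewall rule only opens the VPN port itself, nothing else on WAN_LOCAL changes.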

Once you have updated the USG and the device has completed provisioning, your VPN server will start (you can see this in /var/log/messages on your USG):

Connecting to your Ubiquiti OpenVPN server via OS X

If you are a Mac user, you want to use SetApp as it comes with a huge bundle of apps for a very small monthly fee. I use Shimo via SetApp, which allows you to import the .ovpn file you created in step 7 above:

Connecting to your Ubiquiti OpenVPN server via iOS

If you need to connect to your home network from your iOS devices, download the OpenVPN client from the iTunes store. Once it is installed, you can simply email your .ovpn file to your iOS device; opening the attachment will automatically import it into the iOS OpenVPN client: