Passing OpenVPN through ER-X



  • I have a desire to pass OpenVPN traffic through my ER-X to an internal device. Do I need to open any more ports other than 1194/UDP? I see that OpenVPN can be configured to also use the standard 443/TCP.

    Here's my situation:

    Cable modem with single static IP (can't purchase additional IPs) -> ER-X

    ER-X port 0 - cable modem
    ER-X port 1 - Guest network
    ER-X port 2 - USG firewall (Running OpenVPN)

    I want no communications between port 1 and port 2 (thanks Scott for the link)
    I need to pass incoming OpenVPN traffic from the single existing IP to port 2 (actually the statically assigned IP of the USG)



  • @Dashrender said in Passing OpenVPN through ER-X:

    I have a desire to pass OpenVPN traffic through my ER-X to an internal device. Do I need to open any more ports other than 1194/UDP? I see that OpenVPN can be configured to also use the standard 443/TCP.

    Here's my situation:

    Cable modem with single static IP (can't purchase additional IPs) -> ER-X

    ER-X port 0 - cable modem
    ER-X port 1 - Guest network
    ER-X port 2 - USG firewall (Running OpenVPN)

    I want no communications between port 1 and port 2 (thanks Scott for the link)
    I need to pass incoming OpenVPN traffic from the single existing IP to port 2 (actually the statically assigned IP of the USG)

    OpenVPN can use any port you want.

    But you are going to NAT this. I expect problems.



  • You're probably better off not using the standard port just because of all the port scanning.

    NAT shouldn't be a problem with openvpn.

    But why do you have two router/firewalls?



  • @Pete-S said in Passing OpenVPN through ER-X:

    You're probably better off not using the standard port just because of all the port scanning.

    NAT shouldn't be a problem with openvpn.

    But why do you have two router/firewalls?

    The people who are going to be VPNing in won't know how to change ports... plus changing ports is just security through obscurity... so meh! Either OpenVPN is OK to publish, or it's not.

    As for why two firewalls - because I can't get a second IP from the ISP... I'm limited to one on this connection, and I want to split it between two networks.



  • @JaredBusch said in Passing OpenVPN through ER-X:

    But you are going to NAT this. I expect problems.

    yeah - this is also my concern.



  • @Dashrender said in Passing OpenVPN through ER-X:

    USG firewall (Running OpenVPN)

    Can it even do this? I would have to go through the controller settings to find out.

    The EdgeMax line cannot do it in the GUI.



  • @Dashrender said in Passing OpenVPN through ER-X:

    I want no communications between port 1 and port 2 (thanks Scott for the link)

    You supplied no link, so we have no idea WTF you are talking about.

    If someone read before the edit, I misread port numbers.

    This is a simple firewall rule the Ubiquiti help documents have great examples. I can pull live rules from deployed systems if you want.



  • @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    USG firewall (Running OpenVPN)

    Can it even do this? I would have to go through the controller settings to find out.

    The EdgeMax line cannot do it in the GUI.

    Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

    Now - I have no fraking clue why they are using USGs instead of EdgeRouters - I asked, they had no answer.



  • @Dashrender said in Passing OpenVPN through ER-X:

    Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

    This would be because Windows 10 is not designed to have an always on IPSEC connection.

    Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

    But L2TP is also not something you set up in the Unifi controller. It only enables PPTP last time I looked.

    There is so much wrong with this entire scenario.



  • @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

    This would be because Windows 10 is not designed to have an always on IPSEC connection.

    Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

    But L2TP is also not something you set up in the Unifi controller. It only enables PPTP last time I looked.

    There is so much wrong with this entire scenario.

    So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.



  • @Dashrender said in Passing OpenVPN through ER-X:

    @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

    This would be because Windows 10 is not designed to have an always on IPSEC connection.

    Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

    But L2TP is also not something you set up in the Unifi controller. It only enables PPTP last time I looked.

    There is so much wrong with this entire scenario.

    So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

    .................

    No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.



  • @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

    This would be because Windows 10 is not designed to have an always on IPSEC connection.

    Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

    But L2TP is also not something you set up in the Unifi controller. It only enables PPTP last time I looked.

    There is so much wrong with this entire scenario.

    So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

    .................

    No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

    Don't ask me - I don't work there.



  • @Dashrender said in Passing OpenVPN through ER-X:

    @Pete-S said in Passing OpenVPN through ER-X:

    You're probably better off not using the standard port just because of all the port scanning.

    NAT shouldn't be a problem with openvpn.

    But why do you have two router/firewalls?

    The people who are going to be VPNing in won't know how to change ports... plus changing ports is just security through obscurity... so meh! Either OpenVPN is OK to publish, or it's not.

    As for why two firewalls - because I can't get a second IP from the ISP... I'm limited to one on this connection, and I want to split it between two networks.

    The users don't change ports. Have you used openvpn? You set up a profile for the user and it has all the info in it.

    It's super easy to set up clients.



  • @Pete-S said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    @Pete-S said in Passing OpenVPN through ER-X:

    You're probably better off not using the standard port just because of all the port scanning.

    NAT shouldn't be a problem with openvpn.

    But why do you have two router/firewalls?

    The people who are going to be VPNing in won't know how to change ports... plus changing ports is just security through obscurity... so meh! Either OpenVPN is OK to publish, or it's not.

    As for why two firewalls - because I can't get a second IP from the ISP... I'm limited to one on this connection, and I want to split it between two networks.

    The users don't change ports. Have you used openvpn? You set up a profile for the user and it has all the info in it.

    It's super easy to set up clients.

    Nope, I haven't.



  • @Dashrender said in Passing OpenVPN through ER-X:

    @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

    This would be because Windows 10 is not designed to have an always on IPSEC connection.

    Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

    But L2TP is also not something you set up in the Unifi controller. It only enables PPTP last time I looked.

    There is so much wrong with this entire scenario.

    So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

    .................

    No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

    Don't ask me - I don't work there.

    Really, the IT company / arm of the HVAC should be configuring ALL of this. Why are you even involved? Other than maybe auditing them.



  • @scottalanmiller said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    @JaredBusch said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

    This would be because Windows 10 is not designed to have an always on IPSEC connection.

    Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

    But L2TP is also not something you set up in the Unifi controller. It only enables PPTP last time I looked.

    There is so much wrong with this entire scenario.

    So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

    .................

    No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

    Don't ask me - I don't work there.

    Really, the IT company / arm of the HVAC should be configuring ALL of this. Why are you even involved? Other than maybe auditing them.

    They aren't touching my firewall. I own the first firewall that traffic flows through.

    If I could have a second IP, I'd have the following

    Cable modem -> switch (port 2) -> USG

    And this would be entirely their issue, but since I only have one IP, I need to split it over two networks.. one I will fully control, and one for the HVAC company.



  • @Dashrender said in Passing OpenVPN through ER-X:

    They aren't touching my firewall. I own the first firewall that traffic flows through.

    But you should just port forward whatever port they request, right? Or tell them to choose an alternative if you are already using one. But other than port forwarding, isn't that it?



  • @scottalanmiller said in Passing OpenVPN through ER-X:

    @Dashrender said in Passing OpenVPN through ER-X:

    They aren't touching my firewall. I own the first firewall that traffic flows through.

    But you should just port forward whatever port they request, right? Or tell them to choose an alternative if you are already using one. But other than port forwarding, isn't that it?

    That was/is the entire point of my OP. Do I need anything more than 1194/UDP (for default OpenVPN)?

    Sure, they could tell me - but we already discussed that - they are seemingly clueless as they are only telling me - hey I need a static IP and I need VPN access.
    /sigh.



  • @Dashrender said in Passing OpenVPN through ER-X:

    Sure, they could tell me - but we already discussed that - they are seemingly clueless as they are only telling me - hey I need a static IP and I need VPN access.

    Well just pass that off to them, have them make a list of what you need. Make them figure it out 🙂



  • @Dashrender said in Passing OpenVPN through ER-X:

    That was/is the entire point of my OP. Do I need anything more than 1194/UDP (for default OpenVPN)?

    UDP and TCP are both default. They have to coordinate with you.

    1194 is default, but you OR they can change that.



  • @scottalanmiller The other port is TCP 943. They allow for UDP or TCP connection. UDP 1194 is default. At least, on Access Server.



  • @wrx7m said in Passing OpenVPN through ER-X:

    The other port is TCP 943.

    IANA doesn't have that port registered. But Apple uses it for ipcserver.



  • I can't find any references to OpenVPN using 943/TCP. You sure that that isn't a custom setting somewhere?



  • @scottalanmiller said in Passing OpenVPN through ER-X:

    I can't find any references to OpenVPN using 943/TCP. You sure that that isn't a custom setting somewhere?

    It has to be.

    From OpenVPN project doc:
    The official OpenVPN port number is 1194, but any port number between 1 and 65535 will work. If you don't provide the 'port' option, 1194 will be used.

    I always use another port, something non-standard. You have to when you have more than one tunnel on the same IP. Anyway, OpenVPN is as simple as http when it comes to what you have to do in the firewall and how you can route it - contrary to something like IPSEC.

    Clients use a config file (*.ovpn), so they don't have to worry about ports, IPs and whatnot.
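    The two things the original post asks the ER-X to do (forward inbound OpenVPN from the single public IP to the USG on port 2, and keep port 1 and port 2 from talking to each other, the "simple firewall rule" mentioned earlier in the thread) come down to one DNAT rule and two interface rulesets, which is the "as simple as http" point made above. The EdgeOS CLI configuration below is an added example written for this thread; it is not from the thread itself, from Ubiquiti's documentation, or from the HVAC company's setup. It assumes eth0 is the WAN, the guest network on eth1 is 192.168.1.0/24, the HVAC network on eth2 is 192.168.2.0/24 with the USG's outside interface statically at 192.168.2.2, and that the USG's OpenVPN listens on the default 1194/UDP. All of those addresses are made-up placeholders.

```text
# Added example EdgeOS (ER-X) CLI configuration. Interfaces, subnets and the
# USG address 192.168.2.2 are constructed placeholders, not values from the thread.
configure

# 1) Single public IP on eth0: DNAT inbound OpenVPN (1194/UDP) to the USG on eth2.
#    auto-firewall adds the matching WAN_IN accept rule, so nothing else is opened.
#    If the HVAC side runs OpenVPN on TCP or on a non-default port, only the
#    'protocol' and the two port values below change; the rest of the ER-X is untouched.
set port-forward wan-interface eth0
set port-forward lan-interface eth2
set port-forward auto-firewall enable
set port-forward hairpin-nat disable
set port-forward rule 1 description 'OpenVPN to USG (HVAC network)'
set port-forward rule 1 protocol udp
set port-forward rule 1 original-port 1194
set port-forward rule 1 forward-to address 192.168.2.2
set port-forward rule 1 forward-to port 1194

# 2) No traffic between eth1 (guest) and eth2 (HVAC/USG), in either direction.
#    An 'in' ruleset filters packets arriving on that interface before they are
#    routed, so each LAN gets a drop for the other LAN's subnet and nothing else changes.
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description 'Guest LAN (eth1) forwarded traffic'
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 description 'Drop guest -> HVAC network'
set firewall name GUEST_IN rule 10 destination address 192.168.2.0/24
set interfaces ethernet eth1 firewall in name GUEST_IN

set firewall name HVAC_IN default-action accept
set firewall name HVAC_IN description 'HVAC LAN (eth2) forwarded traffic'
set firewall name HVAC_IN rule 10 action drop
set firewall name HVAC_IN rule 10 description 'Drop HVAC -> guest network'
set firewall name HVAC_IN rule 10 destination address 192.168.1.0/24
set interfaces ethernet eth2 firewall in name HVAC_IN

commit
save
exit
```

    Only destination NAT is applied to the forwarded flow, so the USG still sees the remote client's real public source address and its own firewall and OpenVPN logs stay meaningful. After committing, `show nat rules` should list the single UDP forward and `show firewall name GUEST_IN statistics` should show the drop counter climbing if a guest host tries to reach the HVAC subnet; that counter is the quickest way to confirm the isolation actually holds.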



  • @Pete-S said in Passing OpenVPN through ER-X:

    It has to be.

    That's what I thought.



  • @scottalanmiller said in Passing OpenVPN through ER-X:

    I can't find any references to OpenVPN using 943/TCP. You sure that that isn't a custom setting somewhere?

    https://openvpn.net/vpn-server-resources/how-to-configure-the-openvpn-access-server/

    It must just be access server.



  • @wrx7m said in Passing OpenVPN through ER-X:

    @scottalanmiller said in Passing OpenVPN through ER-X:

    I can't find any references to OpenVPN using 943/TCP. You sure that that isn't a custom setting somewhere?

    https://openvpn.net/vpn-server-resources/how-to-configure-the-openvpn-access-server/

    It must just be access server.

    "TCP port 943 is the port where the web server interface is listening by default."

    Yeah, no web server in OpenVPN itself.

