    Passing OpenVPN through ER-X

    • JaredBuschJ
      JaredBusch @Dashrender
      last edited by

      @Dashrender said in Passing OpenVPN through ER-X:

      USG firewall (Running OpenVPN)

      Can it even do this? I would have to go through the controller settings to find out.

      The EdgeMax line cannot do it in the GUI.

      DashrenderD 1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @Dashrender
        last edited by JaredBusch

        @Dashrender said in Passing OpenVPN through ER-X:

        I want no communications between port 1 and port 2 (thanks Scott for the link)

        You supplied no link, so we have no idea WTF you are talking about.

        If someone read before the edit, I misread port numbers.

        This is a simple firewall rule; the Ubiquiti help documents have great examples. I can pull live rules from deployed systems if you want.

        1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @JaredBusch
          last edited by

          @JaredBusch said in Passing OpenVPN through ER-X:

          @Dashrender said in Passing OpenVPN through ER-X:

          USG firewall (Running OpenVPN)

          Can it even do this? I would have to go through the controller settings to find out.

          The EdgeMax line cannot do it in the GUI.

          Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

          Now - I have no fraking clue why they are using USGs instead of EdgeRouters - I asked, they had no answer.

          JaredBuschJ 1 Reply Last reply Reply Quote 0
          • JaredBuschJ
            JaredBusch @Dashrender
            last edited by

            @Dashrender said in Passing OpenVPN through ER-X:

            Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

            This would be because Windows 10 is not designed to have an always on IPSEC connection.

            Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

            But L2TP is also not something you setup in the Unifi controller. It only enables PPTP last time I looked.

            There is so much wrong with this entire scenario.

            DashrenderD 1 Reply Last reply Reply Quote 0
            • DashrenderD
              Dashrender @JaredBusch
              last edited by

              @JaredBusch said in Passing OpenVPN through ER-X:

              @Dashrender said in Passing OpenVPN through ER-X:

              Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

              This would be because Windows 10 is not designed to have an always on IPSEC connection.

              Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

              But L2TP is also not something you setup in the Unifi controller. It only enables PPTP last time I looked.

              There is so much wrong with this entire scenario.

              So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

              JaredBuschJ 1 Reply Last reply Reply Quote 0
              • JaredBuschJ
                JaredBusch @Dashrender
                last edited by

                @Dashrender said in Passing OpenVPN through ER-X:

                @JaredBusch said in Passing OpenVPN through ER-X:

                @Dashrender said in Passing OpenVPN through ER-X:

                Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

                This would be because Windows 10 is not designed to have an always on IPSEC connection.

                Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

                But L2TP is also not something you setup in the Unifi controller. It only enables PPTP last time I looked.

                There is so much wrong with this entire scenario.

                So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

                .................

                No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

                DashrenderD 1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @JaredBusch
                  last edited by

                  @JaredBusch said in Passing OpenVPN through ER-X:

                  @Dashrender said in Passing OpenVPN through ER-X:

                  @JaredBusch said in Passing OpenVPN through ER-X:

                  @Dashrender said in Passing OpenVPN through ER-X:

                  Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

                  This would be because Windows 10 is not designed to have an always on IPSEC connection.

                  Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

                  But L2TP is also not something you setup in the Unifi controller. It only enables PPTP last time I looked.

                  There is so much wrong with this entire scenario.

                  So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

                  .................

                  No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

                  Don't ask me - I don't work there.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • 1
                    1337 @Dashrender
                    last edited by 1337

                    @Dashrender said in Passing OpenVPN through ER-X:

                    @Pete-S said in Passing OpenVPN through ER-X:

                    You're probably better off not using the standard port just because of all the port scanning.

                    NAT shouldn't be a problem with openvpn.

                    But why do you have two router/firewalls?

                    The people who are going to be VPNing in won't know how to change ports... plus changing ports is just security through obscurity... so meh! Either OpenVPN is OK to publish, or it's not.

                    As for why two firewalls - because I can't get a second IP from the ISP... I'm limited to one on this connection, and I want to split it between two networks.

                    The users don't change ports. Have you used openvpn? You set up a profile for the user and it has all the info in it.

                    It's super easy to set up clients.

                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @1337
                      last edited by

                      @Pete-S said in Passing OpenVPN through ER-X:

                      @Dashrender said in Passing OpenVPN through ER-X:

                      @Pete-S said in Passing OpenVPN through ER-X:

                      You're probably better off not using the standard port just because of all the port scanning.

                      NAT shouldn't be a problem with openvpn.

                      But why do you have two router/firewalls?

                      The people who are going to be VPNing in won't know how to change ports... plus changing ports is just security through obscurity... so meh! Either OpenVPN is OK to publish, or it's not.

                      As for why two firewalls - because I can't get a second IP from the ISP... I'm limited to one on this connection, and I want to split it between two networks.

                      The users don't change ports. Have you used openvpn? You set up a profile for the user and it has all the info in it.

                      It's super easy to set up clients.

                      Nope, I haven't.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in Passing OpenVPN through ER-X:

                        @JaredBusch said in Passing OpenVPN through ER-X:

                        @Dashrender said in Passing OpenVPN through ER-X:

                        @JaredBusch said in Passing OpenVPN through ER-X:

                        @Dashrender said in Passing OpenVPN through ER-X:

                        Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

                        This would be because Windows 10 is not designed to have an always on IPSEC connection.

                        Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

                        But L2TP is also not something you setup in the Unifi controller. It only enables PPTP last time I looked.

                        There is so much wrong with this entire scenario.

                        So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

                        .................

                        No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

                        Don't ask me - I don't work there.

                        Really, the IT company / arm of the HVAC should be configuring ALL of this. Why are you even involved? Other than maybe auditing them.

                        DashrenderD 1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said in Passing OpenVPN through ER-X:

                          @Dashrender said in Passing OpenVPN through ER-X:

                          @JaredBusch said in Passing OpenVPN through ER-X:

                          @Dashrender said in Passing OpenVPN through ER-X:

                          @JaredBusch said in Passing OpenVPN through ER-X:

                          @Dashrender said in Passing OpenVPN through ER-X:

                          Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

                          This would be because Windows 10 is not designed to have an always on IPSEC connection.

                          Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

                          But L2TP is also not something you setup in the Unifi controller. It only enables PPTP last time I looked.

                          There is so much wrong with this entire scenario.

                          So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

                          .................

                          No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

                          Don't ask me - I don't work there.

                          Really, the IT company / arm of the HVAC should be configuring ALL of this. Why are you even involved? Other than maybe auditing them.

                          They aren't touching my firewall. I own the first firewall that traffic flows through.

                          If I could have a second IP, I'd have the following

                          Cable modem -> switch (port 2) -> USG

                          And this would be entirely their issue, but since I only have one IP, I need to split it over two networks.. one I will fully control, and one for the HVAC company.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said in Passing OpenVPN through ER-X:

                            They aren't touching my firewall. I own the first firewall that traffic flows through.

                            But you should just port forward whatever port they request, right? Or tell them to choose an alternative if you are already using one. But other than port forwarding, isn't that it?

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @scottalanmiller
                              last edited by

                              @scottalanmiller said in Passing OpenVPN through ER-X:

                              @Dashrender said in Passing OpenVPN through ER-X:

                              They aren't touching my firewall. I own the first firewall that traffic flows through.

                              But you should just port forward whatever port they request, right? Or tell them to choose an alternative if you are already using one. But other than port forwarding, isn't that it?

                              That was/is the entire point of my OP. Do I need anything more than 1194/UDP (for default OpenVPN)?

                              Sure, they could tell me - but we already discussed that - they are seemingly clueless as they are only telling me - hey I need a static IP and I need VPN access.
                              /sigh.

                              scottalanmillerS 2 Replies Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said in Passing OpenVPN through ER-X:

                                Sure, they could tell me - but we already discussed that - they are seemingly clueless as they are only telling me - hey I need a static IP and I need VPN access.

                                Well just pass that off to them, have them make a list of what you need. Make them figure it out 🙂

                                1 Reply Last reply Reply Quote 3
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said in Passing OpenVPN through ER-X:

                                  That was/is the entire point of my OP. Do I need anything more than 1194/UDP (for default OpenVPN)?

                                  UDP and TCP are both default. They have to coordinate with you.

                                  1194 is default, but you OR they can change that.

                                  wrx7mW 1 Reply Last reply Reply Quote 1
                                  • wrx7mW
                                    wrx7m @scottalanmiller
                                    last edited by

                                    @scottalanmiller The other port is TCP 943. They allow for UDP or TCP connection. UDP 1194 is default. At least, on Access Server.

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @wrx7m
                                      last edited by

                                      @wrx7m said in Passing OpenVPN through ER-X:

                                      The other port is TCP 943.

                                      IANA doesn't have that port registered. But Apple uses it for ipcserver.

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller
                                        last edited by

                                        I can't find any references to OpenVPN using 943/TCP. You sure that that isn't a custom setting somewhere?

                                        1 wrx7mW 2 Replies Last reply Reply Quote 0
                                        • 1
                                          1337 @scottalanmiller
                                          last edited by 1337

                                          @scottalanmiller said in Passing OpenVPN through ER-X:

                                          I can't find any references to OpenVPN using 943/TCP. You sure that that isn't a custom setting somewhere?

                                          It has to be.

                                          From OpenVPN project doc:
                                          The official OpenVPN port number is 1194, but any port number between 1 and 65535 will work. If you don't provide the 'port' option, 1194 will be used.

                                          I always use another port, something non-standard. You have to when you have more than one tunnel on the same IP. Anyway, OpenVPN is as simple as http when it comes to what you have to do in the firewall and how you can route it - contrary to something like IPSEC.

                                          Clients use a config file (*.ovpn), so they don't have to worry about ports, IPs and whatnot.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 0
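
Added example (not part of the original thread and not OpenVPN project code): since the client profile carries the port and protocol, the upstream firewall owner can read the exact forwards needed out of a profile instead of guessing. The sketch below parses the `remote`, `port`/`rport` and `proto` directives with the defaults quoted above (1194, UDP); the host name and profile contents are constructed for illustration.

```python
import re

DEFAULT_PORT, DEFAULT_PROTO = 1194, "udp"   # OpenVPN defaults when a profile omits them

# Constructed sample profile (not from the thread); the <ca> body is filler.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net
remote vpn.example.net 443 tcp-client
<ca>
-----BEGIN CERTIFICATE-----
remote not-a-directive 9999
-----END CERTIFICATE-----
</ca>
"""

def _l4(proto):
    # "udp4", "tcp-client", "tcp6" ... reduce to the transport the firewall must pass
    return "tcp" if proto.lower().startswith("tcp") else "udp"

def required_forwards(profile_text):
    """Return the sorted (protocol, port) pairs a client using this profile will dial."""
    scopes = [{"port": None, "proto": None, "remotes": []}]   # scopes[0] is global
    cur, skip_until = scopes[0], None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if skip_until:                       # inside an inline block such as <ca>
            if line == skip_until:
                skip_until = None
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line == "<connection>":           # per-connection overrides
            cur = {"port": None, "proto": None, "remotes": []}
            scopes.append(cur)
            continue
        if line == "</connection>":
            cur = scopes[0]
            continue
        block = re.fullmatch(r"<([\w-]+)>", line)
        if block:                            # embedded cert/key material: no directives
            skip_until = f"</{block.group(1)}>"
            continue
        key, *args = line.split()
        if key == "remote" and args:
            cur["remotes"].append(args)
        elif key in ("port", "rport") and args:
            cur["port"] = int(args[0])
        elif key == "proto" and args:
            cur["proto"] = args[0]
    glob, needed = scopes[0], set()
    for scope in scopes:
        for args in scope["remotes"]:        # remote <host> [port] [proto]
            port = int(args[1]) if len(args) > 1 else (
                scope["port"] or glob["port"] or DEFAULT_PORT)
            proto = args[2] if len(args) > 2 else (
                scope["proto"] or glob["proto"] or DEFAULT_PROTO)
            needed.add((_l4(proto), port))
    return sorted(needed)

if __name__ == "__main__":
    for proto, port in required_forwards(SAMPLE_PROFILE):
        print(f"forward {port}/{proto} to the inner firewall")
```

Anything the profile does not list here does not need to be opened on the outer router for the tunnel itself.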
                                          • scottalanmillerS
                                            scottalanmiller @1337
                                            last edited by

                                            @Pete-S said in Passing OpenVPN through ER-X:

                                            It has to be.

                                            That's what I thought.

                                            1 Reply Last reply Reply Quote 0