
    Passing OpenVPN through ER-X

    IT Discussion
    Tags: openvpn, er-x
    27 Posts 5 Posters 2.9k Views
    • JaredBusch @Dashrender

      @Dashrender said in Passing OpenVPN through ER-X:

      I have a desire to pass OpenVPN traffic through my ER-X to an internal device. Do I need to open any more ports other than 1194/UDP? I see that OpenVPN can be configured to also use the standard 443/TCP.

      Here's my situation:

      Cable modem with single static IP (can't purchase additional IPs) -> ER-X

      ER-X port 0 - cable modem
      ER-X port 1 - Guest network
      ER-X port 2 - USG firewall (Running OpenVPN)

      I want no communications between port 1 and port 2 (thanks Scott for the link)
      I need to pass incoming OpenVPN traffic from the single existing IP to port 2 (actually the statically assigned IP of the USG)

      OpenVPN can use any port you want.

      But you are going to NAT this. I expect problems.

      • 1337

        You're probably better off not using the standard port just because of all the port scanning.

        NAT shouldn't be a problem with openvpn.

        But why do you have two router/firewalls?

        • Dashrender @1337

          @Pete-S said in Passing OpenVPN through ER-X:

          You're probably better off not using the standard port just because of all the port scanning.

          NAT shouldn't be a problem with openvpn.

          But why do you have two router/firewalls?

          The people who are going to be VPNing in won't know how to change ports... plus changing ports is just security through obscurity... so meh! Either OpenVPN is OK to publish, or it's not.

          As for why two firewalls - because I can't get a second IP from the ISP... I'm limited to one on this connection, and I want to split it between two networks.

          • Dashrender @JaredBusch

            @JaredBusch said in Passing OpenVPN through ER-X:

            But you are going to NAT this. I expect problems.

            yeah - this is also my concern.

            • JaredBusch @Dashrender

              @Dashrender said in Passing OpenVPN through ER-X:

              USG firewall (Running OpenVPN)

              Can it even do this? I would have to go through the controller settings to find out.

              The EdgeMax line cannot do it in the GUI.

              • JaredBusch @Dashrender (last edited by JaredBusch)

                @Dashrender said in Passing OpenVPN through ER-X:

                I want no communications between port 1 and port 2 (thanks Scott for the link)

                You supplied no link, so we have no idea WTF you are talking about.

                If someone read before the edit, I misread port numbers.

                This is a simple firewall rule the Ubiquiti help documents have great examples. I can pull live rules from deployed systems if you want.

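The two things the original post asks for on the ER-X, the inbound OpenVPN port forward to the USG and the rule that keeps the guest network and the HVAC network from talking to each other, written out as EdgeOS configuration-mode commands. This is an added example, not configuration from this thread or from Ubiquiti's help documents. The interface roles and addresses are assumed placeholders for the layout Dashrender describes: eth0 is the cable-modem side, eth1 the guest LAN on 192.168.1.0/24, eth2 the HVAC LAN on 192.168.2.0/24, and 192.168.2.2 is the USG's statically assigned address on that LAN; substitute the real values.

```edgeos
# EdgeOS (ER-X) configuration-mode commands.
# Assumed layout, constructed for this example:
#   eth0 = WAN (cable modem, single public IP)
#   eth1 = guest LAN, 192.168.1.0/24
#   eth2 = HVAC LAN, 192.168.2.0/24, USG WAN side at 192.168.2.2
configure

# 1. Port forward: inbound OpenVPN (UDP 1194 by default) on the public IP
#    is DNAT'd to the USG. auto-firewall adds the matching WAN_IN accept rule,
#    so no separate "open 1194/UDP" rule is needed. Only the port and protocol
#    the OpenVPN server really listens on should be forwarded.
set port-forward auto-firewall enable
set port-forward wan-interface eth0
set port-forward lan-interface eth2
set port-forward rule 1 description 'OpenVPN to USG'
set port-forward rule 1 protocol udp
set port-forward rule 1 original-port 1194
set port-forward rule 1 forward-to address 192.168.2.2
set port-forward rule 1 forward-to port 1194

# 2. Isolation: packets entering the router from the guest LAN and addressed
#    to the HVAC LAN are dropped, and vice versa. Rules are evaluated in order;
#    default-action accept leaves each LAN's internet access untouched.
set firewall name GUEST_IN description 'Guest LAN to other networks'
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 description 'Block guest -> HVAC/USG LAN'
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 destination address 192.168.2.0/24
set interfaces ethernet eth1 firewall in name GUEST_IN

set firewall name HVAC_IN description 'HVAC LAN to other networks'
set firewall name HVAC_IN default-action accept
set firewall name HVAC_IN rule 10 description 'Block HVAC/USG -> guest LAN'
set firewall name HVAC_IN rule 10 action drop
set firewall name HVAC_IN rule 10 destination address 192.168.1.0/24
set interfaces ethernet eth2 firewall in name HVAC_IN

commit
save
exit

# Check from operational mode after committing:
show configuration commands | match port-forward
show firewall statistics
```

If the HVAC company runs the server on another port, or on TCP instead of UDP, change `protocol` and `original-port` to match; those are the same values that end up in each user's client profile, which is why the users themselves never have to change a port. After a test connection attempt from a guest host to an HVAC address, the drop counter on rule 10 of GUEST_IN in `show firewall statistics` should increase.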
                • Dashrender @JaredBusch

                  @JaredBusch said in Passing OpenVPN through ER-X:

                  @Dashrender said in Passing OpenVPN through ER-X:

                  USG firewall (Running OpenVPN)

                  Can it even do this? I would have to go through the controller settings to find out.

                  The EdgeMax line cannot do it in the GUI.

                  Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

                  Now - I have no fraking clue why they are using USGs instead of EdgeRouters - I asked, they had no answer.

                    • JaredBusch @Dashrender

                    @Dashrender said in Passing OpenVPN through ER-X:

                    Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

                    This would be because Windows 10 is not designed to have an always on IPSEC connection.

                    Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

                    But L2TP is also not something you set up in the Unifi controller. It only enables PPTP last time I looked.

                    There is so much wrong with this entire scenario.

                      • Dashrender @JaredBusch

                      @JaredBusch said in Passing OpenVPN through ER-X:

                      @Dashrender said in Passing OpenVPN through ER-X:

                      Neither can do it in the GUI (as far as I know). The HVAC company tells me that they had so many issues with the Windows 10 IPSec client connecting to USG VPN enabled firewalls, that UBNT themselves gave them directions on how to install OpenVPN and they've been deploying that and it's working for them.

                      This would be because Windows 10 is not designed to have an always on IPSEC connection.

                      Additionally, IPSEC is the wrong choice for a not always on VPN connection. That would be L2TP/IPSEC and that works flawlessly in Windows 10.

                      But L2TP is also not something you set up in the Unifi controller. It only enables PPTP last time I looked.

                      There is so much wrong with this entire scenario.

                      So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

                        • JaredBusch @Dashrender

                        @Dashrender said in Passing OpenVPN through ER-X:

                        So, as you mention, no L2TP/IPSEC, means they moved to OpenVPN to have a working solution.

                        .................

                        No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

                          • Dashrender @JaredBusch

                          @JaredBusch said in Passing OpenVPN through ER-X:

                          No OpenVPN either... Both could be enabled manually. Why move to such an unsupported solution like OpenVPN with no native Windows functionality. Stupid all the way around.

                          Don't ask me - I don't work there.

                            • 1337 @Dashrender (last edited by 1337)

                            @Dashrender said in Passing OpenVPN through ER-X:

                            The people who are going to be VPNing in won't know how to change ports... plus changing ports is just security through obscurity... so meh! Either OpenVPN is OK to publish, or it's not.

                            As for why two firewalls - because I can't get a second IP from the ISP... I'm limited to one on this connection, and I want to split it between two networks.

                            The users don't change ports. Have you used openvpn? You set up a profile for the user and it has all the info in it.

                            It's super easy to set up clients.

                              • Dashrender @1337

                              @Pete-S said in Passing OpenVPN through ER-X:

                              The users don't change ports. Have you used openvpn? You set up a profile for the user and it has all the info in it.

                              It's super easy to set up clients.

                              Nope, I haven't.

                                • scottalanmiller @Dashrender

                                @Dashrender said in Passing OpenVPN through ER-X:

                                Don't ask me - I don't work there.

                                Really, the IT company / arm of the HVAC should be configuring ALL of this. Why are you even involved? Other than maybe auditing them.

                                  • Dashrender @scottalanmiller

                                  @scottalanmiller said in Passing OpenVPN through ER-X:

                                  Really, the IT company / arm of the HVAC should be configuring ALL of this. Why are you even involved? Other than maybe auditing them.

                                  They aren't touching my firewall. I own the first firewall that traffic flows through.

                                  If I could have a second IP, I'd have the following

                                  Cable modem -> switch (port 2) -> USG

                                  And this would be entirely their issue, but since I only have one IP, I need to split it over two networks.. one I will fully control, and one for the HVAC company.

                                    • scottalanmiller @Dashrender

                                    @Dashrender said in Passing OpenVPN through ER-X:

                                    They aren't touching my firewall. I own the first firewall that traffic flows through.

                                    But you should just port forward whatever port they request, right? Or tell them to choose an alternative if you are already using one. But other than port forwarding, isn't that it?

                                      • Dashrender @scottalanmiller

                                      @scottalanmiller said in Passing OpenVPN through ER-X:

                                      But you should just port forward whatever port they request, right? Or tell them to choose an alternative if you are already using one. But other than port forwarding, isn't that it?

                                      That was/is the entire point of my OP. Do I need anything more than 1194/UDP (for default OpenVPN)?

                                      Sure, they could tell me - but we already discussed that - they are seemingly clueless as they are only telling me - hey I need a static IP and I need VPN access.
                                      /sigh.

                                        • scottalanmiller @Dashrender

                                        @Dashrender said in Passing OpenVPN through ER-X:

                                        Sure, they could tell me - but we already discussed that - they are seemingly clueless as they are only telling me - hey I need a static IP and I need VPN access.

                                        Well just pass that off to them, have them make a list of what you need. Make them figure it out 🙂

                                          • scottalanmiller @Dashrender

                                          @Dashrender said in Passing OpenVPN through ER-X:

                                          That was/is the entire point of my OP. Do I need anything more than 1194/UDP (for default OpenVPN)?

                                          UDP and TCP are both default. They have to coordinate with you.

                                          1194 is default, but you OR they can change that.

                                            • wrx7m @scottalanmiller

                                            @scottalanmiller The other port is TCP 943. They allow for UDP or TCP connection. UDP 1194 is default. At least, on Access Server.
