Unifi OpenVPN Server

Рет қаралды 32,667

Күн бұрын

In this video I go over how to setup a OpenVPN Server in Unifi network. I also create a DDNS server and traffic management rules to only allow our VPN users access to my Synology NAS
▶ Hire us on our website
mactelecomnetworks.com/
▶ Get Mactelecom Merch 👕
mactelecomstore.com
▶ Join our Discord Channel:
/ discord
------------------------------------------------------------------------------------
Affiliates I use:
▶ VOIP.MS
www.voip.ms/en/code/Mactelecom
▶Canadian Amazon Store front:
www.amazon.ca/shop/mactelecom...
▶USA Amazon store front:
www.amazon.com/shop/macteleco...
------------------------------------------------------------------------------------
▶ Find us on social media:
▶ Instagram:
/ mactelecomnetworks
▶ Facebook:
/ mactelecomnetworks
▶ Twitter:
/ mactelecomn
▶ TikTok:
/ mactelecomnetworks
▶ Linkedin:
/ cody-maccallum-29311b6b
▶ Twitch:
/ frozil3
0:00 Intro
0:48 Creating DDNS
2:05 Creating OpenVPN Server
4:40 Creating Traffic management rules
6:30 Final thoughts

Пікірлер: 84

@spokdayz Жыл бұрын

Hey Cody, love ur job ! Keep going

@terrorwolf0213 Жыл бұрын

That's a great Video! Let's hope they'll release IKEV2 at some point.

@gizmoboy253 Жыл бұрын

Keep up the great work

@MactelecomNetworks Жыл бұрын

Thanks Matt 😊

@tfacter Жыл бұрын

I love this feature and have had it running since possible. My family members have UDR's and I have the SE. With Netflix cutting down on password sharing, I've been able to use this to forward all traffic from their respective apple tv's through the vpn

@AngelusHD Жыл бұрын

how did you do that, are there links provided to set such a thing up?

@agad7792 Жыл бұрын

Very solid

@Solanum.95 Жыл бұрын

Great video! Could you make a video on a OpenVPN Site to Site later on as well? Would like to see it! Keep up the good work!

@alexfleener Жыл бұрын

Hurray for dark mode! Thanks. Cody 😊

@muazabbas73 Жыл бұрын

Awesome!

@MactelecomNetworks Жыл бұрын

Thanks for watching

@ronm6585 Жыл бұрын

Thanks.

@vladjirasek Жыл бұрын

Thanks for the video. Does this OpenVPN implementation support static IP assignments for the vpn clients?

@przeniko Жыл бұрын

Hi this is very useful tutorial. I wonder how to add speed limit over the VPN connection?

@darealdynasty Жыл бұрын

Great video as always my man 🇨🇦...Im curious...when you created that allow rule, did it automatically build out a route for that traffic flow? Would be interesting to see how it builds out the route. I know there are options for manually configuring routes.

@MactelecomNetworks Жыл бұрын

Ya it’s all automatic I didn’t do anything else. I’m sure you can go into the cli and see how it routes it

@darealdynasty Жыл бұрын

@@MactelecomNetworks makes sense brother. Appreciate your great work as always Sir.

@AviatorMike777 Жыл бұрын

Great video. The only thing that stinks with using OpenVPN on a UDM is that it’s only TCP-based and not UDP. Not very efficient for an IPSec tunnel. Let’s hope Ubiquiti changes that or at least gives you an option between the two. Furthermore, you can only create one OpenVPN tunnel/server. Let’s hope they change that as well in the future.

@canadianwildlifeservice8883 Жыл бұрын

Using TCP on port 443 for OpenVPN can be useful for bypassing firewalls that block other outbound ports since it looks like normal HTTPS traffic.

@gaijinboricua Жыл бұрын

Any information on the network speed impact when doing this in an UDM Pro? Does it really go down to 800 Mbps?

@zwstyles621 Жыл бұрын

Does this mean that I can finally route my clients to use the UDM as an exit point out to the internet. For a while I have been trying to work out how to get my remote site a to egress to the internet via site b. If I set up a client on site b and create the appropriate rule, do you think I will be able to achieve this? As always thanks for the great videos.

@mattguyatt Жыл бұрын

Great video thanks! Quick question, is every traffic rule processed no matter what? I would have thought the traffic would have been immediately dropped after hitting your first block rule and disregarded your allow rule? Or are the rules processed from bottom to top?

@MactelecomNetworks Жыл бұрын

There is no way to order traffic management rules as of yet and not sure if there will be. So if you add allow rules under block rules it still works

@pantag2 7 ай бұрын

So, is it better to do the VPN set up on the Unifi or on Synology side? Also, what about Tailscale, as a replacement for all these VPN configurations?

@TheRealscarab Жыл бұрын

Did you had success with Stripe / payment logistic yet with the new captive portal page?

Жыл бұрын

Hey Cody! A month ago, DNSoMatic and Cloudflare DDNS (dyndns) stopped working on my UXG. Nothing's working so I have to use MarcsUpdater. Have you been able to make it work recently?

@canadianwildlifeservice8883 Жыл бұрын

What do you guys think? I'm using the free home edition of Sophos Firewall with one of their access points. The access point is about to reach end-of-life later this year and will no longer function. Their newer access points are super expensive (we're talking almost $350 for the better entry-level models) and then you can only use them with Sophos firewalls. I have some Tp-link Omada switches and a controller. I would either stick with Sophos and go with a tp-link Omada access point which would make the most sense right now, or dump Sophos altogether and go with Ubiquity now that they are working on having OpenVPN server in their devices. From a security standpoint, Ubiquity is a kid's toy compared to Sophos, but Sophos can be a real pain to configure all the time and requires extensive amounts of configuration to keep working.

@jcb5388 Жыл бұрын

Does this allow WAN traffic to be sent? If your outside the home and connect to the VPN and do a what is my ip does it show the VPN IP and DNS or your cellular IP and DNS?

@pe1pqx321 5 ай бұрын

Hi Cody, This OpenVPN setup works nice, however I cannot get out again via the internet. (Internet pass-throug?) The OpenVPN clients will not get an Gateway IP adress and are not able te get out to the web again. I like to use OpenVPN on my smartphone (when not at home) to use 2 Pi-Holes on my phone also. (I really hate annoying advertisements, and do not want to install "an other app" in my android phone) The only (known to me that is) work around is to "allow access to LAN/VLAN" to get internet on my smartphone. Big security risk here is access to all de LAN devices are allowed, no blocking is in place then. What I like to achieve: internet access with add-block capabilities AND access to selected devices (only NAS and LAN printer for example), but no access to Unifi Console via VPN. Equipment: UDM-Pro, Unifi OS 3.2.9, Unifi Network 8.028 with a 1/1gbit fiber connection.

@gonxme4 11 ай бұрын

What are the max simultaneous users at the time on OpenVPN? Can we do 10 users? Also, with OpenVPN, can we have more than 5 concurrent users on RDP on different computers?

@johnmoricone294 5 ай бұрын

Hi there, I've been using L2TP VPN on my USG Pro. It stopped working and Ubiquiti says my ISP is blocking the signal/traffic. The ISP says they don't do that. It's been a run around. Will this help me VPN back into my network or is it another round of back and forth? What are your thoughts on my current situation? Thank you

@davidesguerra7837 4 ай бұрын

Do you use dynamic IP from ISP

@AnandakrishnanM27 Жыл бұрын

hi, how can I make the ddns update my ip automatically on the unifi device itself?

@manslayerdbzgt Жыл бұрын

Hey Cody does open VPN I tried all the settings does it not work with starlink I was thinking the dynamic DNS would maybe work with it but it'll probably doesn't cuz starling shares but I thought I don't know maybe I thought wrong or thought right or maybe I did something wrong but I followed all your steps to tea and it did not connect to the starlink but also open VPN the dynamic DNS name said I hit activate but it says I can't activate my name unless I pay money so I'm kind of confused cuz you made it seem like there was no paying for it so I just want to know

@Jupiter0ne Жыл бұрын

Hi Cody. Is this setup an alternative to the WireGuard video you previously created? In other words, is OpenVPN just another way for allowing remote access INTO your network? If so, I'm curious what the differences are. This setup seemed way more involved than the WireGuard setup.

@MactelecomNetworks Жыл бұрын

They are both used to login to your network remotely it’s just a personal preference. I wouldn’t think this is anymore involved and there is a lot of other things you can do with OpenVPN over wireguard. I may do a video comparing all of them

@Jupiter0ne Жыл бұрын

@@MactelecomNetworks With the various VPN options, a comparison video would be great!

@ezln028 Жыл бұрын

Hey Cody i have my cable modem as bridge mode but every time the model gets a new ip my udm pro looses wan and the only way to get it back online is to factory reset the modem.

@VinayJhinkoe 7 ай бұрын

How many concurrent users can connect with this?

@Firebirdgm2000 9 ай бұрын

How do I prevent the clients from accessing the other network if the VPN goes down?

@user-up6qv4sx8r Жыл бұрын

is it possible to add 2fa with openvpn

@mathewcampisi7594 Жыл бұрын

Hey Bro awesome videos, can you show how to connect to cloudflare? Also you have any vids on site to site connections with cloud providers? I have aws, and oracle cloud. Thanks in advance for any help you can give.

@eduardovazquez3357 Жыл бұрын

Can you make a video of site to site using openvpn

@ThePcarneiro 10 ай бұрын

Hello, great video. I also have it working but found an issue. I cant setup tunneling on the Android openvpn client. as soon as I connect al my web trafic goes trough the UNIFI. I tried anualy editing the config file adding route-nopull settings but no luck. could you please test or give some help? many thanks

@eduardovazquez3357 Жыл бұрын

How can I block the vpn clientes to been able to access the web interface of the UDM

@friteradgurka 10 ай бұрын

this don't work for me... I upload the file to OpenVPN Connect on android, add username and password i try and connect, but it instantly fails. blinking ON and then OFF in a fraction of a second. No error or even a log event. What do i do? any ideas?

@stephenfgdl Жыл бұрын

It sucks that this doesn't work on USG PRO

@JoerBrando Жыл бұрын

Is this new version changing anything on the Site-to-Site side of things? Or is it mainly just for clients to connect? I have a client who needs a Site-to-Site VPN between 2 sites, where 1 site has static IP but the other is behind CG-NAT. Any ideas how to solve this in UniFi?

@MactelecomNetworks Жыл бұрын

So this is just for client to site. Ubiquiti is coming out with a new VPN for site to site check it out here ( need an EA account) community.ui.com/questions/Introducing-the-Magic-Site-to-Site-VPN-feature/5caa6244-6cae-472a-ac79-6922c211fe43

@perrenud8282 8 ай бұрын

Hi Cody. please comment on the subject of using hotel WiFi to use internet or Teams meeting thru openVPN on Dream Machine but not exposing internal nodes for employies. Thank you in advance Best regards Per

@perrenud8282 8 ай бұрын

Solved it it was easy

@andydawson5341 Жыл бұрын

If we have a range of static WAN IPs. Is it possible to use a WAN IP address other than the default UDM Pro WAN IP address for outgoing traffic to go through?.

@MactelecomNetworks Жыл бұрын

Yup you can !

@andydawson5341 Жыл бұрын

@@MactelecomNetworks hah! 😂 maybe I should have asked how? I was surprised the vpn couldn’t directly connect to a vlan that had already been created, that would have solved it!

@Jim-tw4ck Жыл бұрын

Do they still have the issue where traffic management rules don't order properly as additional rules are added in 7.4.156? In the past if you added a rule that needed to be higher in the list you'd have to remove everything and add them all again in the correct order.

@MactelecomNetworks Жыл бұрын

Nope seems its been corrected. I do know I was having that issues in a previous video but seems good now

@Devilz4Cry Жыл бұрын

Hi, can anybody tell me how many openvpn tunnels are possible with the Dream Machine Pro. I don't find any specs in the internet

@MactelecomNetworks Жыл бұрын

you can do 1

@hufftechsolutions7903 Жыл бұрын

Not sure why UI has to make it this difficult. On Untangle, it takes 20 sec to setup and just works. I've set and re-set this up multiple times and can never hit anything on my network while on VPN. I get my 192.168.2.x IP but can't talk to 192.168.1.x...no rules or traffic management. So damn frustrating

@JorgeHerrera0720 Жыл бұрын

Is there no way to organize the rules like the firewall rules? What is better, Firewall Rules or Traffic Management? What’s the difference if any.

@MactelecomNetworks Жыл бұрын

You can organize the traffic management rules it does it for you. It seems Ubiquiti is trying to push traffic management more than firewall it’s a little easier to understand. The traffic management rules really are just firewall rules so which ever you feel more comfortable creating

@JorgeHerrera0720 Жыл бұрын

@@MactelecomNetworks ahh okay that makes sense. They are easier. I just didn’t know if you can re-organize them. I saw some users couldn’t on the forums. I’ll try to make sure.

@andrewenglish3810 Жыл бұрын

Does this allow for 2FA? Most commerical VPN server/clients also support 2FA which adds an extra layer of security.

@MactelecomNetworks Жыл бұрын

That I will have to get back to you on. The only VPN within Unifi that I know 100% does support 2fa is UID VPN

@DJZF93 Жыл бұрын

Do we need any subscription to use that vpn ? It is free? Thank you for your videos

@MactelecomNetworks Жыл бұрын

It’s free :) I mean beside buying the Ubiquiti hardware but no subscription

@shaunlavoie6183 Жыл бұрын

What is the ping utility you are using?

@MactelecomNetworks Жыл бұрын

It’s just called ping on iOS

@dbcooper7326 Жыл бұрын

Wouldn't the Teleport 'Zero configuration remote access VPN' be an out of the box alternative ? I just want to give to my son so he can access our netflix 'from within the housegold'

@MactelecomNetworks Жыл бұрын

Sure but there is no windows client for teleport

@The_Tech_Ninja Жыл бұрын

Hope that unifi brings up a client version for windows too.

@antoniosa Жыл бұрын

Why not use teleport ?

@MactelecomNetworks Жыл бұрын

Teleport doesn't have a windows client

@Saadsug Жыл бұрын

Is WireGuard more secure than open VPN?

@The_Tech_Ninja Жыл бұрын

They are both open-source protocols but wireguard is faster and newer!

@vladjirasek Жыл бұрын

Wireguard is much simpler protocol and code. Simplicity if friend of Security. That said, OpenVPN can support MFA while Wireguard does not.

@ChrisHolzer Жыл бұрын

useless as doubleNAT is still not supported... for 5+ years the DynDNS implementation in EdgeOS has been able to figure out my WAN address even when I am forced to run behind the ISP router (inside its DMZ) - why wont UBNT add this to Unifi? We have been requestion this for so many years..... also why do we still have to manually edit the wireguard / ovpn config file to add the dyndns name?.... same goes for when you dont want inbound wireguard connections to route the devices internet traffic through the tunnel (like when you just need remote access to your site), you must to go into the config file and remove the DNS entries...... VPN is still such a half baked solution in unifi.

@MactelecomNetworks Жыл бұрын

Just port forward port 1194 from your isp gear towards the dream machine. Problem solved