OpenVPN Client Access to a LAN Through a UniFi Dream Machine Pro (UDM Pro)

Ok, the first thing I need to tell you is that there’s no longer any good reason to use OpenVPN as a VPN solution for inbound connections to the LAN behind a UDM Pro. The latest software update to the UDM Pro network firewall/router, Network 7.2.97, includes a VPN solution called “Teleport” that is based on WireGuard technology. This is a great VPN solution. It’s simple and fast. Use it. Don’t do what I’m about to describe here, unless you’re really committed to OpenVPN for some specific reason, like privacy issues.

OpenVPN is installed on the UDM Pro. However, the UDM’s configuration GUI only supports configuring it as a point-to-point, LAN-to-LAN VPN. There’s no provision for remote OpenVPN clients to connect and access the LAN that the UDM protects. This can be done manually, however, if we:

  • Create an OpenVPN server configuration file manually,
  • Manually generate the PKI certificates needed by the server and the clients,
  • Manually generate the OpenVPN profile files (*.ovpn) that contain the client certificates and which enable the OpenVPN clients on remote devices to connect to the UDM and the LAN,
  • Deploy all of this on the UDM in a manner that enables the OpenVPN service to start automatically after system reboots and updates.

My solution was to create a Debian package in my PPA repository that contains everything needed to support all of the above.

  • The package deploys an OpenVPN server configuration file.
  • The OpenVPN EasyRSA tool is installed to manage the PKI for the service. It is used to generate the server certificates needed. A script is provided that generates the client certificates and the OpenVPN profile files needed by each client device that will access the LAN.
  • Systemd is used to start the server on boot.
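To show what the profile-generation step involves, here is an added example (not the script shipped in the package) that assembles a client *.ovpn profile with inline credentials from an EasyRSA PKI directory. It assumes the EasyRSA 3 layout (`pki/ca.crt`, `pki/issued/NAME.crt`, `pki/private/NAME.key`); the function names `make_ovpn` and `pem_cert`, the UDP transport and the chosen client directives are assumptions for illustration, not the package's configuration.

```shell
#!/bin/sh
# Added example: build a client .ovpn profile from an EasyRSA 3 PKI directory.
# make_ovpn and pem_cert are hypothetical names, not part of the package.

# Print only the PEM block of a certificate file. EasyRSA's issued/*.crt files
# begin with a human-readable text dump that does not belong in the profile.
pem_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Usage: make_ovpn PKI_DIR CLIENT_NAME SERVER_HOST SERVER_PORT OUT_FILE
make_ovpn() {
    pki=$1; name=$2; host=$3; port=$4; out=$5

    # The client name becomes part of a file path: reject empty names,
    # names with a slash and names starting with a dot.
    case $name in
        ''|*/*|.*) echo "invalid client name" >&2; return 1 ;;
    esac

    ca="$pki/ca.crt"
    crt="$pki/issued/$name.crt"
    key="$pki/private/$name.key"

    # Refuse to write a partial profile if any credential is missing.
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    # The profile embeds the client's private key, so create it owner-only.
    (
        umask 077
        rm -f "$out"    # a pre-existing file would keep its old permissions
        {
            printf 'client\ndev tun\nproto udp\n'
            printf 'remote %s %s\n' "$host" "$port"
            printf 'nobind\npersist-key\npersist-tun\n'
            # Only accept a peer that presents a server certificate.
            printf 'remote-cert-tls server\n'
            printf '<ca>\n';   pem_cert "$ca";  printf '</ca>\n'
            printf '<cert>\n'; pem_cert "$crt"; printf '</cert>\n'
            printf '<key>\n';  cat "$key";      printf '</key>\n'
        } > "$out"
    )
}
```

Because the resulting file carries the client's private key, it should be moved to the client device over a protected channel and deleted from the UDM afterwards.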

You can read more about the Debian package I created on this web page.

dlk
