{"id":310,"date":"2023-04-20T09:51:33","date_gmt":"2023-04-20T13:51:33","guid":{"rendered":"https:\/\/daveking.com\/blog\/?p=310"},"modified":"2023-04-20T09:52:00","modified_gmt":"2023-04-20T13:52:00","slug":"openvpn-client-access-to-a-lan-through-a-unifi-dream-machine-pro-udm-pro","status":"publish","type":"post","link":"https:\/\/daveking.com\/blog\/index.php\/2023\/04\/20\/openvpn-client-access-to-a-lan-through-a-unifi-dream-machine-pro-udm-pro\/","title":{"rendered":"OpenVPN Client Access to a LAN Through a Unifi Dream Machine Pro (UDM Pro)"},"content":{"rendered":"\n<p>Ok, the first thing I need to tell you is that there&#8217;s no good reason to use OpenVPN as a VPN solution for inbound connections to the LAN behind a UDM Pro anymore.  The latest software update to the UDM Pro network firewall\/router, Network 7.2.97, includes a VPN solution called &#8220;Teleport&#8221; that is based on Wireguard technology.   This is a great VPN solution.  It&#8217;s simple and fast.  Use it.  Don&#8217;t do what I&#8217;m about to describe here.  Unless you&#8217;re really committed to OpenVPN for some specific reason, <a rel=\"noreferrer noopener\" href=\"https:\/\/restoreprivacy.com\/vpn\/wireguard-vs-openvpn\/\" target=\"_blank\">like privacy issues<\/a>.<\/p>\n\n\n\n<p>OpenVPN is installed on the UDM Pro.  However, the UDM&#8217;s configuration GUI only supports configuring it as a point-to-point, LAN-to-LAN VPN.  There&#8217;s no provision to support remote OpenVPN clients connecting and accessing the LAN that the UDM protects.  
This can be done manually, however, if we:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create an OpenVPN server configuration file manually,<\/li>\n\n\n\n<li>Manually generate the PKI certificates needed by the server and the clients,<\/li>\n\n\n\n<li>Manually generate the OpenVPN profile files (*.ovpn) that contain the client certificates and which enable the OpenVPN clients on remote devices to connect to the UDM and the LAN,<\/li>\n\n\n\n<li>Deploy all of this on the UDM in a manner that enables the OpenVPN service to start automatically after system reboots and updates.<\/li>\n<\/ul>\n\n\n\n<p>My solution was to create a Debian package in my PPA repository that contains everything needed to support all of the above.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The package deploys an OpenVPN server configuration file.<\/li>\n\n\n\n<li>The OpenVPN EasyRSA tool is installed to manage the PKI infrastructure for the service.  It is used to generate the server certificates needed.  A script that generates the client certificates and the OpenVPN profile files needed by each client device that will access the LAN is provided.<\/li>\n\n\n\n<li>Systemd is used to start the server on boot.<\/li>\n<\/ul>\n\n\n\n<p>You can read more about the Debian package I created <a href=\"https:\/\/daveking.com\/udm-hacks\/openvpn-udm.html\">on this web page<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve created a Debian APT package that configures an OpenVPN remote access server on the UDM Pro, making it trivial to deploy this 
hack.<\/p>\n","protected":false},"author":1,"featured_media":313,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":0,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[22,7,30],"tags":[32,31],"class_list":["post-310","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howto","category-linux-administration","category-security","tag-openvpn","tag-udm","eq-blocks"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/daveking.com\/blog\/wp-content\/uploads\/2023\/03\/openvpn-on-the-udm.png?fit=800%2C429&ssl=1","jetpack-related-posts":[],"jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=310"}],"version-history":[{"count":3,"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/310\/revisions"}],"predecessor-version":[{"id":320,"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/310\/revisions\/320"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/da
veking.com\/blog\/index.php\/wp-json\/wp\/v2\/media\/313"}],"wp:attachment":[{"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daveking.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}