Home A - Z
Page Index

An Otter Wiki

Fix for site-to-site OpenVPN on ubiquiti unifi routers

Background

I found that ubiquiti unifi routers break site-to-site by always using the nathack on the client side network. I got my hands on one and made a workaround which I am documenting here.

The problem

All traffic from the lan to a target over the VPN gets nat’ed to the IP of the vpn client on the router. Even after I fixed that it was also not forwarding traffic from the VPN to the LAN.

The fix

I was able to find the rule that causes the NAT and I was able to find where to insert a rule to allow forwarding from VPN to lan. The harder part was persistence. iptables rules do not persist a reboot, or even an openvpn reconnection. I found a directory named /data/ that can persist my scripts. I found that crontab works but does not persist reboots. I found that if I manually add a service it DOES persist reboots. By chaining this information together I was able to build a persistent fix for this router.

How to fix

On the router enable sshd and log in as root to the router over sshd.

run:

mkdir /data/openvpn`
vi /data/openvpn/undo_nathack.sh

type i to enter insert mode and paste this:

#!/bin/bash
if /usr/sbin/iptables-save | /bin/grep tunovpn | /bin/grep -q MASQUERADE ;then
 /usr/sbin/iptables-save | /bin/grep tunovpn | /bin/grep MASQUERADE | /bin/sed -e "s,-A,-D," | /usr/bin/awk '{system("/usr/sbin/iptables -t nat "$0)}'
fi
! /usr/sbin/iptables-save | /bin/grep -q 'FORWARD -i tunovpnc' && /usr/sbin/iptables -I FORWARD -i tunovpnc+ -j ACCEPT

hit ESCAPE then type :x to save and exit vi

run:

vi /data/openvpn/install_cron.sh

type i to enter insert mode and paste this:

#!/bin/sh
CRON_COMMAND="/bin/sh /data/openvpn/undo_nathack.sh"
(crontab -l 2>/dev/null | grep -v "$CRON_COMMAND"; echo "* * * * * $CRON_COMMAND > /dev/null 2>&1") | crontab -

hit ESCAPE then type :x to save and exit vi

run:

vi /etc/systemd/system/fix-vpn.service

type i to enter insert mode and paste this:

[Unit]
Description=Fix unifi site-to-site VPN
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
User=root
ExecStart=/bin/sh /data/openvpn/install_cron.sh

[Install]
WantedBy=multi-user.target

hit ESCAPE then type :x to save and exit vi

run:

systemctl daemon-reload
chmod +x /data/openvpn/install_cron.sh
chmod +x /data/openvpn/undo_nathack.sh
systemctl enable fix-vpn.service
systemctl start custom-vpn-nat.service

Now you may turn off ssh in the router if you wish.

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9