Site-to-Site VPN From Linux to UDM Pro (work in progress)

Finding good documents on how to set up a site-to-site VPN between a Ubiquiti UDM and a non-Ubiquiti node (e.g. a Linux host) has been a challenge. The documents on Ubiquiti’s site are laughably incomplete (and generally way out of date). So I am working through each of the steps and trying to shoehorn a working config into the UDM’s severely limited interface.

On the UDM Pro

On the Linux (client) Side

Make sure you have IP forwarding enabled on your host. Add the following lines to /etc/sysctl.d/20-forwarding.conf (create if not there):

net.ipv4.ip_forward=1

When adjusting settings for a site-to-site VPN, don’t forget to update the firewall rules. You can either route your subnet directly, or set it up to masquerade as the client host. In my use case, I use masquerading so that anything on the client side only sees connections coming from the Linux host. Make sure the appropriate subnets for your networks are covered.

In /etc/ufw/before.rules:

# OpenVPN Rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the VPN subnets behind ens32 (the host's outbound interface)
-A POSTROUTING -s 192.168.52.0/24 -o ens32 -j MASQUERADE
-A POSTROUTING -s 172.22.1.0/24 -o ens32 -j MASQUERADE
COMMIT
# End OpenVPN Rules

Generate a pre-shared key:

openvpn --genkey --secret client.key

Edit the file client.key and delete everything except what is between the BEGIN and END lines. Then you need to remove the end-of-line characters from the data that is left. A simple way to do this is:

cat client.key | tr -d '\n'
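The Linux-side steps above (enable forwarding, add the masquerade rules, generate the static key, flatten it to one line) are easy to get subtly wrong by hand, so here is a small set of POSIX shell helpers that check each one. This is an added example, not part of the original post: it assumes the interface name ens32 and the two subnets used above, and the key file it works on is a constructed sample in the same layout `openvpn --genkey` produces (not a real key), so it runs without openvpn installed.

```shell
#!/bin/sh
# Added example helpers for the Linux side of the site-to-site setup.
# Assumptions: egress interface ens32, subnets from the post, sample key below
# is constructed for demonstration and is NOT a real OpenVPN key.

# Succeed if a sysctl.d conf file sets net.ipv4.ip_forward=1. Comments and
# whitespace are ignored; the last assignment wins, as sysctl applies it.
sysctl_conf_enables_forwarding() {
    awk -F= '
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == "net.ipv4.ip_forward" { val = $2 }
        END { exit (val == "1") ? 0 : 1 }
    ' "$1"
}

# Succeed if the running kernel already forwards (path overridable for tests).
kernel_forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Emit the *nat block for /etc/ufw/before.rules: masquerade each subnet given
# as an argument behind the interface given first. Note (from ufw's own docs,
# not the post): this block has to sit above the *filter line in before.rules,
# and forwarded traffic still needs DEFAULT_FORWARD_POLICY or route rules.
nat_rules() {
    out_if="$1"; shift
    printf '%s\n' '# OpenVPN Rules' '*nat' ':POSTROUTING ACCEPT [0:0]'
    for net in "$@"; do
        printf '%s\n' "-A POSTROUTING -s $net -o $out_if -j MASQUERADE"
    done
    printf '%s\n' 'COMMIT' '# End OpenVPN Rules'
}

# Print the hex body of an OpenVPN static key file as one line: everything
# between the BEGIN and END markers with the newlines stripped (the manual
# edit-then-tr step from the post, done in one pass).
key_body() {
    awk '/^-----END/   { inkey = 0 }
         inkey         { printf "%s", $0 }
         /^-----BEGIN/ { inkey = 1 }' "$1"
}

# Sanity check before pasting into the UDM: a 2048-bit static key is 256 bytes,
# so the flattened body must be exactly 512 hex digits and nothing else.
key_body_is_valid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{512}$'
}

# Write a constructed sample key (same layout as openvpn --genkey output) to
# the given path. The digits are a fixed pattern, not key material.
write_sample_key() {
    cat > "$1" <<'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
fedcba9876543210fedcba9876543210
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
0a1b2c3d4e5f60718293a4b5c6d7e8f9
9f8e7d6c5b4a39281706f5e4d3c2b1a0
1111111111111111222222222222222
33333333333333334444444444444444
55555555555555556666666666666666
77777777777777778888888888888888
9999999999999999aaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbcccccccccccccccc
ddddddddddddddddeeeeeeeeeeeeeeee
ffffffffffffffff0000000000000000
0f0f0f0f0f0f0f0ff0f0f0f0f0f0f0f0
deadbeefdeadbeefdeadbeefdeadbeef
-----END OpenVPN Static key V1-----
EOF
}

# Demo run on constructed input.
tmp=$(mktemp)
printf '# enable routing for the VPN\nnet.ipv4.ip_forward = 1\n' > "$tmp"
if sysctl_conf_enables_forwarding "$tmp"; then echo "sysctl conf: forwarding on"; fi
if kernel_forwarding_enabled; then echo "kernel: forwarding on"; else echo "kernel: forwarding off (run sysctl --system)"; fi
nat_rules ens32 192.168.52.0/24 172.22.1.0/24
write_sample_key "$tmp"
body=$(key_body "$tmp")
if key_body_is_valid "$body"; then echo "key body ok: ${#body} hex digits"; else echo "key body malformed" >&2; fi
rm -f "$tmp"
```

The sample key above deliberately contains one 31-character line, so the demo reports the body as malformed; a key straight from `openvpn --genkey` passes the check, and that is the string to paste into the UDM.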
