Finding good documents on how to set up a site-to-site VPN from a Ubiquiti UDM to a non-Ubiquiti node (e.g. a Linux host) has been a challenge. The documents on Ubiquiti's site are laughably incomplete (and generally way out of date). So I am working through each of the steps and trying to shoehorn a working config into the UDM's severely limited interface.
On the UDM Pro
On the Linux (client) Side
Make sure you have IP forwarding enabled on your host, otherwise packets arriving over the tunnel for other hosts on your LAN are silently dropped. Add the following line to /etc/sysctl.d/20-forwarding.conf (create the file if it is not there), then run sysctl --system to apply it without a reboot; sysctl net.ipv4.ip_forward should then print 1:
net.ipv4.ip_forward=1
When adjusting settings for a site-to-site VPN, don't forget to update the firewall rules. You can either route your subnet directly across the tunnel, or masquerade it behind the Linux host. In my use case, I use masquerading so that anything on the client side will only see connections coming from the Linux host. The trade-off is that the far side loses the real source addresses, so any firewall rules or logs there that depend on per-host addresses will only ever see the Linux host. Make sure the appropriate subnets for your networks are covered. Also note that ufw's default forward policy is DROP, so forwarded traffic additionally needs DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw, or explicit ufw route allow rules for the subnets you care about.
In /etc/ufw/before.rules, add a nat section (the usual place is at the top of the file, before the existing *filter section). Replace ens32 with your LAN-facing interface and the two prefixes with the subnets on each end of the tunnel:
# OpenVPN Rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the tunnel and the local subnet when it leaves via ens32,
# so the far side only ever sees the Linux host's address
-A POSTROUTING -s 192.168.52.0/24 -o ens32 -j MASQUERADE
-A POSTROUTING -s 172.22.1.0/24 -o ens32 -j MASQUERADE
COMMIT
# End OpenVPN Rules
Generate a pre-shared key (this is the whole shared secret for the tunnel, so keep the file mode 0600 and only move it to the UDM over an already-trusted channel):
openvpn --genkey --secret client.key
On OpenVPN 2.5 and later the preferred spelling is openvpn --genkey secret client.key; the older form above still works but prints a deprecation warning.
The UDM's form wants the key as a single line of hex. Edit the file client.key and delete everything except what is between the BEGIN and END lines (the leading # comment lines and the two ----- marker lines go). Then you need to remove the end-of-line characters from the data that is left. A simple way to do this is:
cat client.key | tr -d '\n'
A 2048-bit static key is 16 lines of 32 hex characters, so the result should be exactly 512 hex characters; if it is shorter or contains a # or -, the header was not fully stripped.
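The header-stripping and newline-joining steps above are easy to get subtly wrong by hand, so here is a small POSIX shell helper that does both in one pass and sanity-checks the result. This is an added example, not part of the original post: it assumes the standard "OpenVPN Static key V1" file layout that openvpn --genkey writes (three # comment lines, a BEGIN marker, 16 lines of hex, an END marker), and the make_sample_key function writes a constructed, non-random key purely so the helper can be exercised without openvpn installed. Never use that sample as a real key.

```shell
#!/bin/sh
# Added example, not from the original post. Flattens an OpenVPN static key
# file into the single hex line the UDM's site-to-site VPN form expects.

# Keep only the lines between the BEGIN/END markers of a "V1" static key file,
# drop the marker lines themselves, and join what is left into one line.
flatten_static_key() {
    sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' "$1" \
        | grep -v '^-----' \
        | tr -d '\n'
}

# A 2048-bit static key is 256 bytes, i.e. 512 hex characters. Return 0 when
# the flattened key has exactly that length and only hex digits, else 1. This
# catches a truncated file or leftover header text before it reaches the UDM.
check_static_key() {
    key=$(flatten_static_key "$1")
    [ "${#key}" -eq 512 ] || return 1
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Write a CONSTRUCTED sample key file with the genkey layout to "$1".
# The hex is a fixed pattern, not random: for testing the helper only.
make_sample_key() {
    {
        printf '#\n# 2048 bit OpenVPN static key\n#\n'
        printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '0123456789abcdef0123456789abcdef\n'
            i=$((i + 1))
        done
        printf '%s\n' '-----END OpenVPN Static key V1-----'
    } > "$1"
    chmod 600 "$1"
}
```

Usage on a real key: flatten_static_key client.key prints the one-liner to paste into the UDM, and check_static_key client.key && echo ok confirms it is a complete 512-character hex string first. Because the functions read the key file rather than a copy, nothing is left behind in shell history.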