UniFi USG - Remote User VPN with Local Users

Overview


Readers will learn how to configure a Remote User VPN on the USG to allow clients to access a corporate LAN.

Note: As of Controller version 5.5.5, users will be able to use the RADIUS server, and configure RADIUS from the Controller itself. Follow our UniFi - L2TP Remote Access VPN with USG as RADIUS Server article on the subject. At the moment these are beta versions.

Table of Contents


  1. Notes & Requirements
  2. Implementation
  3. Related Articles

Requirements

1. You must create the Remote User VPN network in the controller under Settings > Networks. It will ask for RADIUS server info, but you may enter false information, like the dummy server information provided below. If you do not create this subnet, the USG will go into a provisioning loop.

2. The Remote User VPN with RADIUS will NOT work if local user authentication is substituted.

3. You can validate the contents of your JSON file with one of the various online tools. Google search "json validator".


Implementation



By design, this feature is meant to be used with a preset RADIUS server for secure user authentication. However, it is also possible to create local users on the USG and bypass the RADIUS requirement. This is provided only for convenience or testing purposes, and we do NOT suggest using it in a real deployment.

A special hook is needed to accomplish this. It is an advanced feature that works, but it needs to be executed properly. The idea is to manually generate the corresponding local user VPN config and then feed it to the USG. To do this, manually create a file named "config.gateway.json" and place it in the directory "<unifi_base>/data/sites/$site_id/".

Note: The location <unifi_base> will vary depending on your operating system. See this article for more information.

For Remote User VPN with local users, create a "config.gateway.json" with the contents below:

{
    "vpn": {
        "pptp": {
            "remote-access": {
                "authentication": {
                    "local-users": {
                        "username": {
                            "user1": {
                                "password": "user1password"
                            },
                            "user2": {
                                "password": "user2password"
                            }
                        }
                    },
                    "mode": "local"
                }
            }
        }
    }
}

The above config creates two local users ('user1' and 'user2') for VPN connections. Feel free to change those and add more as required. If adding more users, use the following format, and place the new user between user1 and user2.

                            "user3": {
                                "password": "user3password"
                            },
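
Because config.gateway.json holds the VPN passwords in plain text, it can also be checked locally before provisioning, so the file never leaves the controller host. The script below is an added example, not Ubiquiti's own tooling; the file name check_gateway.py and the function names are hypothetical, and the checks assume the exact layout shown above.

```python
import json
import sys

# Section path used by the config.gateway.json shown on this page.
AUTH_PATH = ("vpn", "pptp", "remote-access", "authentication")

def _reject_duplicates(pairs):
    # json.loads keeps only the last of two identical keys, so a copy-pasted
    # user block that was not renamed would silently replace an account.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen

def check_gateway_config(text):
    """Return a list of problems in config.gateway.json text; empty means OK."""
    try:
        node = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return [f"invalid JSON: {exc}"]
    for key in AUTH_PATH:
        if not isinstance(node, dict) or key not in node:
            return [f"missing section {key!r}"]
        node = node[key]
    if not isinstance(node, dict):
        return ["'authentication' is not an object"]
    problems = []
    if node.get("mode") != "local":
        problems.append('authentication "mode" is not "local"')
    local = node.get("local-users")
    users = local.get("username") if isinstance(local, dict) else None
    if not isinstance(users, dict) or not users:
        return problems + ["no local users defined"]
    for name, entry in users.items():
        password = entry.get("password") if isinstance(entry, dict) else None
        if not isinstance(password, str) or not password:
            problems.append(f"user {name!r} has no password")
        elif password == f"{name}password":  # placeholder pattern from this page
            problems.append(f"user {name!r} still uses the placeholder password")
    return problems

if __name__ == "__main__":
    # Usage: python check_gateway.py <path to config.gateway.json>
    with open(sys.argv[1], encoding="utf-8") as handle:
        found = check_gateway_config(handle.read())
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

Run against the example file exactly as printed above, it reports both accounts as still using the placeholder passwords.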

The next step is to manually trigger a PROVISION to the USG. Find an article on how in the Related Articles below. Now you can test VPN connections with these accounts.


Related Articles

