Ubiquiti USG VPN Setup for VMware Cloud on AWS

July 2, 2021, by Eric Shanks

My day job requires me to do a lot of work with VMware Cloud on AWS. If I plan on doing any real work with the virtual machines, Kubernetes clusters, or applications there, I really need a VPN tunnel to securely access those resources. My problem has been getting my aging Ubiquiti USG firewall to do BGP. This post shows how I set up a route-based VPN tunnel with my Ubiquiti USG. Big shoutout to Brian Beach for his work setting up the USG with an AWS Transit Gateway.

Overview

For this setup, I’ll be creating a route-based VPN on the VMware Cloud side. The default ASN for VMware Cloud is 65000, so I’ll use that, and an ASN of 64512 for the home network side. I’ve also selected the 169.254.254.0/30 range for my inside tunnel interface network.

NOTE: The following ranges are reserved in VMware Cloud on AWS, so avoid them for the tunnel network: 169.254.0.0-169.254.31.255 and 169.254.101.0-169.254.101.3.

VMware Cloud on AWS Setup

First we’ll set up the VPN on the VMware Cloud on AWS side. In the VPN settings, select the Route Based tab and click the “Add VPN” button. Give it a name, then change the Local IP Address field to use the public address rather than the private one. For the remote public IP address, specify the public IP address of your USG firewall (if you’re on your home network, myipaddress.com will show it). For the BGP local IP/prefix, pick a network for the inside tunnel interface that doesn’t fall in the reserved ranges mentioned earlier, and be sure to add the /30 prefix to this field. Then specify the inside tunnel IP address for the home network side, and finally the BGP neighbor ASN, which in our case is 64513.

I also needed to open the advanced tunnel properties and change the IKE version to IKEv1 and both the IKE Digest Algorithm and the Tunnel Digest Algorithm to SHA-1, because the USG can’t do SHA-2.

Ubiquiti USG Setup

The USG setup is the interesting part. The USG web interface can’t configure a BGP VPN tunnel, so I had to resort to the advanced configuration described here. This means creating a config.gateway.json file with our configuration and putting it on our Ubiquiti controller, which in my case is a Cloud Key.

Start by creating the JSON file described above. If you’d like, you can use the template below and fill in your own values; the important components are all in it. My suggestion is to draw a diagram similar to the first one in this post and write down what your configuration will be, then fill in the IP addresses, ASNs, passphrase, etc.

{
        "interfaces": {
                "vti": {
                        "vti0": {
                                "address": [
                                        "169.254.254.2/30"
                                ],
                                "firewall": {
                                        "in": {
                                                "ipv6-name": "LANv6_IN",
                                                "name": "LAN_IN"
                                        },
                                        "local": {
                                                "ipv6-name": "LANv6_LOCAL",
                                                "name": "LAN_LOCAL"
                                        },
                                        "out": {
                                                "ipv6-name": "LANv6_OUT",
                                                "name": "LAN_OUT"
                                        }
                                },
                                "mtu": "1436"
                        }
                }
        },
        "protocols": {
                "bgp": {
                        "64513": {
                                "neighbor": {
                                        "169.254.254.1": {
                                                "remote-as": "65000",
                                                "soft-reconfiguration": {
                                                        "inbound": "''"
                                                },
                                                "timers": {
                                                        "holdtime": "30",
                                                        "keepalive": "10"
                                                }
                                                
                                        }
                                },
                                "parameters": {
                                        "router-id": "73.9.249.240"
                                },
                                "redistribute": {
                                        "connected": "''",
                                        "static": "''"
                                }
                        }
                }
        },
        "vpn": {
                "ipsec": {
                        "auto-firewall-nat-exclude": "enable",
                        "nat-traversal": "enable",
                        "ipsec-interfaces": {
                                "interface": [
                                        "eth0"
                                ]
                        },
                        "nat-networks": {
                                "allowed-network": {
                                        "0.0.0.0/0": "''"
                                }
                        },
                        "esp-group": {
                                "ESP_54.148.170.2": {
                                        "compression": "disable",
                                        "lifetime": "3600",
                                        "mode": "tunnel",
                                        "pfs": "enable",
                                        "proposal": {
                                                "1": {
                                                        "encryption": "aes256",
                                                        "hash": "sha1"
                                                }
                                        }
                                }
                        },
                        "ike-group": {
                                "IKE_54.148.170.2": {
                                        "key-exchange": "ikev1",
                                        "lifetime": "86400",
                                        "mode": "main",
                                        "proposal": {
                                                "1": {
                                                        "dh-group": 14,
                                                        "encryption": "aes256",
                                                        "hash": "sha1"
                                                }
                                        },
                                        "dead-peer-detection": {
                                                 "action": "restart",
                                                 "interval": "15",
                                                 "timeout": "60"
                                        }
                                }
                        },
                        "site-to-site": {
                                "peer": {
                                        "54.148.170.2": {
                                                "authentication": {
                                                        "mode": "pre-shared-secret",
                                                        "pre-shared-secret": "MYSUPERSECRETPASS"
                                                },
                                                "connection-type": "initiate",
                                                "ike-group": "IKE_54.148.170.2",
                                                "local-address": "73.9.249.240",
                                                "vti": {
                                                        "bind": "vti0",
                                                        "esp-group": "ESP_54.148.170.2"
                                                }
                                        }
                                }
                        }
                }
        }
}
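Filling the template by hand is where the inconsistent values creep in (a tunnel address outside the /30, a tunnel network inside one of the reserved link-local ranges, the placeholder pre-shared secret left in place), and none of that is caught until the provision fails. The following generator is an added example, not code from the original post or from Ubiquiti: it renders the same structure as the template above from a handful of parameters and refuses to produce a file when the inputs are inconsistent. Every address, ASN and the pre-shared secret in SAMPLE is a constructed placeholder (RFC 5737 documentation ranges) that you replace with your own values; the 20-character minimum for the secret is this example's own choice, not a USG rule.

```python
"""Render and sanity-check a config.gateway.json for a USG route-based (VTI + BGP)
tunnel to VMware Cloud on AWS. Added example, not code from the original post;
the structure mirrors the template above. All values in SAMPLE are constructed
placeholders (RFC 5737 documentation ranges) to be replaced."""
import ipaddress

# Link-local ranges reserved by VMware Cloud on AWS, per the note in the post.
RESERVED = (
    ipaddress.ip_network("169.254.0.0/19"),    # 169.254.0.0 - 169.254.31.255
    ipaddress.ip_network("169.254.101.0/30"),  # 169.254.101.0 - 169.254.101.3
)

# Constructed sample values; not the post's real addresses.
SAMPLE = dict(
    local_public_ip="203.0.113.10",    # USG WAN address (router-id / local-address)
    remote_public_ip="198.51.100.20",  # VMware Cloud public VPN endpoint
    tunnel_cidr="169.254.254.0/30",
    local_tunnel_ip="169.254.254.2", remote_tunnel_ip="169.254.254.1",
    local_asn=64513, remote_asn=65000,
    psk="constructed-sample-secret-change-me-0123",
)


def validate(local_public_ip, remote_public_ip, tunnel_cidr, local_tunnel_ip,
             remote_tunnel_ip, local_asn, remote_asn, psk):
    """Return a list of problems; empty when the inputs are consistent."""
    for ip in (local_public_ip, remote_public_ip):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    try:
        net = ipaddress.ip_network(tunnel_cidr, strict=True)
    except ValueError as exc:
        return [f"bad tunnel network {tunnel_cidr!r}: {exc}"]
    problems = []
    if net.prefixlen != 30:
        problems.append(f"tunnel network {net} must be a /30")
    for reserved in RESERVED:
        if net.overlaps(reserved):
            problems.append(f"{net} overlaps reserved range {reserved}")
    hosts = set(net.hosts())  # usable addresses, excluding network and broadcast
    for name, ip in (("local", local_tunnel_ip), ("remote", remote_tunnel_ip)):
        if ipaddress.ip_address(ip) not in hosts:
            problems.append(f"{name} tunnel address {ip} is not a host in {net}")
    if local_tunnel_ip == remote_tunnel_ip:
        problems.append("local and remote tunnel addresses must differ")
    if local_asn == remote_asn:
        problems.append("local and remote ASN must differ (eBGP)")
    # Refuse the template placeholder and short secrets. The 20-character
    # floor is this example's own choice, not a USG requirement.
    if psk == "MYSUPERSECRETPASS" or len(psk) < 20:
        problems.append("pre-shared secret is the template placeholder or too short")
    return problems


def build_config(**p):
    """Build the config.gateway.json structure; raise ValueError on bad input."""
    problems = validate(**p)
    if problems:
        raise ValueError("; ".join(problems))
    prefixlen = ipaddress.ip_network(p["tunnel_cidr"]).prefixlen
    esp, ike = f"ESP_{p['remote_public_ip']}", f"IKE_{p['remote_public_ip']}"
    empty = "''"  # EdgeOS JSON spelling of a node that takes no value
    return {
        "interfaces": {"vti": {"vti0": {
            "address": [f"{p['local_tunnel_ip']}/{prefixlen}"],
            "firewall": {"in": {"ipv6-name": "LANv6_IN", "name": "LAN_IN"},
                         "local": {"ipv6-name": "LANv6_LOCAL", "name": "LAN_LOCAL"},
                         "out": {"ipv6-name": "LANv6_OUT", "name": "LAN_OUT"}},
            "mtu": "1436"}}},
        "protocols": {"bgp": {str(p["local_asn"]): {
            "neighbor": {p["remote_tunnel_ip"]: {
                "remote-as": str(p["remote_asn"]),
                "soft-reconfiguration": {"inbound": empty},
                "timers": {"holdtime": "30", "keepalive": "10"}}},
            "parameters": {"router-id": p["local_public_ip"]},
            "redistribute": {"connected": empty, "static": empty}}}},
        "vpn": {"ipsec": {
            "auto-firewall-nat-exclude": "enable", "nat-traversal": "enable",
            "ipsec-interfaces": {"interface": ["eth0"]},
            "nat-networks": {"allowed-network": {"0.0.0.0/0": empty}},
            "esp-group": {esp: {"compression": "disable", "lifetime": "3600",
                                "mode": "tunnel", "pfs": "enable",
                                "proposal": {"1": {"encryption": "aes256", "hash": "sha1"}}}},
            "ike-group": {ike: {"key-exchange": "ikev1", "lifetime": "86400", "mode": "main",
                                "proposal": {"1": {"dh-group": 14, "encryption": "aes256",
                                                   "hash": "sha1"}},
                                "dead-peer-detection": {"action": "restart", "interval": "15",
                                                        "timeout": "60"}}},
            "site-to-site": {"peer": {p["remote_public_ip"]: {
                "authentication": {"mode": "pre-shared-secret", "pre-shared-secret": p["psk"]},
                "connection-type": "initiate", "ike-group": ike,
                "local-address": p["local_public_ip"],
                "vti": {"bind": "vti0", "esp-group": esp}}}}}},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_config(**SAMPLE), indent=4))
```

Run it with your own values in SAMPLE and redirect the output to config.gateway.json before copying it to the controller. The checks run before anything is rendered, so a tunnel network that lands in a reserved range, a tunnel address that is the network or broadcast address of the /30, or a secret that is still the template placeholder produces an error message instead of a file that only fails at provisioning time.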

When you have the config file created and updated with your own IP addresses and ASNs, copy it over to your Ubiquiti cloud controller. For the Cloud Key, the path is: /srv/unifi/data/sites/default

Note: if you are not using a Cloud Key, this path might be different. Also, if you’re using a site other than default, the directory name changes to the name of your site. If you aren’t using sites, use default as I did.

Once the file has been copied over to the Ubiquiti controller, you’ll need to re-provision your USG. Go to the UI and force provision the USG.

After the USG is provisioned you can test your VPN tunnel. If the provisioning fails, you can see info in the server.log file on the controller. Worst case, you can remove the config.gateway.json file and re-provision.

I want to note that you will NOT see any of these configurations in the UI after deploying. These advanced settings are merged with the UI configs but they are not displayed in the UI anywhere.

Summary

If you’re running a Ubiquiti USG firewall and want to set up a VPN tunnel to VMware Cloud on AWS, these instructions should get you going.