OpenVPN box between WAN and Router

Hey! We're in the process of getting fiber installed at my house, so I have started thinking about how I'm going to set up my network, and could use a little help.
Right now I have an ADSL connection, with a modem in bridged mode connected to an Asus RT-AC68U with Asuswrt-Merlin firmware. I have a couple of Unifi products (3 APs, one switch, and one cloud key controller).
I'm thinking of replacing my router with the Unifi USG Pro to have everything controlled by the nice Unifi software, but the lack of OpenVPN support and (from what I've read) poor VPN throughput speeds have made me question getting one.

So, I'm thinking of buying/building a small VPN box with dual NICs, running pfsense or something, and using it just for the VPN connection and the router for everything else.
One problem I can think of right away is that I use the Asus router as both an OpenVPN client (to protect everything behind it) as well as an OpenVPN server (so I can access my home network from work and my phone, so I can show pictures from the NAS to friends, SSH into my servers, etc).

If I would build this VPN box, would there be any trouble connecting to the Unifi router if I set it up as a VPN server?
Right now I don't have a static IP, but my VPN service lets me open ports for services through the VPN tunnel, and then I use DynDNS to get the IP and use my port to connect to the Asus router. Works great!
But if I have a VPN box between the router and the internet, could I still connect to the router?
I'm thinking ideally it should be "invisible": I just get the IP from my VPN provider, and it lets everything through to be handled by the USG Pro router's firewall.
Would pfsense be a good software for this?

Basically, all I need is a capable CPU with AES-NI compatibility to get my VPN tunnel to gigabit speeds, and nothing more. The USG Pro will probably not do this, but I still want it due to the nice software, so I just want to move the VPN client to another computer.

Thoughts?

Hi, Welcome to the forum.

Why are you thinking of getting a UniFi router? The cloud key already does what it would be doing and you’re just adding another device (and possibly complicating the setup).

As for using pfSense, if you want to replace your existing router with it, go for it.
pfSense could replace your existing router as it is a firewall/router software. It also has the capabilities of running as an OpenVPN server and client at the same time (and you can get it to do DynDNS no problem).

If you really do want just a VPN box to offload the task from the existing router, you would be better off setting it up behind the router. It would simplify this setup making it way less complicated (especially if you still wanted the router to have a public IP on the WAN side interface) and it would literally require no change to your setup other than opening a port to allow incoming VPN connections to initiate.

Hi, and thanks! :smile:

Well, the controller is missing quite a lot from the USG, for example I don't get the latency and throughput charts, Remote User VPN, DHCP server, static routes, Radius, DPI, and a few other things… Some are just for looks like the charts, while other things like the DHCP server are something that's pretty nice to have :blush:

I could replace the CK with the USG if they interfere with each other, so it's not that big of a problem.
I know pfsense is a really good software, I've tinkered with it a little bit in the past, but I'm thinking of starting up an IT firm as a side project next to my regular work.
I've got some smaller businesses (friends and family) that are looking to reconfigure their networks, so I thought I would transfer as much as possible into Unifi, both for me and them, so I can use the cloud functions to manage every site I have up and running. That's the main reason I want to go Unifi for my router as well :slight_smile:

True, I hadn't thought of the option to put it behind the router, then I would connect it USG -> VPN box -> Switch, right?
How would that interfere with my ability to access the router from inside the network?
Wouldn't it mean the VPN tunnel is from the VPN box, through the router and ISP to the VPN provider, meaning I won't see the router since that traffic is encrypted?
And how would it work with things like DHCP, VLANs etc?

Thanks for the reply! Much appreciated :smile:

It will probably be a lot easier to just use pfsense as your router rather than the USG. If you want to have the VPN client behind the router you’re going to have to mess around with static routes, if you have it after the router then it’s not really a router.


I really do not know much about the UniFi stuff as a whole as I use the APs and the cloud key (for the zero hand off crud) whilst everything else is done via my pfSense box.

The first paragraph of text literally describes just some of the features pfSense has. It may be worth spinning up a VM and installing pfsense just to have a tinker through all of its options.

If you had the VPN box behind the router it would be Router->Switch->VPN Box (where the VPN box is just hooked into the switch).
If you want to use it for client access (for remote use) then it would be a port open and you would just push the routes for access to your network in either the client config or from the server (via the server is useful in case you need to modify it later). If you want to use it as the VPN gateway, you'd have DHCP define the VPN box as the gateway instead of the actual gateway, allowing it to route traffic down the tunnel (it's not quite as simple as that, but it's the basic 'gist' of it).

Correct, your router would just see encrypted traffic in this setup for either incoming or outgoing traffic.

DHCP? This would not cause an issue, as anyone connecting to the VPN externally would have a tunnel IP assigned via the VPN box and anyone internal would still have it assigned by the main router. If you need VLAN access, you can either do that on the VPN box or through inter-VLAN routing on the router.
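As an added illustration of the "push the routes from the server" approach described above (example config written for this thread, not posted by anyone in it), assume the home LAN is 192.168.1.0/24, the tunnel pool is 10.8.0.0/24, and the VPN box sits behind the router on the LAN:

```openvpn
# server.conf on the VPN box (assumed home LAN 192.168.1.0/24)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key                  # wrap the control channel; unauthenticated packets are dropped early
server 10.8.0.0 255.255.255.0     # tunnel address pool handed to remote clients
topology subnet

# Push the LAN route from the server so every client learns it when it connects;
# changing it here later takes effect on the client's next connection.
# (The client-side alternative is `route 192.168.1.0 255.255.255.0` in each client.ovpn.)
push "route 192.168.1.0 255.255.255.0"
# No `push "redirect-gateway def1"`: remote users only need the home LAN (NAS, SSH),
# so only that subnet is sent through the tunnel and their other traffic is untouched.

keepalive 10 120
cipher AES-256-GCM
auth SHA256
remote-cert-tls client            # accept only certificates issued with the client EKU
user nobody
group nogroup
persist-key
persist-tun
verb 3
```

Because the VPN box is behind the router rather than being the gateway, LAN hosts send replies to 10.8.0.x addresses via their default gateway; add a static route for 10.8.0.0/24 pointing at the VPN box's LAN address on the router (or NAT the tunnel subnet on the box) so NAS and SSH replies find their way back into the tunnel.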

What I honestly recommend you do is use the cloud key in conjunction with a switch, which I presume is Unifi, and your APs… You should place them all BEHIND a pfSense firewall. The purpose of the firewall and/or the USG is to protect the internal network from outside attacks. You will not want to use the USG behind the pfsense firewall because you will have the issues of having to use static routes. You should just not use the USG to be quite frank. You will find pfSense to be very very nice software. It takes some getting used to but it's really nice as a firewall or even a router. I am assuming you will be using it as a firewall as a router would require finding a NIC that does PoE for your unifi APs which your switch already does…

@Dexter_Kane: Yeah, I don't see much love for the USG here, so I will probably think more of getting another server and just use pfsense instead :slight_smile:

@zanginator: The "first paragraph of text" was just to highlight the difference between the Cloud Key and the USG, since you wrote that the CK already does what the USG would be doing, which it won't :slight_smile:
It was not a comparison between pfsense and the USG.

I don't want to use the VPN box for remote use, I want to push everything in my network out through it so I get a secure line out to WAN. Basically, what I want:
VPN >Server< set up on the router that I can connect to, to gain access to my network from anywhere remotely. This will not be anything CPU heavy, just to be used to gain access to the NAS for showing pictures and movies, configuring server stuff through SSH, uploading stuff from work to my home network, etc.

And then a VPN >client< connected to my VPN Provider so I have a secure connection when I surf, stream etc.
The only reason for wanting to use an external box would be to be able to push gigabit speeds (which the USG can't).

So: LAN -> Switch -> Router -> VPN box --[encrypted]--> (ISP) --[encrypted]--> VPN Provider -> WAN.
The VPN box would accept ALL incoming connections, which would then be sorted by the Router.

I think you just misunderstood, the VPN box I'm talking about will not be used for connecting remotely, it will just be an "invisible" box between the router and the ISP, tasked with keeping a secure line up.

The only reason I'm even considering USG is because I'm thinking of deploying some Unifi product line to future customers, and I really like Unifi's cloud management. So it's just easier for me to get everything sorted on every site if I am using the same stuff at home, so every hiccup I have hopefully encountered at home first.
But, since the USG doesn't seem to be anything to strive for, I will just have to look for hardware for building a pfsense box that can handle gigabit VPN as well. Just thought it would be easier to have a small computer just handle the VPN connection, and then purchase a USG to deploy into my setup which already consists of several other Unifi products :slight_smile:

@PhaseLockedLoop: Thanks, not using the USG seems to be the preferred method :smiley:
I will probably just purchase some dual NIC server hardware to connect to my rack, use pfsense for everything "routery" and run a non-PoE ethernet to the switch which will handle everything from APs to cameras and computers :slight_smile:


I know what you want to do but this isn’t how it works. The VPN client has to be behind the gateway because it needs internet access, so it can’t be some transparent device between the router (gateway) and the internet. So the only ways to do it are to have it on some device behind the router and then configure static routes so that your devices use the VPN gateway to access the internet. You could use DHCP to set the VPN as the default gateway but then you would need to configure static routes so that you can still access the router.

The other way is to run the VPN on the gateway so that you don’t need to configure static routes on the client devices and you can just sort the routing out on the router. This way is much easier and flexible, so if you’re going to run pfsense, or hardware which you could run pfsense on for the VPN client then it just makes much more sense to use that as the router as well.

But I will get some kind of gateway in the media converter that will be supplied in my house, that the VPN box will be connected to?
The fiber cable goes in the house, to a media converter to be converted to an RJ45 ethernet, that will also provide TV and telephone, should I want it.
If I wanted to I could connect a computer straight to the media converter and it would have internet access, shouldn't that also be true then for a VPN box connected after the media converter, before a router?
Now I'm just trying to understand better, I will get a pfsense router and just skip the USG, but it just seems weird to me that a computer connected directly would have internet access but the VPN box would not?

You can connect anything directly to the internet and it will work, but you need a router if you want to connect a network to the internet (or any other network).

If you have it set up like router - VPN client - internet then only the VPN client will have internet access, and the router and everything behind it will not. You would need to configure the VPN machine as a router in order for the router and the rest of the network to access the internet, and at that point there's no reason to have a second router.

paste this into http://viz-js.com/ (no idea how to embed dot diagrams on the forum)

graph G{
  node [shape=box]
  internet [shape=oval, label="internet\n from ISP"]
  internet -- isp_ONT [label="fiber"]
  pfSense [label="pfSense*\n routing\n and VPN\n and usage diagrams\n and Unifi controller"]
  isp_ONT -- pfSense [label="copper\n ethernet"]
  pfSense -- switch
  switch -- AP1
  switch -- AP2
  switch -- "CK\n (optional/sell) "
  switch -- workstation
  switch -- dotdotdot
  dotdotdot [label="..."]
}

you can run the unifi controller on pfSense and just tick the cloud option, you don’t need the cloud key anymore.

USG is just an EdgeRouter Lite in a white box (instead of black), without a web UI, but with an API that can be driven from the Unifi controller. It's still the same crappy/slow PowerPC "can't do anything quickly if not supported in ASIC" router as the EdgeRouter Lite – it's way overpriced for what it is.

@Dexter_Kane: Alright, now I get what you are saying, just got a little thrown off because you said the VPN box needed internet access :slight_smile:

Thanks! :slight_smile:

I think that additional purchase is unnecessary. I think you should just use it as a firewall, not a router. Your switch will handle all the switching.

This is also true.
