Wednesday, March 29, 2017

PrivateInternetAccess VPN on a Ubiquiti USG (Unifi Security Gateway)


Big news this week, as the Republicans in Congress decided to scrap an FCC rule known as the Broadband Consumer Privacy Proposal which required broadband providers to get permission from subscribers before collecting and selling data collected about their users.

Since I am very interested in my online privacy, or at least, I like to have the option to choose when to share my information for myself, and since I recently upgraded my home router to a Unifi Security Gateway from Ubiquiti Networks, I wanted to know if the VPN client would be compatible with the Private Internet Access VPN that I use to protect my privacy, thereby putting my entire house behind the VPN all the time.

Posts in the UBNT Community Forums seem to have a lot of confusion, or are just outdated.

It turns out the setup for a PIA VPN configuration is very easy.

The only thing that posed any challenge was calculating all the routes for all the subnets outside my house, to route that traffic over the VPN. In my case, since I use RFC1918 space, here is the list of routes I needed to add to the USG, via the "subnets" menu item in the USG settings app:

  • 0.0.0.0/1
  • 192.169.0.0/16
  • 192.170.0.0/15
  • 192.172.0.0/14
  • 192.176.0.0/12
  • 193.0.0.0/8
  • 194.0.0.0/7
  • 196.0.0.0/6
  • 200.0.0.0/5
  • 208.0.0.0/4
  • 224.0.0.0/3

Since hosts have a default route to the USG (192.168.1.1), all traffic will make it to the USG just fine. Now... the USG has a default route to the internet via my ISP. The default route is 0.0.0.0/0, which is the least specific route possible to have in a routing table... a route to every IP possible. In routing, more specific routes always win. So the USG also has a local route to 192.168.0.0/22, which prevents my internal traffic from following the default route. And the USG has a more specific route to it's gateway than default as well, due to it being a connected network so it won't get lost in the routes above.

The list of subnets above provides a more specific route than the default route for every possible IP that is not in my house, which forces everything to be sent across the VPN, but they are still the least specific possible routes to everything, which means they're pretty easy to override if I don't want something going over the VPN. After all, the VPN is pretty limited on bandwidth compared to going directly out FiOS.

This list is everything that I don't use in my house, and ensures that any traffic to anywhere outside my house will be routed over the VPN. And, Yes, I am aware that there are other blocks of RFC1918 and RFC5737 space, but since ISPs don't route those networks, I'm not worried about them, because the VPN essentially acts as a sink for any traffic to those destinations.

Here is how the settings go into the USG configuration in the Unifi controller application:

Specifically:

  • Purpose: VPN Client
  • VPN Client: PPTP
  • Enabled: check this when you want the VPN to go live
  • Remote Subnets: one entry for each of the subnets in the list above (modified for your own use, if you don't use 192.168.x.x in your house/business)
  • Server IP: get this from PIA, I used `nslookup us-east.privateinternetaccess.com`
  • Username: your PIA username
  • Password: your PIA password
  • MPPE: Yes. You definitely want to have your VPN connection encrypted.


Enjoy your ISP not selling your internet activities to advertisers.

6 comments:

  1. Thanks Tim! What about your routing table - did you have to make changes there?

    ReplyDelete
    Replies
    1. Hi David, the subnets above are actually used to modify the routing table by providing more specific routes to everything on the internet than the ISP's default route.

      Delete
  2. Assuming I use the full RFC1918 Space (10/8, 172.16/12, and 192.168/16) in my private network, will I need to add the follow to the "Remote Subnet" list:

    0.0.0.0/5
    8.0.0.0/7
    11.0.0.0/8
    12.0.0.0/6
    16.0.0.0/4
    32.0.0.0/3
    64.0.0.0/2
    128.0.0.0/3
    160.0.0.0/5
    168.0.0.0/6
    172.0.0.0/12
    172.32.0.0/11
    172.64.0.0/10
    172.128.0.0/9
    173.0.0.0/8
    174.0.0.0/7
    176.0.0.0/4
    192.0.0.0/9
    192.128.0.0/11
    192.160.0.0/13
    192.169.0.0/16
    192.170.0.0/15
    192.172.0.0/14
    192.176.0.0/12
    193.0.0.0/8
    194.0.0.0/7
    196.0.0.0/6
    200.0.0.0/5
    208.0.0.0/4
    224.0.0.0/3

    With the above in my "Remote Subnet" list, all traffic outside of the RFC1918 Space will go through the VPN correct?

    Also, can I use the "Remote Subnet" list to route Country specific sites through a VPN?

    ReplyDelete
    Replies
    1. It looks like you are missing '192.192.0.0/10', but yes, that should push everything that's not RFC1918 over your VPN. You should be able to route any remote subnet you want over your VPN, even other countries (since they would be included in your subnet list there). If you mean pushing specific countries over different VPN connections, that should definitely be possible, but I haven't tested it.

      Delete
  3. Replies
    1. Nope. Netflix definitely blocks PIA.

      Delete