Wednesday, March 29, 2017

PrivateInternetAccess VPN on a Ubiquiti USG (Unifi Security Gateway)


Big news this week, as the Republicans in Congress decided to scrap an FCC rule known as the Broadband Consumer Privacy Proposal which required broadband providers to get permission from subscribers before collecting and selling data collected about their users.

Since I am very interested in my online privacy, or at least, I like to have the option to choose when to share my information for myself, and since I recently upgraded my home router to a Unifi Security Gateway from Ubiquiti Networks, I wanted to know if the VPN client would be compatible with the Private Internet Access VPN that I use to protect my privacy, thereby putting my entire house behind the VPN all the time.

Posts in the UBNT Community Forums on the subject are either confused or simply outdated.

It turns out the setup for a PIA VPN configuration is very easy.

The only thing that posed any challenge was calculating the routes for all the subnets outside my house, so that traffic to them goes over the VPN. In my case, since I use RFC1918 space (192.168.0.0/22) internally, here is the list of routes I needed to add to the USG, via the "subnets" menu item in the USG settings app:

  • 0.0.0.0/1
  • 192.169.0.0/16
  • 192.170.0.0/15
  • 192.172.0.0/14
  • 192.176.0.0/12
  • 193.0.0.0/8
  • 194.0.0.0/7
  • 196.0.0.0/6
  • 200.0.0.0/5
  • 208.0.0.0/4
  • 224.0.0.0/3

Since hosts have a default route to the USG (192.168.1.1), all traffic makes it to the USG just fine. Now, the USG has a default route to the internet via my ISP. The default route is 0.0.0.0/0, the least specific route a routing table can hold: a route to every possible IP. In routing, the more specific route always wins. The USG also has a connected route to 192.168.0.0/22, which keeps my internal traffic from following the default route. And the USG has a more specific route to its gateway than the default as well, because the gateway sits on a directly connected network, so that traffic won't get swallowed by the routes above.

The list of subnets above provides a more specific route than the default for every possible IP that is not in my house, which forces everything to be sent across the VPN. At the same time, they are still the least specific routes that can cover all of that space, which means they're easy to override with a more specific route if I don't want something going over the VPN. After all, the VPN is pretty limited on bandwidth compared to going directly out FiOS.

This list covers everything that I don't use in my house, and ensures that any traffic to anywhere outside my house is routed over the VPN. And yes, I am aware that there are other blocks of RFC1918 and RFC5737 space, but since ISPs don't route those networks, I'm not worried about them: the VPN essentially acts as a sink for any traffic to those destinations.
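To take the hand calculation out of the subnet list above, and to show the longest-prefix-match argument from the last few paragraphs in running code, here is an added Python script (not from the original post or from Ubiquiti). It carves the given local prefixes out of 0.0.0.0/0 to produce the "Remote Subnets" list for any LAN, then looks destinations up in a table built the way the post describes; the 203.0.113.0/24 bypass prefix and the isp/vpn/local labels are constructed for the illustration.

```python
import ipaddress
from typing import Dict, Iterable, List


def vpn_remote_subnets(local_nets: Iterable[str]) -> List[str]:
    """Smallest set of CIDR blocks covering every IPv4 address NOT in local_nets.

    Start from 0.0.0.0/0 and carve each local prefix out with address_exclude(),
    which yields the minimal covering blocks. Local prefixes are collapsed first
    so they are disjoint; two CIDR blocks then either nest or do not overlap."""
    locals_ = ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in local_nets)
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for local in locals_:
        carved = []
        for block in remaining:
            if local.subnet_of(block):      # block contains the LAN: split around it
                carved.extend(block.address_exclude(local))
            elif block.subnet_of(local):    # block lies inside the LAN: drop it
                continue
            else:                           # disjoint: keep unchanged
                carved.append(block)
        remaining = carved
    return [str(n) for n in sorted(remaining)]


def build_table(local_nets: List[str], bypass: Iterable[str] = ()) -> Dict[str, str]:
    """Routing table as the post describes it: ISP default route, connected LAN
    routes, VPN routes for everything else, plus optional more-specific bypass
    routes that send chosen destinations straight out the ISP link."""
    table = {"0.0.0.0/0": "isp"}
    table.update({n: "local" for n in local_nets})
    table.update({n: "vpn" for n in vpn_remote_subnets(local_nets)})
    table.update({n: "isp" for n in bypass})
    return table


def next_hop(dst: str, table: Dict[str, str]) -> str:
    """Longest-prefix match: of all routes containing dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in table if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return table[str(best)]


if __name__ == "__main__":
    # 192.168.0.0/22 is the LAN from the post; 203.0.113.0/24 (TEST-NET-3) is a
    # constructed example of a destination deliberately kept off the VPN.
    table = build_table(["192.168.0.0/22"], bypass=["203.0.113.0/24"])
    for dst in ("192.168.1.50", "8.8.8.8", "203.0.113.9"):
        print(f"{dst} -> {next_hop(dst, table)}")
```

Feeding it the full RFC1918 space (10/8, 172.16/12, 192.168/16) reproduces the 31-entry list discussed in the comments, including 192.192.0.0/10.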

Here is how the settings go into the USG configuration in the Unifi controller application:

Specifically:

  • Purpose: VPN Client
  • VPN Client: PPTP
  • Enabled: check this when you want the VPN to go live
  • Remote Subnets: one entry for each of the subnets in the list above (modified for your own use, if you don't use 192.168.x.x in your house/business)
  • Server IP: get this from PIA, I used `nslookup us-east.privateinternetaccess.com`
  • Username: your PIA username
  • Password: your PIA password
  • MPPE: Yes. You definitely want to have your VPN connection encrypted.


Enjoy your ISP not selling your internet activities to advertisers.

17 comments:

  1. Thanks Tim! What about your routing table - did you have to make changes there?

    1. Hi David, the subnets above are actually used to modify the routing table by providing more specific routes to everything on the internet than the ISP's default route.

  2. Assuming I use the full RFC1918 space (10/8, 172.16/12, and 192.168/16) in my private network, will I need to add the following to the "Remote Subnet" list:

    0.0.0.0/5
    8.0.0.0/7
    11.0.0.0/8
    12.0.0.0/6
    16.0.0.0/4
    32.0.0.0/3
    64.0.0.0/2
    128.0.0.0/3
    160.0.0.0/5
    168.0.0.0/6
    172.0.0.0/12
    172.32.0.0/11
    172.64.0.0/10
    172.128.0.0/9
    173.0.0.0/8
    174.0.0.0/7
    176.0.0.0/4
    192.0.0.0/9
    192.128.0.0/11
    192.160.0.0/13
    192.169.0.0/16
    192.170.0.0/15
    192.172.0.0/14
    192.176.0.0/12
    193.0.0.0/8
    194.0.0.0/7
    196.0.0.0/6
    200.0.0.0/5
    208.0.0.0/4
    224.0.0.0/3

    With the above in my "Remote Subnet" list, all traffic outside of the RFC1918 space will go through the VPN, correct?

    Also, can I use the "Remote Subnet" list to route country-specific sites through a VPN?

    1. It looks like you are missing '192.192.0.0/10', but yes, that should push everything that's not RFC1918 over your VPN. You should be able to route any remote subnet you want over your VPN, even other countries (since they would be included in your subnet list there). If you mean pushing specific countries over different VPN connections, that should definitely be possible, but I haven't tested it.

  3.
    1. Nope. Netflix definitely blocks PIA.

    2. How would you allow specific internal network IPs the ability to route traffic without going through the VPN? Specifically I would want to set up the iPads and FireTV devices that use Netflix and other streaming apps to not go through PIA.

    3. For that, I would probably move the VPN tunnel off the USG, and onto a computer behind it. Then set that computer to be the default gw for any device I want to use the VPN, which would give direct internet access to devices like the tablets.