Re: Private Internet Access Open VPN - Step by Step Configuration
Thanks a ton for all the information. I very carefully read through this posting and the previous posting that stemmed this one.

I am new to any kind of enterprise networking and definitely new to Ubiquiti, so I had a pretty big learning curve here. Also, I am doing this on the USG and not the EdgeRouter. My understanding was that they are very similar, so this posting was definitely very helpful. I was running into an issue that as soon as I would enable the VPN I would lose internet access completely. I ended up finding out that for the USG I needed to manually go into the UniFi Controller and manually specify DNS servers for the USG. After doing this I was able to get everything working correctly. I just used the Level 3 DNS servers.

I did my setup a bit differently. Instead of specifying IP addresses I wanted to route through the VPN, I just specified a separate subnet. So I created a separate network in UniFi which I made the 192.168.3.1/24 subnet and gave VLAN 13 to this network. I also have 192.168.1.1/24 set up as MGMT and 192.168.2.1/24 set up as just normal internet/network access with VLAN 12. I created two SSIDs, one that is Home, set to VLAN 12 and used for normal internet/network, and one that is Home - VPN, set to VLAN 13.

Then my configuration is as follows:

VPN Portion:

set firewall group address-group OPENVPN_COMPUTERS address 192.168.3.0/24
set firewall group address-group OPENVPN_COMPUTERS description 'openvpn hosts'
set firewall modify VPN_ROUTE rule 10 action modify
set firewall modify VPN_ROUTE rule 10 description 'traffic from Devices to vtun0'
set firewall modify VPN_ROUTE rule 10 modify table 1
set firewall modify VPN_ROUTE rule 10 source group address-group OPENVPN_COMPUTERS
set interfaces ethernet eth1 vif 13 firewall in modify VPN_ROUTE
set service nat rule 5000 description openvpn
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 protocol all
set service nat rule 5000 source group address-group OPENVPN_COMPUTERS
set service nat rule 5000 type masquerade
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set interfaces openvpn vtun0 config-file /config/auth/pia-vpn-us.ovpn
set interfaces openvpn vtun0 description 'Private Internet Access VPN'

Normal network/internet traffic portion:

set firewall group address-group GLOBAL_INTERNET address 192.168.2.0/24
set firewall group address-group GLOBAL_INTERNET description 'Global Internet Access'
set firewall modify SOURCE_ROUTE rule 10 action modify
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from primary subnet to eth0'
set firewall modify SOURCE_ROUTE rule 10 modify table 2
set firewall modify SOURCE_ROUTE rule 10 source group address-group GLOBAL_INTERNET
set interfaces ethernet eth1 vif 12 firewall in modify SOURCE_ROUTE
set service nat rule 5001 description global-nat
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface eth0
set service nat rule 5001 protocol all
set service nat rule 5001 source group address-group GLOBAL_INTERNET
set service nat rule 5001 type masquerade
set protocols static table 2 route 0.0.0.0/0 next-hop xxx.xxx.xxx.xxx

MGMT Portion:

set firewall group address-group MGMT address 192.168.1.0/24
set firewall group address-group MGMT description 'MGMT Subnet'
set firewall modify SOURCE_ROUTE rule 20 action modify
set firewall modify SOURCE_ROUTE rule 20 description 'traffic from MGMT to eth0'
set firewall modify SOURCE_ROUTE rule 20 modify table 3
set firewall modify SOURCE_ROUTE rule 20 source group address-group MGMT
set interfaces ethernet eth1 firewall in modify SOURCE_ROUTE
set service nat rule 5002 description MGMT
set service nat rule 5002 log disable
set service nat rule 5002 outbound-interface eth0
set service nat rule 5002 protocol all
set service nat rule 5002 source group address-group MGMT
set service nat rule 5002 type masquerade
set protocols static table 3 route 0.0.0.0/0 next-hop xxx.xxx.xxx.xxx

I do have a question though, if anyone can help. I originally was trying to use this as the set protocols line:

"set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface eth0"

I was hoping that I could just set the hop to eth0 (the WAN interface on the USG), but it was not working when I did this. I wanted to do it right to eth0 because I do not have a static IP address from my provider. So instead I did a show ip route and there was an address that was showing connecting to eth0 that I plugged in place of the xxx.xxx.xxx.xxx listed above, and this worked. This isn't my actual IP from my provider, but must be a gateway address to them or something. I am not sure if this will change at some point though. Does anyone know how I would go about setting it up to point to the interface instead of the specified IP address?

My configuration seems to be working great, but I'm sure there are some things that are not done "correctly" as I did just piece some knowledge together from a lot of searching. But if I connect to SSID Home - VPN I get my VPN connection, and if I connect to just Home then I get my normal non-VPN connection. Also, just for reference, when I connect to VPN, I am connecting to PIA US-East, I am getting about 6 Mb down and maybe 8 to 10 Mb up. Off VPN I get anywhere from 80 to 120 Mb down and 10 Mb up. Does that seem about what others are getting? Is there a faster VPN server? Or even a faster VPN provider?

Let me know if there is anything I can do differently with my config to make it better, or if anyone has any questions setting things up on the USG I can try to help to the best of my knowledge.
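The policy-based routing in the post hangs together only if four pieces line up for each subnet: the address-group the modify rule matches on exists, the modify ruleset is actually attached to an interface with "firewall in modify", the routing table the rule marks traffic into has a default route, and a masquerade NAT rule covers the same source group on the interface that default route exits through. If the table has no route, Linux policy routing just continues to the next ip rule and the marked traffic ends up in the main table, so a VPN subnet would quietly go out the WAN instead. The script below is an added example (not from the post or from Ubiquiti) that parses "set ..." lines in the EdgeOS/USG CLI format shown above and reports any of those four mismatches; the sample config embedded in it is the VPN portion of the post, copied verbatim, and the broken variants in the usage are constructed by deleting single lines from it.

```python
"""Consistency checker for EdgeOS/USG policy-based-routing "set" lines (added example)."""
import shlex

# Constructed sample: the VPN portion of the forum post's configuration, verbatim.
VPN_CONFIG = """
set firewall group address-group OPENVPN_COMPUTERS address 192.168.3.0/24
set firewall group address-group OPENVPN_COMPUTERS description 'openvpn hosts'
set firewall modify VPN_ROUTE rule 10 action modify
set firewall modify VPN_ROUTE rule 10 description 'traffic from Devices to vtun0'
set firewall modify VPN_ROUTE rule 10 modify table 1
set firewall modify VPN_ROUTE rule 10 source group address-group OPENVPN_COMPUTERS
set interfaces ethernet eth1 vif 13 firewall in modify VPN_ROUTE
set service nat rule 5000 description openvpn
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 protocol all
set service nat rule 5000 source group address-group OPENVPN_COMPUTERS
set service nat rule 5000 type masquerade
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set interfaces openvpn vtun0 config-file /config/auth/pia-vpn-us.ovpn
"""


def parse_set_lines(text):
    """Return one token list per 'set ...' line, with the leading 'set' dropped.
    shlex handles quoted values such as 'openvpn hosts'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            rows.append(shlex.split(line)[1:])
    return rows


def check_pbr(text):
    """Return a list of human-readable problems; an empty list means the
    address-groups, modify rules, tables and NAT rules are consistent."""
    groups, attached, tables, nat = set(), set(), {}, {}
    rules = {}  # (ruleset name, rule number) -> {"table": ..., "group": ...}
    for t in parse_set_lines(text):
        if not t:
            continue
        if t[:3] == ["firewall", "group", "address-group"] and len(t) > 5 and t[4] == "address":
            groups.add(t[3])
        elif t[:2] == ["firewall", "modify"] and len(t) >= 6 and t[3] == "rule":
            r = rules.setdefault((t[2], t[4]), {})
            if t[5:7] == ["modify", "table"]:
                r["table"] = t[7]
            elif t[5:8] == ["source", "group", "address-group"]:
                r["group"] = t[8]
        elif t[0] == "interfaces" and t[-3:-1] == ["in", "modify"]:
            attached.add(t[-1])  # ruleset bound to an interface's inbound chain
        elif t[:3] == ["protocols", "static", "table"] and "0.0.0.0/0" in t:
            # interface-route tells us the exit interface; a plain next-hop IP does not
            tables[t[3]] = t[-1] if t[4] == "interface-route" else None
        elif t[:3] == ["service", "nat", "rule"]:
            n = nat.setdefault(t[3], {})
            if t[4] == "outbound-interface":
                n["iface"] = t[5]
            elif t[4:7] == ["source", "group", "address-group"]:
                n["group"] = t[7]
            elif t[4] == "type":
                n["type"] = t[5]

    problems = []
    for (name, no), r in rules.items():
        where = f"firewall modify {name} rule {no}"
        group, table = r.get("group"), r.get("table")
        if group not in groups:
            problems.append(f"{where}: source address-group {group!r} is not defined")
        if name not in attached:
            problems.append(f"{where}: ruleset {name} is not attached with 'firewall in modify'")
        if table not in tables:
            problems.append(f"{where}: table {table} has no 0.0.0.0/0 route; marked traffic "
                            "falls through to the main table")
            continue
        exit_if = tables[table]
        if exit_if and not any(n.get("type") == "masquerade" and n.get("iface") == exit_if
                               and n.get("group") == group for n in nat.values()):
            problems.append(f"{where}: no masquerade NAT rule for {group} leaving via {exit_if}")
    return problems


if __name__ == "__main__":
    print("as posted:", check_pbr(VPN_CONFIG) or "OK")
    # Constructed failure: drop the table 1 default route, as if vtun0's route were never set.
    no_route = VPN_CONFIG.replace(
        "set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0\n", "")
    print("without table 1 route:", check_pbr(no_route))
```

Paste the output of "show configuration commands" (or the relevant "set" lines) into VPN_CONFIG to check all three portions at once; for the eth0 tables that use a plain next-hop IP the script cannot know the exit interface, so it only verifies that the table has a default route.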