Ubiquiti Security Gateway USG Controller Override

I have a few Ubiquiti Security Gateways (USG) deployed at remote sites, and I have some basic UniFi controller configs I can push centrally to these devices.

Ubiquiti allows central override of the JSON configuration from the controller1 by editing the config.gateway.json on the controller:

  1. Set up the USGs, and connect them to the controller. Ensure the necessary ports are open on the controller, and that basic config changes are pushed correctly to the USGs.
  2. Create the OpenVPN configs, and put the DDNS update script in place on the devices.
  3. Create /usr/lib/unifi/data/sites/(sitename)/config.gateway.json as follows:
         "interfaces": {
                 "openvpn": {
                         "vtun0": {
                                 "description": "OpenVPN server",
                                 "encryption": "aes256",
                                 "hash": "sha256",
                                 "mode": "server",
                                 "openvpn-option": [
                                         "--port 1194",
                                         "--comp-lzo yes",
                                         "--keepalive 10 120",
                                         "--user nobody",
                                         "--group nogroup"
                                 "server": {
                                         "name-server": [
                                         "push-route": [
                                         "subnet": ""
                                 "tls": {
                                         "ca-cert-file": "/config/openvpn/demoCA/cacert.pem",
                                         "cert-file": "/config/openvpn/server.pem",
                                         "dh-file": "/config/openvpn/dh2048.pem",
                                         "key-file": "/config/openvpn/server-decrypted.key"
         "system": {
                 "task-scheduler": {
                         "task": {
                                 "ddns": {
                                         "executable": {
                                                 "path": "/config/dnsmadeeasy.sh"
                                         "interval": "10m"
  4. Confirm the json file parses on the controller.
    python -m json.tool config.gateway.json