UniFi Network – Configuring Site-to-Site VPNs

Site-to-site VPNs are primarily used by businesses looking to connect numerous remote locations. If you are a home user, we strongly recommend Teleport VPN—our fast, secure, one-click remote access solution that requires no configuration. 

To learn more about Teleport and other UniFi VPN options, check out our Introduction to UniFi VPNs.

Setup

UniFi gateways support two site-to-site VPN protocols: IPsec and OpenVPN. Depending on the one you select, you will need to ensure that the following settings are the same for all gateways used to create site-to-site connections:

We recommend using UniFi gateways at all of your sites to maximize connection compatibility and performance. Additionally, some third-party gateways allow you to configure settings that are unavailable in the UniFi Network application. Troubleshooting these types of settings lies outside of Ubiquiti Support’s scope, but you can check out our Considerations for Third-Party Equipment: Site-to-Site VPNs for more information.

IPsec

  • Pre-Shared Key: This is used to authenticate VPN connections. 
  • UniFi Gateway IP: This is your UniFi gateway’s public IP address.
  • Shared Remote Subnets: This is the list of networks shared by the remote gateway. Please note that UniFi gateways share all local networks. You must ensure that there are no overlaps within your sites’ local subnets.
  • Remote IP: This is the remote gateway’s WAN IP address.

Additional Notes:

  • There are also Advanced settings that should match across all gateways. We recommend using the default settings unless you are proficient with VPN security.
  • Your UniFi gateway will automatically create the static routes required to direct traffic through the VPN. Do not try to create new ones for this purpose.

OpenVPN

The OpenVPN Site-to-site VPN uses a 512-character pre-shared key for authentication. The key should be the same for both gateways and shouldn’t contain line breaks. You can either create this key yourself or generate it on your UniFi gateway. To do this:

  1. SSH into your UniFi gateway.
  2. Generate your key by using the following command: openvpn --genkey secret /tmp/ovpn
  3. You can now view/copy the key by running the command: cat /tmp/ovpn
    Note: Be sure to remove any line breaks when copying the key.

Note: USGs must use generate vpn openvpn-key /tmp/ovpn to generate the key, then sudo cat /tmp/ovpn to view/copy the key.
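The steps above end with copying the key out of /tmp/ovpn without line breaks. The following shell helper is an added example, not part of the UniFi article or of OpenVPN itself: it strips the comment header, the BEGIN/END markers and every line break from a static key file and then checks that what remains is exactly the 512 hexadecimal characters the site-to-site form expects. Because the openvpn binary is not assumed to be installed where this runs, a constructed file in the same layout stands in for the one `openvpn --genkey secret /tmp/ovpn` would produce on the gateway; the function names are my own.

```shell
#!/bin/sh
# Added helper (not UniFi or OpenVPN code): flatten an OpenVPN static key file
# into the single 512-hex-character string the site-to-site form expects, and
# verify it before pasting it into the UI. On a UniFi gateway the real file
# comes from:  openvpn --genkey secret /tmp/ovpn
# Here a constructed file in the same layout stands in for it.
set -eu

# Print the key body: drop '#' comment lines and the BEGIN/END markers, then
# remove every line break and any stray whitespace.
extract_ovpn_key() {
  grep -Ev '^[[:space:]]*(#|-----)' "$1" | tr -d '[:space:]'
}

# Return 0 if the flattened key is exactly 512 hexadecimal characters,
# 1 if it is the wrong length or contains anything other than hex digits.
validate_ovpn_key() {
  key=$1
  [ "${#key}" -eq 512 ] || return 1
  case $key in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  return 0
}

# Write a constructed sample in the layout 'openvpn --genkey' produces:
# comment header, BEGIN marker, 16 lines of 32 hex characters, END marker.
# Line i is the byte value i repeated 16 times, so it is obviously not a real key.
make_sample_keyfile() {
  {
    echo '#'
    echo '# 2048 bit OpenVPN static key (constructed sample, not a real key)'
    echo '#'
    echo '-----BEGIN OpenVPN Static key V1-----'
    i=0
    while [ "$i" -lt 16 ]; do
      line=''; j=0
      while [ "$j" -lt 16 ]; do
        line="$line$(printf '%02x' "$i")"
        j=$((j + 1))
      done
      echo "$line"
      i=$((i + 1))
    done
    echo '-----END OpenVPN Static key V1-----'
  } > "$1"
}

# Demo: build the sample file, flatten it, and confirm it is safe to paste.
tmpkey=$(mktemp)
make_sample_keyfile "$tmpkey"
flat=$(extract_ovpn_key "$tmpkey")
if validate_ovpn_key "$flat"; then
  echo "Key is ready to paste (${#flat} hex characters, no line breaks)."
else
  echo "Key is malformed; regenerate it before configuring the tunnel." >&2
fi
rm -f "$tmpkey"
```

On a gateway you would replace the sample file with /tmp/ovpn (the USG equivalent from the note above) and run extract_ovpn_key on it; the validation step catches the two mistakes that cause a silent authentication failure on the far side, a key truncated during copy and one that still carries a line break.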

Additionally, the following information is required:

  • Local Tunnel IP Address: This is the IP used for your local “tunnel”. Traffic sent to the remote gateway will be routed through this IP address. This address should be available on the local and remote site. We recommend selecting a private IP from a subnet that is unused on both gateways.
  • Local Port: By default, UDP Port 1194 is used for OpenVPN. This port must not be used by other services or other OpenVPN connections. If you’re using multiple OpenVPN tunnels, each one must be assigned to its own port. The local and remote ports do not need to be the same.
  • Shared Remote Subnets: This is the list of networks shared by the remote gateway. Please note that UniFi gateways share all local networks. You must ensure that there are no overlaps within your sites’ local subnets.
  • Remote IP Address: This is the remote gateway’s WAN IP address.
  • Remote Tunnel IP Address: This is the IP address of the remote gateway’s tunnel. Do not enter the gateway’s WAN IP.
  • Remote Port: This is the remote gateway’s OpenVPN port. The local and remote ports do not need to be the same.

Note: Your UniFi gateway will automatically create the static routes required to direct traffic through the VPN. Do not try to create new ones for this purpose.

Troubleshooting

If you’re unable to establish a VPN tunnel between your sites, or your connection drops periodically, you likely have at least one site with an incorrect VPN or network configuration. Please refer to the common mistakes below.

Your UniFi Gateway Does Not Have a Public IP address (Double NAT)

This typically occurs if your UniFi Gateway is located behind another router/modem that uses Network Address Translation (NAT). You are likely affected if your UniFi Gateway has a WAN IP address in one of the following ranges:

  • 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
  • 172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
  • 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
  • 100.64.0.0/10 (100.64.0.0 – 100.127.255.255)

To resolve this, set your upstream router to Bridge Mode. If this is not possible, try forwarding the necessary ports from the upstream router/modem to your UniFi gateway. IPsec uses UDP Port 500 and 4500. By default, OpenVPN uses UDP Port 1194, but this can be changed. Please note that this will not work if your upstream router doesn’t have a public IP address. 

If this doesn’t work, we recommend contacting your ISP. Please note that IP addresses in the 100.64.0.0/10 subnet range always require ISP assistance in order to establish a VPN connection.

Required Ports are Blocked by an Upstream Device or Forwarded by Your UniFi Gateway to Another Device on Your Local Network

Make sure that no third-party routers, firewalls, or ISP modems are blocking the required ports from reaching any of the gateways supporting your site-to-site VPN. IPsec uses UDP Port 500 and 4500. By default, OpenVPN uses UDP Port 1194, but this can be changed. Please note that if you reconfigure a port for one gateway, you must also reconfigure the same port for all other site-to-site VPN gateways.

Once you confirm that your traffic is not being blocked, please ensure that your UniFi gateway is not forwarding these ports to another device on your local network. You can remove existing port forwarding rules in the Firewall & Security section of your UniFi Network application.

Authentication Failures Due to Mismatched Gateway Configurations

Every gateway supporting your site-to-site VPN must have the same configuration, including Advanced settings. Failure to do so will prevent you from establishing a VPN connection or sustaining one for a long period of time.

We recommend using UniFi gateways at all of your sites to maximize connection compatibility and performance. This is because some third-party gateways allow you to configure settings that are not available in the UniFi Network application, but rather automatically set in the background. A mismatch in these configurations can still result in a connection failure. Troubleshooting these types of settings lies outside of Ubiquiti Support’s scope, but you can check out our Considerations for Third-Party Equipment: Site-to-Site VPNs for more information.

Also, please note that UniFi gateways are configured to share all local networks. Ensure these are configured in the paired gateway’s Shared Remote Subnets list.

Your Client Is Routing Over the VPN, but Its Traffic is Prohibited

In this scenario, the client can connect to the VPN but cannot communicate with any other devices on the local network.

To resolve this, please ensure that there are no traffic or firewall rules preventing VPN clients from communicating with your local network. Alternatively, individual clients on the local network could be dropping incoming traffic at their local firewalls. The Windows firewall, for example, drops all ICMPv4 (ping) traffic by default. 

If you are testing with ping, then you will need to allow the traffic through the Windows firewall. For more details, please refer to Microsoft’s support page.

Your Sites Have Overlapping IP Ranges

Overlapping IPs can prevent a VPN from establishing. Even if the VPN tunnel is established, it may prevent proper communication across the VPN. This is because a client will always prioritize IP addresses on a local network connection rather than those on the opposite end of a VPN. The only way to prevent overlapping is to review each gateway’s local networks and, if necessary, adjust their IP address ranges. For example, if one gateway has a local network configured to 192.168.0.0/24, its IP addresses range from 192.168.0.1 – 192.168.0.255. Your remote gateway should not use any addresses within that range.
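Two of the checks this article asks you to make by hand, whether any local subnet at one site overlaps a subnet at the other (this section and the Shared Remote Subnets notes above) and whether a gateway's WAN address falls in one of the four ranges listed under Double NAT, can be scripted. The POSIX shell below is an added example, not part of the UniFi article: it converts dotted-quad addresses to integers, tests two CIDR prefixes for overlap, walks two site subnet lists, and classifies a WAN address against the 10/8, 172.16/12, 192.168/16 and 100.64/10 ranges. The site subnets and WAN addresses are constructed sample values, and the function names are my own.

```shell
#!/bin/sh
# Added helper (not UniFi code): catch the two planning mistakes this article
# describes before building the tunnel.
#   1. Do any of site A's local subnets overlap site B's subnets?
#   2. Is a gateway's WAN address inside a range that signals double NAT
#      (10/8, 172.16/12, 192.168/16, 100.64/10)?
set -eu

# Dotted quad -> unsigned 32-bit integer (e.g. 192.168.0.1 -> 3232235521).
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if CIDR $1 and CIDR $2 share at least one address.
# Two prefixes overlap exactly when their network bits agree under the
# shorter of the two prefix lengths.
cidr_overlap() {
  n1=${1%/*}; p1=${1#*/}
  n2=${2%/*}; p2=${2#*/}
  p=$p1
  if [ "$p2" -lt "$p" ]; then p=$p2; fi
  mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( $(ip2int "$n1") & mask )) -eq $(( $(ip2int "$n2") & mask )) ]
}

# Print every overlapping pair between two space-separated CIDR lists.
# Return 0 when the sites can be paired safely, 1 when any overlap exists.
find_overlaps() {
  found=0
  for a in $1; do
    for b in $2; do
      if cidr_overlap "$a" "$b"; then
        echo "OVERLAP: local $a vs remote $b"
        found=1
      fi
    done
  done
  return $found
}

# Return 0 if the WAN address is in one of the ranges the article lists as
# a sign of double NAT (bridge mode or upstream port forwarding needed).
is_double_nat_ip() {
  for r in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10; do
    if cidr_overlap "$1/32" "$r"; then return 0; fi
  done
  return 1
}

# Constructed sample sites (documentation addresses, not real deployments).
SITE_A_LANS="192.168.1.0/24 192.168.10.0/24 10.20.0.0/16"
SITE_B_LANS="192.168.1.0/24 10.20.5.0/24 172.16.40.0/24"

if find_overlaps "$SITE_A_LANS" "$SITE_B_LANS"; then
  echo "No overlapping subnets between the sites."
else
  echo "Renumber the overlapping networks before building the tunnel." >&2
fi

for wan in 203.0.113.7 100.72.3.9; do
  if is_double_nat_ip "$wan"; then
    echo "$wan: private or CGNAT WAN address, likely double NAT"
  else
    echo "$wan: public WAN address"
  fi
done
```

With the sample lists the script reports two overlaps: the identical 192.168.1.0/24 at both sites, and site B's 10.20.5.0/24, which sits inside site A's 10.20.0.0/16. Remember that UniFi gateways share all of their local networks, so every local subnet belongs in the list you test, not only the ones you intend to reach across the tunnel.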

Overlapping IP ranges may prevent proper communication across your VPN, or they can prevent the connection from establishing altogether. Assuming the VPN establishes,

Your Client Has Split Tunneling

This will prevent clients from communicating with certain VPN-connected devices despite being connected to the network itself. To resolve this, we recommend routing all traffic through your VPN:

  • For Windows clients, enable Use default gateway on remote network in the Advanced TCP/IP Settings.
  • For Mac clients, enable Send all traffic over VPN connection in your VPN network preferences.

For more OS-specific guidance, please contact your device’s manufacturer.

Source:
https://help.ui.com/hc/en-us/articles/360002426234-UniFi-Network-Configuring-Site-to-Site-VPNs