UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP
Support Resources
Store
Support Resources
UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP Store

UniFi Video is a legacy product line.

This application and its related devices will no longer receive any manner of technical support, including functional and security updates. Additionally, there will be no further updates to Help Center content pertaining to UniFi Video.

UniFi Network - VPN Server (L2TP)

We strongly recommend Teleport VPN for most users seeking to remotely access their UniFi OS Console’s network. It’s faster, more secure, and requires zero configuration. 

For more information about Teleport and other VPN options, see Introduction to VPNs.

Setup

VPN server configuration requires a UniFi gateway and a public IP address. We recommend obtaining a static public IP address from your ISP to avoid having to reconfigure all of your clients every time your IP changes. Your UniFi gateway will automatically update server-side settings.

If the UniFi gateway is behind NAT and the upstream modem/router cannot be placed in bridged mode, then we recommend to use a different VPN server technology such as Teleport or Wireguard.

Note: Dynamic DNS can be used to avoid reconfiguring your clients’ VPN when IP changes occur, but this process is not outlined here.

To set up a VPN server, you must create a Pre-shared Key (UniFi generates a secure one automatically) and user credentials (Username and Password) that are entered on clients to authenticate their remote network access. 

Note: Users are linked to the UniFi gateway’s internal RADIUS server. Although UniFi supports third-party RADIUS server integration, we recommend contacting the third-party server provider if you have troubleshooting questions.

Configuring Clients

You can connect any L2TP VPN client, including those provided by Microsoft Windows or macOS. We recommend using your operating system’s native VPN client.

Although we outline OS-specific client configuration processes below, we still recommend consulting your device’s manufacturer on how to use their platform’s VPN client.

Microsoft Windows 11

  1. Go to Settings > Network & internet > VPN > VPN connections > Add VPN and select L2TP/IPsec with pre-shared key as your VPN type.

    Note: Your username, password, and pre-shared key are the same as those in your UniFi Network settings.
  2. Go to Settings > Network & internet > Advanced network settings > More network adapter options > L2TP Adapter properties
  3. Click the Security tab, then set your authentication method to MS-CHAP v2.

macOS

  1. Go to System Preferences > Network > +
  2. Select VPN in the Interface field.
  3. Select L2TP over IPsec in the VPN Type field.
  4. Enter l2tp as the Service Name.

    Note: Your username, password, and pre-shared key are the same as those in your UniFi Network settings.
  5. Route all traffic through the VPN by going to Options > Session Options and selecting Send all traffic over VPN connection.

Traffic over the VPN

When a VPN client connects to the UniFi gateway, it will automatically have access to the local networks. It is not necessary to create firewall rules to allow this traffic.

VPN clients can be prevented from accessing certain networks. This is done by creating a LAN Out firewall rule with the L2TP Gateway/Subnet set as the Source and the local network set as the Destination. Further customization such as limiting the traffic to a certain port or protocol is possible as well.

Troubleshooting

If your client cannot connect to the VPN server, or is unable to route traffic through the VPN, you may receive error messages stating that the server is not responding, the client disconnected, or that a processing error occurred. Your VPN connection may also fail. These events are likely related to one of the following:

Your UniFi Gateway Does Not Have a Public IP Address (Double NAT)

This typically occurs if your UniFi gateway is located behind another router/modem that uses Network Address Translation (NAT). You are likely affected if your UniFi gateway has a WAN IP address in one of the following ranges:

  • 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
  • 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
  • 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
  • 100.64.0.0/10 (100.64.0.0 - 100.127.255.255)

To resolve this, set your upstream router to Bridge Mode or use a different VPN server technology such as Teleport or Wireguard.

Alternatively, try forwarding UDP Ports 500 and 4500 from the upstream router/modem to your UniFi gateway. Please note that this will not work if your upstream router doesn’t have a public IP address and that this method is not recommended as it has conditions depending on the client operating system. 

Note: By default, Windows computers cannot establish L2TP VPN connections with servers behind NAT. To get around this restriction, you will need to manually change the AssumeUDPEncapsulationContextOnSendRule registry value from 0 to 2. For more details, please refer to Microsoft's support page.

For help configuring your device to bridge mode or port forwarding, we recommend contacting your ISP for further assistance. Please note that IP addresses in the 100.64.0.0/10 subnet range always require ISP assistance in order to establish a VPN connection.

Required Ports Are Blocked by an Upstream Device or Forwarded by Your UniFi Gateway to Another Device on Your Local Network

Make sure that no third-party routers, firewalls, or ISP modems are blocking UDP Ports 500 or 4500 from reaching your UniFi gateway. You may need to contact your ISP to verify that your network traffic is being routed correctly.

Once you confirm that your traffic is not being blocked, please ensure that your UniFi gateway is not forwarding these ports to another device on your local network. You can remove existing port forwarding rules in the Firewall & Security section of your UniFi Network application.

Authentication Failures Due to Incorrect Configuration

This occurs when the VPN server and client have mismatching pre-shared keys, authentication methods, or login credentials. Please ensure that all of these match what is configured in your UniFi Network application. Also, ensure that client devices are using the MS-CHAP v2 authentication method, and that the VPN type is set to L2TP. Lastly, verify that you are authenticating with a pre-shared key and not a certificate. 

Re-enter the pre-shared key, username, and password and check for typos.

Your Client Cannot Establish an L2TP Connection

Try using a different client or operating system to verify if this is a client-specific issue. If so, check for any device updates or contact the manufacturer for further assistance.

Note: Most Android clients require you to enable Weak Ciphers in your UniFi Network’s VPN server configuration.

Your Client Is Routing Over the VPN, but Its Traffic is Prohibited

In this scenario, the client can connect to the VPN but cannot communicate with any other devices on the local network.

To resolve this, please ensure that there are no traffic or firewall rules preventing VPN clients from communicating with your local network. Alternatively, individual clients on the local network could be dropping incoming traffic at their local firewalls. The Windows firewall, for example, drops all ICMPv4 (ping) traffic by default. 

If you are testing with ping, then you will need to allow this traffic through the Windows firewall. For more details, please refer to the Microsoft support page.

The Client and VPN Server Use the Same Local IP Range

In this scenario, the client can connect to the VPN but cannot communicate with any devices on the local network. This could be because the client has an IP address that overlaps with the subnet of the network it is attempting to connect to. 

For example, if your client has a 192.168.3.21 address on its local network, and it is trying to connect to the UniFi VPN server configured on the 192.168.3.0/24 subnet, the client will always utilize its local network connection instead of the VPN. To resolve this, either change the client’s local IP or adjust your UniFi Network subnet range.

Your Client Has Split Tunneling

This will prevent clients from communicating with certain VPN-connected devices despite being connected to the network itself. To resolve this, we recommend routing all traffic through your VPN:

  • For Windows clients, enable Use default gateway on remote network in the Advanced TCP/IP Settings.
  • For Mac clients, enable Send all traffic over VPN connection in your VPN network preferences.

For more OS-specific guidance, please contact your device’s manufacturer.

Expedite Your Support Request

If you’re submitting a support request, please include answers to the following to ensure that our Support Engineers are fully apprised of your unique situation and can deliver the best, most personalized support experience possible.

  • What is the model and operating system of each affected client?
  • What error message(s) are you receiving?
  • How are your client(s) configured? (Please provide screenshot(s), if possible.)
  • Have you tested this on a different client?
  • How is each client attempting to connect to the VPN? Is it using LTE data, or is it connected to a different WiFi network?
  • What is the IP address of each affected client, and what is your UniFi gateway’s VPN server subnet range?

Also, please provide a copy of your support file, along with a timestamp of when you last attempted to connect to the VPN server. More detailed instructions can be found here.

  • UniFi OS Console users can obtain their support file from their UniFi OS Settings (*.tgz extension).
  • Self-hosted Network users can obtain their support file from their Network application settings (*.supp extension).
Was this article helpful?
492 out of 1098 found this helpful