
UniFi Network - VPN Server Connection and Troubleshooting

We strongly recommend our Teleport VPN option for most users. Teleport is a one-click VPN that allows you to remotely connect to a UniFi OS Console’s network. It is faster, more secure, and requires much less configuration compared to traditional remote access VPNs.

Connecting Client Devices to your VPN Server

Prior to setting up your VPN, it is important to make sure that your UniFi Gateway has a static public IP address. A VPN can still work without one, but it becomes much more difficult to set up and manage.

You can connect using any L2TP VPN client, such as those provided by Microsoft Windows or macOS. We recommend using the operating system's native VPN client.

Although we provide a brief overview for your reference, you should consult with the device manufacturer for the most detailed instruction on using their platform’s VPN client.

Microsoft Windows 11

  1. Navigate to Settings > Network & Internet > VPN > Add a VPN connection and choose L2TP/IPsec with pre-shared key as the VPN type. 
  2. Username, Password, and Pre-shared Key are the same as what is set on your UniFi Network settings. 
  3. Navigate to Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties, select the Security tab and set the authentication method to MS-CHAP v2.

macOS

  1. Navigate to System Preferences > Network > "+". Select the Interface as VPN, VPN Type as L2TP over IPsec, and Service Name as l2tp.
  2. Username, Password, and Pre-shared Key are the same as what is set on your UniFi Network settings. 
  3. It is recommended that you route all traffic through the VPN by performing Options > Session Options and choosing “Send all traffic over VPN connection”.

Troubleshooting Connection to your VPN Server

This section applies if the client is not able to connect to the VPN Server or is unable to route traffic over the VPN. Common error messages logged by the client are that the server is not responding, that the connection failed, or that there is a 'processing error'.

Your UniFi Gateway does not have a public IP address (Double NAT)
This occurs when your UniFi Gateway is located behind another router/modem that uses NAT. You are likely affected by this if your UniFi Gateway has a WAN IP address in one of the following ranges:

  • 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
  • 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
  • 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
  • 100.64.0.0/10 (100.64.0.0 - 100.127.255.255)

To fix this issue, you must forward UDP port 500 and UDP port 4500 on the upstream router/modem to the WAN IP address of your UniFi Gateway. Note that the upstream router needs to have a public IP address for this port forwarding to work.

If possible, another option is to set the upstream router to Bridge Mode.

By default, Windows computers will be unable to establish L2TP VPN connections to servers behind NAT. To get around this, you will need to manually change the AssumeUDPEncapsulationContextOnSendRule registry value from 0 to 2. Refer to Microsoft’s support page here for more details.

Your UniFi Gateway is forwarding UDP port 500 or UDP port 4500 to another device on your LAN
Check if any port forwarding rules exist in your UniFi Network Application’s Firewall & Security section, and then remove them.

Authentication Failure
This indicates your VPN Server and VPN Client may have a mismatch in their Pre-shared Key, their authentication method, or their credentials (username/password).

Check to confirm that the pre-shared key, username, password and authentication method (MS-CHAP v2) match what is configured in your UniFi Network Application. Also confirm that the VPN type is set correctly to L2TP, and that you are authenticating with a pre-shared key and not a certificate.

Retype the pre-shared key and username/password to rule out any typing errors. If the issue persists, try using a simpler pre-shared key and/or password without any special characters to test the VPN.

There is another issue affecting the VPN client that is preventing the L2TP connection from establishing
Try using a different client or operating system. An issue isolated to a single device indicates a client-side error. In this case you should check for any updates and contact the device manufacturer for further assistance.

The VPN Client is routing over the VPN, but the traffic is not allowed
In this situation, the VPN client is able to connect to the VPN but is not able to reach any of the clients on the LAN network.

Verify if there are any Traffic Rules or Firewall Rules configured that might prevent the remote VPN clients from communicating with the LAN.

Another reason why the connection might fail is that the LAN clients are actively dropping the traffic at their local firewalls. The Windows Firewall, for example, drops all ICMPv4 (ping) traffic by default. If you are testing with ping, you will need to allow this traffic through the Windows Firewall. See the Microsoft support page here for more information.

The VPN Client and VPN server are using the same LAN network range
In this situation, the VPN client is able to connect to the VPN but is not able to reach any of the clients on the LAN network. This is caused by the fact that the LAN network used by the client and the UniFi LAN are the same (192.168.1.0/24 for example). The VPN client will always prefer the locally connected network over the network that is accessible over the VPN. 

This can be resolved by changing the UniFi Network’s LAN IP range, or by changing the local network used by the client.
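The two configuration problems above (a Double NAT WAN address and an overlapping LAN range) can both be checked before anyone opens a VPN client. The following Python script is an added example and not part of the UniFi Network Application; the WAN IP and subnets it runs against are constructed sample values, and the `diagnose` function name is an assumption.

```python
import ipaddress
from typing import List, Optional

# Ranges the article lists as evidence that the gateway's WAN address is
# itself behind NAT (RFC 1918 private space plus the 100.64.0.0/10 CGNAT block).
NAT_RANGES = {
    "10.0.0.0/8": "RFC 1918 private",
    "172.16.0.0/12": "RFC 1918 private",
    "192.168.0.0/16": "RFC 1918 private",
    "100.64.0.0/10": "carrier-grade NAT (CGNAT)",
}
# L2TP/IPsec needs these UDP ports to reach the gateway (IKE and NAT-T).
REQUIRED_UDP_PORTS = (500, 4500)


def double_nat_range(wan_ip: str) -> Optional[str]:
    """Return the matching NAT range if the WAN IP is not public, else None."""
    addr = ipaddress.ip_address(wan_ip)
    for cidr in NAT_RANGES:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def diagnose(wan_ip: str, unifi_lan: str, client_lan: str) -> List[str]:
    """Collect findings for the two setup problems the article describes."""
    findings = []
    cidr = double_nat_range(wan_ip)
    if cidr is not None:
        findings.append(
            f"double NAT: WAN IP {wan_ip} is in {cidr} ({NAT_RANGES[cidr]}); "
            f"forward UDP {REQUIRED_UDP_PORTS[0]} and {REQUIRED_UDP_PORTS[1]} on the "
            f"upstream router to {wan_ip}, or put the upstream router in bridge mode"
        )
    remote = ipaddress.ip_network(unifi_lan, strict=False)
    local = ipaddress.ip_network(client_lan, strict=False)
    if remote.overlaps(local):
        findings.append(
            f"subnet overlap: client LAN {local} overlaps UniFi LAN {remote}; "
            "the client prefers its directly connected network, so renumber one side"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample values for a setup with both problems (hypothetical).
    for line in diagnose("192.168.0.2", "192.168.1.0/24", "192.168.1.0/24"):
        print(line)
```

An empty result means neither problem applies and the remaining sections (port forwards on the gateway, authentication, firewall rules) are the next things to check.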
