UniFi Identity Enterprise - Set Up One-Click VPN in the Legacy User Interface
This section includes a series of articles that explain how to set up and manage your One-Click VPN.
Note: You must activate a UniFi Identity Enterprise workspace and install the Identity Enterprise Agent application before setting up a One-Click VPN.
You need to configure port forwarding when your UniFi Console does not have a public IP but its parent router does.
Note: If your console has multiple router levels above it, you will need to configure port forwarding at each level, from top to bottom.
Before setting up your One-Click VPN, you need to configure your deployment in the UniFi Network application by using either:
- An uplink router directly connected to your network that has port forwarding already configured.
- A public network IP. We recommend using this when your console's public IP doesn't match your WAN IP.
Note: If your console has a public IP address, you can skip the port forwarding instructions.
Create Port Forwarding Rules in UniFi Network
- Connect the UniFi Console's WAN port to the top-level router.
- Sign in to your UniFi OS Portal.
- Go to Applications > Network.
- Go to Settings > Firewall & Security > Port Forwarding.
- Click Create New Port Forwarding.
- Configure the new rule:
- Enter the port's name.
- Enable "Forward Rule" to implement the configured port forwarding rule.
- Select your WAN Interface type.
- Select the port forwarding source network in the From field. If you select Any, you can skip the Source configuration.
- If you selected Limited in the From field, select the source network's IP in the Source field.
- Enter the Port number.
- Enter the console's WAN IP in the Forward IP field.
- Set the Forward Port to 10118.
- Select the network's Protocol (UDP is recommended).
- Enable or disable Logging depending on your preference.
- Click Apply Changes.
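As an added illustration (not part of the UniFi documentation), the following Python check models the multi-level forwarding chain described above and verifies that each level's Forward IP and Forward Port hand traffic to the next router down, ending at the console on UDP 10118. The ForwardRule model, the router labels and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

CONSOLE_VPN_PORT = 10118  # Forward Port the article specifies for One-Click VPN

@dataclass(frozen=True)
class ForwardRule:
    """One port-forwarding rule on one router in the chain, top level first (constructed model)."""
    router: str        # label for the router holding the rule
    wan_ip: str        # this router's own WAN address
    port: int          # inbound port opened on this router's WAN
    forward_ip: str    # Forward IP: where the traffic is sent next
    forward_port: int  # Forward Port
    protocol: str = "UDP"
    enabled: bool = True

def validate_chain(rules, console_wan_ip):
    """Return a list of problems; an empty list means the chain reaches the console."""
    problems = []
    if not rules:
        return ["no port forwarding rules configured"]
    for i, rule in enumerate(rules):
        for addr in (rule.wan_ip, rule.forward_ip):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{rule.router}: '{addr}' is not a valid IP address")
        if not rule.enabled:
            problems.append(f"{rule.router}: 'Forward Rule' is disabled")
        if rule.protocol.upper() != "UDP":
            problems.append(f"{rule.router}: protocol {rule.protocol}, UDP is recommended")
        # Each rule must hand traffic to the next router down, or to the console at the end.
        if i + 1 < len(rules):
            nxt = rules[i + 1]
            hop, expect_ip, expect_port = nxt.router, nxt.wan_ip, nxt.port
        else:
            hop, expect_ip, expect_port = "UniFi Console", console_wan_ip, CONSOLE_VPN_PORT
        if rule.forward_ip != expect_ip:
            problems.append(f"{rule.router}: forwards to {rule.forward_ip}, expected {hop} at {expect_ip}")
        if rule.forward_port != expect_port:
            problems.append(f"{rule.router}: forward port {rule.forward_port}, expected {expect_port}")
    return problems

# Constructed two-level deployment: ISP router -> office router -> UniFi Console.
CHAIN = [
    ForwardRule("isp-router", "203.0.113.10", 10118, "192.168.1.2", 10118),
    ForwardRule("office-router", "192.168.1.2", 10118, "192.168.50.1", 10118),
]
CONSOLE_WAN_IP = "192.168.50.1"
```

Calling `validate_chain(CHAIN, CONSOLE_WAN_IP)` on the constructed chain returns an empty list; a rule that forwards to the wrong port or uses TCP is reported by router label.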
Configure Public IP Settings in UniFi Network
- Sign in to your UniFi OS Portal.
- Go to Applications > UniFi Network.
- Go to Settings > Internet.
- Select the WAN port.
- Click Edit.
- Go to the Advanced section.
- Enable Manual.
- Configure the IPv4 network advanced settings:
- Go to IPv4 Connection.
- Select Static IP.
- Configure the following settings:
- DNS Server: Disable Auto to configure the primary and secondary DNS servers. These are provided by your ISP.
- IPv4 Connection: Set a static IP.
- IPv4 Address: This is your specified IP address.
- Subnet Mask
- Router
- Click Apply Changes.
Set Up One-Click VPN
Requirements
Note: If you have already set up UniFi Identity Enterprise OpenVPN, it must be deleted before WireGuard VPN can be set up.
VPN Type | Device Requirements | Application Requirements |
OpenVPN | | N/A |
WireGuard VPN | | |
Set Up One-Click VPN
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Select a site from the drop-down menu in the top left corner.
- Go to the dashboard.
- Click One-Click VPN.
- Click Set Up on the following page.
- Configure the VPN settings as needed (see the table below for more information).
Setting | Action |
Name | Enter the network name. |
Assign to all users of the current site | Enable to automatically assign this VPN to all users of the selected site. |
Deploy on | Select the UniFi Console that will host the VPN. |
Type | UniFi Identity currently supports OpenVPN and WireGuard VPN. |
VPN Server | Sync with the Public IP of UniFi Console: When enabled, the VPN server auto-syncs with the public IP address of the UniFi Console. Enabling this option is suggested if you are using dynamic IPs. |
Protocol | Select the network's protocol. |
Notes:
- You cannot modify an outer VPN port if your UniFi Console's public IP is the same as the WAN IP.
- If your public IP and the WAN IP are different, you will need to create a port forwarding rule. For more details, see Network Deployment above.
- (Optional) Click Show Advanced Settings to configure the following settings.
Setting | Action |
Gateway IP/Subnet | Enter an IP address. |
DNS Server 1 | Enter an IP address for the primary DNS server. |
DNS Server 2 | Enter an IP address for the secondary DNS server. |
Default DNS Suffix | Enter the DNS Suffix. Default DNS Suffix allows administrators to set a DNS suffix that is automatically filled following the hostname element. This means that Windows clients only need to enter the hostname element to access resources through their FQDNs. |
Custom Routing | Specify which IP addresses or subnets are routed through the One-Click VPN tunnel when VPN Proxy is set to Intranet mode. In Intranet mode only the configured addresses or subnets go through the tunnel, so employees working remotely can reach the resources that are accessible only from the company network without routing all of their traffic through the VPN. This can significantly reduce the bandwidth used by One-Click VPN-connected clients and in turn increase the internet speed of One-Click VPN. Note: This function only applies to clients using the Intranet VPN Proxy mode; Global mode still routes all traffic through the VPN tunnel. |
Maximum Connection Time | Specify the VPN session duration. |
- Click Continue. A setup confirmation message will appear.
- Click OK.
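To make the Intranet-mode behaviour of Custom Routing concrete, here is an added Python example (not UniFi's code) that parses a constructed Custom Routing list and decides, for a given destination, whether it would enter the tunnel in Intranet mode versus Global mode. The function names, the catch-all warning and the sample entries are the example's own assumptions.

```python
import ipaddress

def parse_custom_routes(entries):
    """Parse Custom Routing entries (single IPs or CIDR subnets) into networks.

    Returns (networks, warnings). Overlapping entries are collapsed per address
    family; an entry covering every address is flagged, because it would make
    Intranet mode tunnel all traffic just like Global mode.
    """
    nets, warnings = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            warnings.append(f"ignored invalid entry: {entry!r}")
            continue
        if net.prefixlen == 0:
            warnings.append(f"{entry} matches every address; Intranet mode would act like Global")
        nets.append(net)
    # collapse_addresses refuses mixed families, so collapse IPv4 and IPv6 separately
    collapsed = []
    for version in (4, 6):
        collapsed += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return collapsed, warnings

def via_tunnel(mode, routes, destination):
    """Decide whether traffic to `destination` enters the One-Click VPN tunnel."""
    if mode == "Global":
        return True  # Global mode: everything goes through the tunnel
    if mode != "Intranet":
        raise ValueError(f"unknown VPN Proxy mode: {mode}")
    addr = ipaddress.ip_address(destination)
    # an address of the other family is never "in" a network, so mixed input is safe
    return any(addr in net for net in routes)

# Constructed Custom Routing list: an office /16, a subnet already inside it,
# one single host, and an IPv6 prefix from the documentation range.
ROUTES, WARNINGS = parse_custom_routes(
    ["10.10.0.0/16", "10.10.5.0/24", "192.168.100.7", "2001:db8::/32"]
)
```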