UniFi Identity Enterprise - Set Up One-Click VPN in the Legacy User Interface

This section includes a series of articles that explain how to set up and manage your One-Click VPN.

Note: You must activate a UniFi Identity Enterprise workspace and install the Identity Enterprise Agent application before setting up a One-Click VPN. 

You need to configure port forwarding when your UniFi Console does not have a public IP, but its parent route does.

Note: If your console has multi-level routes above it, you will need to configure the port forwarding for each level from top to bottom.

Before setting up your One-Click VPN, you need to configure your deployment in the UniFi Network application by using either:

  • An uplink router directly connected to your network that has port forwarding already configured.
  • A public network IP. We recommend using this when your console's public network doesn't match your WAN IP.

Note: If your console has a public IP address, you can skip the port forwarding instructions.

Create Port Forwarding Rules in UniFi Network 

  1. Connect the UniFi Console's WAN port to the top-level router.
  2. Sign in to your UniFi OS Portal.
  3. Go to Applications > Network.
  4. Go to Settings > Firewall & Security > Port Forwarding.
  5. Click Create New Port Forwarding.
  6. Configure the new rule:
    1. Enter the port's name.
    2. Enable "Forward Rule" to implement the configured port forwarding rule.
    3. Select your WAN Interface type.
    4. Select the port forwarding source network in the From field. If you select Any, you can skip the Source configurations.
      1. Select the source network's IP in the Source field, if you select Limited in the From field.
    5. Enter the Port number.
    6. Enter the console's WAN IP in the Forward IP field.
    7. Set the Forward Port to 10118.
    8. Select the network's Protocol (UDP is recommended).
    9. Enable or disable Logging depending on your preference.

  7. Click Apply Changes.

Configure Public IP Settings in UniFi Network

  1. Sign in to your UniFi OS Portal.
  2. Go to Applications > UniFi Network.
  3. Go to Settings > Internet.
  4. Select the WAN port.
  5. Click Edit.
  6. Go to the Advanced section.
  7. Enable Manual.
  8. Configure the IPv4 network advanced settings:
    1. Go to IPv4 Connection.
    2. Select Static IP.
    3. Configure the following settings:
      • DNS Server: Disable Auto to configure the primary and secondary DNS servers. These are provided by your ISP.
      • IPv4 Connection: Set a static IP.
      • IPv4 Address: This is your specified IP address.
      • Subnet Mask
      • Router

  9. Click Apply Changes.

Set Up One-Click VPN


Note: If you have already set up UniFi Identity Enterprise OpenVPN, it must be deleted before WireGuard VPN can be set up.

VPN Type Device Requirements Application Requirements
  • Dream Machine (UDM)
  • Dream Machine Pro (UDM Pro)
  • Dream Machine Special Edition (UDM SE)
WireGuard VPN
  • Dream Machine (UDM)
  • Dream Machine Pro (UDM Pro)
  • Dream Machine Special Edition (UDM SE)
  • Cloud Key Gen2 Plus (CKP)
  • UniFi Dream Wall (UDW) (EA)
  • Identity Enterprise Agent: v1.51.1 or later
  • Identity Enterprise mobile app for Android: v0.55.2 or later
  • Identity Enterprise mobile app for iOS: v0.55.4 or later
  • Identity Enterprise desktop app for macOS: 0.55.1 or later
  • Identity Enterprise desktop app for Windows: 0.55.1 or later

Set Up One-Click VPN

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Select a site from the drop-down menu in the top left corner.
  3. Go to the dashboard.
  4. Click One-Click VPN.
  5. Click Set Up on the following page.
  6. Configure the VPN settings as needed (see the table below for more information).
Setting Action
Name Enter the network name.
Assign to all users of the current site Enable to automatically assign this VPN to all users of the selected site.
Deploy on Select the UniFi Console that will host the VPN.
Type UniFi Identity currently supports OpenVPN and WireGuard VPN.
VPN Server Sync with the Public IP of UniFi Console: When enabled, the VPN server will auto-sync with the public IP address of UniFi Console. It's suggested to enable this option if you are using dynamic IPs.
  • Option 1: Enable Sync with the Public IP of UniFi Console.
  • Option 2: Disable Sync with the Public IP of UniFi Console, and enter the public IP address of UniFi Console.
Protocol Select the network's protocol.


  • You cannot modify an outer VPN port if your UniFi Console's public IP is the same as the WAN IP.
  • If your public IP and the WAN IP are different, you will need to create a port forwarding rule. For more details, see Network Deployment above.
  1. Show Advanced Settings to configure the following settings (Optional).
Setting Action
Gateway IP/Subnet Enter an IP address.
DNS Server 1 Enter an IP address for the primary DNS server.
DNS Server 2 Enter an IP address for the secondary DNS server.
Default DNS Suffix Enter the DNS Suffix.
Default DNS Suffix allows administrators to set a DNS suffix that is automatically filled following the hostname element. This means that Windows clients only need to enter the hostname element to access resources through their FQDNs.
Custom Routing Specify which IP address or subnet will be routed through the One-Click VPN tunnel when VPN Proxy is set to the Intranet mode.
Custom routing allows the configured IP addresses or subnets to still go through the One-Click VPN tunnel when the client is set to the Intranet mode. Without the need to route all traffic through the One-Click VPN tunnel, employees working remotely can use One-Click VPN to simply access the resources that are accessible only from the company network. The Intranet mode can significantly reduce the bandwidth usage coming from the One-Click VPN-connected clients, and in turn increase the internet speed of One-Click VPN.
Note: This function only applies to clients using the Intranet VPN Proxy mode, the Global mode will still route all traffic through the VPN tunnel.
Maximum Connection Time Specify the VPN session duration.
  1. Click Continue. A setup confirmation message will appear.
  2. Click OK.



Was this article helpful?
5 out of 12 found this helpful