UniFi Identity Enterprise - One-Click VPN
Requirements
One-Click VPN is automatically enabled once the requirements are met.
- Your UniFi Consoles support One-Click VPN. Only one VPN can be enabled per console.
- You have activated UniFi Identity Enterprise or have added your consoles to UniFi Identity Enterprise.
- You have deployed your network following the steps below:
- You have created port forwarding rules if your UniFi Console does not have a public IP, but its parent route does.
- You have configured port forwarding for each level, from top to bottom, if your UniFi Console has multi-level routes above it.
- You have configured your network deployment in the UniFi Network application by using either of the following:
- An uplink router that is directly connected to your network and already has port forwarding configured.
- A public network IP. We recommend using this when your console's public network doesn't match your WAN IP.
- Your applications have met the following requirements:
- Identity Enterprise Agent: v1.54.6 or later
- UniFi Identity Enterprise mobile app for Android: v0.55.2 or later
- UniFi Identity Enterprise mobile app for iOS: v0.55.4 or later
- UniFi Identity Enterprise desktop app for macOS: 0.55.1 or later
- UniFi Identity Enterprise desktop app for Windows: 0.55.1 or later
Configure One-Click VPN on CloudKeys
To configure One-Click VPN on your CloudKey, you must connect it to a PoE switch and a UniFi Security Gateway (USG) or a UXG series product.
- CloudKey:
- CloudKey Gen2 Plus (UCKP)
- CloudKey Enterprise (UCK-Enterprise)
- CloudKey Gen2 (UCK)
- UXG series products:
Note: CloudKey only supports WireGuard VPN.
Installation Guide
If Your USG or UXG Is the Top-Level Router and Has a Public IP Address
Create a port forwarding rule in your USG or UXG to forward the port to your CloudKey’s UDP port (51820).
- Go to your Network application > Settings > Security > Port Forwarding.
- Configure the new port forwarding rule:
- Name: Enter the port forwarding rule name.
- Forward Rule: Tick the checkbox to enable the rule.
- Interface: Select your WAN type.
- From: Select the port forwarding source network.
- If you select Any, the Source field will not show up.
- If you select Limited, you need to select the source network's IP in the Source field.
- Port: Enter the port number.
- Forward IP: Enter the console's WAN IP.
- Forward Port: Set the forward port to 51820.
- Protocol: Select UDP.
- Logging: Tick the checkbox if you want to log the port forward traffic.
- Click Apply Changes and see Manage VPN Settings below for the next step.
If Your USG or UXG Is Not the Top-Level Router or Does Not Have a Public IP Address
- Set up port forwarding for each level from the top-level parent router to the lower-level child routers.
- Create a port forwarding rule in your USG or UXG to forward the port to your CloudKey’s UDP port (51820). See details in If Your USG or UXG Is the Top-Level Router and Has a Public IP Address.
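A configuration check for the forwarding chain described above, written for this page as an added example (it is not Ubiquiti code and uses a hypothetical data model mirroring the UniFi Network port forwarding form). It walks each router level from the top-level router down and confirms that an enabled UDP rule hands the traffic to the next level's WAN IP and finally to the CloudKey on port 51820.

```python
"""Verify a One-Click VPN port-forwarding chain level by level (added example,
not Ubiquiti code). Each RouterLevel models one router; each ForwardRule models
the Name / Forward Rule / Interface / From / Source / Port / Forward IP /
Forward Port / Protocol fields of the UniFi Network port forwarding form."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address

WIREGUARD_PORT = 51820  # the CloudKey listens for WireGuard on this UDP port


@dataclass
class ForwardRule:
    name: str
    enabled: bool          # "Forward Rule" checkbox
    interface: str         # e.g. "WAN"
    from_net: str          # "Any" or "Limited"
    source: str | None     # required when from_net == "Limited"
    port: int              # external port on this router
    forward_ip: str        # next hop: child router's WAN IP or the CloudKey
    forward_port: int
    protocol: str          # "UDP", "TCP" or "TCP/UDP"


@dataclass
class RouterLevel:
    name: str
    wan_ip: str
    rules: list[ForwardRule] = field(default_factory=list)


def check_chain(levels: list[RouterLevel], cloudkey_ip: str, external_port: int) -> list[str]:
    """Return the problems found; an empty list means UDP reaches the CloudKey on 51820.
    levels[0] is the top-level router that owns the public IP."""
    problems: list[str] = []
    expected_port = external_port
    for depth, level in enumerate(levels):
        next_hop = levels[depth + 1].wan_ip if depth + 1 < len(levels) else cloudkey_ip
        hits = [r for r in level.rules
                if r.enabled and r.port == expected_port and r.protocol in ("UDP", "TCP/UDP")]
        if not hits:
            problems.append(f"{level.name}: no enabled UDP rule for external port {expected_port}")
            break  # nothing further down can receive the traffic
        rule = hits[0]
        if rule.from_net == "Limited" and not rule.source:
            problems.append(f"{level.name}/{rule.name}: From=Limited requires a Source")
        if ip_address(rule.forward_ip) != ip_address(next_hop):
            problems.append(f"{level.name}/{rule.name}: Forward IP {rule.forward_ip} is not next hop {next_hop}")
        expected_port = rule.forward_port  # the port the next level must accept on
    else:
        if expected_port != WIREGUARD_PORT:
            problems.append(f"last level forwards to port {expected_port}, CloudKey expects {WIREGUARD_PORT}")
    return problems
```

The IP addresses in any chain you feed it are your own; the sample values below are constructed for the test only.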
Manage VPN Settings
Manually Set Up One-Click VPN
If your One-Click VPN service is not automatically enabled or has been disabled, you can manually set it up.
- Go to Services > One-Click VPN and do any of the following:
- If the workspace has one site: Select the console where you want to set up One-Click VPN, and Click to Enable it.
- If the workspace has multiple sites: Go to Sites, select a site, select the console where you want to set up One-Click VPN, and Click to Enable it or click + New VPN.
- Specify the required information. See the Manage VPN Settings on a Console section below for details about each field.
Manually Disable One-Click VPN
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Services > One-Click VPN and do any of the following:
- When the workspace has one site:
- Go to VPN, hover your mouse over the console, and click the Disable icon.
- Go to VPN, click the One-Click VPN, and click Disable VPN.
- Go to Console, hover your mouse over the console, and click the Disable icon.
- When the workspace has multiple sites:
- Go to Sites, hover your mouse over the console, and click the Disable icon.
- Go to Sites, click a site, go to VPN, click a One-Click VPN, and click Disable VPN.
- Go to Sites, click a site, go to Console, hover your mouse over a console, and click the Disable icon.
Remove One-Click VPN
- Go to Services > One-Click VPN and do any of the following:
- When the workspace has one site: Go to VPN, click the One-Click VPN, and click Remove.
- When the workspace has multiple sites: Go to Sites, click a site, go to VPN, click a One-Click VPN, and click Remove.
View VPN Activities of All Sites
- Go to Services and click One-Click VPN.
- On the prompted panel, view the overall One-Click VPN information of all sites:
- Site Enabled: The number of sites with One-Click VPN enabled (VPN-enabled sites/total sites).
- Active Users (24h): The number of users connected to One-Click VPN in the past 24 hours.
- Activities (24h): The number of One-Click VPN connections in the past 24 hours.
- Success Rate: The success rate of One-Click VPN connections.
Manage VPN Settings for All Sites
- Go to Services and click One-Click VPN.
- Go to Advanced to set the Default VPN Proxy. Once set, users can still change it by going to their Identity Enterprise desktop app > Settings > VPN > Proxy.
- Global: Route all traffic on the client to the VPN server's network.
- Intranet: Route only the traffic destined for the VPN server's intranet. Internet traffic still uses the client's network.
- If OpenVPN is set up, you can also set the following:
- OpenVPN Password Lifetime: Set passwords to be valid for one day, one week, one month, three months, or six months.
- OpenVPN Password Expire At: Specify the time of day at which a password expires on its expiration date.
- OpenVPN Password Strength: Drag the bar to set the length and select whether passwords must contain symbols or numbers.
Manage VPN Settings on a Console
- Go to Services and click One-Click VPN.
- Do either of the following:
- If the workspace has one site: Go to VPN and click the One-Click VPN.
- If the workspace has multiple sites: Go to Sites, click a site, go to VPN, and click a One-Click VPN.
- Manage the VPN settings:
- VPN Name: Enter the VPN name.
- Server Address: Enter the domain name of your VPN server or the IP of your UniFi Console or Linux host device.
- Sync with the UniFi Console's public IP:
- When ticked, the VPN server address automatically follows the console's public IP address. Enable this option if the console uses a dynamic IP.
- When unticked, manually enter the console's public IP address and port.
- Assigned Users: The groups and users assigned to this One-Click VPN.
- Configure the Advanced settings and click Save:
- Protocol
- Gateway IP/Subnet: Enter an IP address.
- DNS Server 1: Enter an IP address for the primary DNS server.
- DNS Server 2: Enter an IP address for the secondary DNS server.
- Default DNS Suffix: The configured suffix is appended automatically to a bare hostname, so Windows clients only need to enter the hostname to reach resources by their FQDNs.
- Custom Routing: Specify which IP addresses or subnets are routed through the One-Click VPN tunnel when VPN Proxy is set to Intranet mode. This setting only applies to clients in Intranet mode; Global mode still routes all traffic through the tunnel.
- Custom routing allows the configured IP addresses or subnets to still go through the One-Click VPN tunnel when the client is set to the Intranet mode.
- Without the need to route all traffic through the One-Click VPN tunnel, employees working remotely can use One-Click VPN to simply access the resources that are accessible only from the company network.
- The Intranet mode can significantly reduce the bandwidth usage coming from the One-Click VPN-connected clients, and in turn increase the internet speed of One-Click VPN.
- Maximum Connection Time: Specify the maximum duration of a One-Click VPN connection. The connection is disconnected automatically once this time elapses.
- Adaptive VPN: Tick the checkbox and add a VPN policy and rule to determine whether users need to meet certain requirements to connect to VPN. Refer to Adaptive VPN for details.
- VPN Policy: Select the default or custom VPN policy.
- Edit VPN Policy: Click it to edit your VPN policy and rule in Security > Identity Firewall > Policy > VPN.
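The VPN Proxy modes and Custom Routing entries above decide, per destination, whether a client sends a packet through the tunnel or out its local network. The following is an added example written for this page (not Ubiquiti's client code); it assumes that Intranet mode tunnels the Gateway IP/Subnet plus any Custom Routing entries, and that Global mode tunnels everything regardless of Custom Routing.

```python
"""Model One-Click VPN client traffic selection for the Global and Intranet
VPN Proxy modes (added example, not Ubiquiti code). Assumption: in Intranet
mode only the Gateway IP/Subnet and the Custom Routing entries traverse the
tunnel; in Global mode every destination does."""
from ipaddress import ip_address, ip_network


def tunneled(mode: str, gateway_subnet: str, custom_routes: list[str], dst: str) -> bool:
    """True if traffic to dst goes through the One-Click VPN tunnel."""
    if mode == "Global":
        return True  # Custom Routing is irrelevant: all traffic is tunneled
    if mode != "Intranet":
        raise ValueError(f"unknown VPN Proxy mode: {mode}")
    addr = ip_address(dst)
    # strict=False accepts a host address such as 10.10.0.1/24 as the Gateway IP/Subnet
    nets = [ip_network(gateway_subnet, strict=False)]
    nets += [ip_network(route, strict=False) for route in custom_routes]
    return any(addr in net for net in nets)


def split_traffic(mode: str, gateway_subnet: str, custom_routes: list[str],
                  destinations: list[str]) -> tuple[list[str], list[str]]:
    """Partition destinations into (via_tunnel, via_local_network)."""
    via_tunnel: list[str] = []
    via_local: list[str] = []
    for dst in destinations:
        if tunneled(mode, gateway_subnet, custom_routes, dst):
            via_tunnel.append(dst)
        else:
            via_local.append(dst)
    return via_tunnel, via_local
```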
Notes
- You cannot modify an outer VPN port if your UniFi Console's public IP is the same as the WAN IP.
- If your public IP and the WAN IP are different, you will need to create a port forwarding rule.