
Troubleshooting Identity One-Click VPN Issues

This guide helps administrators troubleshoot common One-Click VPN server issues, and helps end users troubleshoot common One-Click VPN connection issues.

Troubleshooting VPN Server Issues for Administrators

Important: A VPN should always use a private LAN address to avoid routing conflicts, NAT issues, and security risks. The private IP ranges are:

    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16

Issue 1: VPN connection established, but no internet access

Step 1: Verify the console's WAN IP is a public IP

  • Ensure the WAN IP of your UniFi Console is not within the CGNAT IP range (100.64.0.0 to 100.127.255.255).
  • To check the WAN IP, go to Site Manager > UniFi Console > Network > Settings > Control Plane > Console > Controls > About This Console.

Step 2: Configure port forwarding if the WAN IP is private

  • If the WAN IP is private, configure port forwarding in your upstream router. Go to Site Manager > UniFi Console > Network > Settings > Routing > Port Forwarding.
  • If there is more than one router between the console and the public IP address, port forwarding must be configured on each upstream router (multi-level port forwarding).

Step 3: Ensure correct IP binding for dual-WAN setup

  • TCP ensures reliable return paths in a dual-WAN environment. When a client connects via WAN2, the server replies through the same interface (WAN2), maintaining a consistent connection path.
  • Ensure port forwarding targets the default WAN interface in Site Manager > UniFi Console > Network > Settings > Policy Engine > Port Forwarding.

If your setup includes VPN access, please note that UniFi Identity Enterprise's WireGuard VPN does not support WAN failover. For scenarios where failover is required, consider using OpenVPN over TCP, which handles multi-WAN environments more reliably.
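The Step 1 check above (is the console's WAN IP public, private, or in the CGNAT range?) decides whether Step 2 applies. The following script is an added example, not part of this article or of UniFi OS; it classifies an IPv4 address against the three private ranges listed at the top of the guide and the CGNAT range quoted in Step 1, and maps the result onto the steps of Issue 1. The range boundaries are tested explicitly rather than with the `ipaddress` module's `is_private` flag, because that flag does not treat the CGNAT block as private on older Python versions.

```python
import ipaddress
import sys

# Ranges quoted in the article: RFC 1918 private space and the CGNAT block
# 100.64.0.0 - 100.127.255.255, which is 100.64.0.0/10 in CIDR notation.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(ip_text: str) -> str:
    """Return 'private', 'cgnat', 'public' or 'invalid' for an IPv4 WAN address."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    if ip.version != 4:
        # The article's checks are written for IPv4 only.
        return "invalid"
    if ip in CGNAT_RANGE:
        return "cgnat"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def next_step(ip_text: str) -> str:
    """Map the classification onto the troubleshooting steps of Issue 1."""
    kind = classify_wan_ip(ip_text)
    if kind == "public":
        return "Step 1 passes: the WAN IP is public; continue with Step 3."
    if kind == "private":
        return "Step 2 applies: the WAN IP is private; configure port forwarding on the upstream router."
    if kind == "cgnat":
        return ("Step 1 fails: the WAN IP is inside the CGNAT range, so the console is not "
                "reachable from the internet and port forwarding on your own router will not help.")
    return "Not a valid IPv4 address."


if __name__ == "__main__":
    # Usage: python wan_ip_check.py <WAN IP shown under About This Console>
    for arg in sys.argv[1:]:
        print(f"{arg}: {next_step(arg)}")
```

Paste the WAN IP shown under About This Console as the argument; the script only classifies the address you give it and makes no network requests.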

Issue 2: Local DNS is not resolved over One-Click VPN

If you're using your UniFi Console as the DNS server, make sure it is properly configured.

Step 1: Update to the latest UniFi OS version to resolve known DNS issues

  • Go to Site Manager > UniFi Console > Network > Settings > Control Plane > Updates > UniFi OS.

Step 2: Configure the UniFi Console LAN IP as a DNS server

  1. Go to Site Manager > UniFi Console > Network > Settings > VPN > VPN Server > Identity VPN > Advanced > Manual > DNS Server.
  2. Uncheck the Auto option and manually enter your console's LAN IP as a DNS server.

Issue 3: Unable to load a system extension on the end-user's macOS device

Step 1: Check if the device is enrolled in Identity MDM

If the message Click System Preferences and allow Identity to load a new system extension appears on the end-user's Identity Endpoint for macOS, but no prompt appears after clicking System Preferences, check whether the device is enrolled in Identity MDM.

Step 2: Confirm MDM payload settings for System Extensions

If System Extensions MDM payload settings are deployed, end-users cannot approve system extensions unless explicitly allowed by the configuration profiles. For more details, see Apple's help article.

To resolve this, update your MDM provider's settings with the following configuration:

  • Team identifier: 4P645293E8
  • Bundle identifier: com.ui.uid.standard-desktop.network-extension
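The two identifiers above are meant to go into the System Extensions payload of a configuration profile. The script below is an added example, not part of this article or of any UniFi product; it builds that payload with Python's standard `plistlib` and includes a small check that mirrors the rule stated above: once the payload is deployed, an extension loads only if the profile explicitly allows it. The payload type and key names (`com.apple.system-extension-policy`, `AllowedSystemExtensions`, `AllowedSystemExtensionTypes`, `AllowUserOverrides`) are Apple's documented System Extensions payload keys; the `PayloadIdentifier` and `PayloadUUID` values are placeholders you must replace, and the team and bundle identifiers are the ones quoted in this article.

```python
import plistlib

# Identifiers quoted in the article.
TEAM_ID = "4P645293E8"
BUNDLE_ID = "com.ui.uid.standard-desktop.network-extension"


def build_system_extension_payload(team_id: str, bundle_id: str) -> dict:
    """Build a System Extensions payload that pre-approves a single network extension.

    Only the one bundle identifier is listed under the team, rather than allowing the
    whole team via AllowedTeamIdentifiers, so nothing beyond the VPN extension is approved.
    """
    return {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadVersion": 1,
        # Placeholders: use your organisation's reverse-DNS identifier and a fresh UUID.
        "PayloadIdentifier": "com.example.mdm.identity-network-extension",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadDisplayName": "Identity network extension policy",
        # False: users cannot approve extensions that are not listed in this payload.
        "AllowUserOverrides": False,
        "AllowedSystemExtensions": {team_id: [bundle_id]},
        "AllowedSystemExtensionTypes": {team_id: ["NetworkExtension"]},
    }


def build_profile(payload: dict) -> bytes:
    """Wrap the payload in a top-level configuration profile and serialise it as XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.identity-vpn-profile",  # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000002",  # placeholder
        "PayloadDisplayName": "Identity One-Click VPN system extension",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def is_extension_allowed(payload: dict, team_id: str, bundle_id: str,
                         ext_type: str = "NetworkExtension") -> bool:
    """Return True if the payload explicitly allows this extension to load.

    Allowed when the team is listed in AllowedTeamIdentifiers, or the bundle is listed
    under the team in AllowedSystemExtensions; if AllowedSystemExtensionTypes names the
    team, the extension's type must also be listed there.
    """
    team_ok = team_id in payload.get("AllowedTeamIdentifiers", [])
    bundle_ok = bundle_id in payload.get("AllowedSystemExtensions", {}).get(team_id, [])
    if not (team_ok or bundle_ok):
        return False
    allowed_types = payload.get("AllowedSystemExtensionTypes", {}).get(team_id)
    if allowed_types is not None and ext_type not in allowed_types:
        return False
    return True


def needs_user_approval(payload: dict, team_id: str, bundle_id: str) -> bool:
    """True when the extension is not pre-approved but the user may still approve it.

    With AllowUserOverrides set to False this is never True: an unlisted extension is
    blocked outright, which is the situation the article describes (no prompt appears).
    """
    if is_extension_allowed(payload, team_id, bundle_id):
        return False
    return bool(payload.get("AllowUserOverrides", True))


if __name__ == "__main__":
    payload = build_system_extension_payload(TEAM_ID, BUNDLE_ID)
    with open("identity-network-extension.mobileconfig", "wb") as fh:
        fh.write(build_profile(payload))
    print("allowed:", is_extension_allowed(payload, TEAM_ID, BUNDLE_ID))
```

The generated `.mobileconfig` is unsigned; sign it with your MDM provider's tooling (or import the payload values into the provider's own System Extensions policy) before deploying it. Most MDM products expose these same keys as form fields, so the dictionary shows which field each identifier belongs in.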

If the issues persist after trying the steps above, send the console's support file to uid.support@ui.com for further assistance.

  • To download the support file, go to Site Manager > UniFi Console > Network > Settings > Control Plane > Console > Support File > Full > Download.

Troubleshooting VPN Connection Issues for End-Users

Issue 1: Unable to establish VPN connection on your Identity Endpoint

Step 1: Verify internet connectivity

Ensure your device is online:

  • Open a webpage (e.g., https://www.ui.com).
  • Or, ping 8.8.8.8 to test connectivity.
    1. Do either of the following:
      • For Windows: Press Windows + R, type cmd, and hit Enter.
      • For macOS: Press Cmd + Space, type Terminal, and hit Enter.
    2. Run the following command:
      ping 8.8.8.8

Step 2: Perform checks on your device

  1. Update Identity Endpoint to the latest version.

  2. Sign out, then sign back in to Identity Endpoint.

  3. Restart your device running Identity Endpoint.

  4. Try connecting to One-Click VPN again.

Step 3: Try a different network

Some networks may block VPN traffic. Switch to another network (e.g., from Wi-Fi to mobile hotspot) and try connecting to One-Click VPN again.

Step 4: Disable proxies on your device

For Windows 10 and 11

  1. Go to Settings > Network & Internet > Proxy > Manual proxy setup and turn Use a proxy server to Off.
  2. Ensure Automatically detect settings is On.
  3. Try connecting to One-Click VPN again.

For macOS (Ventura/Sonoma)

  1. Go to System Settings > Network > Select your active network (e.g., Wi-Fi) > Details > Proxies and disable all proxy options.
  2. Click OK, then Apply.
  3. Try connecting to One-Click VPN again.

Step 5: Reset DNS to the default on your device

For Windows 10 and 11

  1. Go to Control Panel > Network and Sharing Center > Change adapter settings > right-click your active network > Properties.
  2. Select Internet Protocol Version 4 (TCP/IPv4) > Properties and choose:
    • Obtain an IP address automatically
    • Obtain DNS server address automatically
  3. Click OK.
  4. Try connecting to One-Click VPN again.

For macOS (Ventura/Sonoma)

  1. Go to System Settings > Network > Select your active network (e.g., Wi-Fi) > Details > DNS.
  2. Remove any custom DNS entries (e.g., 8.8.8.8 or 1.1.1.1) by clicking the minus (-) button.
  3. Click OK, then Apply.
  4. Try connecting to One-Click VPN again.

Step 6: Check for firewall conflicts

For Windows 10 and 11

  1. Go to Settings > Privacy & Security > Windows Security > Firewall & network protection and select your active network (e.g., Private network).
  2. Temporarily turn off Microsoft Defender Firewall to rule out a firewall rule blocking the VPN connection, and turn it back on once you have finished testing.
  3. Try connecting to One-Click VPN again.

Issue 2: "Identity Would Like to Add VPN Configurations" prompted on your macOS device

  1. Click Allow to permit Identity to add VPN configurations.
  2. Once enabled, all network activities on the device will be filtered and monitored during VPN connections.


Issue 3: "System Extension Blocked" prompted on your macOS device

For macOS 15 Sequoia

  1. Click Open System Settings > General > Login Items & Extensions.
  2. Click the i icon beside Network Extensions.
  3. Toggle on Identity to enable the extension.
  4. Click Done.

For macOS 13 Ventura and macOS 14

  1. Click Open System Settings > Privacy & Security.
  2. Click Allow next to the message System software from application "Identity" was blocked from loading.
  3. Verify your identity using Touch ID or password and click Unlock.

For macOS 12 Monterey and Below

  1. Click Open System Preferences > Privacy & Security.
  2. Click the bottom-left Lock icon.
  3. Verify your identity using Touch ID or password and click Unlock.
  4. Click Allow next to the message System software from application "Identity" was blocked from loading.

Issue 4: "Click System Preferences and allow Identity Enterprise to load a new system extension" prompted on your macOS app

If the message "Click System Preferences and allow Identity Enterprise to load a new system extension" shows on your Identity Enterprise macOS app, but no window appears after clicking System Preferences, check whether your device is enrolled in Mobile Device Management (MDM). Also check whether your admin has deployed System Extensions MDM payload settings, which prevent users from approving any system extension not explicitly allowed by the configuration profiles. See Apple's help article for details.

If the System Extensions MDM payload settings have been deployed, your admin can add the following configuration to your MDM settings.

  • Team Identifier: 4P645293E8
  • Bundle identifier: com.ui.uid.standard-desktop.network-extension

If the issues persist after trying the steps above, contact your administrator or submit feedback via the Identity Endpoint.

  • Identity Endpoint desktop: Click the Gear icon > Give Feedback.
  • Identity Enterprise mobile: Tap your Gear icon > Support & Feedback > Feedback.

FAQs

Can I choose between WAN 1 and WAN 2 for One-Click VPN?

No. One-Click VPN only works with the primary WAN. If your primary WAN is set to WAN 1, One-Click VPN will still bind to WAN 1 even if you manually change the server address to WAN 2 in Site Manager > UniFi Console > Settings > VPN > VPN Server > One-Click VPN > Server Address.
