Troubleshooting Identity One-Click VPN
This guide helps administrators troubleshoot common issues related to Identity One-Click VPN.
End users experiencing issues should ensure that Identity Endpoint is up-to-date, and then contact their network admin.
Issue 1: VPN connection established, but no internet access
Step 1: Verify the console's WAN IP is a public IP
- Ensure the WAN IP of your UniFi Console is not within the CGNAT IP range (100.64.0.0 to 100.127.255.255, i.e. 100.64.0.0/10).
- To check the WAN IP, go to your UniFi OS > Settings > Control Plane > Console > Controls > About This Console.
Step 2: Configure port forwarding if the WAN IP is private
- If the WAN IP is private, configure port forwarding in your upstream router. In UniFi OS, go to Network > Settings > Routing > Port Forwarding.
- If the console's public IP is reached through more than one router (multi-level routes), port forwarding must be configured at each level.
Step 3: Check that port 51820 is available
- Ensure that port 51820 is not occupied by other port forwarding rules.
- Go to UniFi Site Manager > Network > Settings > Routing > Port Forwarding to confirm.
Issue 2: Local DNS is not resolved over Identity One-Click VPN
If you're using your UniFi Console as the DNS server, make sure it is properly configured.
Step 1: Update the UniFi OS to the latest version
- If you are on UniFi OS 3.x, update to the latest version to resolve known DNS issues.
Step 2: Configure the UniFi Console LAN IP as DNS server
- In UniFi OS, go to Network > Settings > VPN > VPN Server > Identity VPN.
- Uncheck the "Auto" option under DNS Server, and manually enter your UniFi Console's LAN IP as one of the DNS servers.
Step 3: Contact Identity Support for Assistance
If the issue persists after trying the steps above, send the UniFi Console's support file to uid.support@ui.com for further assistance.
- To download the support file, go to unifi.ui.com > select your UniFi Console > Network > Settings > Control Plane > Console > Download the Support File.
Issue 3: "System Extension Blocked" prompted on end-user's macOS device
For macOS 15 Sequoia
When this prompt appears on the end-user's device:
- Click Open System Settings > General > Login Items & Extensions.
- Click the i icon beside Network Extensions.
- Toggle on Identity to enable the extension.
- Click Done.
For macOS 13 Ventura and macOS 14
When this prompt appears on the end-user's device:
- Click Open System Settings > Privacy & Security.
- Next to the message "System software from application 'Identity' was blocked from loading", click Allow.
- Verify your identity using Touch ID or password and click Unlock.
For macOS 12 Monterey and Below
When this prompt appears on the end-user's device:
- Click Open System Preferences > Privacy & Security.
- Click the bottom-left Lock icon.
- Verify your identity using Touch ID or password and click Unlock.
- Next to the message "System software from application 'Identity' was blocked from loading", click Allow.
Issue 4: "Identity Would Like to Add VPN Configurations" prompted on end-user's macOS device
When this prompt appears on the end-user's device:
- Click Allow to permit Identity to add VPN configurations.
- Once enabled, all network activities on the device will be filtered and monitored during VPN connections.
Issue 5: Unable to load a system extension on end-user's macOS device
Step 1: Check if the device is enrolled in Identity MDM
If the message "Click System Preferences and allow Identity to load a new system extension" appears in Identity Endpoint for macOS on the end-user's device, but no approval prompt appears after clicking System Preferences, check whether the device is enrolled in Identity MDM.
Step 2: Confirm MDM payload settings for System Extensions
If System Extensions MDM payload settings are deployed, users cannot approve system extensions unless explicitly allowed by the configuration profiles. For more details, see Apple's help article.
To resolve this, update your MDM provider's settings with the following configuration:
- Team identifier: 4P645293E8
- Bundle identifier: com.ui.uid.standard-desktop.network-extension