Overview
Readers will learn how to configure IPsec and OpenVPN Site-to-Site VPNs on the UDM and USG models.
- Applicable to the latest firmware on all UDM and USG models.
- The Auto IPsec VTI VPN feature is not supported on the UDM models.
- More information on troubleshooting IPsec Site-to-Site VPNs can be found in the UniFi - UDM/USG: Verifying and Troubleshooting IPsec VPNs article.
Table of Contents
- Frequently Asked Questions (FAQ)
- Configuring Manual IPsec Site-to-Site VPNs
- Configuring Auto IPsec VTI VPNs
- Configuring OpenVPN Site-to-Site VPN
- Related Articles
Frequently Asked Questions (FAQ)
Do I need to manually create firewall rules for the IPsec and OpenVPN Site-to-Site VPN?
Firewall rules are automatically created to allow the defined subnets to communicate over the VPN, so it is not necessary to add them manually. The automatic rules permit all traffic between the local and remote subnets; add your own rules if only specific hosts or services at the other site should be reachable.
What is the difference between Route-Based using Dynamic Routing and Policy-Based VPNs?
Route-Based VPNs (Dynamic Routing option checked) utilize VTI tunnel interfaces and static routes to send traffic over the VPN. Each VPN peer can choose which traffic to send over the VPN, for example a route to the 172.16.1.0/24 network with the next-hop set to the VTI tunnel interface. Policy-Based VPNs (Dynamic Routing option unchecked) do not use a tunnel interface: the local and remote subnets configured on the VPN are negotiated as IPsec traffic selectors, and only traffic matching those selectors is encrypted and sent through the tunnel. The subnets configured on one peer must mirror those on the other, otherwise the tunnel will not be established for the mismatched networks.
What are the different VPN types supported by the UDM/USG?
The following VPN types are available in the UniFi Controller:
- Manual IPsec
- Auto IPsec VTI
- OpenVPN
ATTENTION: The Auto IPsec VTI option is only supported when using the USG models.
Configuring Manual IPsec Site-to-Site VPNs
The UniFi Manual IPsec VPN allows you to connect two locations so that the hosts on the different networks are able to communicate securely. The VPN supports many different encryption/hashing methods and can be configured to utilize Dynamic Routing, see the FAQ section above. The IPsec profile values shown below are a working baseline that most third-party peers accept; where both peers support it, prefer IKEv2 and SHA-256 over IKEv1 and SHA1, keep PFS enabled, and use a long, randomly generated pre-shared key.
Follow the steps below to create a Manual IPsec VPN using either the New or Classic Web UI:
New Web UI
1. Navigate to the Settings > VPN > VPN Connections > UniFi to UniFi VPN section of the UniFi Controller.
2. Select Create UniFi to UniFi VPN.
3. Fill in the fields below and modify where necessary:
Enter VPN Name: <name>
VPN Type: Manual IPsec
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Interface: WAN
Peer IP: <IP address of remote router>
Local WAN IP: <IP address of WAN interface>
Pre-Shared Key: <secret>
IPsec Profile: Customized
Key Exchange Version: IKEv1
Encryption: AES-128
Hash: SHA1
IKE DH Group: 14
PFS: Enabled
ESP DH Group: 14
Dynamic Routing: Checked for Route-Based, unchecked for Policy-Based
4. Apply the changes.
Classic Web UI
1. Navigate to the Settings > Networks section.
2. Select Create New Network > Site-to-Site VPN and select Manual IPsec as the VPN type.
3. Fill in the fields below and modify where necessary:
Name: <name>
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Interface: WAN
Peer IP: <IP address of remote router>
Local WAN IP: <IP address of WAN interface>
Pre-Shared Key: <secret>
IPsec Profile: Customized
Advanced Options
Key Exchange Version: IKEv1
Encryption: AES-128
Hash: SHA1
DH Group: 14
PFS: Enabled
ESP DH Group: 14
Dynamic Routing: Checked for Route-Based, unchecked for Policy-Based
4. Apply the changes.
Configuring Auto IPsec VTI VPNs
The UniFi Auto IPsec VTI VPN allows you to connect two different sites (or multiple sites using a hub-and-spoke topology) and automatically configures and updates the VPN settings.
The Auto IPsec VTI VPN automatically configures and updates the local and remote VPN IP addresses. When using DHCP, for example, the VPN settings on both devices will be updated if a dynamically assigned IP address changes. The following options are automatically configured:
- Remote and local peer IP addresses used by the VPN connection.
- Remote and local subnets that should pass over the VPN.
- VTI interfaces used by the VPN connection.
- Strong, randomly generated pre-shared key.
Follow the steps below to create an Auto IPsec VTI VPN using either the New or Classic Web UI:
New Web UI
1. Navigate to the Settings > VPN > VPN Connections > UniFi to UniFi VPN section of the UniFi Controller.
2. Select Create UniFi to UniFi VPN.
3. Set the VPN Type to Auto IPsec VTI and specify the name of the remote site.
Enter VPN Name: <name>
VPN Type: Auto IPsec VTI
Remote Site: <name>
4. Apply the changes.
Classic Web UI
1. Navigate to the Settings > Networks section.
2. Select Create New Network > Site-to-Site VPN and select Auto IPsec VTI as the VPN type.
3. Enter a name for the VPN connection and select the remote site.
Name: <name>
Purpose: Site-to-Site VPN
VPN Type: Auto IPsec VTI
Remote Site: <name>
4. Apply the changes.
Configuring OpenVPN Site-to-Site VPNs
The UniFi OpenVPN Site-to-Site VPN allows you to connect two locations so that the hosts on the different networks are able to communicate securely. The OpenVPN Site-to-Site VPN uses a 2048-bit static key, written as 512 hexadecimal characters, for both encryption and authentication of the tunnel. You can either create this key yourself or let the UDM/USG generate it. The key must match on both sites and should be a continuous string without line breaks. Treat it like any other shared secret: transfer it to the second site over a secure channel only, since anyone holding the key can decrypt or inject traffic on the tunnel.
UDM
Access the UDM using SSH and run the below commands to generate and display the key. Afterwards, copy the section between BEGIN and END to a separate text file, remove the line breaks, and delete the temporary file from the UDM so the secret does not remain on disk.
openvpn --genkey --secret /tmp/ovpn
cat /tmp/ovpn
USG
Access the USG using SSH and run the below commands to generate and display the key. Afterwards, copy the section between BEGIN and END to a separate text file, remove the line breaks, and delete the temporary file from the USG so the secret does not remain on disk.
generate vpn openvpn-key /tmp/ovpn
sudo cat /tmp/ovpn
Follow the steps below to create an OpenVPN Site-to-Site VPN using either the New or Classic Web UI:
New Web UI
1. Navigate to the Settings > VPN > VPN Connections > UniFi to UniFi VPN section of the UniFi Controller.
2. Select Create UniFi to UniFi VPN.
3. Fill in the fields below and modify where necessary:
Enter VPN Name: <name>
VPN Type: OpenVPN
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Remote Host: <IP address of remote router>
Remote Address: <IP address of remote tunnel interface>
Remote Port: <port used by remote OpenVPN process, 1194 by default>
Local Address: <IP address of local tunnel interface, must be unique>
Local Port: <port used by local OpenVPN process, 1194 by default>
Shared Secret Key: <512 character key>
4. Apply the changes.
Classic Web UI
1. Navigate to the Settings > Networks section.
2. Select Create New Network > Site-to-Site VPN and select OpenVPN as the VPN type.
3. Fill in the fields below and modify where necessary:
Name: <name>
Purpose: Site-to-Site VPN
VPN Type: OpenVPN
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Remote Host: <IP address of remote router>
Remote Address: <IP address of remote tunnel interface>
Remote Port: <port used by remote OpenVPN process, 1194 by default>
Local Address: <IP address of local tunnel interface, must be unique>
Local Port: <port used by local OpenVPN process, 1194 by default>
Shared Secret Key: <512 character key>
4. Apply the changes.