Support Downloads Community

UniFi Video is an obsolete product line.

This application and its related devices will no longer receive any manner of technical support, including functional and security updates. Additionally, there will be no further updates to Help Center content pertaining to UniFi Video.

UniFi - USG/UDM VPN: How to Configure Site-to-Site VPNs

This article describes how to configure IPsec and OpenVPN Site-to-Site VPNs on the UDM and USG models.

NOTES & REQUIREMENTS:
  • Applicable to the latest firmware on all UDM and USG models.

Configuring Manual IPsec Site-to-Site VPNs

The UniFi Manual IPsec VPN allows you to connect two locations so that the hosts on the different networks are able to communicate securely. The VPN supports many different encryption/hashing methods and can be configured to utilize Dynamic Routing, see the Frequently asked questions section.

GUI: Access the UniFi Network web application.

Follow the steps below to create a Manual IPsec VPN using either the New or Classic Web UI:

New Web UI Manual IPsec VPN
Classic Web UI Manual IPsec VPN
  1. Open the UniFi Network application.
  2. Navigate to Settings > Networks and click Add Networks.
  3. Name the Network.
  4. Select the Site to Site VPN and use Manual IPsec for the protocol.
  5. Choose a secret key.
  6. Specify what WAN IP you will use. Note that Dynamic configurations can be broken when a new lease is obtained. 
  7. Choose the subnets you want to route across the VPN.
  8. Input the remote router's WAN IP address.
  9. Click Add Network.
  10. You can now configure the remote site accordingly.

 

1. Navigate to the  settings.png  Settings > Networks section.

2. Select Create New Network > Site-to-Site VPN and select Manual IPsec as the VPN type.

3. Fill in the fields below and modify where necessary:

Name: <name>
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
interface: WAN
Peer IP: <IP address of remote router>
Local WAN IP: <IP address of WAN interface>
Pre-Shared Key: <secret>
IPsec Profile: Customized

Advanced Options

Key Exchange Version: IKEv1
Encryption: AES-128
Hash: SHA1
DH Group: 14
PFS: Enabled
ESP DH Group: 14
Dynamic Routing: Checked for Route-Based, unchecked for Policy-Based

4. Apply the changes.

Configuring OpenVPN Site-to-Site VPNs

The UniFi OpenVPN Site-to-Site VPN allows you to connect two locations so that the hosts on the different networks are able to communicate securely. The OpenVPN Site-to-Site VPN uses a 512 character key for authentication. You can either create this key yourself or let the UDM/USG generate it. The key must match on both sites and should be a continuous string without line breaks.

UDM

Access the UDM using SSH and run the below commands to generate and display the key. Afterward, copy the section between BEGIN and END to a separate text file and remove the line breaks.

 openvpn --genkey --secret /tmp/ovpn
 cat /tmp/ovpn

USG

Access the USG using SSH and run the below commands to generate and display the key. Afterward, copy the section between BEGIN and END to a separate text file and remove the line breaks.

generate vpn openvpn-key /tmp/ovpn
sudo cat /tmp/ovpn
GUI: Access the UniFi Network web application.

Follow the steps below to create an OpenVPN Site-to-Site VPN using either the New or Classic Web UI:

New Web UI OpenVPN Site-to-Site VPN
Classic Web UI OpenVPN Site-to-Site VPN
  1. Select the Settings > Networks and click Add Networks.
  2. Name the Network.
  3. Select the Site to Site VPN and choose OpenVPN for the protocol.
  4. Choose a secret key that is 512 alphanumeric characters. 
  5. Set a unique IP address for the tunnel. For example if my network subnet is 192.168.1.xxx., I could choose any available IP within this range, such as 192.168.1.18. Note  you will need to use this address at the remote site. 
  6. Select the all the desired subnets to be routed across the VPN.
  7. Input the IP or hostname of the remote router.
  8. Enter the IP and port used in step 6.
  9. Click Add Network

1. Navigate to the  settings.png  Settings > Networks section.

2. Select Create New Network > Site-to-Site VPN and select Manual IPsec as the VPN type.

3. Fill in the fields below and modify where necessary:

Name: <name>
Purpose: Site-to-Site VPN
VPN Type: OpenVPN
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Remote Host: <IP address of remote router>
Remote Address: <IP address of remote tunnel interface>
Remote Port: <port used by remote OpenVPN process, 1194 by default>
Local Address: <IP address of local tunnel interface, must be unique>
Local Port: <port used by local OpenVPN process, 1194 by default>
Shared Secret Key: <512 character key>

4. Apply the changes.

Frequently asked questions

Do I need to manually create firewall rules for the IPsec and OpenVPN Site-to-Site VPN?

Firewall rules are automatically created to allow the defined subnets to communicate over the VPN. It is not necessary to manually add firewall rules.

 

What is the difference between Route-Based VPN using Dynamic Routing and Policy-Based VPN?

Route-Based VPNs (Dynamic Routing option checked) utilize VTI tunnel interfaces and static routes to send traffic over the VPN. Each VPN peer can choose which traffic to send over the VPN, for example, a route to the 172.16.1.0/24 network with the next-hop set to the VTI tunnel interface.

Policy-Based VPNs (Dynamic Routing option unchecked) do not utilize any interfaces and match on specific policies to determine which traffic is sent over the VPN. A policy could be, for example, a tunnel between 192.168.1.0/24 (local) and 172.16.1.0/24 (remote). Each VPN peer needs to make sure that the policies and tunnels match exactly (mirrored), otherwise, the VPN will not be established or only partially connected. For example, if the UDM/USG uses the following two tunnels:

  • Tunnel #1 192.168.1.0/24 - 172.16.1.0/24
  • Tunnel #2 192.168.1.0/24 - 10.0.0.0/24

Then the remote peer needs to use:

  • Tunnel #1 172.16.1.0/24 - 192.168.1.0/24
  • Tunnel #2 10.0.0.0/24 - 192.168.1.0/24

If the remote peer uses the tunnel #2 subnets under tunnel #1 for example, then the policy does not match. Likewise, if the remote peer uses 192.168.0.0/16 instead of 192.168.1.0/24, then the policy also does not match and the VPN will not be established. Note that it is not possible to add static routes to send additional subnets over a Policy-Based VPN. Use a Route-Based VPN instead if this functionality is needed. The VPN type (Policy-Based or Route-Based) also needs to match between the peers. It is not possible to use Route-Based on one side and Policy-Based on the other.

 

What are the different VPN types supported by the UDM/USG?

The following VPN types are available in the UniFi Network application:

  • Manual IPsec Create an IPsec Site-to-Site VPN between two locations with or without Dynamic Routing. 
  • OpenVPN Create an OpenVPN Site-to-Site VPN between two locations utilizing static routing.
  • Auto IPsec VTI Create an IPsec Site-to-Site VPN between two sites that are managed by the same Network application.
ATTENTION: The Auto IPsec VTI option is only supported when using the USG models.
Was this article helpful?
141 out of 450 found this helpful

Submit an RMA request

Visit the Ubiquiti RMA portal to submit a warranty claim for your Ubiquiti device.

Visit the RMA portal >

Plan your UniFi Deployment

Use the Design Center to design your UniFi Network using the most suitable products.

Try the UniFi Design Center >

Talk to other Ubiquiti users

Visit our worldwide community of Ubiquiti experts for more answers and solutions.

Ask the Ubiquiti Community >