UniFi - USG/UDM VPN: How to Configure Site-to-Site VPNs

Overview

Readers will learn how to configure IPsec and OpenVPN Site-to-Site VPNs on the UDM and USG models.

NOTES & REQUIREMENTS:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Configuring Manual IPsec Site-to-Site VPNs
  3. Configuring Auto IPsec VTI VPNs
  4. Configuring OpenVPN Site-to-Site VPN
  5. Related Articles

Frequently Asked Questions (FAQ)

Do I need to manually create firewall rules for the IPsec and OpenVPN Site-to-Site VPN?

Firewall rules are automatically created to allow the defined subnets to communicate over the VPN. It is not necessary to manually add firewall rules.

What is the difference between Route-Based using Dynamic Routing and Policy-Based VPNs?

Route-Based VPNs (Dynamic Routing option checked) utilize VTI tunnel interfaces and static routes to send traffic over the VPN. Each VPN peer can choose which traffic to send over the VPN, for example a route to the 172.16.1.0/24 network with the next-hop set to the VTI tunnel interface.

Policy-Based VPNs (Dynamic Routing option unchecked) do not utilize any interfaces and match on specific policies to determine which traffic is sent over the VPN. A policy could be for example, a tunnel between 192.168.1.0/24 (local) and 172.16.1.0/24 (remote). Each VPN peer needs to make sure that the policies and tunnels match exactly (mirrored), otherwise the VPN will not be established or only partly connected. For example, if the UDM/USG uses the following two tunnels:

  • Tunnel #1 192.168.1.0/24 - 172.16.1.0/24
  • Tunnel #2 192.168.1.0/24 - 10.0.0.0/24

Then the remote peer needs to use:

  • Tunnel #1 172.16.1.0/24 - 192.168.1.0/24
  • Tunnel #2 10.0.0.0/24 - 192.168.1.0/24

If the remote peer uses the tunnel #2 subnets under tunnel #1 for example, then the policy does not match. Likewise, if the remote peer uses 192.168.0.0/16 instead of 192.168.1.0/24, then the policy also does not match and the VPN will not be established. Note that it is not possible to add static routes to send additional subnets over a Policy-Based VPN. Use a Route-Based VPN instead if this functionality is needed. The VPN type (Policy-Based or Route-Based) also needs to match between the peers. It is not possible to use Route-Based on one side and Policy-Based on the other.
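As an added illustration (example code written for this article, not Ubiquiti's own), the following Python checks whether two Policy-Based peers' tunnel definitions mirror each other exactly and whether both peers use the same VPN type. The subnets are the ones from the example above; the peer lists, the `check_peers` dictionary layout and the name `dynamic_routing` are constructed for this example. It assumes that tunnel numbering is cosmetic and that only the set of local/remote selector pairs has to match.

```python
import ipaddress

# Constructed sample policies following the article's example: each tunnel is a
# (local subnet, remote subnet) pair as it would be entered on the UDM/USG.
UDM_TUNNELS = [
    ("192.168.1.0/24", "172.16.1.0/24"),  # Tunnel #1
    ("192.168.1.0/24", "10.0.0.0/24"),    # Tunnel #2
]
# The mirror image the remote peer must configure.
REMOTE_MIRRORED = [
    ("172.16.1.0/24", "192.168.1.0/24"),
    ("10.0.0.0/24", "192.168.1.0/24"),
]
# Failure case from the article: the remote side uses 192.168.0.0/16 instead of /24.
REMOTE_SUPERNET = [
    ("172.16.1.0/24", "192.168.0.0/16"),
    ("10.0.0.0/24", "192.168.0.0/16"),
]


def normalize(tunnels):
    """Canonicalise each (local, remote) pair. strict=True rejects host bits set
    in the prefix (e.g. 192.168.1.5/24), which is itself a misconfiguration."""
    return {
        (ipaddress.ip_network(local, strict=True).with_prefixlen,
         ipaddress.ip_network(remote, strict=True).with_prefixlen)
        for local, remote in tunnels
    }


def mirror(tunnels):
    """View the remote peer's pairs from the local side (swap local/remote)."""
    return [(remote, local) for local, remote in tunnels]


def policy_mismatches(local_tunnels, remote_tunnels):
    """Pairs present on one side but not mirrored on the other.
    Tunnel numbering is ignored: only the set of selector pairs matters."""
    expected = normalize(local_tunnels)
    actual = normalize(mirror(remote_tunnels))
    return {
        "missing_on_remote": sorted(expected - actual),
        "unexpected_on_remote": sorted(actual - expected),
    }


def policies_match(local_tunnels, remote_tunnels):
    """True only when the remote peer's policies are the exact mirror image."""
    m = policy_mismatches(local_tunnels, remote_tunnels)
    return not m["missing_on_remote"] and not m["unexpected_on_remote"]


def check_peers(local, remote):
    """Return a list of problems for a peer pair; an empty list means consistent.

    `local` and `remote` are dicts with 'dynamic_routing' (True = Route-Based,
    False = Policy-Based) and 'tunnels' (list of (local, remote) pairs)."""
    problems = []
    if local["dynamic_routing"] != remote["dynamic_routing"]:
        problems.append("VPN type mismatch: one peer is Route-Based, the other Policy-Based")
        return problems
    if local["dynamic_routing"]:
        return problems  # Route-Based: routes to the VTI, not mirrored policies, decide traffic
    m = policy_mismatches(local["tunnels"], remote["tunnels"])
    for local_net, remote_net in m["missing_on_remote"]:
        problems.append(f"no mirrored policy on remote for {local_net} <-> {remote_net}")
    for local_net, remote_net in m["unexpected_on_remote"]:
        problems.append(f"remote policy {remote_net} <-> {local_net} has no local counterpart")
    return problems


if __name__ == "__main__":
    print(check_peers({"dynamic_routing": False, "tunnels": UDM_TUNNELS},
                      {"dynamic_routing": False, "tunnels": REMOTE_SUPERNET}))
```

Run against the supernet case, `check_peers` reports both local tunnels as unmirrored and both remote policies as having no counterpart, which is exactly why the article says such a VPN will not come up: the selectors are compared for equality, not containment.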

What are the different VPN types supported by the UDM/USG?

The following VPN types are available in the UniFi Controller:

  • Manual IPsec: Create an IPsec Site-to-Site VPN between two locations with or without Dynamic Routing.
  • OpenVPN: Create an OpenVPN Site-to-Site VPN between two locations utilizing static routing.
  • Auto IPsec VTI: Create an IPsec Site-to-Site VPN between two sites that are managed by the same UniFi Controller.

ATTENTION: The Auto IPsec VTI option is only supported when using the USG models.

Configuring Manual IPsec Site-to-Site VPNs

The UniFi Manual IPsec VPN allows you to connect two locations so that the hosts on the different networks are able to communicate securely. The VPN supports many different encryption/hashing methods and can be configured to utilize Dynamic Routing, see the FAQ section above.

GUI: Access the UniFi Controller Web UI.

Follow the steps below to create a Manual IPsec VPN using either the New or Classic Web UI (the New Web UI steps are listed first, followed by the Classic Web UI steps):

New Web UI Manual IPsec VPN

1. Navigate to the Settings > VPN > VPN Connections > UniFi to UniFi VPN section of the UniFi Controller.

2. Select Create UniFi to UniFi VPN.

3. Fill in the fields below and modify where necessary:

Enter VPN Name: <name>
VPN Type:
Manual IPsec
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Interface: WAN
Peer IP: <IP address of remote router>
Local WAN IP: <IP address of WAN interface>
Pre-Shared Key: <secret>
IPsec Profile: Customized
Key Exchange Version: IKEv1
Encryption: AES-128
Hash: SHA1
IKE DH Group: 14
PFS: Enabled
ESP DH Group: 14
Dynamic Routing: Checked for Route-Based, unchecked for Policy-Based

4. Apply the changes.

Classic Web UI Manual IPsec VPN

1. Navigate to the Settings > Networks section.

2. Select Create New Network > Site-to-Site VPN and select Manual IPsec as the VPN type.

3. Fill in the fields below and modify where necessary:

Name: <name>
Purpose:
Site-to-Site VPN
VPN Type:
Manual IPsec
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Interface: WAN
Peer IP: <IP address of remote router>
Local WAN IP: <IP address of WAN interface>
Pre-Shared Key: <secret>
IPsec Profile: Customized

Advanced Options

Key Exchange Version: IKEv1
Encryption: AES-128
Hash: SHA1
DH Group: 14
PFS: Enabled
ESP DH Group: 14
Dynamic Routing: Checked for Route-Based, unchecked for Policy-Based

4. Apply the changes.

Configuring Auto IPsec VTI VPNs

The UniFi Auto IPsec VTI VPN allows you to connect two different sites (or multiple sites using a hub-and-spoke topology) and automatically configures and updates the VPN settings.

ATTENTION: The Auto IPsec VTI option is only supported when using the USG models.

The Auto IPsec VTI VPN automatically configures and updates the local and remote VPN IP addresses. When using DHCP, for example, the VPN settings on both devices will be updated if the dynamically assigned IP addresses change. The following options are automatically configured:

  • Remote and local peer IP addresses used by the VPN connection.
  • Remote and local subnets that should pass over the VPN.
  • VTI interfaces used by the VPN connection.
  • Strong, randomly generated pre-shared key.

GUI: Access the UniFi Controller Web UI.

Follow the steps below to create an Auto IPsec VTI VPN using either the New or Classic Web UI (the New Web UI steps are listed first, followed by the Classic Web UI steps):

New Web UI Auto IPsec VTI VPN

1. Navigate to the Settings > VPN > VPN Connections > UniFi to UniFi VPN section of the UniFi Controller.

2. Select Create UniFi to UniFi VPN.

3. Set the VPN Type to Auto IPsec VTI and specify the name of the remote site.

Enter VPN Name: <name>
VPN Type:
Auto IPsec VTI
Remote Site: <name>

4. Apply the changes.

Classic Web UI Auto IPsec VTI VPN

1. Navigate to the Settings > Networks section.

2. Select Create New Network > Site-to-Site VPN and select Auto IPsec VTI as the VPN type.

3. Enter a name for the VPN connection and select the remote site.

Name: <name>
Purpose:
Site-to-Site VPN
VPN Type:
Auto IPsec VTI
Remote Site: <name>

4. Apply the changes.

Configuring OpenVPN Site-to-Site VPNs

The UniFi OpenVPN Site-to-Site VPN allows you to connect two locations so that the hosts on the different networks are able to communicate securely. The OpenVPN Site-to-Site VPN uses a 512 character key for authentication. You can either create this key yourself or let the UDM/USG generate it. The key must match on both sites and should be a continuous string without line breaks.

UDM

Access the UDM using SSH and run the below commands to generate and display the key. Afterwards, copy the section between BEGIN and END to a separate text file and remove the line breaks.

openvpn --genkey --secret /tmp/ovpn
cat /tmp/ovpn

USG

Access the USG using SSH and run the below commands to generate and display the key. Afterwards, copy the section between BEGIN and END to a separate text file and remove the line breaks.

generate vpn openvpn-key /tmp/ovpn
sudo cat /tmp/ovpn
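The commands above produce a key file in which the hex key is split over several lines between the BEGIN and END markers. The following Python (an added example, not part of this article or of the UDM/USG firmware) performs the copy-and-strip step mechanically: it extracts the key, removes the line breaks, checks that the result is exactly 512 hex characters and compares the two sites' keys in constant time. The key file embedded in it is a constructed placeholder in the layout `openvpn --genkey` writes, not a real key; the path `/tmp/ovpn` is the one used above.

```python
import hmac
import re

BEGIN_MARKER = "-----BEGIN OpenVPN Static key V1-----"
END_MARKER = "-----END OpenVPN Static key V1-----"
KEY_HEX_LENGTH = 512  # a 2048-bit static key is 256 bytes, i.e. 512 hex characters

# Constructed sample in the layout `openvpn --genkey` writes. The key material is a
# deterministic placeholder, NOT a real key, so that this example runs offline.
SAMPLE_KEY_HEX = "".join(f"{i:032x}" for i in range(16))
SAMPLE_KEY_FILE = "\n".join(
    ["#", "# 2048 bit OpenVPN static key", "#", BEGIN_MARKER]
    + [SAMPLE_KEY_HEX[i:i + 32] for i in range(0, KEY_HEX_LENGTH, 32)]
    + [END_MARKER, ""]
)


def extract_static_key(key_file_text):
    """Return the key between the BEGIN/END markers as one line without breaks.

    Raises ValueError when a marker is missing or the joined key is not exactly
    512 hexadecimal characters, which is what the Shared Secret Key field expects."""
    lines = [line.strip() for line in key_file_text.splitlines()]
    if BEGIN_MARKER not in lines or END_MARKER not in lines:
        raise ValueError("BEGIN/END markers not found; is this an OpenVPN static key file?")
    start = lines.index(BEGIN_MARKER) + 1
    end = lines.index(END_MARKER)
    if end < start:
        raise ValueError("END marker appears before BEGIN marker")
    key = "".join(lines[start:end])  # drop line breaks and surrounding whitespace
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % KEY_HEX_LENGTH, key):
        raise ValueError(f"expected {KEY_HEX_LENGTH} hex characters, got {len(key)}")
    return key


def is_valid_static_key_file(key_file_text):
    """Boolean wrapper around extract_static_key for quick checks."""
    try:
        extract_static_key(key_file_text)
        return True
    except ValueError:
        return False


def keys_match(key_a, key_b):
    """Compare the two sites' keys in constant time, ignoring hex case."""
    return hmac.compare_digest(key_a.lower().encode(), key_b.lower().encode())


if __name__ == "__main__":
    # Usage on a workstation after copying the file off the device:
    #   python3 this_script.py /tmp/ovpn
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/ovpn"
    with open(path) as fh:
        print(extract_static_key(fh.read()))
```

Paste the printed single-line value into the Shared Secret Key field on both sites; `keys_match` is the check to run on the two extracted strings before assuming a tunnel failure is caused by anything other than a mismatched key.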

GUI: Access the UniFi Controller Web UI.

Follow the steps below to create an OpenVPN Site-to-Site VPN using either the New or Classic Web UI (the New Web UI steps are listed first, followed by the Classic Web UI steps):

New Web UI OpenVPN Site-to-Site VPN

1. Navigate to the Settings > VPN > VPN Connections > UniFi to UniFi VPN section of the UniFi Controller.

2. Select Create UniFi to UniFi VPN.

3. Fill in the fields below and modify where necessary:

Enter VPN Name: <name>
VPN Type:
OpenVPN
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Remote Host: <IP address of remote router>
Remote Address: <IP address of remote tunnel interface>
Remote Port: <port used by remote OpenVPN process, 1194 by default>
Local Address: <IP address of local tunnel interface, must be unique>
Local Port: <port used by local OpenVPN process, 1194 by default>
Shared Secret Key: <512 character key>

4. Apply the changes.

Classic Web UI OpenVPN Site-to-Site VPN

1. Navigate to the Settings > Networks section.

2. Select Create New Network > Site-to-Site VPN and select OpenVPN as the VPN type.

3. Fill in the fields below and modify where necessary:

Name: <name>
Purpose:
Site-to-Site VPN
VPN Type:
OpenVPN
Enabled: Checked
Remote Subnets: <network used at remote location>
Route Distance: 30
Remote Host: <IP address of remote router>
Remote Address: <IP address of remote tunnel interface>
Remote Port: <port used by remote OpenVPN process, 1194 by default>
Local Address: <IP address of local tunnel interface, must be unique>
Local Port: <port used by local OpenVPN process, 1194 by default>
Shared Secret Key: <512 character key>

4. Apply the changes.

Related Articles

UniFi - UDM/USG: Verifying and Troubleshooting IPsec VPNs