This article explains how to set up and manage UID VPN.
Note: If you haven't completed the initial setup of your UID workspace and the UID Agent application, complete it first by following the steps on UID - Getting started.
- Configure your deployment on the UniFi Network application
- Set up UID VPN
- Assign or unassign VPN to a user
- Manage the VPN settings
- Troubleshooting UID VPN issues
Configure your deployment on the UniFi Network application
Before setting up the UID VPN, you need to configure your deployment on the Network application by using either:
- Port forwarding that is configured on the uplink router that's directly connected to your internet source, or
- Public network IP, recommended when the public IP of the UniFi OS Console is different from the WAN IP.
If the UniFi OS Console itself has a public IP address, you do not need to set up port forwarding per the instructions below. If the UniFi OS Console does not have a public IP but its parent route has a public IP, you need to configure port forwarding. If the UniFi OS Console has multiple levels of routes above it, you need to configure port forwarding from the top level route one by one.
To configure the required port forwarding rule in UniFi Network:
- Connect the WAN port of your UniFi OS Console to the top-level router.
- Launch the UniFi Network application and go to Settings > Advanced Gateway Settings > Create New Port Forwarding.
- Enter the required information:
- A name and port number of your choice.
- WAN IP address of the UniFi OS Console in the Forward IP field.
- Forward Port is 10118 and we recommend selecting UDP as protocol.
To configure the public IP in UniFi Network:
- Launch UniFi Network from your UniFi OS Console and go to Settings > Internet.
- Select the WAN port and click Edit to access the WAN details page.
- Within the Advanced section fill in:
- DNS Server: provided by your ISP.
- IPv4 Connection Type: Static IP.
- The IP Address, Subnet Mask, and Router for the public network information.
- Click Apply Changes to finish.
Set up UID VPN
To set up the UID VPN:
- Choose the site from the drop-down field in the upper-left corner to access the site's dashboard and select One-Click VPN in the Services section.
- Configure the VPN name and the rest of the required fields:
- Authorize all users of the current site.
- VPN Server: The IP Address of the selected UniFi OS Console is displayed by default.
- Top-level Routing Port: The port number is 10118 by default. When the public IP of the selected UniFi OS Console is the same as WAN IP, the port number cannot be modified. If they are different, please follow the “To configure the public IP in UniFi Network” section above before continuing.
- Advanced Settings.
- IP/Subnet (Optional).
- DNS (Optional).
Once the VPN has been configured, you can assign users or groups to it in the VPN Dashboard section.
Note: IPv6 is not supported for VPN Server.
Assign or unassign VPN to a user
To assign VPN to a user while on the VPN dashboard:
- Select Assign User, or go to the Users section and then click Assign User at the top-right corner.
- Select the users and/or groups that you will assign the VPN to, and click OK to complete the assignment.
To un-assign user(s) from VPN while on the VPN dashboard:
- Go to the Users section and select one or multiple groups and/or users that need to be un-assigned.
- Click Remove and confirm the pop-up message to complete the un-assignment. Alternatively, you can simply hover over a user or a group, click Remove, and confirm the pop-up message to complete the un-assignment.
Manage the VPN settings
To edit the VPN settings while on the VPN dashboard, go to the VPN section and click on a VPN network to open its properties panel. Here you can edit the necessary settings and click Save to confirm.
Troubleshooting UID VPN issues
Issues with UID VPN connection may include:
- UID VPN disconnecting frequently
- The UID VPN status shows as Connected but you're unable to access the internet
If you're having any of the issues above, make sure that:
- The UID VPN was set up correctly.
- The firewall port 10118 is enabled.
- The UID VPN status is Active in UniFi Network application > Settings > Network.
If you are unable to connect to VPN, please submit your feedback on the UI app and contact your UID administrator.
Note: If you need to modify the UID VPN configuration, please go to UID > One-click VPN > VPN to select the VPN to modify. Please do not modify it in the Network application.
First, confirm that:
- Firewall port 10118 is enabled
- VPN status is Active
- The setup is correct on the VPN configuration (link to document)
If the above configuration status is normal, then follow the below steps to check the port forwarding.
1. Determine if port forwarding is required.
The main thing is to determine whether the UDM has a Public IP. If not, it needs to do port forwarding. Also, if there is a multi-level route between the UDM and the top-level route with public IP, then it needs to do multi-level port forwarding.
There are two methods to check whether the UDM has a public IP.
Method 1: Login to UniFi OS (input UDM_IP on your web browser) > Settings > General to check whether the WAN IP is a Public IP.
Method 2: Use the traceroute command to trace a route as follows:
Then, check if the first router address is a public IP.
2. Use commands to check the operating environment of UID VPN.
uid health vpn
As shown below, the RESULT shows "Congratulations, everything is ok" which means that the operating environment is normal.
3. Check UID VPN Configuration.
Login to UID Manager Portal > One-Click VPN > VPN > click on a VPN network to open its properties panel and check if the VPN configuration is filled in correctly, especially the port and IP.
4. Use the telnet command as follows to check port connectivity (only available when VPN uses TCP protocol).
telnet IP Port
Tip: IP and port are filled in when using VPN configuration
The presence of the word “Connected to” as shown below indicates that the port is available for connection.
If it shows “Unable to connect” as shown below, it means that the port is not connected properly.
5. SSH inLogin to UDM via ssh, and use the following command to capture the packet. Make sure to keep the window open.
tcpdump -i eth8 dst port 10118
Tip: “eth8” is the WAN port of the connected cable port in the UDM, such as eth4 for the UDM Base and eth9 for the UDM Pro. *eth(n-1), “n” indicates the port number of your UDM connected to the WAN port.
Then, connect to the UID VPN from the UI mobile or desktop app and see if there are packets sent and received in the window. If not, there is still a connectivity problem and you need to check the port forwarding and firewall rules.
- If the UID VPN is using TCP protocol, all IPs of the UDM are available to connect.
- If the UID VPN is using UDP protocol, only the primary IP is available to connect.
The reason why other IPs cannot be used is because of the connectionless UDP protocol. When the package that the server replies to the client reaches the network layer, it has forgotten the destination IP address that the client requested. It will always choose the primary IP as the source address of the package to send to the client. Then, the client receives the package and finds that the package source is no longer the address used to send the request.