This article explains how to set up and manage UID VPN.
Note: If you haven't completed the initial setup of your UID workspace and the UID Agent application, complete it first by following the steps on UID - Getting started.
- Configure your deployment on the UniFi Network application
- Set up UID VPN
- Assign or unassign VPN to a user
- Manage the VPN settings
- Troubleshooting UID VPN issues
Configure your deployment on the UniFi Network application
Before setting up the UID VPN, you need to configure your deployment on the Network application by using either:
- Port forwarding that is configured on the uplink router that's directly connected to your internet source, or
- Public network IP, recommended when the public IP of the UniFi OS Console is different from the WAN IP.
If the UniFi OS Console itself has a public IP address, you do not need to set up port forwarding. If the UniFi OS Console does not have a public IP but the router above it does, configure port forwarding on that router. If there are several routers between the UniFi OS Console and the internet, configure a forwarding rule at each level, starting from the top-level router, so that traffic for the VPN port is passed down one hop at a time until it reaches the console.
To configure the required port forwarding rule in UniFi Network:
- Connect the WAN port of your UniFi OS Console to the top-level router.
- Launch the UniFi Network application and go to Settings > Advanced Gateway Settings > Create New Port Forwarding.
- Enter the required information:
- A name and port number of your choice.
- WAN IP address of the UniFi OS Console in the Forward IP field.
- Forward Port: 10118. UDP is the recommended protocol. Forward only this port; the rule should not expose other console services to the internet.
To configure the public IP in UniFi Network:
- Launch UniFi Network from your UniFi OS Console and go to Settings > Internet.
- Select the WAN port and click Edit to access the WAN details page.
- Within the Advanced section fill in:
- DNS Server: provided by your ISP.
- IPv4 Connection Type: Static IP.
- The IP Address, Subnet Mask, and Router for the public network information.
- Click Apply Changes to finish.
Set up UID VPN
To set up the UID VPN:
- Choose the site from the drop-down field in the upper-left corner to access the site's dashboard and select One-Click VPN in the Services section.
- Configure the VPN name and the rest of the required fields:
- Authorize all users of the current site.
- VPN Server: The IP Address of the selected UniFi OS Console is displayed by default.
- Top-level Routing Port: defaults to 10118. When the public IP of the selected UniFi OS Console is the same as its WAN IP, the port number cannot be modified. If they differ, complete the "To configure the public IP in UniFi Network" section above before continuing.
- Advanced Settings.
- IP/Subnet (Optional).
- DNS (Optional).
Once the VPN has been configured, you can assign users or groups to it in the VPN Dashboard section.
Note: IPv6 is not supported for VPN Server.
Assign or unassign VPN to a user
To assign VPN to a user while on the VPN dashboard:
- Select Assign User, or go to the Users section and then click Assign User at the top-right corner.
- Select the users and/or groups that you will assign the VPN to, and click OK to complete the assignment.
To unassign user(s) from the VPN while on the VPN dashboard:
- Go to the Users section and select one or more groups and/or users to unassign.
- Click Remove and confirm the pop-up message. Alternatively, hover over a single user or group, click Remove, and confirm the pop-up message.
Manage the VPN settings
To edit the VPN settings while on the VPN dashboard, go to the VPN section and click on a VPN network to open its properties panel. Here you can edit the necessary settings and click Save to confirm.
Troubleshooting UID VPN issues
Issues with UID VPN connection may include:
- UID VPN disconnecting frequently
- The UID VPN status shows as Connected but you're unable to access the internet
If you're having any of the issues above, make sure that:
- The UID VPN was set up correctly.
- Your firewall allows inbound traffic to port 10118 (UDP by default, or TCP if the VPN was configured with TCP) at every router between the internet and the console.
- The UID VPN status is Active in UniFi Network application > Settings > Network.
For users:
If you are unable to connect to VPN, please submit your feedback on the UI app and contact your UID administrator.
For administrators:
Note: If you need to modify the UID VPN configuration, please go to UID > One-click VPN > VPN to select the VPN to modify. Please do not modify it in the Network application.
First, confirm that:
- Firewall port 10118 is open
- VPN status is Active
- The VPN configuration is correct (see Set up UID VPN above)
If all of the above look normal, check the port forwarding path as follows.
1. Determine whether port forwarding is required.
The key question is whether the UDM has a public IP. If it does not, port forwarding is needed. If there are several routers between the UDM and the top-level router that holds the public IP, port forwarding is needed at each level.
There are two ways to check whether the UDM has a public IP.
Method 1: Log in to UniFi OS (enter UDM_IP in your web browser) > Settings > General and check whether the WAN IP is a public address. Addresses in 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are private. An address in 100.64.0.0/10 means the ISP uses carrier-grade NAT; in that case a forwarding rule on your own router is not enough and you need a public IP from the ISP.
Method 2: Use the traceroute command as follows (the -n option prints addresses instead of host names):
ssh root@UDM_IP
traceroute -n google.com
Then check whether the first hop's address is a public IP. A private first hop means the UDM sits behind another router, which must forward the VPN port to it.
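The following POSIX shell script is an added example (not part of this article or of the UID software) that automates Method 2: it classifies the first hop from `traceroute -n` output as public, private (including carrier-grade NAT) or unknown, which tells you whether a forwarding rule is required. The function names is_public_ipv4, first_hop and classify_first_hop are the example's own, and the traceroute outputs at the bottom are constructed samples using RFC 5737 documentation addresses in place of real public ones.

```shell
#!/bin/sh
# Added example, not UID or UniFi code: decide from the first traceroute hop
# whether the console sits behind NAT. On the console run:
#   traceroute -n google.com | classify_first_hop
# (-n prints addresses instead of host names, which is what the parser expects.)

# Return 0 if $1 is a publicly routable IPv4 address, 1 otherwise.
# Treated as non-public: RFC 1918 (10/8, 172.16/12, 192.168/16), carrier-grade
# NAT 100.64/10 (RFC 6598), loopback 127/8, link-local 169.254/16 and 0/8.
is_public_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;      # only digits and dots allowed
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2
    [ "$a" -eq 10 ] && return 1
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1
    # CGNAT: the ISP shares one public IP among customers; a forwarding rule on
    # your own router cannot help, ask the ISP for a public (static) address.
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1
    [ "$a" -eq 127 ] && return 1
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1
    [ "$a" -eq 0 ] && return 1
    return 0
}

# Print the address of hop 1 from `traceroute -n` output on stdin ("*" if it did not answer).
first_hop() {
    awk '$1 == "1" { print $2; exit }'
}

# Read traceroute output on stdin and print one of:
#   public  - first hop is public: the console most likely has a public IP, no forwarding needed
#   private - first hop is private/CGNAT: the console is behind another router, forward the port there
#   unknown - hop 1 did not answer; check the WAN IP in UniFi OS > Settings > General instead
classify_first_hop() {
    hop=$(first_hop)
    case "$hop" in
        ''|'*') echo unknown; return 0 ;;
    esac
    if is_public_ipv4 "$hop"; then echo public; else echo private; fi
}

# Constructed sample outputs (RFC 5737 documentation addresses stand in for public ones).
SAMPLE_BEHIND_NAT='traceroute to google.com (203.0.113.53), 30 hops max, 46 byte packets
 1  192.168.1.1  0.412 ms  0.380 ms  0.365 ms
 2  203.0.113.1  8.120 ms  7.944 ms  8.001 ms'
SAMPLE_PUBLIC='traceroute to google.com (203.0.113.53), 30 hops max, 46 byte packets
 1  203.0.113.1  7.902 ms  7.811 ms  7.790 ms'

printf '%s\n' "$SAMPLE_BEHIND_NAT" | classify_first_hop   # private
printf '%s\n' "$SAMPLE_PUBLIC" | classify_first_hop       # public
```

A "private" result with a first hop in 100.64.0.0/10 is the CGNAT case: no rule you add on your own routers will make port 10118 reachable from the internet, so the fix has to come from the ISP.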
2. Check the operating environment of UID VPN from the command line.
ssh root@UDM_IP
unifi-os shell
uid health vpn
If the RESULT line reads "Congratulations, everything is ok", the operating environment is normal.
3. Check UID VPN Configuration.
Log in to the UID Manager Portal > One-Click VPN > VPN, click a VPN network to open its properties panel, and check that the VPN configuration is correct, especially the IP address and port.
4. Use telnet to check port connectivity (this works only when the VPN uses TCP, because telnet opens a TCP connection; for UDP, rely on the packet capture in step 5).
telnet IP Port
Tip: use the IP address and port from the VPN configuration.
Output containing "Connected to" means the port accepts connections.
Output containing "Unable to connect" means the port is not reachable; check port forwarding and firewall rules.
5. Log in to the UDM via SSH and run the following command to capture packets. Keep this window open.
ssh root@UDM_IP
tcpdump -i eth8 dst port 10118
Tip: replace eth8 with the interface of the WAN port your uplink cable is plugged into, for example eth4 on the UDM Base or eth9 on the UDM Pro. Interfaces are numbered from zero, so port n is eth(n-1).
Then connect to the UID VPN from the UI mobile or desktop app and watch for packets in the capture window. If none appear, the traffic is not reaching the console: check the port forwarding and firewall rules. The filter dst port 10118 shows only packets arriving at the VPN port; use port 10118 instead to also see the console's replies.
- If the UID VPN uses TCP, clients can connect to any of the UDM's IP addresses.
- If the UID VPN uses UDP, only the primary IP can be used.
Other IPs do not work because UDP is connectionless. When the server's reply reaches the network layer, it no longer knows which destination address the client used; it always picks the primary IP as the source address of the reply. The client then receives a packet whose source address is not the address it sent the request to, and the exchange fails.
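As an added example (not part of this article or of the UID software), the following POSIX shell script reads the text output of the tcpdump capture from step 5 and summarises it: how many packets arrived at the VPN port, how many replies left it, and, per client, whether the console's reply came from the same address the client sent to. A "source mismatch" line is exactly the UDP-on-a-secondary-IP failure described above. The function name analyze_capture is the example's own, it assumes tcpdump's default one-line text format with -nn (no name resolution) and a capture filter of port 10118 rather than dst port 10118 so that both directions are present, and the capture lines at the bottom are constructed samples using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not UID or UniFi code: summarise a tcpdump capture of the VPN port.
# On the console run:  tcpdump -l -nn -i eth8 port 10118 | analyze_capture
# Assumed line format (tcpdump default):
#   12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.10.10118: UDP, length 148

# Read tcpdump lines on stdin; $1 is the VPN port (default 10118).
# Prints packet counts and, per client, whether the console's reply came from
# the same address the client sent to (the UDP primary-IP caveat above).
analyze_capture() {
    awk -v port="${1:-10118}" '
    # addresses appear as host.port; split on the last dot
    function host(s) { return substr(s, 1, match(s, /\.[0-9]+$/) - 1) }
    function prt(s)  { return substr(s, match(s, /\.[0-9]+$/) + 1) }
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if (prt(dst) == port) {            # client -> console
            inbound++; sent_to[host(src)] = host(dst)
        } else if (prt(src) == port) {     # console -> client
            outbound++; reply_from[host(dst)] = host(src)
        }
    }
    END {
        printf "inbound=%d outbound=%d\n", inbound, outbound
        for (c in sent_to) {
            if (!(c in reply_from))
                printf "client %s: no reply seen (traffic not reaching the VPN, or not leaving it)\n", c
            else if (reply_from[c] == sent_to[c])
                printf "client %s: reply source matches %s\n", c, sent_to[c]
            else
                printf "client %s: sent to %s but reply came from %s (source mismatch, UDP on a secondary IP)\n", c, sent_to[c], reply_from[c]
        }
    }'
}

# Constructed sample capture (RFC 5737 documentation addresses stand in for real ones).
# Console primary IP 203.0.113.10, secondary IP 203.0.113.11; three VPN clients.
SAMPLE_CAPTURE='12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.10.10118: UDP, length 148
12:00:01.000420 IP 203.0.113.10.10118 > 198.51.100.7.51234: UDP, length 92
12:00:02.000001 IP 198.51.100.8.40001 > 203.0.113.11.10118: UDP, length 148
12:00:02.000420 IP 203.0.113.10.10118 > 198.51.100.8.40001: UDP, length 92
12:00:03.000001 IP 198.51.100.9.40002 > 203.0.113.10.10118: UDP, length 148'

printf '%s\n' "$SAMPLE_CAPTURE" | analyze_capture
```

In the sample, client 198.51.100.7 used the primary IP and gets a matching reply, client 198.51.100.8 used the secondary IP and gets a reply sourced from the primary (the UDP failure mode), and client 198.51.100.9 gets no reply at all, which points at the VPN service rather than at port forwarding, since its packet did arrive. An "inbound=0" result with a client actively trying to connect means the packets never reach the console: go back to the port forwarding and firewall checks.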