A site-to-site VPN establishes a secure connection between two separate locations, so that devices on either network can communicate as if they were on the same one. Advanced settings can further restrict which traffic crosses the tunnel, but the primary focus here is getting the site-to-site VPN connection working. UniFi supports two configurations: a site-to-site VPN using IPsec and one using OpenVPN.
- Both IPsec and OpenVPN setups can be tricky, especially with double-NAT configurations.
- If you have a double-NAT (the UniFi device sits behind another router), set up port forwarding on that router to the UniFi device.
- If your external IP addresses are dynamic, the OpenVPN setup with DDNS is recommended, because the IPsec setup requires static external IP addresses.
- If both UniFi gateways are connected directly to their modems, the setup is easy. It becomes harder as you add other variables, such as double-NAT or dynamic addresses.
Let us see the steps to set up a site-to-site VPN in UniFi using IPsec. Before starting, note that the remote server must be entered as an IPv4 address. If the servers do not have static external IP addresses, you will encounter issues whenever an IP address changes. If you prefer to use DDNS, consider the OpenVPN setup instead.
Configure a Site-to-Site VPN in UniFi using IPsec
- Open the UniFi Controller in the First UniFi device and select Settings.
- Select Teleport & VPN from the Settings menu.
- In the Site-to-Site VPN section, select Create Site-to-Site VPN.
- Name the VPN, select Manual IPsec as the VPN Protocol, and set the correct WAN address as the UniFi Gateway IP.
Note: If you don’t have a static external IP address, the WAN address will change periodically, and when it does the site-to-site VPN will stop working.
- In the Remote Device Configurations, enter the subnets you want to route through this VPN tunnel and enter the other server’s external IP address in Remote IP.
- Repeat the previous steps to create a new site-to-site VPN on the second UniFi device. The settings are similar, with these main differences: the Pre-shared Key must be the same key entered on the first device; the Subnet is the subnet you want to reach on the other network; and the Remote IP is the external IP address of the first UniFi device.
- Ensure the settings are saved on both UniFi devices. If the pre-shared keys match and the entered IP addresses are correct, the tunnel will come up.
Configure a Site-to-Site VPN in UniFi using OpenVPN
- First, get the SSH authentication username and password by logging into the UniFi Controller and selecting Settings > System > Network Device SSH Authentication. Ensure that Device SSH Authentication is enabled, then copy the password. Note: You may need to enable SSH in the Console Settings, which will prompt you to set an SSH password.
- Now open a terminal window or SSH application and connect to the UniFi device.
ssh username@UNIFI_IP_ADDRESS
- To generate a new OpenVPN key, run the following command:
openvpn --genkey secret /tmp/ovpn
- Once the key is created, display the contents of /tmp/ovpn, copy the key into Notepad, and delete the line breaks. Save the resulting single-line OpenVPN key for later; it is the pre-shared key used in the OpenVPN setup.
- Open the UniFi Controller in the First UniFi device and select Settings.
- Select Teleport & VPN from the Settings menu.
- In the Site-to-Site VPN section, select Create Site-to-Site VPN.
- Name the VPN, select OpenVPN as the VPN Protocol, and set a unique local tunnel IP address. This tunnel IP address will be referenced on both UniFi devices.
Note: If OpenVPN is already in use on the source or destination server, you can use a different port number.
- Now enter the shared remote subnets you want to route and the remote IP address. Then enter the remote tunnel IP address and port; they must be unique and match what is configured on the remote server. After entering these, select Add New VPN Network.
- Create a new site-to-site VPN on the second UniFi device and add the same pre-shared key generated for the first device. Enter the remote tunnel IP address and port that correspond to what you configured in the previous step.
- Enter the shared remote subnets you want to route over the VPN tunnel, the remote IP address, and the same tunnel IP address used in the previous step. After completing this, select Add New VPN Network.
- After finishing the setup, the shared remote subnets of each server should be reachable from whichever network you are connected to, because UniFi handles the routing for you.
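The key step above asks you to copy the generated key and delete its line breaks by hand. As an added example (not from the original guide or from Ubiquiti), the POSIX shell helpers below do that on the gateway and confirm that the pasted value is a complete 2048-bit static key; they assume the UniFi pre-shared key field takes only the hex body, without the BEGIN/END marker lines.

```shell
#!/bin/sh
# Added example, not from the original guide: helpers for the key step above.
# After `openvpn --genkey secret /tmp/ovpn` on the gateway, flatten_ovpn_key
# produces the single-line form for the UniFi pre-shared key field and
# check_ovpn_key confirms nothing was lost when copying and pasting.
# Assumption: the field takes only the hex body, without the BEGIN/END lines.

# Print the hex body of an OpenVPN static key file as a single line
# (drops '#' comment lines, the BEGIN/END markers, and all whitespace).
flatten_ovpn_key() {
  grep -v -e '^-----' -e '^#' "$1" | tr -d '\n\r\t '
}

# Return 0 only if the flattened key is a complete 2048-bit static key:
# exactly 512 hexadecimal digits (16 lines of 32 in the original file).
check_ovpn_key() {
  key=$(flatten_ovpn_key "$1")
  [ "${#key}" -eq 512 ] || return 1
  case "$key" in *[!0-9a-fA-F]*) return 1 ;; esac
  return 0
}

# Write a constructed sample in the openvpn --genkey layout (NOT a real
# key; the body is just zero-padded counters) so the helpers run offline.
write_sample_key() {
  {
    printf '#\n# 2048 bit OpenVPN static key\n#\n'
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
    i=0
    while [ "$i" -lt 16 ]; do
      printf '%032d\n' "$i"
      i=$((i + 1))
    done
    printf '%s\n' '-----END OpenVPN Static key V1-----'
  } > "$1"
}
```

On the gateway, run `check_ovpn_key /tmp/ovpn && flatten_ovpn_key /tmp/ovpn`, paste the printed line into the UniFi field on both devices, and remove /tmp/ovpn afterwards so the secret does not linger on the device.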
Setting up a site-to-site VPN in UniFi using IPsec or OpenVPN is convenient because UniFi manages the routing, which is usually the hardest part. However, if the two UniFi devices are not the primary routers on their networks (a double-NAT setup), the configuration becomes more complex.
Hope these steps helped you to set up a site-to-site VPN in UniFi. If you need any assistance feel free to Get Assistance.