UniFi - USG VPN: How to Configure Site-to-Site VPN


Overview


This article describes how to configure a site-to-site VPN on a UniFi Security Gateway (USG).


Table of Contents


  1. Introduction
  2. Auto IPsec VTI
  3. Manual IPsec
    1. Advanced Options
  4. Firewall Rules for Auto and Dynamic Routing Enabled IPsec VPN
  5. OpenVPN
  6. Related Articles

Introduction

A site-to-site VPN establishes a secure tunnel between two gateways so that the internal networks behind them can reach each other. In the UniFi dashboard, a site-to-site VPN is created under Settings > Networks > Create New Network > Site to Site VPN.

User Tips:
  • Auto IPsec VTI creates a site-to-site VPN to another USG that is adopted to a different site on the same UniFi controller.
  • Manual IPsec creates a site-to-site tunnel to an externally managed USG, an EdgeRouter, or another vendor's gateway that supports IPsec.
  • OpenVPN, like Manual IPsec, creates a tunnel to an externally managed device, using OpenVPN instead of IPsec.

IPsec is recommended for performance reasons: OpenVPN cannot be offloaded and runs on a single CPU thread.


Auto IPsec VTI

ATTENTION: This VPN type will not function if either USG is behind a NAT router. Both USGs must hold a publicly routable (non-RFC 1918) address on their WAN interface.

In UniFi, Auto IPsec VTI lets an admin create a VPN between two UniFi Security Gateways that are adopted into the same controller. Creating this VPN in the UniFi dashboard automatically:

  • Sets the peer IP on each side of the tunnel to the other USG's WAN interface address.
  • Adds the remote networks for each site.
  • Provisions a VTI interface on each USG for the VPN. Auto VPN VTI interfaces start at vti0 and increment (vti1, vti2, and so on) as more auto VPNs are added.
  • Tracks IP changes on WAN dynamically.
  • Provisions a strong, randomly generated pre-shared key between the two USGs.

NOTE: As of UniFi Controller version 5.8 only hub-and-spoke topologies are supported. Mesh topology is not yet configurable.

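The ATTENTION note above rules out Auto IPsec VTI whenever a USG's WAN address is not publicly routable. The following POSIX shell functions are an added example, not part of the UniFi article, that decide between Auto IPsec VTI and Manual IPsec from a pair of WAN addresses. They go one step beyond the article's wording: besides the RFC 1918 ranges they also treat the RFC 6598 shared address space (100.64.0.0/10, used by ISPs for carrier-grade NAT) as "behind NAT", because a USG holding such an address is NATed upstream even though the address is not RFC 1918. The function names and the "k=v" style return conventions are this example's own.

```shell
#!/bin/sh
# Added example, not from the UniFi article: check whether a pair of USG WAN
# addresses is eligible for Auto IPsec VTI, which will not work when either
# USG sits behind NAT. RFC 1918 space is what the article names; RFC 6598
# shared address space (100.64.0.0/10, carrier-grade NAT) is treated the same
# way here because such an address is also NATed by the ISP.

# Convert a dotted quad to an integer; fail on anything that is not a valid IPv4 address.
ipv4_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            '' | *[!0-9]* | 0?*) return 1 ;;   # empty, non-numeric, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if the address is in a NAT-only range (10/8, 172.16/12, 192.168/16
# or 100.64/10), 1 if it is publicly routable, 2 if it is not a valid address.
is_nat_address() {
    n=$(ipv4_to_int "$1") || return 2
    [ $(( n >> 24 )) -eq 10 ]                      && return 0   # 10.0.0.0/8
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ]   && return 0   # 172.16.0.0/12
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0   # 192.168.0.0/16
    [ $(( n >> 22 )) -eq $(( (100 << 2) | 1 )) ]   && return 0   # 100.64.0.0/10 (RFC 6598)
    return 1
}

# Print "auto-vti" when both WAN addresses are publicly routable, "manual"
# when either end is behind NAT (Manual IPsec with the remote's public IP as
# Peer IP and UDP 500/4500 forwarded, as described further down), and fail
# on an invalid address.
recommend_vpn_type() {
    for ip in "$1" "$2"; do
        rc=0
        is_nat_address "$ip" || rc=$?
        case $rc in
            0) echo manual; return 0 ;;
            2) echo "invalid IPv4 address: $ip" >&2; return 1 ;;
        esac
    done
    echo auto-vti
}
```

Usage: `recommend_vpn_type 203.0.113.5 198.51.100.7` prints `auto-vti`; `recommend_vpn_type 203.0.113.5 192.168.1.1` prints `manual`. Feed it the addresses shown under Devices > USG Properties Panel > Details > WAN 1 on each site; if that address differs from what the site appears as on the internet, the USG is behind NAT and the function will say so.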
Manual IPsec

Enabled: Allows an admin to enable or disable the VPN tunnel without erasing its parameters.

Remote Subnets: The networks on the remote side of the VPN. A /32 is not a valid subnet mask at the time of writing (UniFi Controller version 5.8.24).

Peer IP: Public IP of the remote gateway. This can also be the public IP of a router in front of the remote gateway, provided that upstream router forwards UDP ports 500 (IKE) and 4500 (NAT-T) to it.

Local WAN IP: Public IP of the USG adopted to the site in which this VPN is being configured. If this USG is itself behind NAT, enter the address found on its WAN interface instead. To find the WAN interface IP, navigate to Devices > USG Properties Panel > Details > WAN 1.

Pre-shared Key: A strong shared secret, entered identically on both VPN endpoints.

IPsec Profiles:

  • Customized: Uses parameters defined by an admin.
  • Azure Dynamic Routing: Uses parameters for connecting to Microsoft Azure over a VTI (route-based IPsec).
  • Azure Static Routing: Uses parameters for connecting to Microsoft Azure with policy-based IPsec, without a VTI.

Manual IPsec: Advanced Options

ADVANCED: These settings are meant for advanced users with networking knowledge. They apply to phase 1 (IKE) and phase 2 (ESP) of the IPsec negotiation, and the remote gateway must be configured with the same values.

Key Exchange Version: Select either IKEv1 or IKEv2.

Encryption: Select AES-128, AES-256, or 3DES encryption.

Hash: Select either SHA1 or MD5. MD5 is deprecated for IPsec integrity protection; use SHA1 unless the remote gateway supports nothing else.

DH (Diffie-Hellman) Group: DH groups 2, 5, 14, 15, 16, 19, 20, 21, 25, 26 are available.

PFS (Perfect Forward Secrecy): Enable or disable. When PFS is enabled, the phase 2 DH group is hardcoded to group 1 (768-bit MODP) and the remote gateway must be configured to match.

Dynamic Routing: Enable or disable the use of a virtual tunnel interface (VTI). This selects whether the VPN is policy-based (off) or route-based (on). (Note: manual VPN VTI interfaces start at vti64 and increment as vti65, vti66, etc. as more manual VPNs are added.)

NOTE: Larger key sizes are more secure but cost more CPU. For example, AES-256 uses more CPU resources than AES-128. AES-128 is the recommended encryption for most use cases.

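Because every Advanced Option has to be mirrored on the remote gateway, it pays to write both proposals down and compare them before touching either device. The POSIX shell functions below are an added example, not part of the UniFi article or of any UniFi or EdgeOS tooling: they diff two proposals field by field and flag the choices the UI still offers that are weak by current standards (MD5, 3DES, DH groups below 2048-bit MODP), plus the PFS caveat from the note above. The "key=value" proposal string format and the keys ike, enc, hash, dh and pfs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the UniFi article: pre-check the Manual IPsec
# Advanced Options against what is planned for the remote gateway. The
# "k=v k=v ..." proposal string is a format made up for this example (it is
# not UniFi or EdgeOS syntax); its keys are ike, enc, hash, dh and pfs.

# Print the value of one key in a proposal string; fail if the key is absent.
proposal_get() {
    for kv in $1; do
        case $kv in
            "$2="*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Print one MISMATCH line per field that differs between the two ends,
# followed by the number of mismatching fields (0 means the proposals match).
compare_proposals() {
    mismatches=0
    for key in ike enc hash dh pfs; do
        local_value=$(proposal_get "$1" "$key") || local_value='(unset)'
        remote_value=$(proposal_get "$2" "$key") || remote_value='(unset)'
        if [ "$local_value" != "$remote_value" ]; then
            echo "MISMATCH $key: local=$local_value remote=$remote_value"
            mismatches=$((mismatches + 1))
        fi
    done
    echo "$mismatches"
}

# Print a WEAK line for each weak choice, a NOTE when PFS is on (the USG pins
# the phase 2 DH group to group 1, which the remote side must match), and
# finally the number of WEAK findings.
proposal_warnings() {
    enc=$(proposal_get "$1" enc) || enc=
    hash_alg=$(proposal_get "$1" hash) || hash_alg=
    dh=$(proposal_get "$1" dh) || dh=
    pfs=$(proposal_get "$1" pfs) || pfs=
    weak=0
    case $hash_alg in
        md5) echo "WEAK hash=md5: prefer sha1, the strongest hash the UI offers"; weak=$((weak + 1)) ;;
    esac
    case $enc in
        3des) echo "WEAK enc=3des: prefer aes128 (recommended) or aes256"; weak=$((weak + 1)) ;;
    esac
    case $dh in
        1 | 2 | 5) echo "WEAK dh=$dh: below 2048-bit MODP; prefer group 14 or higher"; weak=$((weak + 1)) ;;
    esac
    case $pfs in
        on) echo "NOTE pfs=on: phase 2 DH is pinned to group 1 on the USG; configure group 1 on the remote gateway" ;;
    esac
    echo "$weak"
}
```

Usage: `compare_proposals "ike=ikev2 enc=aes128 hash=sha1 dh=14 pfs=on" "ike=ikev1 enc=aes128 hash=md5 dh=14 pfs=off"` prints one MISMATCH line each for ike, hash and pfs and then `3`; `proposal_warnings` on the second string prints a WEAK line for md5 and then `1`. A non-zero count from either function is a reason to revisit the configuration before bringing the tunnel up.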
Firewall Rules for Auto and Dynamic Routing Enabled IPsec VPN

Firewall rules that allow all traffic across the VPN are created automatically when the VPN is created.

To block some of that traffic, create rules in Settings > Routing and Firewall > Firewall > LAN_IN on the USG you are configuring. The source field should specify the remote network or address, and the destination field the local network or address to which traffic should be blocked.


OpenVPN

Enabled: Allows an admin to enable or disable the VPN tunnel without erasing its parameters.

Remote Subnets: The networks on the remote side of the VPN. A /32 is not a valid subnet mask at the time of writing.

Remote Host: Public IP of the remote gateway, or the public IP of an upstream router in front of it.

Remote Address/Port: An IP address that does not overlap any previously defined network. It is used only as the OpenVPN tunnel endpoint address on the remote gateway. The port defines which UDP port the remote gateway uses to connect to the USG.

Local Address/Port: An IP address that does not overlap any previously defined network. It is used only as the OpenVPN tunnel endpoint address on the local gateway (USG). The port defines which UDP port the USG uses to connect to the remote gateway.

Shared Secret Key: This is not a user-chosen password; it must be a generated 2048-bit OpenVPN static key. The USG can generate one from the CLI as described below.

CLI: Access the command line interface (CLI), either with the CLI button in the GUI or with an SSH client such as PuTTY.

1. Generate the 2048 bit shared secret on the USG.

generate vpn openvpn-key /config/auth/secret

2. Display the shared secret and copy the output to a text file. The key is a symmetric secret that grants access to the tunnel, so transfer it to the remote gateway over a secure channel and delete the text file once both endpoints are configured.

sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

3. Paste only the text between the BEGIN and END lines into the Shared Secret Key field; leave out the comment header and the BEGIN/END marker lines themselves.

NOTE: This type of VPN requires a WAN_LOCAL firewall rule on each side of the tunnel that allows the remote gateway to reach the local OpenVPN UDP port.

Related Articles

UniFi - Verifying and Troubleshooting IPsec VPN on USG