How To Configure Unifi UDM Pro Controller 7.0.22 VPN Access

In this tutorial you will learn how to configure VPN access on a Unifi UDM Pro running Controller 7.0.22. I will take you through configuring the L2TP/IPsec VPN server and a VPN user on Unifi Controller version 7.0.22 on your UDM Pro, and then we will finish by configuring the Windows 11 VPN client.

Let's start by logging into your UDM PRO Controller 7.0.22.

  1. Click on Settings
  2. Now click on VPN
  3. For VPN Server, make sure it is enabled.
  4. For Pre-shared Key, you can use the default or type your own. This one key is shared by every VPN client, so use a long random value rather than a word, and change it if a client device is lost.
  5. For Server Address, choose either a WAN port or set a static IP address manually. I will be using (WAN1).
  6. Now under User Authentication, click on Create a new user.
  7. You should now see a popup to enter a username and password; afterwards click on the Create User button. Create an additional user account for each person you wish to grant VPN access, rather than sharing one login.
  8. Let's control our own VPN access destiny and click on Manual under Advanced Configuration.
  9. Give your VPN Network Name an identifiable name.
  10. Change your VPN Subnet to something less common. Pick a range that is not used on your own networks or on the home and hotel networks your users connect from; an overlapping subnet gives you a tunnel that connects but cannot route traffic.
  11. For Name Server, check Enable. If you have a Windows Server AD/DNS, enter its IP address so your VPN users can discover network resources by hostname. You can also use your UDM PRO as a DNS server. In my case I have changed the primary subnet to 192.168.2.0/24; my Windows AD/DNS server 192.168.2.210 is set as Name Server 1 and my UDM Pro, 192.168.2.1, as Name Server 2. I mention this because it may differ in your environment.
  12. Make sure Require Strong Authentication is enabled. I have also enabled Allow weak ciphers here, which makes the UDM Pro accept older, weaker IPsec proposals so that legacy clients can connect. Leave it off first and only turn it on if a client cannot connect, since it allows a client to negotiate weaker encryption for the tunnel. Afterwards click the Apply Changes button.

    You have successfully created a VPN Access Tunnel for your Unifi UDM PRO Controller 7.0.22

How To Configure Windows 11 VPN Client

  1. Click on your Search Bar, start typing VPN, and click on VPN settings when it appears.
  2. A VPN Settings window should open. Find and click on the Add VPN button.
  3. For VPN provider, click the dropdown and select Windows (built-in).
  4. For Connection Name, give it something that is identifiable to you.
  5. For Server name or address, use the UDM Pro WAN IP address you selected as the Server Address for the VPN.
  6. For VPN type, click the dropdown and select L2TP/IPsec with pre-shared key.
  7. Enter the Pre-shared key that you entered on your UDM Pro when configuring VPN access.
  8. For Type of sign-in info, select User name and password from the dropdown.
  9. Enter your VPN user name and your password.
  10. Click the Save button.
  11. Success, you have created a VPN connection on your Windows 11 computer.
  12. Click Connect and you should have a successful connection. Remember you will not be able to connect from inside the same network the UDM Pro serves, because the client would be reaching the WAN address from the LAN side; to test, use a phone hotspot or another outside connection.
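The same Windows 11 client setup can be scripted, which is handy when you have to roll the connection out to several machines or want the steps to be repeatable. The PowerShell below is an added example and is not from the original post or from Ubiquiti; it uses only the built-in VpnClient cmdlets (Add-VpnConnection, Get-VpnConnection, Remove-VpnConnection), `rasdial`, and Get-NetIPAddress. It also includes a small generator for a random pre-shared key, since the key you paste into the UDM Pro Pre-shared Key field is the one secret every client shares. The connection name 'Office UDM Pro', the server address 203.0.113.10 and the user name 'vpnuser' are placeholders; replace them with your own values.

```powershell
# Added example, not part of the original post: the Windows 11 client steps
# above scripted with the built-in VpnClient cmdlets, plus a random pre-shared
# key generator for the UDM Pro "Pre-shared Key" field. The connection name,
# the server address 203.0.113.10 and the user 'vpnuser' are placeholders.
# Run from an elevated PowerShell on the Windows 11 client.

# Generate a random PSK from the OS CSPRNG (32 bytes, base64-encoded).
# Paste the result into the UDM Pro Pre-shared Key field and use the same
# value for the client: L2TP/IPsec with PSK authenticates every client with
# this one secret, so it should be long and random, not a dictionary word.
function New-VpnPreSharedKey {
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    $rng.Dispose()
    return [Convert]::ToBase64String($buf)
}

# Create the L2TP/IPsec profile with the same choices as the GUI steps.
function New-UdmL2tpConnection {
    param(
        [Parameter(Mandatory)][string]$Name,           # step 4: Connection Name
        [Parameter(Mandatory)][string]$ServerAddress,  # step 5: UDM Pro WAN IP
        [Parameter(Mandatory)][string]$PreSharedKey,   # step 7: same PSK as on the UDM Pro
        [switch]$AllUsers                              # make the profile visible to every Windows account
    )
    # Remove a stale profile of the same name so the function is re-runnable.
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -Force
    }
    $params = @{
        Name                 = $Name
        ServerAddress        = $ServerAddress
        TunnelType           = 'L2tp'        # step 6: L2TP/IPsec with pre-shared key
        L2tpPsk              = $PreSharedKey
        AuthenticationMethod = 'MSChapv2'    # step 8: user name and password
        EncryptionLevel      = 'Required'    # refuse a PPP session that is not encrypted
        RememberCredential   = $true
        Force                = $true
        PassThru             = $true
    }
    if ($AllUsers) { $params['AllUserConnection'] = $true }
    Add-VpnConnection @params
}

# Dial the connection and show the address handed out from the VPN subnet.
function Connect-UdmVpn {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    # rasdial takes the password as a plain argument; unwrap it only for this call.
    $cred  = New-Object System.Management.Automation.PSCredential($UserName, $Password)
    $plain = $cred.GetNetworkCredential().Password
    rasdial $Name $UserName $plain | Out-Host
    # The PPP adapter uses the connection's name as its interface alias.
    Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, IPAddress
}

# --- usage (step 12: test from a hotspot, not from inside the UDM Pro's own LAN) ---
$psk = New-VpnPreSharedKey      # paste this value into the UDM Pro first, then reuse it here
New-UdmL2tpConnection -Name 'Office UDM Pro' -ServerAddress '203.0.113.10' -PreSharedKey $psk
Connect-UdmVpn -Name 'Office UDM Pro' -UserName 'vpnuser' `
    -Password (Read-Host -AsSecureString -Prompt 'VPN password')
```

Note that `-EncryptionLevel Required` only controls the PPP layer inside the tunnel; which IPsec ciphers the client and the UDM Pro agree on is decided by the negotiation, which is what the Allow weak ciphers setting on the UDM Pro influences.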

I hope this article was helpful, if you have any questions, please feel free to contact me. If you would like to be notified of when I create a new post, you can subscribe to my blog alert.

11 Comments

  1. Patrick, have you tested whether multiple users can connect to the VPN? Multiple VPN clients from the same remote IP with L2TP didn't work in the earlier versions. This has been a Ubiquiti issue for 4 years now…

    1. Yes, VPN works great, even within the last 4 years. You may need to check your settings with your modem: it may need to be put in bridge mode, or, if you're getting a DHCP address from the ISP modem as a LAN address and not the proper WAN IP to your UDM Pro, you will need to place your UDM Pro in a DMZ on the ISP modem. There is also a Windows update that is causing an issue with L2TP VPN access, which may address recent issues with Windows 10: https://patrickdomingues.com/2022/01/19/unifi-vpn-l2tp-connection-attempt-failed-after-installing-kb5009543/

      If anything else follow up with me and we can connect to go over your config.

  2. I've tested it myself today and the problem is like this: when I connect my iMac, iPhone and main Windows PC it's all fine. Everybody can connect. But when I want to add another Windows PC to connect with the VPN, it will block. (I'm aware of the Windows update issue, but that's not the problem.) I can say that the problem is the second Windows PC I want to connect with the VPN, and because I'm connecting all of the devices through 1 WAN IP (from home) this will not work. When I disable the VPN connection on my main Windows PC and connect the second Windows PC, the second Windows PC also connects just fine. But those 2 together will not work. And this is a known issue of Ubiquiti, but they wouldn't patch it, because of the Windows port protocols etc. So that is my problem. Now I have to check if there is another option like OpenVPN, or otherwise I have to get some other equipment, because Ubiquiti is currently not supporting 2 or more clients over Windows.

  3. Hey thanks for the article.
    Have you had any luck getting the remote L2TP Clients to connect to the site-to-site remote subnets?

    1. Hello Jordan, thank you for the visit. L2TP VPN client subnets can access resources over a site-to-site VPN. By default there are no network blocks; however, you may need to create a rule so that traffic from the L2TP VPN subnet can access the subnet over the site-to-site VPN. You may also need to go into Firewall & Security > Threat Management and add your L2TP VPN subnet.

  4. Yeah, that makes sense, but it's not clear which interface that rule would sit on. There isn't an option for L2TP in the firewall rules tabs.

    1. Let me get this clear: Client VPN > UDM1 > Site to site > UDM2 > Corporate LAN?
      In Firewall and Security create a new rule:
      Type: LAN In
      Rule Applied: Before Predefined Rules
      Action: Accept
      IPv4: All
      Source Type: Port/IP Group
      IPv4 Address Group: create a new group and add the client VPN address pool (ex: 192.168.50.0/24)
      Port Group: Any
      Destination Type: Network
      Network: select the UDM2 corporate network, or whatever network you want it to have access to
      Network Type: IPv4 Subnet
      Apply Changes

      Also, for testing, when you try to RDP from a VPN client to a computer in UDM2 over the site-to-site: if you check Notifications, do you see any network intrusion attempts that are blocked?

      1. It was not a firewall rule limiting the traffic; it turned out to be the Dynamic routing checkbox in the site-to-site VPN config. Without that checked, it limits them to just the local LAN segment, rather than leaving it open and allowing your firewall rules to limit it.

  5. Hi Patrick, I have followed this guide and others, but I can't seem to be able to connect Windows clients to the VPN. I also tried submitting a support ticket, but I have not received a reply yet. I get the following error:

    "A connection to the remote computer could not be established. You might need to change the network settings for this connection."

    Any help is much appreciated, thank you.
