How To Configure Site to Site VPN On Unifi Controller 7.0.22

In this tutorial you will learn how to configure Unifi UDM PRO Site to Site VPN on Unifi Controller 7.0.22. 

A site-to-site virtual private network (VPN) is a connection between two or more networks, such as a corporate network and a branch office network. Many organizations use site-to-site VPNs to leverage an internet connection for private traffic as an alternative to using private MPLS circuits.

Site-to-site VPNs are frequently used by companies with multiple offices in different geographic locations that need to access and use the corporate network on an ongoing basis. With a site-to-site VPN, a company can securely connect its corporate network with its remote offices to communicate and share resources with them as a single network.


Let’s get started.

Make sure you are on Unifi Controller Version 7.0.22. I will be using a Unifi UDM Pro for this configuration.

Step 1: Log into your Main Office Unifi Controller.

Step 2: Click Settings

Step 3: Click VPN 

Step 4: Scroll down until you locate the Site-to-Site VPN section, then click the Create Site-to-Site VPN button.

Step 5:  Now Let’s configure the Site-to-Site VPN Network.

  • Network Name: Since we are logged into the Main Office Unifi Controller, we will set this network name to reflect the Branch Office we are connecting to.
  • VPN Protocol: Select Manual IPsec.
  • Pre-shared Key: Use a strong key. This key will be needed when you setup the Branch Site-To-Site VPN settings.
  • Server Address: Select from the drop-down, or enter manually, the WAN IP address that your Site-to-Site VPN traffic should use.

Step 6: Scroll down until you locate Remote Device Configurations.

Step 7: Under Remote Gateway/Subnets, enter your Branch Office primary LAN subnet. In my case it is 192.168.10.0/24. Once the address is entered you will be prompted to create the policy; click Create.

Step 8: Under Remote IP Address enter the WAN IP address of the Branch Office.

Step 9: Since you are connecting to another UDM Pro running the same controller version, Auto can be left as is. If you are using a different firewall or VPN device, select Manual and make sure the additional settings match between the branch office and the main office.

Step 10: Click the Add Network button. Your VPN connection should have been successfully created.

Step 11: Log into your Branch Office Unifi controller.

Step 12: Follow the steps starting from Step 2 and configure your Branch UDM Pro VPN to connect to the Main Office.
Reminders:

  • Use the same pre-shared key.
  • Server Address is the Branch Office WAN IP that you entered as the Remote IP Address on the main office side.
  • Remote Gateway/Subnets is the Main Office primary LAN.
  • Remote IP Address is the WAN IP of the main office that you selected as the Server Address for the Site-to-Site VPN.
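The two sides of a Manual IPsec Site-to-Site VPN have to mirror each other exactly (same pre-shared key, each side's Remote Gateway/Subnets equal to the other side's LAN, each side's Remote IP Address equal to the other side's Server Address), and a typo in any of these is the usual reason a tunnel either never comes up or comes up but passes no traffic. The following script is an added example, not part of the original post or of any Ubiquiti tooling: it models what you type into Step 5 through Step 12 for both controllers, builds the branch side from the main side the way the reminders above describe, and checks the pair for the mismatches that cause trouble. The main office LAN (192.168.1.0/24), both WAN addresses (documentation ranges) and the pre-shared key are constructed sample values; the branch LAN 192.168.10.0/24 is the one used in the tutorial.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class SiteVpnConfig:
    """One side of the Site-to-Site VPN as entered in the UniFi controller."""
    name: str
    local_subnet: str      # this site's primary LAN (what the other side enters as Remote Gateway/Subnets)
    server_address: str    # WAN IP chosen under Server Address (Step 5)
    pre_shared_key: str    # Pre-shared Key (Step 5), must match on both sides
    remote_subnet: str     # Remote Gateway/Subnets (Step 7)
    remote_ip: str         # Remote IP Address (Step 8), the other site's WAN IP


def mirror_config(main: SiteVpnConfig, branch_name: str) -> SiteVpnConfig:
    """Build the Branch Office entry from the Main Office entry (Step 12 reminders).

    Everything the branch needs is already in the main office entry: the branch's
    own LAN and WAN are what main entered as remote subnet and remote IP, and the
    branch's remote subnet and remote IP are main's LAN and server address.
    """
    return SiteVpnConfig(
        name=branch_name,
        local_subnet=main.remote_subnet,
        server_address=main.remote_ip,
        pre_shared_key=main.pre_shared_key,
        remote_subnet=main.local_subnet,
        remote_ip=main.server_address,
    )


def check_pair(a: SiteVpnConfig, b: SiteVpnConfig) -> List[str]:
    """Return a list of configuration problems; an empty list means the sides mirror each other."""
    problems: List[str] = []

    if a.pre_shared_key != b.pre_shared_key:
        problems.append("pre-shared keys differ between the two sites")
    if len(a.pre_shared_key) < 20:
        problems.append("pre-shared key is shorter than 20 characters; use a stronger key")

    # Each side's remote settings must equal the other side's local settings.
    for this, other in ((a, b), (b, a)):
        if ipaddress.ip_network(this.remote_subnet, strict=False) != ipaddress.ip_network(other.local_subnet, strict=False):
            problems.append(
                f"{this.name}: remote subnet {this.remote_subnet} does not match {other.name} LAN {other.local_subnet}"
            )
        if ipaddress.ip_address(this.remote_ip) != ipaddress.ip_address(other.server_address):
            problems.append(
                f"{this.name}: remote IP {this.remote_ip} does not match {other.name} server address {other.server_address}"
            )

    # Overlapping LANs cannot be routed across the tunnel unambiguously.
    lan_a = ipaddress.ip_network(a.local_subnet, strict=False)
    lan_b = ipaddress.ip_network(b.local_subnet, strict=False)
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets {lan_a} and {lan_b} overlap; renumber one site")

    return problems


# Constructed sample entry for the Main Office controller (Steps 5 to 9).
MAIN = SiteVpnConfig(
    name="Main Office",
    local_subnet="192.168.1.0/24",            # constructed main office LAN
    server_address="203.0.113.10",            # constructed main office WAN IP
    pre_shared_key="CHANGE-ME-example-psk-0123456789",  # placeholder, not a real key
    remote_subnet="192.168.10.0/24",          # branch LAN from the tutorial
    remote_ip="198.51.100.20",                # constructed branch WAN IP
)

# What the Branch Office controller must contain (Step 12).
BRANCH = mirror_config(MAIN, "Branch Office")


if __name__ == "__main__":
    issues = check_pair(MAIN, BRANCH)
    print("OK: both sides mirror each other" if not issues else "\n".join(issues))
```

Run it after filling in your own values on both sides; any line it prints corresponds to a field to re-check in the controller before testing pings in Step 13.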

Step 13: Open Command Prompt and test some pings. 

I hope this article was helpful, if you have any questions, please feel free to contact me. If you would like to be notified of when I create a new post, you can subscribe to my blog alert.

3 Comments

  1. Hi,

    Thanks for your tutorial.

    I have set this up on Network 7.0.22 in exactly the same way as you describe.

    On my “Main office” UDM-Pro (my home) my primary network is 192.168.22.0/24
    On my “Branch office” UDM (my basement) my primary network is 192.168.17.0/24

    I have set the remote network on my “Main office” UDM-Pro to 192.168.17.0/24
    I have set the remote network on my “Branch office” UDM to 192.168.22.0/24

    When I connect, connection is instant.
    It seems to work great.

    But I just can’t make a connection from a device on “Main office” to a device on “Branch office”.
    Not even trying to ping the UDM or UDM Pro.

    Trying a trace route from “Main office” device to UDM in “Branch office”:

    % traceroute 192.168.17.1
    traceroute to 192.168.17.1 (192.168.17.1), 64 hops max, 52 byte packets
    1 unifi (192.168.22.1) 2.590 ms * 0.495 ms
    2 * unifi (192.168.22.1) 0.611 ms !H *
    3 * * *
    4 * * *
    5 * * *
    6 * * *
    7 * * *
    8 * * *
    9 * * unifi (192.168.22.1) 0.961 ms !H
    10 unifi (192.168.22.1) 0.904 ms !H * *
    11 * * *
    12 unifi (192.168.22.1) 0.673 ms !H * 0.522 ms !H
    %

    I have today upgraded to 7.0.25. Connection works great, but I still can’t make a connection between sites.

    Any ideas on why it isn’t working?

    Thanks
    Tony

    1. Hello Tony,

      Thank you for the visit. Unifi allows all traffic to pass through LAN to LAN unless Unifi deems it a threat. Under Firewall & Security, scroll down until you find Threat Management Allow list and add the LANs you mentioned for both directions. See if that works. Also, if you are using Comcast as your ISP, are you in advanced bridge mode?

  2. Hello Patrick,
    Thanks for your reply.
    I have Threat Management turned off completely on both UDM Pro and UDM.
    I am not using Comcast as ISP.
    When I connect through the standard VPN I can connect to devices on the remote network without any problem.
    Thanks
    Tony
