
The Ubiquiti Diaries: A Site-to-Site VPN Story

Ubiquiti Networks is a popular vendor of networking equipment in the SMB/SME space. Their gear is also very popular among prosumers thanks to the combination of ease of use and features that can be customized to specific requirements. I recently had the opportunity to create a new deployment in another country. We chose Ubiquiti for the new location for two main reasons: the ability to use a single management plane for both sites, and the ease of creating site-to-site VPNs.

The new installation went very smoothly, and the site-to-site VPN worked stably until the remote site's ISP moved the gateway from a public WAN IP to an address behind carrier-grade NAT (CGNAT). This kicked off an in-depth look at the different options available for site-to-site VPNs with Ubiquiti gear in different scenarios. Along the way, I ran into a number of issues that deserved documentation in order to help people who might run into them in their own installations. This article provides details on the journey down the rabbit hole, including a step-by-step guide detailing an attempt to
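The CGNAT change described above is easy to confirm from the gateway itself: compare the address configured on the WAN interface with the address the rest of the internet sees for that site. The script below is an added example, not code from the original article or from Ubiquiti. It classifies the WAN address against the RFC 6598 shared address space (100.64.0.0/10) and the RFC 1918 private ranges, and then decides which side of a site-to-site IPsec tunnel must initiate. The addresses in it are constructed documentation addresses; in practice `wan_ip` comes from the gateway's WAN interface and `observed_ip` from an external "what is my IP" lookup made through that gateway.

```python
"""Detect CGNAT on a gateway's WAN and decide who must initiate a tunnel.

Added example (not from the original article). All inputs are constructed.
"""
import ipaddress
from dataclasses import dataclass

# RFC 6598 shared address space that ISPs hand out behind carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges: a WAN interface in one of these means an
# ISP-supplied router (or another NAT layer) sits in front of the gateway.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class WanAssessment:
    wan_ip: str
    observed_ip: str
    verdict: str            # "public", "cgnat", "private-nat" or "translated"
    inbound_ipsec_ok: bool  # can a peer initiate IKE (UDP/500, UDP/4500) to us?


def is_cgnat(ip: str) -> bool:
    return ipaddress.ip_address(ip) in CGNAT_NET


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def assess_wan(wan_ip: str, observed_ip: str) -> WanAssessment:
    """Compare the WAN interface address with the externally observed one.

    Deliberately avoids ipaddress's `is_private`, which also flags the
    RFC 5737 documentation ranges used in the constructed sample data.
    """
    if is_private(observed_ip) or is_cgnat(observed_ip):
        raise ValueError("observed address must be a routable public address")
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)

    if wan == observed:
        # Public IP directly on the interface: a peer can dial this address
        # (static IP or dynamic DNS), so the site can accept inbound IKE.
        return WanAssessment(wan_ip, observed_ip, "public", True)
    if wan in CGNAT_NET:
        # The ISP shares observed_ip among many customers; unsolicited
        # inbound UDP never reaches us, so this site must be the initiator
        # (with NAT-T) or go through a relay.
        return WanAssessment(wan_ip, observed_ip, "cgnat", False)
    if is_private(wan_ip):
        # Classic double NAT behind an ISP router; port forwarding on that
        # router could restore inbound reachability, CGNAT could not.
        return WanAssessment(wan_ip, observed_ip, "private-nat", False)
    # Public-looking WAN address that still differs from what the internet
    # sees: some translation is happening upstream; treat as unreachable.
    return WanAssessment(wan_ip, observed_ip, "translated", False)


def plan_tunnel(local: WanAssessment, remote: WanAssessment) -> str:
    """Pick the initiator for a site-to-site tunnel between two sites."""
    if local.inbound_ipsec_ok and remote.inbound_ipsec_ok:
        return "either"            # both reachable; prefer the static side
    if remote.inbound_ipsec_ok:
        return "local-initiates"   # local is NATed, must dial out (NAT-T)
    if local.inbound_ipsec_ok:
        return "remote-initiates"
    return "neither"               # both behind CGNAT: needs a rendezvous host


if __name__ == "__main__":
    # Constructed scenario: California site has a public IP, Indian site
    # was moved by its ISP into 100.64.0.0/10.
    california = assess_wan("203.0.113.10", "203.0.113.10")
    india = assess_wan("100.72.3.4", "198.51.100.7")
    print(california)
    print(india)
    print("initiator plan (from India's point of view):",
          plan_tunnel(india, california))
```

On an EdgeOS or UniFi OS gateway the WAN interface address can be read from the gateway's SSH shell with `ip -4 addr`, and the observed address from any external IP-echo service queried through that WAN. A `cgnat` verdict on one side means the tunnel definition must treat that site as the initiator; a `cgnat` verdict on both sides means no direct site-to-site tunnel is possible without a third host.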

Prologue

Ubiquiti Networks offers a variety of products targeting the networking market. Wireless ISPs are an important market segment for the company (served by the airFiber line), but today's article focuses on the UniFi product line: a set of managed, software-defined networking appliances for small and medium businesses and prosumers. There are several reasons why UniFi products are so popular among tech-savvy consumers. The company gained a first-mover advantage by offering a cost-effective managed SDN solution. Separating functions into different devices (security gateways, routers, switches, and wireless access points) lets users pick equipment for their specific needs. A unified management plane for all UniFi products makes maintenance easy while preserving deployment flexibility, and the network scales easily as requirements change. The company started with a local management controller, which has since been augmented with a cloud-based service.

My first exposure to Ubiquiti was with their mFi line of products (which unfortunately went EOL). Its networked power outlets with energy monitoring and remote relay control were (and remain) more flexible than anything else on the market. I bought a few units for use in my home / AnandTech test lab and wrote a short review after using them for a few months (those units are still in use).

After the mFi review was published, Ubiquiti's PR department asked us to review the UniFi product line. Around 2017, I had the opportunity to put a wired Cat 6 backbone into every room of my house here in California, and Ubiquiti offered to spec out a UniFi system for testing. A USG Pro 4 gateway played the routing role and a UniFi Cloud Key (1st generation) played the controller role. Access points with different capabilities were installed throughout the house to avoid wireless dead spots, and a number of switches were placed in the media center and various lab locations. I ended up expanding the system myself with an additional PoE switch and an in-wall AP.

This system serves the usual guest wireless network and a number of different VLANs (for the IoT devices in the house, home lab equipment, and the usual family desktops, phones, etc.). Overall, it was overkill for a home. That said, this deployment has held up over five-plus years of heavy use (and still works well). The only problem I had was a few years ago, when I lost network access to the Cloud Key controller. It turned out that the database had been corrupted by a power outage; a few SSH commands (thanks to the helpful community) fixed it. I have since invested in a UPS for the rack that holds the UniFi equipment to avoid a recurrence of such scenarios.

Issues like these are also reasons why Ubiquiti devices are only recommended for tech-savvy users. Most of the time, calling the company's support line and creating a ticket is a waste of time. There are countless resources online (both the company's own user forums and countless prosumer bloggers such as Scott Hanselman and Troy Hunt). Given the reviews already available from such sources, readers don't have much to gain from yet another review of the Ubiquiti UniFi lineup. Instead, this series of articles takes specific use cases and looks at how Ubiquiti's product line can address them.

Earlier this year, when my parents returned to India, they decided to downsize their home. I took this opportunity to revamp their home network from scratch. I had long intended to add functionality to my parents' home network, but never got the chance because I was visiting them less frequently. On our first visit after the pandemic, we wanted to set a few things up as part of the relocation:

  • Easier remote management and troubleshooting of network issues without the need for port forwarding
  • Ability to seamlessly use the Indian home network while traveling, or from here in California
  • Ability to perform secure remote off-site backups of data without relying on external cloud storage providers
  • Ability to seamlessly consume Indian OTT service subscriptions regardless of whether the user is in California or India

When I first set up the Cloud Key in 2017, I didn't need a cloud account. Unfortunately, a few years ago the UniFi Network mobile application's user experience became very frustrating without a ui.com ID. I gave in and ended up associating my installation with a cloud identity just for this purpose. Since I was already using this identity to manage the network, it was an easy decision to use Ubiquiti for the deployment back in India.

The key to meeting the above requirements was a secure VPN tunnel between my home network here in California and my parents' network in India. Before the trip, I arranged to have a Ubiquiti Dream Machine delivered to their new home. The UniFi Dream Machine is an all-in-one UniFi starter kit: it integrates a 4-port switch, a 4×4 802.11ac access point, a security gateway, and a built-in controller. The Annapurna Labs AL314-based unit comes with a single WAN port and is a suitable solution for most home networks in the 1000 to 1200 square foot range.

From my use-case perspective, I wanted a solution that supports simple VPN tunnel configuration and easy app-based access to both the US and Indian networks through a single interface.

UniFi Evolution – A Short Recap

Ubiquiti's UniFi lineup came after its line of edge-focused products for WISPs started gaining traction in other markets. The EdgeRouters run EdgeOS, which is derived from Vyatta, and the UniFi gateways were originally launched on the same EdgeOS firmware base. The UniFi Security Gateway Pro 4 in my primary deployment still runs EdgeOS to this day.

The USG Pro 4 is based on Cavium's OCTEON II network SoC with MIPS64 application cores. Ubiquiti's current gateways, routers, and switches in the UniFi lineup, however, run a custom Debian-based Linux distribution. The UniFi Dream Machine uses the Annapurna Labs AL314 and runs a distribution for the AArch64 platform; on top of that base OS, the UniFi Network application itself runs as a container managed by podman.

The end result is quite a few disconnects between the features available in EdgeOS and in UbiOS / UniFi OS. Migrating from the EdgeOS line to UniFi OS is not trivial for heavily customized installations. With the shift of focus to UbiOS / UniFi OS, updates to older devices are almost non-existent. While this may not be a problem for stable networks, it means the older gear fails to keep up with evolving network security practices. For example, recent releases of Android dropped built-in L2TP/IPsec VPN support entirely, while EdgeOS still offers L2TP as the recommended VPN server type. This brings us to the topic of VPNs.

Ubiquiti stack VPN server options

Ubiquiti offers different VPN options depending on the gateway used. I've been running an L2TP VPN server for several years now on the USG Pro 4 here at home in California (so that I can connect from public coffee shops and airports for safe browsing). I had minimal trouble configuring it to be accessible from a Windows notebook. However, as mentioned in the previous subsection, this VPN server is useless for my phone running Android 12. The USG Pro 4 also supports PPTP VPN, but even Ubiquiti itself doesn't recommend it.

The main VPN server options on a UniFi Dream Machine running UbiOS / UniFi OS are quite different.

Teleport (Ubiquiti's customized WireGuard implementation) is the preferred option here. It is a one-click VPN better suited to today's mobile-first ecosystem. Clients are authenticated via an invitation that can be generated either from the configuration page (on the unifi.ui.com cloud or via the machine's local IP) or from the UniFi Network mobile app. The invitation is opened on the client device with the WiFiman mobile application. The bad news is that Windows users are out of luck: macOS, Android, and iOS are covered, but Windows is left behind. This is a very unfortunate situation, considering that EdgeOS's L2TP option works on Windows clients but not Android, while the UbiOS / UniFi OS Teleport option works on Android clients but not Windows. Note that the UDM still supports L2TP for Windows clients.

Under the Teleport and VPN section, Ubiquiti also offers the option to create a site-to-site VPN. Our story begins here.
