The new installation was smooth and the site-to-site VPN was up and running in a stable manner until the internet service provider at the remote site moved the gateway from a public-facing WAN to one behind a carrier-grade NAT. There are various options available for site-to-site VPNs with Ubiquiti’s gear. I encountered a number of issues worthy of documentation to help people who might encounter them in their installations. A step-by-step guide detailing my attempts to work around various pitfalls is included in this article.
Ubiquiti Networks sells a wide range of products. While wireless internet service providers (WISPs) are a key market segment for the company, today’s piece focuses on the UniFi product line, a family of managed, software-defined networking equipment aimed at small and medium-sized businesses. UniFi’s popularity has several reasons. The company was the first to offer a cost-effective managed solution, and because each function (gateway, switch, access point) lives in a separate device, users can pick and choose equipment based on their needs. A unified management plane makes the gear easy to maintain, and scaling the network as requirements grow is straightforward. The company started out with a locally hosted management controller.
Ubiquiti’s mFi product line was my first brush with the company. Their lineup of network-connected power outlets with energy and power monitoring and remote relay control was more flexible than anything else on the market, even before taking the low pricing into account. I bought a few of their units for home use and wrote a short review after a couple of months.
After I published the mFi review, Ubiquiti’s PR department contacted me about reviewing their UniFi product line. I was able to lay out a wired Cat 6 backbone to all of the rooms in my house in California, and was offered the chance to spec out a UniFi system. A UniFi Cloud Key performed controller duties for the USG Pro 4 gateway, access points with different capabilities were mounted around the house to avoid wireless dead spots, and a number of switches were placed in the media center. I have since added more PoE switches and in-wall APs to the system myself.
The system was configured with a guest wireless network and a number of VLANs separating different devices in the house, home lab equipment, and the common family desktop. That is overkill for a residential installation, but over the last five years the deployment has held its own. The only problem I had was when the Cloud Key controller became unresponsive on the network: a power interruption had corrupted its database, but nothing that a few commands couldn’t resolve, thanks to the helpful community. Since then, I have invested in a UPS for the rack that holds the UniFi equipment to make sure there is no repeat of such scenarios.
Because of issues like that, I recommend Ubiquiti equipment only to tech-savvy users. Calling the company’s support line or creating a ticket is, most of the time, a waste of time; the company’s own user forum and the many prosumer bloggers online are the better resource. Readers would gain little from yet another general review of the Ubiquiti UniFi lineup, so in these articles I hope to take up specific use-cases and figure out how Ubiquiti’s product lineup can address them.
My parents in India decided to downsize their home earlier this year, and I took the opportunity to improve their home network. I had intended to add features to it for a while but had never had the chance; with my visits becoming more frequent, I wanted to get a few things set up as part of their move, starting with my first visit:
Easier remote management of their network, without the need for port forwarding.
The ability for them to use their Indian home network while travelling here in California.
Secure offsite backups of my data without relying on an external cloud storage provider.
The ability to use Indian OTT service subscriptions regardless of whether the user is in California or India.
When I first set up the Cloud Key, there was no requirement to use a cloud account. Without a ui.com ID, however, the UniFi Network mobile app became quite awkward to use, so I associated my installation with a cloud ID just for that purpose. Since I was already managing my network through this ID, I decided to use Ubiquiti gear for my parents’ deployment as well.
A secure tunnel between my home network in California and my parents’ network in India was the key to fulfilling these requirements. I arranged for a UniFi Dream Machine to be delivered to the new home before I travelled. The UniFi Dream Machine (UDM) is an all-in-one device: a 4-port switch, a 4×4 access point, a security gateway, and an integrated controller, with a single WAN port. It is an acceptable solution for most home networks in the 1000 sq. ft – 1200 sq. ft range.
I wanted a solution that supported simple tunnel configuration and easy app-based access to both the US and Indian networks.
A short recap of the evolution of UniFi.
Ubiquiti’s UniFi lineup was launched after its edge-focused products for WISPs started gaining traction in other markets. The EdgeRouters and EdgeSwitches were based on Vyatta, and the early UniFi products started out on the same EdgeOS base; EdgeOS still runs on the UniFi Security Gateway Pro 4.
The USG Pro 4 is based on a Cavium application processor. Ubiquiti’s newer UniFi gateways, routers, and switches run a custom Linux distribution; the UniFi Dream Machine runs an AArch64 build of it, with UniFi OS itself running as a container on top of the base firmware.
There are considerable differences between the features available on EdgeOS and on UniFi OS, and migrating from the EdgeOS line to UniFi OS is not easy. With Ubiquiti’s focus shifting to UniFi OS, updates for the older equipment have become further and further apart. Sites with stable networks might not be concerned by that, but EdgeOS has not kept up with current network-security practice: it still recommends L2TP/IPsec as the VPN server type, while recent Android releases have dropped L2TP support entirely. Which brings us to the topic of VPNs.
VPN options in Ubiquiti’s stack.
Depending on the gateway in use, Ubiquiti offers a range of VPN options. For several years now I have been running an L2TP VPN server that lets me connect from public coffee shops and airports for secure browsing. I set it up for access from a notebook; I don’t use my mobile phone for anything other than surfing the web. The USG Pro 4 also supports PPTP, but Ubiquiti does not recommend it, and neither do I: PPTP’s MS-CHAPv2 authentication has been practically broken for years.
On the UniFi Dream Machine, the primary VPN server option is a different one.
Here, Ubiquiti’s WireGuard-based Teleport takes the lead. Teleport is a one-click VPN built for today’s mobile-first ecosystem: invites for clients are generated from the configuration page of the unifi.ui.com cloud or from the UniFi Network mobile app and opened on a mobile device. Windows users are left out in the cold, though: Teleport on UniFi OS has no Windows client, so they must fall back to L2TP, which the UDM still supports.
Ubiquiti also offers an option to create site-to-site VPNs, which is where our story begins.