Ubiquiti (Ubnt) devices, such as UniFi Security Gateways (USG), UniFi Dream Machines (UDM), and EdgeRouters, support VPN configurations for secure remote access or site-to-site connections. Here's an overview of the VPN types they support and how to set each one up:
- OpenVPN (Remote Access or Site-to-Site)
- IPSec/L2TP (Site-to-Site or Remote Access)
- WireGuard (native in newer UniFi Network versions; via manual install or third-party scripts on older firmware)
- PPTP (legacy, not recommended due to security flaws)
OpenVPN Setup (Remote Access)
On UniFi Network (UDM/USG)
- Enable OpenVPN Server:
  - Go to UniFi Network Settings → Teleport & VPN → OpenVPN.
  - Enable the OpenVPN server and configure:
    - Port (default: 1194)
    - Subnet for clients (e.g., 10.8.0.0/24; pick a range that does not overlap your LAN)
    - DNS settings (e.g., your LAN DNS or 1.1.1.1)
  - Download the .ovpn client config file. Treat it as a secret: it embeds the client's key material, so hand it to users over a secure channel and revoke it if a device is lost.
- Configure Firewall Rules (if needed):
  - Allow traffic from VPN clients to your LAN under Firewall & Security.
- Client Setup:
  - Use the .ovpn file with OpenVPN client apps (e.g., OpenVPN Connect).
- Use the
IPSec VPN (Site-to-Site)
On EdgeRouter or UniFi
- Phase 1 Settings (IKE, authentication):
  - Encryption: AES-256
  - Hash: SHA256
  - DH Group: 14 (or higher)
  - Lifetime: 28800
- Phase 2 Settings (ESP, data transfer):
  - Encryption: AES-256
  - PFS: Enable (DH Group 14)
- Peer Configuration:
  - Enter the remote gateway IP and pre-shared key (PSK). Use a long random PSK: it is the only thing authenticating the peer, and the Phase 1/2 parameters must match on both ends or negotiation fails.
  - Define local/remote subnets (e.g., 192.168.1.0/24 ↔ 10.0.0.0/24). The two sides mirror each other: Site A's local subnet is Site B's remote subnet.
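The Phase 1/2 and peer settings above, expressed as the EdgeOS `set` commands you would paste into `configure` on an EdgeRouter. This is an added example, not Ubiquiti's documentation or text from the page: the group name S2S0, the WAN addresses, the subnets, the WAN interface and the alphanumeric-PSK rule are assumptions, and IKEv2 is assumed (switch to ikev1 if the far end cannot do IKEv2). The function refuses identical local and remote prefixes and short PSKs before printing anything.

```shell
#!/bin/sh
# Added example (not from the page or Ubiquiti): render the EdgeOS CLI
# commands for a policy-based site-to-site IPsec tunnel using the page's
# Phase 1/2 parameters. Group name S2S0, addresses, subnets and the
# PSK rules are placeholder assumptions.
set -eu

# Usage: edgeos_s2s_config LOCAL_WAN_IP PEER_WAN_IP LOCAL_PREFIX REMOTE_PREFIX PSK [WAN_IFACE]
# Prints 'set' commands to paste into 'configure' on the EdgeRouter.
# Returns 1 without printing if the prefixes are identical (overlapping
# subnets are a classic cause of "tunnel up, no traffic") or if the PSK is
# shorter than 24 characters or not alphanumeric (so it needs no CLI quoting).
edgeos_s2s_config() {
  local_wan=$1 peer_wan=$2 local_prefix=$3 remote_prefix=$4 psk=$5
  wan_if=${6:-eth0}
  if [ "$local_prefix" = "$remote_prefix" ]; then
    echo "error: local and remote prefixes must differ" >&2
    return 1
  fi
  case $psk in
    *[!A-Za-z0-9]*) echo "error: PSK must be alphanumeric" >&2; return 1 ;;
  esac
  if [ ${#psk} -lt 24 ]; then
    echo "error: PSK too short; use a long random secret" >&2
    return 1
  fi
  cat <<EOF
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interfaces interface $wan_if
set vpn ipsec nat-traversal enable
set vpn ipsec ike-group S2S0 key-exchange ikev2
set vpn ipsec ike-group S2S0 lifetime 28800
set vpn ipsec ike-group S2S0 proposal 1 dh-group 14
set vpn ipsec ike-group S2S0 proposal 1 encryption aes256
set vpn ipsec ike-group S2S0 proposal 1 hash sha256
set vpn ipsec esp-group S2S0 lifetime 3600
set vpn ipsec esp-group S2S0 pfs dh-group14
set vpn ipsec esp-group S2S0 proposal 1 encryption aes256
set vpn ipsec esp-group S2S0 proposal 1 hash sha256
set vpn ipsec site-to-site peer $peer_wan authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $peer_wan authentication pre-shared-secret $psk
set vpn ipsec site-to-site peer $peer_wan ike-group S2S0
set vpn ipsec site-to-site peer $peer_wan local-address $local_wan
set vpn ipsec site-to-site peer $peer_wan tunnel 1 esp-group S2S0
set vpn ipsec site-to-site peer $peer_wan tunnel 1 local prefix $local_prefix
set vpn ipsec site-to-site peer $peer_wan tunnel 1 remote prefix $remote_prefix
commit
save
EOF
}

# Demo with documentation addresses (203.0.113.0/24 is reserved for examples).
# The PSK is read from the PSK environment variable so it never lands in shell history.
if [ "${1:-}" = "demo" ]; then
  edgeos_s2s_config 203.0.113.1 203.0.113.2 192.168.1.0/24 10.0.0.0/24 "${PSK:?set PSK}"
fi
```

Run the same function on the far-end router with the WAN addresses and the local/remote prefixes swapped; every Phase 1 and Phase 2 value must be identical on both peers. The Phase 2 lifetime of 3600 seconds is the usual EdgeOS default and is an assumption here, since the page only gives the Phase 1 lifetime.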
WireGuard (Advanced Setup)
Newer UniFi Network releases include a native WireGuard VPN server; on older UniFi OS firmware WireGuard is not built in but can be installed manually:
On UDM Pro/SE (via SSH)
- SSH into the device, enter the UniFi OS shell and install WireGuard (on firmware where unifi-os shell does not exist, run apt directly from the SSH session):
unifi-os shell
apt update && apt install -y wireguard
- Generate keys (set the umask first so the private key file is not world-readable) and configure wg0.conf:
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
- Start WireGuard:
wg-quick up wg0
- Configure clients (peer devices) with the server's public key and their allowed IPs.
Packages installed this way live outside the UniFi firmware image and are typically lost on a firmware update, so back up wg0.conf and the keys and expect to reinstall.
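A wg0.conf for the manual setup above and a matching client config, added here as an illustration; it is not code from the page or from Ubiquiti. It assumes the LAN bridge is br0, a 10.10.10.0/24 tunnel subnet, a LAN of 192.168.1.0/24 with the gateway 192.168.1.1 as DNS, and an endpoint vpn.example.com:51820; keys are generated with wg(8) only when it is installed.

```shell
#!/bin/sh
# Added example (not from the page or Ubiquiti): render a WireGuard server
# config for wg0 plus a matching client config. br0, 10.10.10.0/24,
# 192.168.1.0/24, 192.168.1.1 and vpn.example.com are placeholder assumptions.
set -eu

# Server side: wg0.conf. Arguments: SERVER_PRIVKEY LISTEN_PORT CLIENT_PUBKEY
render_wg0_conf() {
  server_priv=$1 port=$2 client_pub=$3
  cat <<EOF
[Interface]
Address = 10.10.10.1/24
ListenPort = $port
PrivateKey = $server_priv
# Forward only between the tunnel and the LAN bridge; masquerade so LAN hosts
# need no route back to 10.10.10.0/24. Plain Linux iptables rules (assumption:
# they may need adapting to the chains UniFi manages itself).
PostUp = iptables -A FORWARD -i wg0 -o br0 -j ACCEPT; iptables -A FORWARD -i br0 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o br0 -j ACCEPT; iptables -D FORWARD -i br0 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -t nat -D POSTROUTING -o br0 -j MASQUERADE

[Peer]
# Laptop. A /32 means the server accepts packets from this key only with
# source 10.10.10.2, so one peer cannot spoof another's tunnel address.
PublicKey = $client_pub
AllowedIPs = 10.10.10.2/32
EOF
}

# Client side. Arguments: CLIENT_PRIVKEY SERVER_PUBKEY SERVER_ENDPOINT [LAN_CIDR]
# AllowedIPs is a split tunnel limited to the VPN and LAN subnets, not 0.0.0.0/0.
render_client_conf() {
  client_priv=$1 server_pub=$2 endpoint=$3 lan=${4:-192.168.1.0/24}
  cat <<EOF
[Interface]
Address = 10.10.10.2/32
PrivateKey = $client_priv
DNS = 192.168.1.1

[Peer]
PublicKey = $server_pub
Endpoint = $endpoint
AllowedIPs = 10.10.10.0/24, $lan
PersistentKeepalive = 25
EOF
}

# Generate a keypair with wg(8). Prints "private public" on one line.
gen_keypair() {
  priv=$(wg genkey)
  pub=$(printf '%s\n' "$priv" | wg pubkey)
  printf '%s %s\n' "$priv" "$pub"
}

# Demo: write both configs with fresh keys, readable only by the owner.
if [ "${1:-}" = "demo" ] && command -v wg >/dev/null 2>&1; then
  umask 077
  set -- $(gen_keypair); s_priv=$1 s_pub=$2
  set -- $(gen_keypair); c_priv=$1 c_pub=$2
  render_wg0_conf "$s_priv" 51820 "$c_pub" > wg0.conf
  render_client_conf "$c_priv" "$s_pub" vpn.example.com:51820 > laptop.conf
  echo "wrote wg0.conf and laptop.conf"
fi
```

Saved as a script and run with the argument demo on a host that has wg installed, it writes wg0.conf (copy to /etc/wireguard/ before wg-quick up wg0) and laptop.conf for the client. Add one [Peer] block per client, each with its own key and its own /32; the server never needs a client's private key.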
Troubleshooting
- VPN Not Connecting?
  - Check firewall rules on the WAN side: UDP 1194 for OpenVPN; UDP 500 and 4500 plus ESP (IP protocol 50) for IPSec; the WireGuard ListenPort (commonly 51820).
  - Verify subnet conflicts (the VPN client range should not overlap the LAN on either end, and site-to-site LANs must not overlap each other).
  - Ensure NAT traversal is enabled (for IPSec behind NAT).
- Slow Performance?
  - Use AES hardware acceleration (supported on EdgeRouter/USG).
  - Prefer WireGuard for better speed (if available).
Recommended VPN for UniFi
- Remote Access: OpenVPN (easy setup) or WireGuard (faster).
- Site-to-Site: IPSec (compatible with most enterprise routers).
For UniFi Dream Machine (UDM), the built-in Teleport VPN (based on WireGuard) offers a simple remote-access solution via the UniFi Network app.
Would you like a detailed guide for a specific VPN type or device?