Unifi OS VPN Setup

on August 12, 2021

Something handy: the ability to access local network devices, files, and folders. From anywhere without using a cloud service like OneDrive or Google. That’s where a VPN (or Virtual Private Network) comes in. We’ll go through the Unifi OS VPN setup in this post. That being said, many middle to high end routers allow VPN setup, and most NAS boxes have it built in as well.

Benefits of a VPN

Before we start, let’s talk about why a VPN can be useful. I’ve already hit on one: local access to your home files, folders, and devices from anywhere. Additionally, VPNs offer a little more privacy when on public networks. Your connection is encrypted to your home router; while your home ISP can still see your traffic, the public wifi you’re using can’t see what you’re browsing. Since you’re attached via a tunnel to your home network, you also still get the benefits of any security services attached to your network (ad blockers, smart firewalls, etc.). Lastly, you don’t have to have a bunch of open ports to access network devices, and for the most part can disable remote admins of most devices. Both improve the security of your home network by reducing entry points for external agents.

Take this post for example, I’ve started this 400 miles from home sitting on the beach. Don’t judge my idea of relaxing. I’m also able to monitor everything going on at home; literally nothing goes on at home while away without us knowing about it.

Having a VPN has also saved my skin a few times when the better half calls to let me know something isn’t working with the Internet. As long as the connection is up and I have access to the VPN server, I can usually troubleshoot and fix the problem remotely. This is a good thing, since often waiting until my 11 hour shift is over isn’t usually a good option.

Drawbacks of using a VPN

While using your own VPN has some definite advantages, there are some drawbacks. First, should you choose not to host your own VPN server, your privacy is not your own. While your transactions may be hidden from the public wifi provider you’re using, the VPN provider still has 100% clarity on your data. Second, a VPN does not make up for good common sense. Don’t click on suspicious links. Duh. Third, a VPN will slow browsing speeds since your request is traveling all the way to your home network before accessing the web. Finally, should you not host your own server, many free VPN providers are more trouble than they are worth. You are the product; your information is captured and sold to third parties. Sorta defeats the purpose of privacy.

Importantly, although this should be obvious with using common sense, make sure the passwords you create for your VPN are strong. A system is only as strong as its weakest link, and a weak password just invites trouble.

Getting started: Unifi OS VPN setup

Enable the RADIUS Server

The first step in the Unifi OS is to enable the RADIUS server. This server handles all incoming remote connection requests and authenticates them.

Unifi likes to change the UI look frequently lately, but right now the RADIUS configuration can be found under Settings>Advanced>Features>RADIUS.

We’re going to use the default RADIUS profile, so either enable or add a RADIUS profile.

The default profile settings are relatively simple; of note the first thing to add here is a secret key. Make this complicated; this is one of the parts of the authentication process to make sure the client connecting to the network is actually authorized.

Once the key is created we need to create a user.

Expand the RADIUS Users menu and hit the link to create new user. Similar to the pre-shared key you created, create a strong password. Importantly, make sure it is different than the pre-shared key.

Likewise, if you know you are going to assign the VPN to a VLAN, give it the desired VLAN ID. This is useful if you want to limit VPN traffic to devices via firewall rules.

Next, specify the type of tunnel you will be using to access the server. There are several options available, but in this case we’re going to choose L2TP.

Lastly, specify IPv4 for the medium type.

Hit “Create User” to save a close.

Create the VPN

Next, create a new VPN network. To do this head over to the Networks page in the Unifi OS.

We’re going to start by adding a new network. Once in the network creation page, give the network a name and open the VPN settings menu.

Couple of items to pay attention to in this section. First, you want to select the “Remote Access” option for the VPN. You’ll notice the protocol has already been selected as L2TP. Second, fill in the pre-shared secret key you created during RADIUS setup. Next, fill in your public IP address. This is provided by your ISP; if you don’t know it, the best way to find it is to head to your dashboard. Check the top left section; next to WAN IP it will list the public IP address of the UDM. You can also go to an external site to grab this.

One key item to note: unless you have a static IP address from your ISP (and you most likely don’t), the public IP may change occasionally. One way around this is to use dynamic DNS (or DDNS), but that’s a topic for a different post. The takeaway is that you will need to remember to change the public IP if your address changes. Of note, my ISP typically doesn’t change my public IP very often (I’ve had the same one for years). Typically, it has only changed when I update my modem.

The last few items you’ll notice are the RADIUS profiles. These are imported automatically. The last item is under the advanced menu. Open it up and enable the option for MSCHAPv2. This is important for Windows PC VPNs.

Hit “Create Network” when done. Optionally, you can specify the subnet you want the VPN to use, as well as the number of allowed clients. I bumped mine down to 12 clients, since I should never have that many users connected.

Unifi OS VPN Setup: Client Access

Android Setup

For setup on Android mobile devices, start by going to connection settings. Under Settings>Connections>More Connection Settings>VPN open the options and “Add a VPN Profile”.

Once in the VPN settings, give the network a name. Next select the type of VPN network. For our case, select “L2TP/IPSec PSK”. Importantly, the type of VPN selected here has to match the type of VPN set up on the Unifi server.

Next, type in the server address. This is the public IP address you entered into the server. Again, if this is changed by your ISP, you have to change it here.

Keep scrolling and enter the IPSec Pre-shared Key. Again, this was created during RADIUS setup.

Finally, enter your username and password for your RADIUS account. Once complete, hit save. Optionally, you can make this an always-on VPN. Note that this does reduce battery life and increase mobile data usage.

To connect, simply tap on the VPN network and hit connect. After a few moments of negotiating with the server you’ll be in business.

Windows 10 Setup

Continuing the Unifi OS VPN setup with a Windows 10 tablet or laptop, start by going to computer settings. Select “Network and Internet” and then “VPN”.

At this point these settings should be familiar. We’ll be using the built-in Windows VPN provider. On this dialogue screen name the VPN. Next, fill in the public IP address of the server and select the VPN type. Again, this is L2TP/IPsec with a pre-shared key. Fill in the remaining info and hit Save when done.

To connect, visit the VPN page when connected to the Internet and hit connect. Of note, if you get a message that the security settings do not match those on the server you forgot to enable MSCHAPv2 on the VPN server. Go back to the Unifi OS UI and edit the VPN network. Under advanced options, make sure MSCHAPv2 is enabled.

Unifi OS VPN Setup: Wrapping it up

At this point you should have successfully been able to setup and connect to your home LAN via VPN. You can visit the Unifi setup page for more advanced options, although they haven’t updated it for the new UI yet. Head to this post if you want to learn how to create friendly address names for devices (so you don’t have to remember specific IP addresses).

Author: Zack

Pharmacist, tech guy, pianist, lover of beer, gamer, beach bum. Probably missed something. Just assume I'm into a little bit of everything.

Categories:

Networking

Tags:

Network Security Synology Ubiquiti Unifi VPN

Cookie	Duration	Description
__stripe_mid	1 year	Stripe sets this cookie cookie to process payments.
__stripe_sid	30 minutes	Stripe sets this cookie cookie to process payments.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
enforce_policy	1 year	PayPal sets this cookie for secure transactions.
ts	3 years	PayPal sets this cookie to enable secure transactions through PayPal.
ts_c	3 years	PayPal sets this cookie to make safe payments through PayPal.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
nsid	session	This cookie is set by the provider PayPal to enable the PayPal payment service in the website.
tsrce	3 days	PayPal sets this cookie to enable the PayPal payment service in the website.
x-pp-s	session	PayPal sets this cookie to process payments on the site.

Cookie	Duration	Description
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__wpdm_client	session	No description
akamai_visit_id	2 years	No description
Akamai-Request-ID	session	No description
ASPSESSIONIDQWTQBRCS	session	No description
LANG	9 hours	No description
m	2 years	No description available.
s_vi_ebeaip	2 years	No description available.
TS016300fb	session	No description
TS0196e5be	session	No description
wpinv_session_7d6108ef3fd1b22097ccb955d0f85b0b	2 days	No description

Unifi OS VPN Setup

Benefits of a VPN

Drawbacks of using a VPN