Something handy: the ability to access local network devices, files, and folders from anywhere, without using a cloud service like OneDrive or Google. That’s where a VPN (or Virtual Private Network) comes in. We’ll go through the Unifi OS VPN setup in this post. That being said, many mid- to high-end routers allow VPN setup, and most NAS boxes have it built in as well.
Benefits of a VPN
Before we start, let’s talk about why a VPN can be useful. I’ve already hit on one: local access to your home files, folders, and devices from anywhere. Additionally, VPNs offer a little more privacy when on public networks. Your connection is encrypted between your device and your home router; while your home ISP can still see your traffic, the public wifi you’re using can’t see what you’re browsing. Since you’re attached via a tunnel to your home network, you also still get the benefits of any security services attached to your network (ad blockers, smart firewalls, etc.). Lastly, you don’t have to have a bunch of open ports to access network devices, and for the most part you can disable remote administration on most devices. Both improve the security of your home network by reducing the entry points available to outside parties.
Take this post, for example: I started it 400 miles from home, sitting on the beach. Don’t judge my idea of relaxing. I’m also able to monitor everything going on at home; literally nothing goes on at home while we’re away without us knowing about it.
Having a VPN has also saved my skin a few times when the better half calls to let me know something isn’t working with the Internet. As long as the connection is up and I have access to the VPN server, I can usually troubleshoot and fix the problem remotely. This is a good thing, since waiting until my 11-hour shift is over usually isn’t a good option.
Drawbacks of using a VPN
While using your own VPN has some definite advantages, there are some drawbacks. First, should you choose not to host your own VPN server, your privacy is not your own. While your traffic may be hidden from the public wifi provider you’re using, the VPN provider still has full visibility into your data. Second, a VPN does not make up for good common sense. Don’t click on suspicious links. Duh. Third, a VPN will slow browsing speeds, since your request travels all the way to your home network before heading out to the web. Finally, should you not host your own server, many free VPN providers are more trouble than they are worth. You are the product; your information is captured and sold to third parties. Sorta defeats the purpose of privacy.
Importantly, although this should be obvious with using common sense, make sure the passwords you create for your VPN are strong. A system is only as strong as its weakest link, and a weak password just invites trouble.
Getting started: Unifi OS VPN setup
Enable the RADIUS Server
The first step in the Unifi OS is to enable the RADIUS server. This server handles all incoming remote connection requests and authenticates them.
Unifi has been changing the look of the UI frequently lately, but right now the RADIUS configuration can be found under Settings>Advanced>Features>RADIUS.
We’re going to use the default RADIUS profile, so either enable or add a RADIUS profile.
The default profile settings are relatively simple; of note, the first thing to add here is a secret key (the pre-shared key). Make this complicated; it is one of the parts of the authentication process that makes sure the client connecting to the network is actually authorized.
Once the key is created we need to create a user.
Expand the RADIUS Users menu and hit the link to create a new user. Similar to the pre-shared key you created, create a strong password. Importantly, make sure it is different from the pre-shared key.
Likewise, if you know you are going to assign the VPN to a VLAN, give it the desired VLAN ID. This is useful if you want to limit which devices VPN clients can reach via firewall rules.
Next, specify the type of tunnel you will be using to access the server. There are several options available, but in this case we’re going to choose L2TP.
Lastly, specify IPv4 for the medium type.
Hit “Create User” to save and close.
Create the VPN
Next, create a new VPN network. To do this head over to the Networks page in the Unifi OS.
We’re going to start by adding a new network. Once in the network creation page, give the network a name and open the VPN settings menu.
A couple of items to pay attention to in this section. First, you want to select the “Remote Access” option for the VPN. You’ll notice the protocol has already been selected as L2TP. Second, fill in the pre-shared secret key you created during RADIUS setup. Next, fill in your public IP address. This is provided by your ISP; if you don’t know it, the best way to find it is to head to your dashboard. Check the top left section; next to WAN IP it will list the public IP address of the UDM. You can also go to an external site to grab this.
One key item to note: unless you have a static IP address from your ISP (and you most likely don’t), the public IP may change occasionally. One way around this is to use dynamic DNS (or DDNS), but that’s a topic for a different post. The takeaway is that you will need to remember to change the public IP if your address changes. Of note, my ISP typically doesn’t change my public IP very often (I’ve had the same one for years). It has only changed when I update my modem.
The next items you’ll notice are the RADIUS profiles; these are imported automatically. The last item is under the advanced menu. Open it up and enable the option for MSCHAPv2. This is important for Windows PC VPNs.
Hit “Create Network” when done. Optionally, you can specify the subnet you want the VPN to use, as well as the number of allowed clients. I bumped mine down to 12 clients, since I should never have that many users connected.
Unifi OS VPN Setup: Client Access
For setup on Android mobile devices, start by going to connection settings. Under Settings>Connections>More Connection Settings>VPN open the options and “Add a VPN Profile”.
Once in the VPN settings, give the network a name. Next select the type of VPN network. For our case, select “L2TP/IPSec PSK”. Importantly, the type of VPN selected here has to match the type of VPN set up on the Unifi server.
Next, type in the server address. This is the public IP address you entered into the server. Again, if this is changed by your ISP, you have to change it here.
Keep scrolling and enter the IPSec Pre-shared Key. Again, this was created during RADIUS setup.
Finally, enter your username and password for your RADIUS account. Once complete, hit save. Optionally, you can make this an always-on VPN. Note that this does reduce battery life and increase mobile data usage.
To connect, simply tap on the VPN network and hit connect. After a few moments of negotiating with the server you’ll be in business.
Windows 10 Setup
Continuing the Unifi OS VPN setup with a Windows 10 tablet or laptop, start by going to computer settings. Select “Network and Internet” and then “VPN”.
At this point these settings should be familiar. We’ll be using the built-in Windows VPN provider. On this dialog, name the VPN. Next, fill in the public IP address of the server and select the VPN type. Again, this is L2TP/IPsec with a pre-shared key. Fill in the remaining info and hit Save when done.
To connect, visit the VPN page when connected to the Internet and hit connect. Of note, if you get a message that the security settings do not match those on the server, you forgot to enable MSCHAPv2 on the VPN server. Go back to the Unifi OS UI and edit the VPN network. Under advanced options, make sure MSCHAPv2 is enabled.
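The same Windows client setup can be scripted from PowerShell, which also makes it easy to check that the connection's authentication method matches the MSCHAPv2 option on the UDM. This is an added example, not from the original post; the connection name and server address are placeholders, and the pre-shared key is prompted for rather than typed into the script.

```powershell
# Added example: create the L2TP/IPsec PSK connection described above from PowerShell.
# Placeholders: replace $VpnName and $ServerIp with your own values (the WAN IP of the UDM,
# or a DDNS name if you set one up).
$VpnName  = "Home VPN"
$ServerIp = "203.0.113.10"   # placeholder WAN IP, not a real address

# Prompt for the pre-shared key so it is not stored in the script or shell history.
$PskSecure = Read-Host -Prompt "IPsec pre-shared key" -AsSecureString
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PskSecure)
$Psk  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# TunnelType L2tp + L2tpPsk matches the "L2TP/IPsec with pre-shared key" choice in Settings.
# AuthenticationMethod MSChapv2 must match the MSCHAPv2 option enabled under the
# VPN network's advanced menu on the UDM, otherwise Windows reports that the
# security settings do not match those on the server.
# -Force suppresses the prompt Windows shows because the PSK is stored locally.
Add-VpnConnection -Name $VpnName `
    -ServerAddress $ServerIp `
    -TunnelType L2tp `
    -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential `
    -Force

# Clear the plaintext copy of the key once it has been handed to the RAS phonebook.
Remove-Variable Psk

# Review the settings that usually cause a mismatch error before trying to connect.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Connect with the RADIUS username created earlier; "*" makes rasdial prompt for the password.
# rasdial $VpnName "radius-user" *
# Disconnect when done:
# rasdial $VpnName /disconnect
```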
Unifi OS VPN Setup: Wrapping it up
At this point you should have been able to set up and connect to your home LAN via VPN. You can visit the Unifi setup page for more advanced options, although they haven’t updated it for the new UI yet. Head to this post if you want to learn how to create friendly address names for devices (so you don’t have to remember specific IP addresses).