The Ubiquiti Diaries: A Web site-to-Web site VPN Story

Ubiquiti Networks is a well-liked vendor of networking-related gear within the SMB / SME area. Their gear is immensely in style amongst prosumers too, due to the mixture of ease of use and the flexibility to customise for particular necessities. I’ve been working an Ubiquiti UniFi set up at house for the final 5 years or so, and lately had the chance to create a brand new deployment abroad. There have been two predominant causes to go together with Ubiquiti for the brand new location – a single administration aircraft for each websites, and the flexibility to simply create a site-to-site VPN.

The brand new set up was pretty easy and the site-to-site VPN was up and working in a steady method till the ISP on the distant web site moved the gateway from a public-facing WAN IP to 1 behind a carrier-grade NAT (CGNAT). That began a deeper investigation into varied choices accessible for site-to-site VPNs with Ubiquiti’s gear for various eventualities. On this course of, I ended up encountering a bunch of points worthy of documentation to assist people who would possibly encounter them in their very own installations. This text supplies a recount of my journey down the rabbit gap – together with a step-by-step information detailing my makes an attempt to work across the varied pitfalls.

Introduction

Ubiquiti Networks affords a variety of merchandise focusing on the networking market. Whereas wi-fi ISPs are a key market phase for the corporate (serviced by the airFiber line), at present’s piece is concentrated on their UniFi product line – a variety of managed software-defined networking gear for SMBs, SMEs, and prosumers. There are a variety of causes for UniFi’s reputation merchandise amongst tech-savvy shoppers. The corporate had a first-mover benefit in providing an economical managed SDN answer. Isolating performance into completely different gadgets (safety gateways, routers, switches, and wi-fi entry factors) allowed customers to choose and select completely different gear based mostly on their customized wants. The unified administration aircraft for all of the UniFi merchandise permits simple upkeep whereas retaining deployment flexibility. Community scaling in response to requirement adjustments can be easy. The corporate began out with a neighborhood administration controller, which has now been augmented with a cloud-based providing.

My first brush with Ubiquiti was their mFi product line (which has since been sadly EOL-ed). Their lineup of network-connected energy retailers with vitality and energy monitoring, in addition to distant relay management was (and continues to be) extra versatile than anything available in the market – and this was with out even taking the low pricing under consideration. I had bought a number of of their models for my house / AnandTech testing lab use, and written a brief evaluate after a few months of use (these models are nonetheless in deployment).

After I revealed the mFi evaluate, Ubiquiti’s PR division approached me with a proposal to evaluate their UniFi product line. Round that point again in 2017, I had the chance to put out a wired Cat 6 spine for all of the rooms in my home right here in California. I took up the provide to spec out a UniFi system for testing out. The USG Professional 4 gateway took up the routing duties with a UniFi Cloud Key (first era) performing controller duties. Entry factors with various capabilities have been mounted round the home to keep away from wi-fi dead-spots. Numerous switches have been positioned within the media middle and completely different lab areas. I ended up augmenting the system with extra PoE switches and in-wall APs alone.

The system was configured with the same old visitor wi-fi community, and a bunch of various VLANs (serving the IoT gadgets in the home, the house lab gear, and one other for gadgets such because the frequent household desktop, telephones, and many others.). On the entire, it was an overkill for a residential set up. That stated, the deployment has held its personal over 5 years of hectic utilization (and nonetheless going robust). The one hiccup I had was when the CloudKey controller grew to become inaccessible on the community a few years again. It turned out {that a} energy interruption had ended up corrupting the database – nothing that a number of SSH instructions (due to the useful group) could not resolve. Since then, I ended up investing in a UPS for the rack holding the UniFi gear to keep away from the recurrence of such eventualities.

Such points are additionally the rationale why I like to recommend Ubiquiti gear solely to tech-savvy customers. In nearly all circumstances, calling up the corporate’s help line and making a ticket finally ends up being a waste of time. There are innumerable assets on-line (each the corporate’s personal customers discussion board, in addition to numerous prosumer bloggers resembling Scott Hanselman and Troy Hunt. In gentle of evaluations from such sources, there may be not a lot for readers to achieve from posting one more evaluate of the Ubiquiti UniFi lineup. As a substitute, I’m hoping to take up particular use-cases and determine how Ubiquiti’s product lineup can tackle these in these sequence of articles.

Earlier this 12 months, my dad and mom again in India determined to downsize their house. I took the chance to revamp their house community from the ground-up. I had been intending so as to add options to the house community of my dad and mom, however had by no means had the chance as a result of my visits have been changing into rare. Nevertheless, with my first go to post-pandemic, I wished to get a number of issues arrange as a part of their transfer:

• Simpler distant administration and troubleshooting of community points with out the necessity for port forwarding.
• Capacity to seamlessly use their Indian house community throughout journey / visits over right here to California
• Capacity to carry out safe distant offsite backups for my knowledge with out counting on an exterior cloud storage supplier
• Capacity to seamlessly make the most of Indian OTT service subscriptions regardless of consumer location both in California or in India

After I initially arrange the Cloud Key again in 2017, there was no requirement to make use of a cloud account. Sadly, the UniFi Community cell utility consumer expertise grew to become fairly onerous with no ui.com ID a few years again. I caved in and ended up associating my set up with a cloud ID only for this goal. Since I used to be already managing my community by way of this ID, it grew to become an easy resolution to go together with Ubiquiti for the deployment again in India.

The important thing to fulfilling the above necessities was a safe VPN tunnel between my house community right here in California and my dad and mom’ community in India. Previous to touring, I organized for a Ubiquiti Dream Machine to be delivered to the brand new house. The Ubiquiti UniFi Dream Machine is an all-in-one answer / UniFi starter package. It integrates a 4-port swap, a 4×4 802.11ac entry level, a safety gateway, and an built-in controller. The Annapurna Labs AL314-based answer comes with a single WAN port, and is a suitable answer for many house networks within the the 1000 sq. ft – 1200 sq. ft vary.

From my use-case perspective, I wished an answer that will help easy VPN tunnel configuration and straightforward app-based entry for each the US and Indian networks by way of a single interface.

The Evolution of UniFi – A Quick Recap

Ubiquiti’s UniFi lineup was launched after their lineup of edge-focused merchandise for WISPs began gaining traction in different markets. These EdgeRouters and EdgeSwitches have been based mostly on Vyatta OS, and the UniFi merchandise initially began out with the identical EdgeOS firmware base. The UniFi Safety Gateway Professional 4 in my major deployment runs EdgeOS to this point.

The USG Professional 4 is predicated on Cavium’s OCTEON II networking SoC, with a MIPS64 utility processor. Nevertheless, Ubiquiti’s newest gateways / routers / switches within the UniFi lineup now run a customized Debian-based Linux distribution. The UniFi Dream Machine makes use of the Annapurna Labs AL314, and runs a distribution meant for the AArch64 platform. The UniFi OS itself runs as a container utilizing podman.

The top result’s that there are fairly a variety of disconnects between the options accessible on EdgeOS and UbiOS / UniFi OS. Migration from the EdgeOS line to UniFi OS isn’t easy sufficient for closely custom-made installs. With focus shifting to UbiOS / UniFi OS, the updates for the older gear have change into few and much aside. Whereas that may not be a priority for steady networks, it has sadly not saved updated with evolving community safety practices. For instance, Android’s latest releases have fully dropped help for L2TP VPNs, whereas EdgeOS has L2TP because the advisable VPN server kind. This brings us to the subject of VPNs.

VPN Server Choices in Ubiquiti’s Stack

Ubiquiti affords a variety of VPN choices relying on the gateway getting used. At house right here in California with the USG Professional 4, I’ve been working a L2TP VPN server (permitting me to connect with it from public espresso outlets and airports for safe searching functions) for a number of years now. I had minimal bother setting it up for entry from a Home windows pocket book. Nevertheless, as talked about within the earlier sub-section, this VPN server is of no use for my cell phone working Android 12. The USG Professional 4 additionally helps PPTP VPN, however it’s not advisable even by Ubiquiti themselves.

The first choice for a VPN server within the UniFi Dream Machine working UbiOS / UniFi OS is kind of completely different.

Right here, Teleport (Ubiquiti’s custom-made Wireguard implementation) takes priority. This can be a one-click VPN extra in tune with at present’s mobile-first ecosystem. Shoppers are approved by way of invitations that may be generated both from the configuration web page (on the unifi.ui.com cloud, or by way of the machine’s native IP) or the UniFi Community cell app. The invitations may be opened on the shopper gadget utilizing the Wifiman cell utility. The unlucky side right here is that Home windows customers are out of luck. Whereas MacOS, Android, and iOS are coated, Home windows customers are left within the lurch. This can be a massively disappointing scenario on condition that the L2TP choice in EdgeOS works with Home windows purchasers, however not Android and the Teleport choice in UbiOS / UniFi OS works with Android purchasers, however not Home windows. It should be famous that the UDM nonetheless helps L2TP for Home windows purchasers.

Beneath the Teleport & VPN part, Ubiquiti additionally supplies an choice to create site-to-site VPNs, which is the place our story begins.