Ubiquiti EdgeRouter site-to-site VPN setup guide: how to configure an IPsec site-to-site VPN with EdgeRouter for remote networks, step by step
Yes, you can set up a Ubiquiti EdgeRouter site-to-site VPN. This guide walks you through a practical, no-fluff approach to linking two EdgeRouter devices over IPsec, so both sites can talk securely as if they were on the same network. You’ll get a clean, step-by-step plan, plus real-world tips, pitfalls to avoid, and firewall considerations. If you’re the kind of person who learns by doing, you’ll appreciate the CLI and GUI options, plus troubleshooting tricks you can pull up on the fly.
What you’ll learn in this guide
- How IPsec site-to-site VPN works between two EdgeRouter devices
- How to plan networks, addresses, and subnets for a clean tunnel and avoid IP conflicts
- Step-by-step CLI configuration for both sites with ready-to-copy commands
- Step-by-step GUI configuration for those who prefer a visual approach
- How to test the tunnel, verify traffic, and fix common issues
- Best practices for security, performance, and maintainability
- Quick references for dynamic IPs, NAT, and firewall rules
Introduction: Ubiquiti EdgeRouter site-to-site VPN in plain terms
- What it is: a secure tunnel between two EdgeRouter devices that lets devices on one network reach devices on the other network as if they were local peers.
- Why you’d want it: secure, private inter-office links, remote worker access to internal services, or linking a home lab to a remote site without exposing everything to the internet.
- What you’ll need: two EdgeRouter devices with public IPs or at least reachable IPs, shared PSK or certificates, subnet planning, and basic firewall rules.
Before we dive into the steps, a quick note on scope and planning
- Identify networks: for example, Site A uses 10.1.0.0/24 and Site B uses 10.2.0.0/24; the tunnel carries traffic between these two subnets, so they must not overlap.
- Public addresses: Each site needs a public IP or a resolvable endpoint that the other site can reach. If you’re behind CGNAT or a dynamic IP, plan for dynamic DNS and update scripts.
- Security choice: a PSK (pre-shared key) is simplest. For larger deployments that need stronger security, you can move to certificate-based authentication with certificates issued by a CA.
- Traffic scope: Decide if you want full-tunnel all traffic between sites or only specific subnets to traverse the VPN. Full-tunnel is simpler but uses more bandwidth on the VPN.
Useful resources
- Ubiquiti EdgeRouter documentation
- EdgeOS CLI reference
- IPSec VPN basics
- Community forums and troubleshooting guides
Now, let’s get hands-on with two common approaches: CLI-first (for hands-on networking folks) and GUI-first (for those who prefer a visual interface).
Section 1: CLI step-by-step configuration for two EdgeRouters Site A and Site B
Overview
- You’ll configure: IPsec IKE group, ESP group, the site-to-site peer, tunnel endpoints, and local/remote prefixes for your networks.
- Assumptions: Site A public IP is 203.0.113.1, Site B public IP is 203.0.113.2. Site A LAN is 10.1.0.0/24, Site B LAN is 10.2.0.0/24. PSK is “yoursecretpsk”.
Site A CLI configuration
- Replace addresses, subnets, and PSK with your actual values.
configure
# Phase 1 (IKE): AES-256, SHA-256, DH group 14; lifetime in seconds
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 14
set vpn ipsec ike-group IKE-GROUP lifetime 3600
# Phase 2 (ESP): same algorithms, with PFS so each child SA gets a fresh DH exchange
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP pfs enable
set vpn ipsec esp-group ESP-GROUP lifetime 3600
# WAN interface that terminates the tunnel, plus automatic NAT exclusion and firewall exceptions for tunnel traffic
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
# EdgeOS keys the peer entry by the remote site's public address; local-address is this router's own WAN address
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'yoursecretpsk'
set vpn ipsec site-to-site peer 203.0.113.2 description 'Site A to Site B'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-GROUP
set vpn ipsec site-to-site peer 203.0.113.2 local-address 203.0.113.1
# Traffic selectors: the ESP group and the subnets that ride tunnel 1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 10.2.0.0/24
commit
save
Notes for Site A CLI
- Each peer entry describes one remote site; add another peer entry (with its own tunnel prefixes) for each additional site you link.
- If you run into MTU issues, consider adjusting the MTU for the tunnel or enabling PMTUD.
Site B CLI configuration (mirror of Site A with Site B’s details: repeat the IKE-GROUP, ESP-GROUP, ipsec-interfaces and auto-firewall-nat-exclude lines unchanged, then enter the peer entry with the roles reversed)
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'yoursecretpsk'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-GROUP
set vpn ipsec site-to-site peer 203.0.113.1 local-address 203.0.113.2
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.2.0.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 10.1.0.0/24
Verify and test from CLI Site A
- Check the status of IPsec:
show vpn ipsec sa
- Look for an established Security Association (SA): the remote peer address should be listed with the tunnel in an up/established state.
- Ping a host at Site B from Site A:
ping 10.2.0.10
- If you don’t get responses, inspect the tunnel logs and SA status again. You may need to check:
- Is the PSK the same on both sides?
- Are the local/remote addresses correct?
- Are the local prefixes and remote prefixes accurate?
- Is the traffic selector tunnel 1 correctly identifying the subnets?
Common CLI issues and quick fixes
- PSK mismatch: Re-enter the PSK on both sides.
- NAT traversal: if either site is behind NAT, make sure NAT-Traversal (NAT-T) support is enabled; it is usually on by default in EdgeOS builds.
- Firewall blocks: UDP 500 (IKE/ISAKMP), UDP 4500 (NAT-T) and ESP (IP protocol 50) must be allowed to reach the router on the WAN interface.
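Added example, not part of this guide or of EdgeOS: a small Python check that parses both sites’ set vpn ipsec lines and reports the mismatches the two lists above ask you to verify by hand (PSK, swapped peer/local addresses, swapped tunnel prefixes, matching IKE/ESP proposals), plus overlapping LAN prefixes from the planning section. It assumes the EdgeOS form where the peer entry is keyed by the remote address and the ESP group is set under tunnel 1; the site_config() sample and its values are constructed for illustration.

```python
import ipaddress
import shlex

def parse_set_lines(text):
    """Map each 'set vpn ipsec <path> <value>' line to {path_tuple: value}; other lines are skipped."""
    rows = (shlex.split(line) for line in text.splitlines() if line.startswith("set vpn ipsec "))
    return {tuple(t[3:-1]): t[-1] for t in rows}

def peer_summary(cfg):
    """Pull out the settings that must agree with (or mirror) the other site."""
    peer = next(p[2] for p in cfg if p[:2] == ("site-to-site", "peer"))
    b = ("site-to-site", "peer", peer)
    def proposal(kind, name):  # algorithms of proposal 1 in the named IKE or ESP group
        return {p[-1]: v for p, v in cfg.items() if p[:3] == (kind, name, "proposal")}
    esp = cfg.get(b + ("tunnel", "1", "esp-group")) or cfg[b + ("default-esp-group",)]
    return {"peer": peer, "local": cfg[b + ("local-address",)],
            "psk": cfg[b + ("authentication", "pre-shared-secret")],
            "lp": ipaddress.ip_network(cfg[b + ("tunnel", "1", "local", "prefix")]),
            "rp": ipaddress.ip_network(cfg[b + ("tunnel", "1", "remote", "prefix")]),
            "ike": proposal("ike-group", cfg[b + ("ike-group",)]), "esp": proposal("esp-group", esp)}

def check_pair(text_a, text_b):
    """Return the mismatches between the two sites' configs; an empty list means they agree."""
    a, b = peer_summary(parse_set_lines(text_a)), peer_summary(parse_set_lines(text_b))
    checks = [
        (a["peer"] != b["local"] or b["peer"] != a["local"], "peer address and local-address are not mirrored"),
        (a["psk"] != b["psk"], "pre-shared-secret differs between sites"),
        (a["lp"] != b["rp"] or a["rp"] != b["lp"], "tunnel 1 local/remote prefixes are not mirrored"),
        (a["lp"].overlaps(b["lp"]), "the two LAN prefixes overlap, so the tunnel cannot route between them"),
        (a["ike"] != b["ike"], f"IKE proposal differs: {a['ike']} vs {b['ike']}"),
        (a["esp"] != b["esp"], f"ESP proposal differs: {a['esp']} vs {b['esp']}"),
    ]
    return [msg for failed, msg in checks if failed]

def site_config(local, peer, local_prefix, remote_prefix, psk):
    """Constructed sample: one site's peer config in the shape of the CLI blocks above."""
    p = f"set vpn ipsec site-to-site peer {peer}"
    return "\n".join([
        "set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256",
        "set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256",
        "set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 14",
        "set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256",
        "set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256",
        f"{p} authentication pre-shared-secret '{psk}'", f"{p} ike-group IKE-GROUP",
        f"{p} local-address {local}", f"{p} tunnel 1 esp-group ESP-GROUP",
        f"{p} tunnel 1 local prefix {local_prefix}", f"{p} tunnel 1 remote prefix {remote_prefix}"])

# The guide's Site A and Site B mirrored correctly, so check_pair(SITE_A, SITE_B) returns [].
SITE_A = site_config("203.0.113.1", "203.0.113.2", "10.1.0.0/24", "10.2.0.0/24", "yoursecretpsk")
SITE_B = site_config("203.0.113.2", "203.0.113.1", "10.2.0.0/24", "10.1.0.0/24", "yoursecretpsk")
```

Paste the real set lines of both routers (from show configuration commands) into check_pair() to catch a typo before you start reading IPsec logs.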
Section 2: GUI step-by-step configuration EdgeOS UI
If you prefer the visual route, here’s how to set it up in the EdgeRouter GUI.
Site A EdgeRouter GUI
- Sign in to the EdgeRouter web UI.
- Go to VPN > IPsec > Add Peer.
- Remote Address: Site B’s public IP (e.g., 203.0.113.2)
- Local Address: Site A’s public IP (e.g., 203.0.113.1)
- Authentication: Pre-Shared Secret
- Shared Secret: yoursecretpsk
- IKE Group: IKE-GROUP (AES-256, SHA-256)
- ESP Group: ESP-GROUP (AES-256, SHA-256)
- Create the Phase 1 (IKE) and Phase 2 (ESP) profiles if your UI version asks for them.
- Under Tunnels, map:
- Local Subnet: 10.1.0.0/24
- Remote Subnet: 10.2.0.0/24
- Save and apply.
Site B EdgeRouter GUI
- Mirror the same settings with roles reversed:
- Remote Address: Site A’s public IP (203.0.113.1)
- Local Subnet: 10.2.0.0/24
- Remote Subnet: 10.1.0.0/24
- Go to the VPN IPsec status page to confirm the tunnel shows as connected.
Firewall and NAT considerations in GUI
- Ensure the VPN traffic is allowed to reach the router on the WAN interface:
- Permit UDP 500 (ISAKMP/IKE), UDP 4500 (NAT-T) and ESP (IP protocol 50) in the firewall policy that protects the router itself (the WAN local direction).
- For LAN-to-LAN traffic, create a rule that allows traffic from 10.1.0.0/24 to 10.2.0.0/24 and vice versa and attach it to the policy for transit traffic entering from the WAN (the in direction), because decrypted tunnel traffic is forwarded through the router rather than delivered to it.
- If you don’t want NAT between sites, add a NAT exclusion rule ahead of your masquerade rule so traffic between 10.1.0.0/24 and 10.2.0.0/24 is not translated; otherwise packets leave with the WAN address as their source and never match the tunnel’s local prefix.
Section 3: Key considerations and best practices
- Dynamic IPs: if your sites have dynamic public IPs, pair your VPN with a dynamic DNS service at both ends and use the DDNS hostname as the peer’s remote address in the VPN config. Some EdgeOS builds re-establish the tunnel automatically when the IP changes; otherwise you’ll need a DDNS client or a small script to update the VPN peer.
- Authentication: PSK is straightforward, but you may want to switch to certificate-based authentication for higher security in larger deployments. This involves setting up a CA and issuing certs to both EdgeRouters.
- Traffic scope: for a clean, scalable approach, start with a full tunnel between sites (all traffic between the two subnets flows over the VPN). If only specific hosts or subnets need to talk, adjust the traffic selectors to limit the tunnel to those networks.
- Redundancy and failover: If uptime matters, consider a second WAN link and a failover strategy. EdgeRouter devices can be configured with multiple WAN interfaces and route-based failover, ensuring the VPN stays up if one ISP goes down.
- Monitoring: Use the EdgeRouter’s built-in monitoring tools or syslog to keep an eye on VPN status, tunnel uptime, and performance. Regularly review the IPsec SA lifetimes to avoid unexpected tunnel drops.
- Performance notes: EdgeRouter devices have varying throughput depending on model and workload. IPsec encryption typically reduces tunnel throughput by a measurable amount. If you’re pushing gigabit-level traffic, pick a model that provides headroom for VPN workloads, or consider offloading encryption to a more capable device behind the EdgeRouter.
Section 4: Dynamic DNS and remote access tips
- If you’re behind CGNAT or your public IP changes often, set up Dynamic DNS (DDNS) at both sites. Then configure the peer’s remote address on the other side to the DDNS hostname.
- For occasional remote access needs (remote workers), you can add a separate client-to-site VPN on a per-user basis, but keep the site-to-site VPN dedicated to inter-site traffic for stability.
- If you’re testing with laptops or devices that roam between networks, keep a separate VPN client profile for those devices (e.g., OpenVPN or WireGuard) rather than repurposing the site-to-site tunnel.
Section 5: Real-world tips, common mistakes, and quick wins
- Start small: get two subnets communicating first, then expand to additional subnets or more complex routing.
- Use distinct, consistently masked subnets on both sides to avoid routing confusion: 10.1.0.0/24 vs 10.2.0.0/24 is clear, while overlapping or mismatched prefixes create dead routes.
- Keep a note of all PSKs, IPs, and prefixes in a secure place. A quick reference sheet saves you from rebuilding the tunnel from memory when a change is needed.
- Regularly test after any change: a small change in the tunnel can cause unpredictable behavior if you don’t validate connectivity.
- Document your topology: a simple diagram or bullet list of which devices talk to which subnets helps future you and teammates troubleshoot quickly.
Section 6: Troubleshooting checklist
- Tunnel status: Is the IPsec SA established on both sides? If not, re-check the PSK, remote addresses, and IKE/ESP profile matches.
- Network reachability: Can you ping across subnets from both sides? If not, verify local routing tables and subnets.
- Firewall rules: Are required ports open on the WAN interfaces? Do you have a firewall rule allowing ESP protocol 50 and UDP 500/4500?
- NAT: If you’re not sure, temporarily disable NAT for VPN traffic or add a specific NAT exemption for traffic between 10.1.0.0/24 and 10.2.0.0/24 to see if that fixes issues.
- Logs: Check EdgeRouter logs for IPsec events. Look for negotiation failures, key mismatches, or rejected packets.
- MTU: if you see fragmented packets or VPN instability, reduce the MTU on the tunnel path or enable MSS clamping where possible.
Section 7: Advanced topics you might explore later
- Split tunneling vs full tunneling: Decide if all traffic should go through the VPN or just inter-site traffic. Split tunneling can reduce VPN load but may complicate security posture.
- Certificate-based authentication: For larger deployments, replace PSK with certificates and a dedicated CA to improve security and automate revocation.
- Site-to-site with dynamic DNS and VRRP/HA: For high availability, pair VPNs with multiple WANs and VRRP or similar redundancy protocols to maintain uptime during ISP failures.
- IPv6 considerations: If you’re running IPv6, make sure IPsec and the tunnels are configured to support IPv6 traffic across both sites.
Frequently Asked Questions
What exactly is a site-to-site VPN on Ubiquiti EdgeRouter?
A site-to-site VPN connects two separate networks securely over the internet so devices on one side can reach devices on the other side as if they were on a single local network. EdgeRouter devices use IPsec to establish a trusted tunnel between the sites.
Do I need public IP addresses on both sites?
Typically yes. Each EdgeRouter needs a reachable public IP address or a resolvable endpoint via DDNS so the tunnel can be established. If you’re behind NAT, NAT-T (NAT Traversal) helps, and you may use DDNS to handle dynamic addresses.
Should I use PSK or certificates for authentication?
PSK is easy to set up and great for small deployments. For higher security and scale, certificates issued by a private CA are preferred. They reduce the risk of PSK leakage and make revocation simpler.
How do I test if the tunnel is up?
Check the IPsec SA status on both EdgeRouters; you should see a tunnel listed as established. Then ping devices on the remote network (e.g., from 10.1.0.x to 10.2.0.x). If pings fail, verify routing tables, firewall rules, and the tunnel’s local/remote prefixes.
Can I run VPNs on a consumer-grade router?
EdgeRouter devices are designed for this kind of VPN work. Consumer-grade routers often struggle with reliable IPsec site-to-site VPNs or have limited configuration options.
What if one site has a dynamic IP?
Use Dynamic DNS on that site and point the other site’s peer at the DDNS hostname. Some EdgeRouter setups can refresh this automatically; otherwise you’ll need a script or a small client to update the config when IPs change.
How do I limit traffic over the VPN?
You can set traffic selectors (local and remote prefixes) so only specific subnets traverse the tunnel. This is helpful if you don’t want all traffic to pass through the VPN.
How should I handle firewall rules for the VPN?
Open the necessary ports (UDP 500 for ISAKMP, UDP 4500 for NAT-T, ESP protocol 50). Then create firewall rules that allow traffic between the tunnel endpoints and the two subnets involved in the VPN.
What are common mistakes beginners make?
Mismatching PSKs, wrong local/remote addresses, misconfigured prefixes, and firewall rules that block VPN traffic are the usual culprits. A small diagram of the two sites and their subnets helps prevent misconfigurations.
Can I have more than one site-to-site VPN peer per EdgeRouter?
Yes. You can configure multiple IPsec peers, each with its own tunnel. This is useful when you’re linking more than two sites or if you need separate VPN policies for different partner networks.
Section 8: Quick-start recap for busy readers
- Pick a subnet plan for both sites (e.g., Site A 10.1.0.0/24, Site B 10.2.0.0/24).
- Decide on authentication (PSK is simplest; certificate-based is more scalable).
- Choose either CLI or GUI for EdgeRouter configuration.
- Configure IPsec IKE and ESP groups with AES-256/SHA-256 and 3600-second or longer lifetimes.
- Define local/remote addresses and tunnel prefixes for both sides.
- Open the necessary firewall ports (UDP 500, UDP 4500, ESP).
- Test cross-subnet connectivity, then adjust as needed.
- Consider dynamic DNS if you’re dealing with changing public IPs.
Final notes for your VPN journey
- Start with the simplest setup that works, then expand features as you need them.
- Keep security in mind: rotate PSKs, monitor logs, and consider certificate-based authentication for future upgrades.
- Document every change and keep backups of your EdgeRouter configurations so you can recover quickly if something goes sideways.
Useful URLs and resources
- Official EdgeRouter documentation - docs.ubiquiti.com
- EdgeOS CLI reference - help.ubnt.com
- IPsec VPN basics - en.wikipedia.org/wiki/IPsec
- Ubiquiti Community forums - community.ubiquiti.com
- Dynamic DNS services overview - en.wikipedia.org/wiki/Dynamic_DNS
Remember: the more you practice the configuration steps, the quicker you’ll respond to issues, and the more confident you’ll be when you scale to additional sites or more complex topologies. If you found this guide helpful, feel free to revisit any section as you set up your network, and don’t hesitate to add more sites once you’ve mastered the basics.