r/Ubiquiti
Configuring VPN on UniFi switch - do I need any additional hardware/software?

Question

Hello guys,

I have a UniFi switch. The internet is connected via a router provided by my internet provider (LTE):

Router LTE -- Ubiquiti switch -- rest of devices

I need external access to my network, so I started configuring a VPN. I found some instructions (on a blog and a YouTube video), but the options shown in the instructions are not in my control panel.

So, I think I should buy a UniFi USG, but I'm not sure. Maybe I should buy more devices, or I am completely wrong and it is possible to configure a VPN only on the switch?

Also, I have a dynamic IP, so I need to configure some DynDNS service. I have some domains at OVH; I believe there is an option to configure the VPN with my own domain, but I haven't seen any detailed instructions. Do you have any, guys?

Last question: should I reconfigure my LTE router to bridge mode or something like that? Currently, it has the default config and the switch gets DHCP from the router (I think so).

Can you help me with my network and VPN? I have some basic knowledge, but in practice I'm a complete noob.


So first thing, yes you will need some sort of gateway. A USG will work or you can add another firewall.

Second, you can use a Dynamic DNS service to get around this. No-IP is one I can think of.

Third, your LTE router will need to be in a bridge or passthrough mode for this to work. Check with the manufacturer on the best way to set this up. For example, Comcast no longer recommends bridge mode but instead an advanced mode that basically just shuts off the firewall.

Finally, depending on your provider, you may be behind a CGNAT which will hose you from the start and there is no real way around it. I would check with them before even getting started.

You need a UniFi gateway to use the controller to manage a VPN, I would assume. A switch has no ability to host a VPN. If you buy a gateway, then you should use your LTE router as a bridge and use the USG as your router. I use my domain for my VPN and I have ddclient on a VM that updates the DNS every 5 min. I think a USG has DDNS update capability (my UDMP does, but I don't use it; I assume the USG would too), so you might not need anything else.


First, if you're behind LTE, chances are that you're behind a CGNAT, which is basically double NAT, but using 100.64.0.0/10 as the network in front instead of 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. What this means is that you can't port forward or host services due to how the network is architected. You can push outbound traffic from your network (access the internet normally), but you can't get any traffic that didn't originate from your network (VPN, any type of server hosting), if that makes sense.

Like u/zerphtech said, you can get around the dynamic IP problem by using dynamic DNS, but this only works if you have a public IP address.

On the hardware, assuming you're able to get a public IP, a USG would work, but keep in mind that that hardware is really old, equivalent to an *EdgeRouter Lite*. The USG Pro 4 is equivalent to an EdgeRouter 8 Pro without a couple of Ethernet ports (still really old). I really have no idea why they're still selling them; they're delisted, but if you search for them in the UI store, you'll find them.

If you can, get an EdgeRouter 4. You won't have the single pane of glass, but it's beefier for VPN with hardware acceleration, at least for IPsec.
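As an added illustration (not code from any commenter in this thread), a small Python check for the CGNAT and double-NAT situation described above: it classifies the address the LTE router reports on its WAN side and compares it with the address an outside service sees your traffic coming from, to tell whether inbound VPN access can work at all before buying a gateway. All addresses are constructed samples; 203.0.113.0/24 is a documentation range and is treated as public here purely so the samples work offline.

```python
import ipaddress
from typing import Tuple

# RFC 6598 shared address space: what carriers hand out behind CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: seeing one of these on the router's WAN side
# means there is another NAT device upstream (double NAT).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan_address(addr: str) -> str:
    """Classify the address shown as the LTE router's WAN/Internet address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    # Loopback, link-local, multicast, 240/4 and 0.0.0.0 are never usable.
    # Documentation ranges (RFC 5737) are deliberately NOT excluded so that
    # constructed samples such as 203.0.113.5 classify as public.
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "reserved"
    return "public"


def inbound_vpn_feasible(router_wan: str, observed_public: str) -> Tuple[bool, str]:
    """Decide whether inbound VPN can work.

    router_wan: the address the LTE router reports on its WAN interface.
    observed_public: the address an external 'what is my IP' service reports.
    """
    kind = classify_wan_address(router_wan)
    if kind == "cgnat":
        return False, ("WAN address is in 100.64.0.0/10: carrier-grade NAT, "
                       "no inbound connections; ask the provider for a public IP")
    if kind == "private":
        return False, ("WAN address is RFC 1918: another NAT sits in front of the "
                       "router; bridge/passthrough mode on the upstream device is needed")
    if kind != "public":
        return False, f"WAN address class '{kind}' is not usable for inbound access"
    if ipaddress.ip_address(router_wan) != ipaddress.ip_address(observed_public):
        return False, ("router WAN address is public but differs from the address "
                       "seen from outside: traffic is still NATed upstream")
    return True, "router holds the public address; dynamic DNS plus a gateway can expose a VPN"
```

Run `inbound_vpn_feasible()` with the WAN address from the LTE router's status page and the address an external IP-echo service shows; only a `True` result makes the gateway and DDNS setup discussed above worthwhile.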