Ubiquiti Networks is a well-liked vendor of networking-related gear within the SMB / SME area. Their gear is immensely in style amongst prosumers too, due to the mixture of ease of use and the flexibility to customise for particular necessities. I’ve been operating an Ubiquiti UniFi set up at house for the final 5 years or so, and just lately had the chance to create a brand new deployment abroad. There have been two predominant causes to go together with Ubiquiti for the brand new location – a single administration airplane for each websites, and the flexibility to simply create a site-to-site VPN.
The brand new set up was pretty clean and the site-to-site VPN was up and operating in a steady method till the ISP on the distant website moved the gateway from a public-facing WAN IP to 1 behind a carrier-grade NAT (CGNAT). That began a deeper investigation into varied choices obtainable for site-to-site VPNs with Ubiquiti’s gear for various eventualities. On this course of, I ended up encountering a bunch of points worthy of documentation to assist people who may encounter them in their very own installations. This text gives a recount of my journey down the rabbit gap – together with a step-by-step information detailing my makes an attempt to work across the varied pitfalls.
Introduction
Ubiquiti Networks presents a spread of merchandise focusing on the networking market. Whereas wi-fi ISPs are a key market section for the corporate (serviced by the airFiber line), as we speak’s piece is concentrated on their UniFi product line – a spread of managed software-defined networking gear for SMBs, SMEs, and prosumers. There are a selection of causes for UniFi’s recognition merchandise amongst tech-savvy customers. The corporate had a first-mover benefit in providing an economical managed SDN answer. Isolating performance into completely different units (safety gateways, routers, switches, and wi-fi entry factors) allowed customers to select and select completely different gear primarily based on their customized wants. The unified administration airplane for all of the UniFi merchandise permits simple upkeep whereas retaining deployment flexibility. Community scaling in response to requirement adjustments can also be easy. The corporate began out with an area administration controller, which has now been augmented with a cloud-based providing.
My first brush with Ubiquiti was their mFi product line (which has since been sadly EOL-ed). Their lineup of network-connected energy shops with vitality and energy monitoring, in addition to distant relay management was (and continues to be) extra versatile than anything out there – and this was with out even taking the low pricing under consideration. I had bought a couple of of their models for my house / AnandTech testing lab use, and written a brief overview after a few months of use (these models are nonetheless in deployment).
After I revealed the mFi overview, Ubiquiti’s PR division approached me with a suggestion to overview their UniFi product line. Round that point again in 2017, I had the chance to put out a wired Cat 6 spine for all of the rooms in my home right here in California. I took up the provide to spec out a UniFi system for testing out. The USG Professional 4 gateway took up the routing duties with a UniFi Cloud Key (first technology) performing controller duties. Entry factors with various capabilities had been mounted round the home to keep away from wi-fi dead-spots. Quite a lot of switches had been positioned within the media middle and completely different lab places. I ended up augmenting the system with further PoE switches and in-wall APs alone.
The system was configured with the standard visitor wi-fi community, and a bunch of various VLANs (serving the IoT units in the home, the house lab gear, and one other for units such because the frequent household desktop, telephones, and so on.). On the entire, it was an overkill for a residential set up. That stated, the deployment has held its personal over 5 years of nerve-racking utilization (and nonetheless going robust). The one hiccup I had was when the CloudKey controller grew to become inaccessible on the community a few years again. It turned out {that a} energy interruption had ended up corrupting the database – nothing that a couple of SSH instructions (due to the useful neighborhood) could not resolve. Since then, I ended up investing in a UPS for the rack holding the UniFi gear to keep away from the recurrence of such eventualities.
Such points are additionally the explanation why I like to recommend Ubiquiti gear solely to tech-savvy customers. In nearly all instances, calling up the corporate’s assist line and making a ticket finally ends up being a waste of time. There are innumerable assets on-line (each the corporate’s personal customers discussion board, in addition to numerous prosumer bloggers equivalent to Scott Hanselman and Troy Hunt. In mild of opinions from such sources, there may be not a lot for readers to realize from posting yet one more overview of the Ubiquiti UniFi lineup. As a substitute, I hope to take up particular use-cases and determine how Ubiquiti’s product lineup can deal with these in these sequence of articles.
Earlier this yr, my dad and mom again in India determined to downsize their house. I took the chance to revamp their house community from the ground-up. I had been intending so as to add options to the house community of my dad and mom, however had by no means had the chance as a result of my visits had been turning into rare. Nonetheless, with my first go to post-pandemic, I wished to get a couple of issues arrange as a part of their transfer:
- Simpler distant administration and troubleshooting of community points with out the necessity for port forwarding.
- Capacity to seamlessly use their Indian house community throughout journey / visits over right here to California
- Capacity to carry out safe distant offsite backups for my information with out counting on an exterior cloud storage supplier
- Capacity to seamlessly make the most of Indian OTT service subscriptions regardless of consumer location both in California or in India
After I initially arrange the Cloud Key again in 2017, there was no requirement to make use of a cloud account. Sadly, the UniFi Community cell utility consumer expertise grew to become fairly onerous with no ui.com ID a few years again. I caved in and ended up associating my set up with a cloud ID only for this objective. Since I used to be already managing my community by this ID, it grew to become a simple determination to go together with Ubiquiti for the deployment again in India.
The important thing to fulfilling the above necessities was a safe VPN tunnel between my house community right here in California and my dad and mom’ community in India. Previous to touring, I organized for a Ubiquiti Dream Machine to be delivered to the brand new house. The Ubiquiti UniFi Dream Machine is an all-in-one answer / UniFi starter equipment. It integrates a 4-port change, a 4×4 802.11ac entry level, a safety gateway, and an built-in controller. The Annapurna Labs AL314-based answer comes with a single WAN port, and is an appropriate answer for many house networks within the the 1000 sq. ft – 1200 sq. ft vary.
From my use-case perspective, I wished an answer that might assist easy VPN tunnel configuration and simple app-based entry for each the US and Indian networks by way of a single interface.
The Evolution of UniFi – A Quick Recap
Ubiquiti’s UniFi lineup was launched after their lineup of edge-focused merchandise for WISPs began gaining traction in different markets. These EdgeRouters and EdgeSwitches had been primarily based on Vyatta OS, and the UniFi merchandise initially began out with the identical EdgeOS firmware base. The UniFi Safety Gateway Professional 4 in my main deployment runs EdgeOS thus far.
The USG Professional 4 is predicated on Cavium’s OCTEON II networking SoC, with a MIPS64 utility processor. Nonetheless, Ubiquiti’s newest gateways / routers / switches within the UniFi lineup now run a customized Debian-based Linux distribution. The UniFi Dream Machine makes use of the Annapurna Labs AL314, and runs a distribution meant for the AArch64 platform. The UniFi OS itself runs as a container utilizing podman.
The tip result’s that there are fairly a variety of disconnects between the options obtainable on EdgeOS and UbiOS / UniFi OS. Migration from the EdgeOS line to UniFi OS is just not easy sufficient for closely personalized installs. With focus shifting to UbiOS / UniFi OS, the updates for the older gear have change into few and much aside. Whereas that may not be a priority for steady networks, it has sadly not stored updated with evolving community safety practices. For instance, Android’s current releases have fully dropped assist for L2TP VPNs, whereas EdgeOS has L2TP because the advisable VPN server sort. This brings us to the subject of VPNs.
VPN Server Choices in Ubiquiti’s Stack
Ubiquiti presents a spread of VPN choices relying on the gateway getting used. At house right here in California with the USG Professional 4, I’ve been operating a L2TP VPN server (permitting me to hook up with it from public espresso outlets and airports for safe looking functions) for a number of years now. I had minimal hassle setting it up for entry from a Home windows pocket book. Nonetheless, as talked about within the earlier sub-section, this VPN server is of no use for my cell phone operating Android 12. The USG Professional 4 additionally helps PPTP VPN, however it isn’t advisable even by Ubiquiti themselves.
The first possibility for a VPN server within the UniFi Dream Machine operating UbiOS / UniFi OS is kind of completely different.
Right here, Teleport (Ubiquiti’s personalized Wireguard implementation) takes priority. This can be a one-click VPN extra in tune with as we speak’s mobile-first ecosystem. Purchasers are licensed by way of invitations that may be generated both from the configuration web page (on the unifi.ui.com cloud, or by way of the machine’s native IP) or the UniFi Community cell app. The invitations could be opened on the consumer system utilizing the Wifiman cell utility. The unlucky side right here is that Home windows customers are out of luck. Whereas MacOS, Android, and iOS are lined, Home windows customers are left within the lurch. This can be a massively disappointing state of affairs provided that the L2TP possibility in EdgeOS works with Home windows shoppers, however not Android and the Teleport possibility in UbiOS / UniFi OS works with Android shoppers, however not Home windows. It have to be famous that the UDM nonetheless helps L2TP for Home windows shoppers.
Beneath the Teleport & VPN part, Ubiquiti additionally gives an choice to create site-to-site VPNs, which is the place our story begins.
