Unifi VPNs 2024: Site Magic, Teleport, Wireguard

  • Published: 4 Feb 2025

Comments • 74

  • @Chenny0
    @Chenny0 10 months ago +5

    Whaaaa I was just researching this 5 minutes before this uploaded

  • @jj_615
    @jj_615 10 months ago

    Excellent video! Was just doing research on these last week and this was great timing! 🎉

  • @obiromaniankenobi1136
    @obiromaniankenobi1136 4 months ago

    THIS helped me sooo much! Tried out Wireguard and Teleport. Thank you!

  • @kevinhughes9801
    @kevinhughes9801 10 months ago +1

    Excellent video breakdown, thank you. I'd like to see more detailed firewall rules around using Site Magic and blocking between two sites please.

  • @ApexOneTech
    @ApexOneTech 10 months ago +1

    Nice overview. I've been setting up OpenVPN for remote users that just need access to the primary office NAS. What's nice is that only traffic to the NAS is routed through the VPN. I understand that Site Magic, and other options you showed would route all traffic through the VPN. Are you able to configure the VPN in any of the options you showed to only route traffic to a particular IP address (like when hosting VPN on Synology NAS)?

  • @PauloSilva-gy4ei
    @PauloSilva-gy4ei 10 months ago

    Another informative video, it would be interesting if you made a video on how to create static routes between other manufacturers

  • @TBUKMusic
    @TBUKMusic 10 months ago

    Thanks so much for doing these explanations and walkthroughs.

  • @jasonbeiko2995
    @jasonbeiko2995 9 months ago +1

    Hi, another great video! Can you make a separate video specifically on setting up a WireGuard client? Thanks

  • @EnterActiveNetworks
    @EnterActiveNetworks 8 months ago

    Great video, thank you. Here are some things I would like to see in a future video: explain LAN in/out/local & Internet in/out/local. Also, I would like to see how you would connect both Unifi and non-Unifi devices to a UDMP using the Ubiquiti UMR as a remote for cameras, both Unifi Protect and ONVIF. Since the UMR seems to have a difficult time with port forwarding and the Site2Site is not really a Site2Site but just a VPN, I am wondering how you would approach that.

  • @rrrussell1009
    @rrrussell1009 1 month ago

    Would site to site be the option I need to choose if I’m wanting to connect a remote server to the main/local domain controller? Server B -> site to site VPN -> Server A?

  • @justinknash
    @justinknash 10 months ago +2

    I just like the L2TP does not require a client to be installed on macOS, but I get it's basically being deprecated.

  • @julianelpro5513
    @julianelpro5513 10 months ago

    Great video! - I would like to see real use cases, like the best VPN for specific networks/devices. For IoT, cams, servers, and so on..

  • @529Tempo
    @529Tempo 10 months ago +1

    Hi Cody - great video! All your content has been very helpful for me. I had a somewhat unrelated question for you.
    I'm setting up different VLANs on my home network using your guides. In order to block VLANs from accessing gateways and the management interfaces, you suggest setting up firewall rules which, for example, block VLAN1 from accessing the gateway IPs of all other VLANs, and then also block access to its own gateway IP on ports 80, 22, and 443.
    However, someone else just suggested to me that I can simply select the VLANs I want isolated and make them "guest networks", and all the necessary rules will be automatically created to prevent inter-VLAN routing and devices from accessing the firewall, while still having internet - plus I don't have to fiddle with confusing IP and port groups and keep them up to date if something changes.
    Do you see any problem with that approach? Is there a reason you don't do that?
    Any insight is much appreciated.

  • @Legendary_UA
    @Legendary_UA 10 months ago

    Site Magic is just freaking awesome!

  • @netbaasw1249
    @netbaasw1249 3 months ago

    Hey Cody. How about a video with the Site Magic VPN and DNS resolving from remote site to main site? Thanks for the videos, very helpful.

  • @tdadarwala
    @tdadarwala 3 months ago

    Great video! Using Site Magic, I can not seem to map a share from one site to another. Are there any firewall rules I need to setup?

  • @TangDynasty1983
    @TangDynasty1983 10 months ago +2

    This is a great video! But I still don't understand why we need to use "LAN Out" on VPN firewall rules instead of "LAN In"? Can't wrap my head around it...any help would be really appreciated!

    • @bsem68
      @bsem68 10 months ago +5

      Yes, he sort of goes over this quickly and doesn't really explain the reason why. You set up the rule on the UDM which you are blocking access to. You use LAN Out because, from its perspective, the UDM is sending traffic OUT to the devices on the LAN interface, therefore LAN Out. LAN In would be devices on the network going into the UDM LAN interface. The Port/IP Group is required to tell which source network to block. The traffic goes like this: Host-PC -> LAN In -> UDM A -> Site Magic -> UDM B -> LAN Out -> Host-PC. Therefore you make a rule on UDM B LAN Out which blocks Host-PC from UDM A to Host-PC on UDM B.
      Oh, and if you are blocking an entire subnet and only letting certain hosts through, it is also a good idea to allow established and related for the same Port/IP Group above the other rules... otherwise traffic cannot go out the other way from the UDM you are not blocking.
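The traffic path and rule ordering described in the reply above, modelled as an added Python example (this is not code from the video, the commenter, or Ubiquiti): a minimal first-match firewall with a connection-tracking table, evaluating the LAN Out chain of the UDM at the blocked site ("UDM-B"). The site subnets, the single permitted site-A host, the rule names and the default-allow behaviour are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing for the example (assumed, not taken from the thread):
SITE_A_LAN = "192.168.10.0/24"       # hosts behind UDM-A
SITE_B_LAN = "192.168.20.0/24"       # hosts behind UDM-B, where the rules are evaluated
ALLOWED_A_HOST = "192.168.10.50/32"  # the one site-A host that may open connections into site B


@dataclass(frozen=True)
class Packet:
    chain: str   # "LAN_IN": host -> UDM-B LAN interface; "LAN_OUT": UDM-B -> host
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    chain: str
    action: str                         # "allow" or "drop"
    src: Optional[str] = None           # CIDR; None matches any source
    dst: Optional[str] = None           # CIDR; None matches any destination
    states: frozenset = frozenset()     # connection states the rule applies to; empty = any

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.chain != pkt.chain:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.states and state not in self.states:
            return False
        return True


class StatefulFirewall:
    """First-match rule evaluation on top of a minimal connection-tracking table."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.flows = set()   # (src, sport, dst, dport) of connections already accepted

    def state_of(self, pkt: Packet) -> str:
        # A packet travelling in the reverse direction of an accepted flow is
        # "established"; anything else is "new". ("related", e.g. ICMP errors tied
        # to an existing flow, is not modelled here.)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "established" if reverse in self.flows else "new"

    def process(self, pkt: Packet) -> str:
        state = self.state_of(pkt)
        verdict = "allow"                 # assumption: no matching rule means allow
        for rule in self.rules:
            if rule.matches(pkt, state):
                verdict = rule.action
                break
        if verdict == "allow":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def udm_b_rules(with_established_allow: bool) -> List[Rule]:
    """LAN Out rule set on UDM-B, with or without the established/related allow on top."""
    rules = []
    if with_established_allow:
        rules.append(Rule("allow-return-traffic", "LAN_OUT", "allow",
                          src=SITE_A_LAN, dst=SITE_B_LAN,
                          states=frozenset({"established", "related"})))
    rules.append(Rule("allow-one-a-host", "LAN_OUT", "allow",
                      src=ALLOWED_A_HOST, dst=SITE_B_LAN))
    rules.append(Rule("block-site-a-subnet", "LAN_OUT", "drop",
                      src=SITE_A_LAN, dst=SITE_B_LAN))
    return rules


def run_scenarios(with_established_allow: bool) -> Dict[str, str]:
    fw = StatefulFirewall(udm_b_rules(with_established_allow))
    results = {}
    # 1. An arbitrary site-A host opens SMB to a site-B host: leaves UDM-B via LAN Out.
    results["a_to_b_new"] = fw.process(Packet("LAN_OUT", "192.168.10.7", 50001, "192.168.20.30", 445))
    # 2. The single permitted site-A host does the same.
    results["allowed_a_to_b_new"] = fw.process(Packet("LAN_OUT", "192.168.10.50", 50002, "192.168.20.30", 445))
    # 3. A site-B host opens HTTPS to a site-A server: enters UDM-B via LAN In (nothing blocks it there).
    results["b_to_a_new"] = fw.process(Packet("LAN_IN", "192.168.20.30", 51000, "192.168.10.7", 443))
    # 4. The server's reply comes back over Site Magic and leaves UDM-B via LAN Out.
    results["a_reply_to_b"] = fw.process(Packet("LAN_OUT", "192.168.10.7", 443, "192.168.20.30", 51000))
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print("established/related allow above the block:", flag, run_scenarios(flag))
```

Running it shows scenario 4 (the reply to a connection that site B opened) being dropped by the subnet block as soon as the established/related allow is left out, which is exactly the "traffic cannot go out the other way" case the reply warns about; the new-connection cases behave identically either way, so the ordering only matters for return traffic.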

    • @TangDynasty1983
      @TangDynasty1983 10 months ago

      @bsem68 Thank you so much for taking your time to lay this out. The chart really helps! Truly appreciate it!

    • @subsonicbass
      @subsonicbass 10 months ago

      @bsem68 absolute Chad response bro, was having trouble understanding this as well but I think I got it now. Cheers 🎉

    • @fUjiMaNia
      @fUjiMaNia 3 months ago

      @bsem68 I was able to connect using both Teleport and WireGuard, but I'm unable to hit any of the local IP addresses like he did. What am I missing?

  • @AccessTechLive
    @AccessTechLive 10 months ago

    Hey. You have 3Gb up and down. Can you do a video on that setup with the UDM Pro?

  • @Barakulka
    @Barakulka 1 month ago

    Just for testing purposes, to ensure the VPN routing works on the remote site: is it possible to route Teleport clients through the VPN client on the UDR? For example, if the UDR has a PIA client and I connect to the UDR via Teleport, the endpoint should use the PIA IP instead of the WAN IP.

  • @gmenelau
    @gmenelau 10 months ago

    Excellent video❤

  • @sawomirm9373
    @sawomirm9373 7 months ago

    Great video :) . I am temporarily living in another country. I have purchased video streaming services in my country, but they are not available in the country where I currently live. Should I use the VPN client method to have access on several devices?

  • @denc67
    @denc67 10 months ago

    Can you tell us about the GRE over IPSec protocol? How do you manage firewall rules for this protocol? I want to have the same IP in two offices in different places.

  • @HliasPontioSsS
    @HliasPontioSsS 10 months ago

    Very nice video and very good job. The question I have is: at the point where you set up the WireGuard (server address) there is an exclamation mark. Should we deal with it or not? (If I remember correctly it should say something about the dynamic IP.)

    • @MactelecomNetworks
      @MactelecomNetworks 10 months ago +2

      Ya, it's because I don't have a static IP address. You could use a DDNS service for this.

  • @hencoshannon2668
    @hencoshannon2668 6 months ago

    Is it possible to set up a VPN connection to the device to get onto the network but not route internet traffic through the VPN?

  • @VeryGoodNice
    @VeryGoodNice 10 months ago

    Thx for the video, I was testing all this last week :) I have only 1 question: how can I add a speed limit to VPN users? I was looking everywhere but there is no option to select the VPN network or VPN client IP.

  • @SoloStrikeDude
    @SoloStrikeDude 8 months ago

    Any ideas or fixes for conflicting/overlapping OpenVPN tunnel IPs? I need to enable two different OpenVPN connections at the same time but it gives an IP conflict error because both are using 10.8.x.x for the tunnels. They work fine on their own. Great content, BTW! I have referenced many videos during my Unifi equipment setup.

  • @jodycwilliams
    @jodycwilliams 10 months ago

    Do the same thing for the updated VLAN UI please.

  • @asong26
    @asong26 5 months ago

    Thanks for the video. What about routing tunneled WireGuard clients to the commercial VPN connection? Is it possible to configure the WireGuard clients to use the commercial VPN within Unifi? In other words, in the case where Unifi has a VPN client configured with Nord and provides network-wide VPN for all devices. In this case, if we configure the WireGuard 'server' in Unifi, and if I am connecting to Unifi from a different country via a WireGuard client, how can Unifi tunnel all my traffic through the Nord VPN for internet access while providing access to the LAN? I cannot find any tutorials to make this work. I tried it, but my WireGuard client doesn't seem to use the Nord VPN when connecting from outside (from a different country, for example).

  • @wodn184fn8
    @wodn184fn8 10 months ago

    Awesome vid Cody, thanks. One question. I don't think it's possible yet, but can you create a wireless network that directs you into a VPN connection? The reason is, for example, I want to connect my TV to Netflix outside of my region, so I can watch restricted content.

    • @garyh2013
      @garyh2013 10 months ago

      Create a VLAN for these specific clients, create a new WLAN SSID, map the WLAN to use the specific VLAN.
      Create your VPN client.
      Now go into Routing and route all traffic for your specific VLAN to the WireGuard or OpenVPN client, rather than the WAN.

  • @zedmak518
    @zedmak518 10 months ago

    How would you route traffic from a remotely connected machine using wireguard to go via Nord VPN that is currently setup on the UDM?

  • @nikanjafari
    @nikanjafari 10 months ago

    Is there a way that we can use device names to ping when we do site-to-site VPN? Or any other way?

  • @popeter
    @popeter 10 months ago

    I really want to use Magic VPN but 1) can't use it for policy-based routing (aka all traffic of this kind, e.g. Netflix, exits from one base location) and 2) can use it at the same time as OSPF for local use

  • @robybeaudoin
    @robybeaudoin 10 months ago

    I had set up Site Magic or Teleport and was able to access any of my devices remotely... except all PCs. As soon as I disable the PC firewall, I get a ping. I have tried a lot of things in the PC firewall with no result. Any hint?

  • @fUjiMaNia
    @fUjiMaNia 3 months ago

    I was able to connect using both Teleport and WireGuard, but I'm unable to hit any of the local IP addresses like he did. What am I missing?

  • @ditaliano
    @ditaliano 9 months ago

    I successfully use the WireGuard server for site-to-site with proper routing both ways... and it works great... however the server has multiple WANs... but the config only allows a single WAN IP to be selected. Is there a way to have the failover to WAN2 or load balance both ways with a hostname that shows both IPs?

  • @brwyatt
    @brwyatt 7 months ago

    What about firewall rules *TO* the VPN? I've never been able to figure out how to block that. Tried adding a rule to LAN In and LAN Out saying local traffic to the VPN network should be dropped, but it seems to still go through?

  • @brunekxxx91
    @brunekxxx91 3 months ago

    I'm sooo glad I bought a Unifi Dream Machine instead of a pfSense router 😂

  • @DarkV0rtex
    @DarkV0rtex 10 months ago +1

    Wish Unifi added Policy Based Routing for Site-to-Site VPNs and not just the others :/

  • @shakabrainfinite
    @shakabrainfinite 10 months ago

    What happens to a site magic config if one of the sites primary internet fails over to its backup connection? Does it "heal itself"?

  • @sharartimunda
    @sharartimunda 1 month ago +1

    Teleport appears to continue to work in countries where VPN is banned (Pakistan)

  • @TheMouera
    @TheMouera 10 months ago +1

    Still no possibility to prevent access to UDM admin interface for WireGuard clients using firewall rules?

    • @MactelecomNetworks
      @MactelecomNetworks 10 months ago

      Don't think so

    • @mapotoyfu
      @mapotoyfu 10 months ago

      @MactelecomNetworks I was about to ask the same question, thanks for the clarification, and I thought I was doing something wrong on my end.

    • @MactelecomNetworks
      @MactelecomNetworks 10 months ago +4

      @mapotoyfu there actually is a way now, look at this post
      twitter.com/underlinux/status/1775987918147887431

    • @mapotoyfu
      @mapotoyfu 10 months ago

      @MactelecomNetworks followed his instructions but created a group and it worked. Thanks for the link!

  • @ResulEkin
    @ResulEkin 9 months ago

    Is it possible to create Site-to-Site connection with Fortigate - Unifi UDM Pro?

  • @uyaaljabbar4984
    @uyaaljabbar4984 9 months ago

    I found though that if you add the 5th VPN user, the VPN will connect but no traffic will route to the local network, so I can't ping servers and printers on the network I'm connecting to. Can anyone help me?

  • @JOSERAFAEL403
    @JOSERAFAEL403 1 month ago

    How can I get the manual setup to get the user and password?

  • @nikosvaidis5397
    @nikosvaidis5397 8 months ago

    How to use NordVPN on UDM PRO?

  • @21Lettere
    @21Lettere 10 months ago

    Why are VPN firewall rules always lan_out?

    • @LordSaliss
      @LordSaliss 10 months ago

      I'm guessing because the VPN server is already "inside" the router, so it never enters the router/firewall from an interface a rule applies to, and so the soonest you can apply a rule is as the traffic is going to be sent out an interface.

  • @aopen130
    @aopen130 10 months ago

    13:43 14 different UDMs at different sites. I feel poor.

  • @MikoKnight
    @MikoKnight 10 months ago +6

    Some editing errors in this one.

    • @MactelecomNetworks
      @MactelecomNetworks 10 months ago +7

      I assume you mean the quick cuts? My Stream Deck cuts off too early, gotta get it figured out

    • @MikoKnight
      @MikoKnight 10 months ago

      @MactelecomNetworks yeah, that's it then.

    • @romayojr
      @romayojr 10 months ago +1

      @MactelecomNetworks yep, noticed them mostly in the beginning of the video. Sorry to point these out: 0:57 1:13 1:40 2:20 2:38

    • @MactelecomNetworks
      @MactelecomNetworks 10 months ago +1

      @romayojr thanks, yup, I noticed them as well. Will figure out the Stream Deck asap or just won't use it when recording

    • @ibanezted
      @ibanezted 10 months ago

      Thanks for the Nord VPN setup. Never tried setting up NordVPN network-wide, but always wondered if Unifi supported it. Might have to do that.

  • @ezaulzillmer
    @ezaulzillmer 9 months ago

    😍👏👏👏👏👏👏

  • @xboltkill
    @xboltkill 10 months ago

    Hi, I'm a colorist and your tutorials are extremely helpful and generally helped me a lot. That said, I have to say that I don't particularly enjoy your choice of colors in your videos. If you are interested in looking for a new style I will gladly help for free.

  • @antoined5588
    @antoined5588 7 months ago +1

    Way too many sentences cut before ending... This is highly frustrating

  • @daytekone
    @daytekone 10 months ago

    In the ads for the Magic VPN they're mentioning that "New York is on 192.168.20.0 and they fight over because London is also on 192.168.20.0, but apparently it is not an issue with Magic VPN". Nobody seems to cover what happens if you have the same network. Did you try? 'Cause in the video... they all pick different networks lol? ...
    /watch?v=hqnl9awwYiM&ab_channel=Ubiquiti