i really want to use magic vpn but 1) cant use it for policy based routing (aka all traffic of this kind e.g. netflix exits from one base location) and 2) can use it the same time as OSPF for local use
I had setup sitemagic or teleport and able to acces any of my devices remotely...except all pc. As soon as disable pc firewall, I got ping. I had try a lot of things in the pc firewall with no result. Any hint?
Thanks for the video. What about routing tunneled wireguard clients to the commercial vpn connection? Is it possible to configure the wireguard clients to use the commercial VPN within Unify? In other words, In the case where unify has vpn client co figured with Nord and provides network wide vps for all devices. In this case, if we configure the wireguard ‘server’ in unify, and if i am connecting to unify from a different country via wireguard client. How can unify tunnel all my traffic through the Nord VPN for internet access while providing access to the LAN? i cannot find any tutorials to make this work. i tried it, but i’m my wireguard client doesn’t seem to use the nord vpn when connecting from outside (from a different country try for example)
What about firewall rules *TO* the VPN? I've never been able to figure out how to block that. Tried adding a rule to LAN In and LAN Out saying local traffic to the VPN network should be dropped, but it seems to still go through?
This is a great video! But I still don't understand why we need to use "LAN Out" on VPN firewall rules instead of "LAN In"? Can't wrap my head around it...any help would be really appreciated!
Yes he sorta goes over this quick and doesn't really explain the reason why. You setup the rule on the UDM which you are blocking access to. You use lan out because from its perspective the UDM is sending traffic OUT to the devices on the LAN interface, therefore LAN Out. Lan In would be devices on the network going into the UDM LAN interface. The Port/IP Group is required to tell which source network to block. The traffic goes like this... Host-PC>Lan In->UDMA->site magic->UDMB-Lan out->Host-PC Therefore you make a rule on UDMB Lan out which blocks Host-PC from UDMA to Host PC on UDMB. Oh and if you are blocking entire subnet and only letting certain hosts through, it is also a good idea to allow established and related for the same Port/IP Group above the other rules... otherwise traffic cannot go out the other way from the UDM you are not blocking.
I found though if you add the 5th VPN user, the VPN will connect but no traffic will route to the local network, so can't ping servers and printers on the network I'm connecting to. Anyone can help me?
Hi Cody - great video! All your content has been very helpful for me. I had a somewhat unrelated question for you. I'm setting up a different VLANs on my home network using your guides. In order to block vlans from accessing gateways and the management interfaces, you suggest setting up firewalls which , for example, block VLAN1 from accessing the gateway IPs of all other VLANs, and then also blocking access to its own gateway IP on ports 80, 22, and 443. However, someone else just suggest to me that I can simply select the VLANs I want isolated and make them "guest networks" and all the necessary rules will be automatically created to prevent inter-vlan routing and devices from accessing the firewall, while still having internet - plus I don't have to fiddle with confusing IP and port groups and keeping them up to date if something changes. Do you see any problem with that approach? Is there a reason you don't do that? Any insight is much appreciated.
Nice overview. I've been setting up OpenVPN for remote users that just need access to the primary office NAS. What's nice is that only traffic to the NAS is routed through the VPN. I understand that Site Magic, and other options you showed would route all traffic through the VPN. Are you able to configure the VPN in any of the options you showed to only route traffic to a particular IP address (like when hosting VPN on Synology NAS)?
Any ideas or fixes for conflicting/overlapping OpenVPN tunnel IPs? I need to enable two different OpenVPN connections at the same time but it gives an IP conflict error because both are using 10.8.x.x for the tunnels. They work fine on their own. Great content, BTW! I have referenced many videos during my Unifi equipment setup.
Great video :) . I am temporarily living in another country. I have purchased video striming services in my country, but they are not available in the country where I currently live. Should I use the VPN client method to have access on several devices?
I successfully use the wireguard server for site-to-site with proper routing both ways...and it works great....however the server has multiple wans...but the config only allows a single WAN ip to be selected. Is there a way to have the fail over to WAN2 or load balanced both ways with a hostname that shows both ips?
Great video thank you, Here are somethings I would like to see in a future video: Explain LAN in/out/local & Internet in/out/local. Also, I would like to see how you would connect both Unifi and non unifi devices to a UDMP using the Ubiquiti UMR as a remote for cameras both Unifi Protect and OnVif. Since the UMR seems to have a difficult time with port forwarding and the Site2Site is not really a Site2Site but just a vpn, I am wondering how you would approach that.
Thx for video i was testing all this last week :) I have only 1 question how can i add speed limit to vpn users. I was looking everywhere but there is no option select vpn network or vpn client ip.
Awesome vid Cody, thanks. One question. I dont think its possible yet but, can you create a wireless network that direct you into a vpn connection? The reason is for example, i want to connect my tv to a netflix outside of my region, so i can watch restricted content.
Create a VLAN for these specific clients, create a new WLAN SSID, Map the WLAN to use the specific VLAN. Create your VPN Client. Now go into Routing and route all traffic for your specific VLAN to the Wireguard or OpenVPN client, rather than the WAN
very nice video and very good job. the question I have is at the point where you set up the wireguard (server address) there is an exclamation mark there should we deal with it or not (if I remember correctly it should say something about the dynamic ip)
Im guessing because the VPN server is already "inside" the router, so it never enters the router/firewall from an interface a rule applies to, and so the soonest you can apply a rule is as the traffic is going to be sent out an interface.
Hi, I’m a colorist and your tutorial are extremely helpful and generally helped me a lot. That’s said I have to say that I don’t particularly enjoy your choice of colors in your videos. If you are interested in looking for a new style I will gladly help for free.
in the ads for the magic vpn their mentionning that " new york is on 192.168.20.0 and they fight over because London is also on 192.168.20.0 but apparently it is not an issue with magic vpn" nobody seems to cover what happen if you have the same network, did you try ? caus in the video .. they all pick diferent network lol? ... /watch?v=hqnl9awwYiM&ab_channel=Ubiquiti
Way too much sentences cut before ending... This is highly frustrating
Ya bad edit
i really want to use magic vpn but 1) cant use it for policy based routing (aka all traffic of this kind e.g. netflix exits from one base location) and 2) can use it the same time as OSPF for local use
How to use NordVPN on UDM PRO?
I had setup sitemagic or teleport and able to acces any of my devices remotely...except all pc. As soon as disable pc firewall, I got ping. I had try a lot of things in the pc firewall with no result. Any hint?
Whaaaa I was just researching this 5 minutes before this uploaded
I just like the L2TP does not require a client to be installed on macOS, but I get it's basically being deprecated.
Thanks for the video. What about routing tunneled wireguard clients to the commercial vpn connection? Is it possible to configure the wireguard clients to use the commercial VPN within Unify? In other words, In the case where unify has vpn client co figured with Nord and provides network wide vps for all devices. In this case, if we configure the wireguard ‘server’ in unify, and if i am connecting to unify from a different country via wireguard client. How can unify tunnel all my traffic through the Nord VPN for internet access while providing access to the LAN? i cannot find any tutorials to make this work. i tried it, but i’m my wireguard client doesn’t seem to use the nord vpn when connecting from outside (from a different country try for example)
What about firewall rules *TO* the VPN? I've never been able to figure out how to block that. Tried adding a rule to LAN In and LAN Out saying local traffic to the VPN network should be dropped, but it seems to still go through?
This is a great video! But I still don't understand why we need to use "LAN Out" on VPN firewall rules instead of "LAN In"? Can't wrap my head around it...any help would be really appreciated!
Yes he sorta goes over this quick and doesn't really explain the reason why. You setup the rule on the UDM which you are blocking access to. You use lan out because from its perspective the UDM is sending traffic OUT to the devices on the LAN interface, therefore LAN Out. Lan In would be devices on the network going into the UDM LAN interface. The Port/IP Group is required to tell which source network to block. The traffic goes like this... Host-PC>Lan In->UDMA->site magic->UDMB-Lan out->Host-PC Therefore you make a rule on UDMB Lan out which blocks Host-PC from UDMA to Host PC on UDMB.
Oh and if you are blocking entire subnet and only letting certain hosts through, it is also a good idea to allow established and related for the same Port/IP Group above the other rules... otherwise traffic cannot go out the other way from the UDM you are not blocking.
@@bsem68 Thank you so much for taking your time to lay this out. The chart really helps! Truly appreciate it!
@@bsem68absolute Chad response bro, was having trouble understanding this as well but I think I got it now. Cheers 🎉
Some editing errors in this one.
I assume you mean the quick cuts? My stream deck cuts off to early gotta get it figured out
@@MactelecomNetworks yeah, that's it then.
@@MactelecomNetworks yep noticed them mostly in the beginning of the video. sorry to point these out 0:57 1:13 1:40 2:20 2:38
@@romayojr thanks yup I noticed them as well. Will figure out the stream deck asap or just won’t use when recording
Thanks for the nord vpn setup. Never tried setting up nordvpn network wide, but always wondered if unifi supported it. Might have to do that.
I found though if you add the 5th VPN user, the VPN will connect but no traffic will route to the local network, so can't ping servers and printers on the network I'm connecting to. Anyone can help me?
Hi Cody - great video! All your content has been very helpful for me. I had a somewhat unrelated question for you.
I'm setting up a different VLANs on my home network using your guides. In order to block vlans from accessing gateways and the management interfaces, you suggest setting up firewalls which , for example, block VLAN1 from accessing the gateway IPs of all other VLANs, and then also blocking access to its own gateway IP on ports 80, 22, and 443.
However, someone else just suggest to me that I can simply select the VLANs I want isolated and make them "guest networks" and all the necessary rules will be automatically created to prevent inter-vlan routing and devices from accessing the firewall, while still having internet - plus I don't have to fiddle with confusing IP and port groups and keeping them up to date if something changes.
Do you see any problem with that approach? Is there a reason you don't do that?
Any insight is much appreciated.
Nice overview. I've been setting up OpenVPN for remote users that just need access to the primary office NAS. What's nice is that only traffic to the NAS is routed through the VPN. I understand that Site Magic, and other options you showed would route all traffic through the VPN. Are you able to configure the VPN in any of the options you showed to only route traffic to a particular IP address (like when hosting VPN on Synology NAS)?
Wish Unifi added Policy Based Routing for Site to Site VPN's and not just others :/
Is it possible to set up a VPN connection to the deivce to get onto the network but not route internet traffic through the VPN?
Hi, another great video! Can you make a separate video specifically on setting up a wire guard client. Thanks
Excellent video breakdown thank you. Like to see more detailed firewall rules around using site magic and blocking between to site please.
Any ideas or fixes for conflicting/overlapping OpenVPN tunnel IPs? I need to enable two different OpenVPN connections at the same time but it gives an IP conflict error because both are using 10.8.x.x for the tunnels. They work fine on their own. Great content, BTW! I have referenced many videos during my Unifi equipment setup.
Is it possible to create Site-to-Site connection with Fortigate - Unifi UDM Pro?
Yup I don't see why not
Great video :) . I am temporarily living in another country. I have purchased video striming services in my country, but they are not available in the country where I currently live. Should I use the VPN client method to have access on several devices?
I successfully use the wireguard server for site-to-site with proper routing both ways...and it works great....however the server has multiple wans...but the config only allows a single WAN ip to be selected. Is there a way to have the fail over to WAN2 or load balanced both ways with a hostname that shows both ips?
Great video thank you, Here are somethings I would like to see in a future video: Explain LAN in/out/local & Internet in/out/local. Also, I would like to see how you would connect both Unifi and non unifi devices to a UDMP using the Ubiquiti UMR as a remote for cameras both Unifi Protect and OnVif. Since the UMR seems to have a difficult time with port forwarding and the Site2Site is not really a Site2Site but just a vpn, I am wondering how you would approach that.
😍👏👏👏👏👏👏
great video! - I would like to see real use cases, like best VPN for specific networks/devices. For IoT, Cams, Servers, and so on..
Can you tell about GRE over IPSec protocol? How manage rules in firewall in this protocol? I want make the same IP in two offices in different places.
Hey. You have 3gb up and down. can you do a video on that setup with the udm pro
How would you route traffic from a remotely connected machine using wireguard to go via Nord VPN that is currently setup on the UDM?
Thx for video i was testing all this last week :) I have only 1 question how can i add speed limit to vpn users. I was looking everywhere but there is no option select vpn network or vpn client ip.
What happens to a site magic config if one of the sites primary internet fails over to its backup connection? Does it "heal itself"?
Another informative video, it would be interesting if you made a video on how to create static routes between other manufacturers
Is there wa way that we can use device names to ping when we do site to site VPN? or any other way ?
Do the same thing for the updated VLAN UI please.
Thanks so much for doing these explanations and walkthroughs.
Still no possibility to prevent access to UDM admin interface for WireGuard clients using firewall rules?
Dont think so
@@MactelecomNetworks i was about to ask the same question, thanks for the clarifications and i thought i was doing something wrong on my end.
@@mapotoyfu there actually is a way now look at this post
twitter.com/underlinux/status/1775987918147887431
@@MactelecomNetworks followed his instructions but created a group and it worked. thanks for the link!
13:43 14 different UDMs at different sites. I feel poor.
Excellent video! Was just doing research on these last week and this was great timing! 🎉
Site Magic is just freaking awesome!
Awesome vid Cody, thanks. One question. I dont think its possible yet but, can you create a wireless network that direct you into a vpn connection? The reason is for example, i want to connect my tv to a netflix outside of my region, so i can watch restricted content.
Create a VLAN for these specific clients, create a new WLAN SSID, Map the WLAN to use the specific VLAN.
Create your VPN Client.
Now go into Routing and route all traffic for your specific VLAN to the Wireguard or OpenVPN client, rather than the WAN
very nice video and very good job. the question I have is at the point where you set up the wireguard (server address) there is an exclamation mark there should we deal with it or not (if I remember correctly it should say something about the dynamic ip)
Ya it’s becuase I don’t have a static ip address. You could use a ddns service for this
Excellent video❤
Why are VPN firewall rules always lan_out?
Im guessing because the VPN server is already "inside" the router, so it never enters the router/firewall from an interface a rule applies to, and so the soonest you can apply a rule is as the traffic is going to be sent out an interface.
Hi, I’m a colorist and your tutorial are extremely helpful and generally helped me a lot. That’s said I have to say that I don’t particularly enjoy your choice of colors in your videos. If you are interested in looking for a new style I will gladly help for free.
in the ads for the magic vpn their mentionning that " new york is on 192.168.20.0 and they fight over because London is also on 192.168.20.0 but apparently it is not an issue with magic vpn" nobody seems to cover what happen if you have the same network, did you try ? caus in the video .. they all pick diferent network lol? ...
/watch?v=hqnl9awwYiM&ab_channel=Ubiquiti