That's a great video! Let's hope they'll release IKEv2 at some point.
I love this feature and have had it running since it was possible. My family members have UDRs and I have the SE. With Netflix cutting down on password sharing, I've been able to use this to forward all traffic from their respective Apple TVs through the VPN.
How did you do that? Are there links provided to set such a thing up?
Great video. The only thing that stinks with using OpenVPN on a UDM is that it’s only TCP-based and not UDP. Not very efficient for an IPSec tunnel. Let’s hope Ubiquiti changes that or at least gives you an option between the two. Furthermore, you can only create one OpenVPN tunnel/server. Let’s hope they change that as well in the future.
Using TCP on port 443 for OpenVPN can be useful for bypassing firewalls that block other outbound ports since it looks like normal HTTPS traffic.
Hey Cody, love your job! Keep going
Hurray for dark mode! Thanks, Cody 😊
Any information on the network speed impact when doing this on a UDM Pro? Does it really go down to 800 Mbps?
Hi there, I've been using L2TP VPN on my USG Pro. It stopped working and Ubiquiti says my ISP is blocking the signal/traffic. The ISP says they don't do that. It's been a runaround. Will this help me VPN back into my network or is it another round of back and forth? What are your thoughts on my current situation? Thank you
How do I prevent the clients from accessing the other network if the VPN goes down?
This doesn't work for me... I upload the file to OpenVPN Connect on Android, add username and password, I try to connect, but it instantly fails, blinking ON and then OFF in a fraction of a second. No error or even a log event.
What do I do? Any ideas?
So, is it better to do the VPN setup on the UniFi or on the Synology side? Also, what about Tailscale as a replacement for all these VPN configurations?
Great video thanks! Quick question, is every traffic rule processed no matter what? I would have thought the traffic would have been immediately dropped after hitting your first block rule and disregarded your allow rule? Or are the rules processed from bottom to top?
There is no way to order traffic management rules as of yet and not sure if there will be.
So if you add allow rules under block rules, it still works.
Does this allow WAN traffic to be sent? If you're outside the home and connect to the VPN and do a "what is my IP", does it show the VPN IP and DNS or your cellular IP and DNS?
Keep up the great work
Thanks Matt 😊
Hi Cody,
This OpenVPN setup works nicely, however I cannot get out again via the internet. (Internet pass-through?)
The OpenVPN clients will not get a gateway IP address and are not able to get out to the web again.
I'd like to use OpenVPN on my smartphone (when not at home) to use my 2 Pi-holes on my phone as well. (I really hate annoying advertisements, and do not want to install "another app" on my Android phone.)
The only workaround (known to me, that is) is to "allow access to LAN/VLAN" to get internet on my smartphone.
The big security risk here is that access to all the LAN devices is allowed; no blocking is in place then.
What I'd like to achieve: internet access with ad-block capabilities AND access to selected devices (only NAS and LAN printer, for example), but no access to the UniFi Console via VPN.
Equipment: UDM-Pro, Unifi OS 3.2.9, Unifi Network 8.028 with a 1/1gbit fiber connection.
Hey Cody, about OpenVPN: I tried all the settings. Does it not work with Starlink? I was thinking the dynamic DNS would maybe work with it, but it probably doesn't because Starlink shares, but I thought... I don't know, maybe I thought wrong or thought right, or maybe I did something wrong, but I followed all your steps to a tee and it did not connect on the Starlink. But also, with the OpenVPN dynamic DNS name, I hit activate but it says I can't activate my name unless I pay money, so I'm kind of confused because you made it seem like there was no paying for it, so I just want to know.
Hey Cody! A month ago, DNSoMatic and Cloudflare DDNS (dyndns) stopped working on my UXG. Nothing's working so I have to use MarcsUpdater. Have you been able to make it work recently?
Thanks for the video. Does this OpenVPN implementation support static IP assignments for the VPN clients?
Great video! Could you make a video on an OpenVPN site-to-site later on as well? Would like to see it! Keep up the good work!
What do you guys think? I'm using the free home edition of Sophos Firewall with one of their access points. The access point is about to reach end-of-life later this year and will no longer function. Their newer access points are super expensive (we're talking almost $350 for the better entry-level models) and then you can only use them with Sophos firewalls. I have some TP-Link Omada switches and a controller. I would either stick with Sophos and go with a TP-Link Omada access point, which would make the most sense right now, or dump Sophos altogether and go with Ubiquiti now that they are working on having an OpenVPN server in their devices. From a security standpoint, Ubiquiti is a kid's toy compared to Sophos, but Sophos can be a real pain to configure all the time and requires extensive amounts of configuration to keep working.
Very solid
Great video as always my man 🇨🇦... I'm curious... when you created that allow rule, did it automatically build out a route for that traffic flow? Would be interesting to see how it builds out the route. I know there are options for manually configuring routes.
Ya, it's all automatic, I didn't do anything else. I'm sure you can go into the CLI and see how it routes it.
@@MactelecomNetworks makes sense brother. Appreciate your great work as always Sir.
What are the max simultaneous users at the time on OpenVPN? Can we do 10 users?
Also, with OpenVPN, can we have more than 5 concurrent users on RDP on different computers?
Hi Cody. Is this setup an alternative to the WireGuard video you previously created? In other words, is OpenVPN just another way for allowing remote access INTO your network? If so, I'm curious what the differences are. This setup seemed way more involved than the WireGuard setup.
They are both used to log in to your network remotely; it's just a personal preference.
I wouldn't think this is any more involved, and there are a lot of other things you can do with OpenVPN over WireGuard. I may do a video comparing all of them.
@@MactelecomNetworks With the various VPN options, a comparison video would be great!
Hey Cody, I have my cable modem in bridge mode, but every time the modem gets a new IP my UDM Pro loses WAN and the only way to get it back online is to factory reset the modem.
Hi, how can I make the DDNS update my IP automatically on the UniFi device itself?
Did you have success with Stripe / payment logistics yet with the new captive portal page?
Not sure why UI has to make it this difficult. On Untangle, it takes 20 sec to setup and just works. I've set and re-set this up multiple times and can never hit anything on my network while on VPN. I get my 192.168.2.x IP but can't talk to 192.168.1.x...no rules or traffic management. So damn frustrating
Does this mean that I can finally route my clients to use the UDM as an exit point out to the internet? For a while I have been trying to work out how to get my remote site A to egress to the internet via site B. If I set up a client on site B and create the appropriate rule, do you think I will be able to achieve this? As always, thanks for the great videos.
How many concurrent users can connect with this?
How can I block the VPN clients from being able to access the web interface of the UDM?
Is this new version changing anything on the Site-to-Site side of things? Or is it mainly just for clients to connect? I have a client who needs a Site-to-Site VPN between 2 sites, where 1 site has static IP but the other is behind CG-NAT. Any ideas how to solve this in UniFi?
So this is just for client to site. Ubiquiti is coming out with a new VPN for site to site; check it out here (need an EA account):
community.ui.com/questions/Introducing-the-Magic-Site-to-Site-VPN-feature/5caa6244-6cae-472a-ac79-6922c211fe43
Hello, great video.
I also have it working but found an issue. I can't set up split tunneling on the Android OpenVPN client.
As soon as I connect, all my web traffic goes through the UniFi.
I tried manually editing the config file, adding route-nopull settings, but no luck.
Could you please test or give some help?
Many thanks
Hi, this is a very useful tutorial. I wonder how to add a speed limit over the VPN connection?
Awesome!
Thanks for watching
Do they still have the issue where traffic management rules don't order properly as additional rules are added in 7.4.156? In the past if you added a rule that needed to be higher in the list you'd have to remove everything and add them all again in the correct order.
Nope, seems it's been corrected. I do know I was having that issue in a previous video, but it seems good now.
Is there no way to organize the rules like the firewall rules? What is better, Firewall Rules or Traffic Management? What’s the difference if any.
You can organize the traffic management rules; it does it for you. It seems Ubiquiti is trying to push traffic management more than firewall; it's a little easier to understand.
The traffic management rules really are just firewall rules, so whichever you feel more comfortable creating.
@@MactelecomNetworks ahh okay that makes sense. They are easier. I just didn’t know if you can re-organize them. I saw some users couldn’t on the forums. I’ll try to make sure.
Does this allow for 2FA? Most commercial VPN servers/clients also support 2FA, which adds an extra layer of security.
That I will have to get back to you on. The only VPN within UniFi that I know 100% does support 2FA is UID VPN.
Thanks.
Do you use a dynamic IP from your ISP?
Good evening friend, can I use another port, like 1195?
Hi, can anybody tell me how many OpenVPN tunnels are possible with the Dream Machine Pro? I can't find any specs on the internet.
You can do 1.
Hi Cody. Please comment on the subject of using hotel WiFi for internet or Teams meetings through OpenVPN on the Dream Machine, but without exposing internal nodes to employees. Thank you in advance. Best regards, Per
Solved it, it was easy.
Is it possible to add 2FA with OpenVPN?
It sucks that this doesn't work on USG PRO
Do we need any subscription to use that VPN? Is it free? Thank you for your videos
It’s free :) I mean beside buying the Ubiquiti hardware but no subscription
What is the ping utility you are using?
It’s just called ping on iOS
Hey Bro awesome videos, can you show how to connect to cloudflare? Also you have any vids on site to site connections with cloud providers? I have aws, and oracle cloud. Thanks in advance for any help you can give.
Is WireGuard more secure than OpenVPN?
They are both open-source protocols, but WireGuard is faster and newer!
WireGuard is a much simpler protocol and codebase. Simplicity is a friend of security. That said, OpenVPN can support MFA while WireGuard does not.
Wouldn't the Teleport 'Zero configuration remote access VPN' be an out-of-the-box alternative? I just want to give it to my son so he can access our Netflix 'from within the household'.
Sure, but there is no Windows client for Teleport.
Hope that UniFi brings out a client version for Windows too.
Useless, as double NAT is still not supported...
For 5+ years the DynDNS implementation in EdgeOS has been able to figure out my WAN address even when I am forced to run behind the ISP router (inside its DMZ). Why won't UBNT add this to UniFi? We have been requesting this for so many years.....
Also, why do we still have to manually edit the WireGuard / OVPN config file to add the DynDNS name?....
Same goes for when you don't want inbound WireGuard connections to route the device's internet traffic through the tunnel (like when you just need remote access to your site): you must go into the config file and remove the DNS entries......
VPN is still such a half-baked solution in UniFi.
Just port forward port 1194 from your ISP gear towards the Dream Machine. Problem solved.
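As an added example (not code from the video, from any commenter, or from Ubiquiti), here is a small Python script that applies the three manual edits this thread keeps coming back to: swapping the literal WAN address in the `remote` line for a DDNS hostname (the edit the post above complains about), dropping the `dhcp-option DNS` lines so the client keeps its own resolvers, and the split tunnel the Android poster earlier tried with `route-nopull`, where only chosen LAN subnets are routed into the tunnel. The sample profile, the DDNS hostname and the subnets are constructed placeholders, and the exact contents of a UniFi export may differ. One caveat for the earlier "selected devices only" question: `route-nopull` and `route` lines only decide what the client sends into the tunnel; they are not enforcement, which still has to be a firewall rule on the gateway.

```python
import ipaddress
import re

# Constructed sample client profile in the style of an OpenVPN .ovpn export.
# It is NOT a real UniFi export; the IP, DNS servers and certificate are placeholders.
SAMPLE_OVPN = """client
dev tun
proto tcp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
dhcp-option DNS 192.168.1.1
dhcp-option DNS 192.168.1.2
verb 3
<ca>
-----BEGIN CERTIFICATE-----
placeholder-ca-body
-----END CERTIFICATE-----
</ca>
"""

INLINE_OPEN = re.compile(r"<([a-z-]+)>")     # <ca>, <cert>, <key>, <tls-crypt>, ...
INLINE_CLOSE = re.compile(r"</([a-z-]+)>")


def parse_ovpn(text):
    """Split a profile into plain directives and inline <tag>...</tag> blocks.

    Returns (directives, inline): directives is a list of token lists, inline is
    the raw lines of the inline blocks, kept verbatim so key material is never touched.
    """
    directives, inline, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:              # inside an inline block: copy through
            inline.append(raw)
            close = INLINE_CLOSE.fullmatch(line)
            if close and close.group(1) == current:
                current = None
            continue
        opened = INLINE_OPEN.fullmatch(line)
        if opened:
            current = opened.group(1)
            inline.append(raw)
            continue
        if not line or line.startswith(("#", ";")):
            continue                          # blank lines and comments carry no config
        directives.append(line.split())
    if current is not None:
        raise ValueError(f"unterminated inline block <{current}>")
    return directives, inline


def rewrite_ovpn(text, ddns_name=None, lan_subnets=(), drop_dns=False):
    """Return a new profile with the DDNS, DNS and split-tunnel edits applied."""
    directives, inline = parse_ovpn(text)
    out = []
    for d in directives:
        if d[0] == "remote" and ddns_name:
            d = ["remote", ddns_name] + d[2:]       # keep port (and proto, if any) as they were
        if drop_dns and d[0] == "dhcp-option" and len(d) > 1 and d[1].upper() == "DNS":
            continue                                 # do not hand the LAN resolvers to this client
        out.append(" ".join(d))
    if lan_subnets:
        out.append("route-nopull")                   # ignore pushed redirect-gateway, routes and DNS
        for cidr in lan_subnets:
            net = ipaddress.ip_network(cidr, strict=True)
            out.append(f"route {net.network_address} {net.netmask}")   # only these go via tun
    return "\n".join(out + inline) + "\n"


def directive_values(text, key):
    """Argument lists for one directive, e.g. directive_values(t, 'route') -> [[net, mask], ...]."""
    directives, _ = parse_ovpn(text)
    return [d[1:] for d in directives if d[0] == key]


if __name__ == "__main__":
    # Hostname and subnets below are constructed placeholders.
    print(rewrite_ovpn(SAMPLE_OVPN, ddns_name="myhome.ddns-placeholder.invalid",
                       lan_subnets=["192.168.1.0/24"], drop_dns=True))
```

The inline certificate blocks are copied through untouched, which is the one part of a profile an editing script must never reflow. Running it with no options returns the profile unchanged apart from comment and blank-line stripping, so it is safe to use as a pre-flight check that a downloaded profile at least parses.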
Can you make a video of site to site using OpenVPN?
Why not use Teleport?
Teleport doesn't have a Windows client.
It would've been cool to put MacTeleComNetwork on the back of the t-shirts.
That’s actually not a bad idea. I can make different variations just need to get the graphic artist to send me it
I'm here for a pre-order special lol
@@darealdynasty 😂 I can talk to the person today and see
New shirt with branding on the back
mactelecomstore.com/listing/mactelecom-ufo-shirt
@@MactelecomNetworks good looking out 🔥 order placed!!