Ubiquiti Networks is a well-liked vendor of networking-related gear within the SMB / SME house. Their gear is immensely in style amongst prosumers too, due to the mixture of ease of use and the power to customise for particular necessities. I’ve been operating an Ubiquiti UniFi set up at dwelling for the final 5 years or so, and lately had the chance to create a brand new deployment abroad. There have been two fundamental causes to go together with Ubiquiti for the brand new location – a single administration airplane for each websites, and the power to simply create a site-to-site VPN.
The brand new set up was pretty clean and the site-to-site VPN was up and operating in a secure method till the ISP on the distant website moved the gateway from a public-facing WAN IP to 1 behind a carrier-grade NAT (CGNAT). That began a deeper investigation into varied choices obtainable for site-to-site VPNs with Ubiquiti’s gear for various eventualities. On this course of, I ended up encountering a number of points worthy of documentation to assist of us who would possibly encounter them in their very own installations. This text offers a recount of my journey down the rabbit gap – together with a step-by-step information detailing my makes an attempt to work across the varied pitfalls.
Introduction
Ubiquiti Networks affords a spread of merchandise concentrating on the networking market. Whereas wi-fi ISPs are a key market phase for the corporate (serviced by the airFiber line), in the present day’s piece is concentrated on their UniFi product line – a spread of managed software-defined networking gear for SMBs, SMEs, and prosumers. There are a selection of causes for UniFi’s reputation merchandise amongst tech-savvy customers. The corporate had a first-mover benefit in providing a cheap managed SDN answer. Isolating performance into totally different gadgets (safety gateways, routers, switches, and wi-fi entry factors) allowed customers to choose and select totally different gear primarily based on their customized wants. The unified administration airplane for all of the UniFi merchandise allows straightforward upkeep whereas retaining deployment flexibility. Community scaling in response to requirement adjustments can be easy. The corporate began out with an area administration controller, which has now been augmented with a cloud-based providing.
My first brush with Ubiquiti was their mFi product line (which has since been sadly EOL-ed). Their lineup of network-connected energy retailers with vitality and energy monitoring, in addition to distant relay management was (and continues to be) extra versatile than the rest out there – and this was with out even taking the low pricing into consideration. I had bought a number of of their items for my dwelling / AnandTech testing lab use, and written a brief evaluation after a few months of use (these items are nonetheless in deployment).
After I revealed the mFi evaluation, Ubiquiti’s PR division approached me with a proposal to evaluation their UniFi product line. Round that point again in 2017, I had the chance to put out a wired Cat 6 spine for all of the rooms in my home right here in California. I took up the provide to spec out a UniFi system for testing out. The USG Professional 4 gateway took up the routing duties with a UniFi Cloud Key (first technology) performing controller duties. Entry factors with various capabilities have been mounted round the home to keep away from wi-fi dead-spots. Plenty of switches have been positioned within the media middle and totally different lab places. I ended up augmenting the system with further PoE switches and in-wall APs alone.
The system was configured with the standard visitor wi-fi community, and a bunch of various VLANs (serving the IoT gadgets in the home, the house lab gear, and one other for gadgets such because the widespread household desktop, telephones, and so forth.). On the entire, it was an overkill for a residential set up. That stated, the deployment has held its personal over 5 years of annoying utilization (and nonetheless going sturdy). The one hiccup I had was when the CloudKey controller grew to become inaccessible on the community a few years again. It turned out {that a} energy interruption had ended up corrupting the database – nothing that a number of SSH instructions (thanks to the helpful community) could not resolve. Since then, I ended up investing in a UPS for the rack holding the UniFi gear to keep away from the recurrence of such eventualities.
Such points are additionally the explanation why I like to recommend Ubiquiti gear solely to tech-savvy customers. In nearly all instances, calling up the corporate’s help line and making a ticket finally ends up being a waste of time. There are innumerable sources on-line (each the corporate’s personal users forum, in addition to numerous prosumer bloggers comparable to Scott Hanselman and Troy Hunt. In gentle of evaluations from such sources, there may be not a lot for readers to realize from posting one more evaluation of the Ubiquiti UniFi lineup. As a substitute, I’m hoping to take up particular use-cases and work out how Ubiquiti’s product lineup can handle these in these sequence of articles.
Earlier this 12 months, my dad and mom again in India determined to downsize their dwelling. I took the chance to revamp their dwelling community from the ground-up. I had been intending so as to add options to the house community of my dad and mom, however had by no means had the chance as a result of my visits have been turning into rare. Nonetheless, with my first go to post-pandemic, I wished to get a number of issues arrange as a part of their transfer:
- Simpler distant administration and troubleshooting of community points with out the necessity for port forwarding.
- Potential to seamlessly use their Indian dwelling community throughout journey / visits over right here to California
- Potential to carry out safe distant offsite backups for my knowledge with out counting on an exterior cloud storage supplier
- Potential to seamlessly make the most of Indian OTT service subscriptions no matter person location both in California or in India
After I initially arrange the Cloud Key again in 2017, there was no requirement to make use of a cloud account. Sadly, the UniFi Community cellular software person expertise grew to become fairly onerous with no ui.com ID a few years again. I caved in and ended up associating my set up with a cloud ID only for this objective. Since I used to be already managing my community by way of this ID, it grew to become a simple determination to go together with Ubiquiti for the deployment again in India.
The important thing to fulfilling the above necessities was a safe VPN tunnel between my dwelling community right here in California and my dad and mom’ community in India. Previous to touring, I organized for a Ubiquiti Dream Machine to be delivered to the brand new dwelling. The Ubiquiti UniFi Dream Machine is an all-in-one answer / UniFi starter equipment. It integrates a 4-port swap, a 4×4 802.11ac entry level, a safety gateway, and an built-in controller. The Annapurna Labs AL314-based answer comes with a single WAN port, and is an appropriate answer for many dwelling networks within the the 1000 sq. ft – 1200 sq. ft vary.
From my use-case perspective, I wished an answer that might help easy VPN tunnel configuration and straightforward app-based entry for each the US and Indian networks by way of a single interface.
The Evolution of UniFi – A Quick Recap
Ubiquiti’s UniFi lineup was launched after their lineup of edge-focused merchandise for WISPs began gaining traction in different markets. These EdgeRouters and EdgeSwitches have been primarily based on Vyatta OS, and the UniFi merchandise initially began out with the identical EdgeOS firmware base. The UniFi Safety Gateway Professional 4 in my major deployment runs EdgeOS to this point.
The USG Professional 4 is predicated on Cavium’s OCTEON II networking SoC, with a MIPS64 software processor. Nonetheless, Ubiquiti’s newest gateways / routers / switches within the UniFi lineup now run a customized Debian-based Linux distribution. The UniFi Dream Machine makes use of the Annapurna Labs AL314, and runs a distribution meant for the AArch64 platform. The UniFi OS itself runs as a container utilizing podman.
The top result’s that there are fairly a lot of disconnects between the options obtainable on EdgeOS and UbiOS / UniFi OS. Migration from the EdgeOS line to UniFi OS isn’t easy sufficient for closely personalized installs. With focus shifting to UbiOS / UniFi OS, the updates for the older gear have turn out to be few and much aside. Whereas that may not be a priority for secure networks, it has sadly not saved updated with evolving community safety practices. For instance, Android’s latest releases have utterly dropped help for L2TP VPNs, whereas EdgeOS has L2TP because the really helpful VPN server kind. This brings us to the subject of VPNs.
VPN Server Choices in Ubiquiti’s Stack
Ubiquiti affords a spread of VPN choices relying on the gateway getting used. At dwelling right here in California with the USG Professional 4, I’ve been operating a L2TP VPN server (permitting me to connect with it from public espresso retailers and airports for safe shopping functions) for a number of years now. I had minimal trouble setting it up for entry from a Home windows pocket book. Nonetheless, as talked about within the earlier sub-section, this VPN server is of no use for my cell phone operating Android 12. The USG Professional 4 additionally helps PPTP VPN, however it isn’t really helpful even by Ubiquiti themselves.
The first choice for a VPN server within the UniFi Dream Machine operating UbiOS / UniFi OS is kind of totally different.
Right here, Teleport (Ubiquiti’s personalized Wireguard implementation) takes priority. This can be a one-click VPN extra in tune with in the present day’s mobile-first ecosystem. Purchasers are licensed by way of invitations that may be generated both from the configuration web page (on the unifi.ui.com cloud, or by way of the machine’s native IP) or the UniFi Community cellular app. The invitations could be opened on the shopper system utilizing the Wifiman cellular software. The unlucky side right here is that Home windows customers are out of luck. Whereas MacOS, Android, and iOS are coated, Home windows customers are left within the lurch. This can be a massively disappointing state of affairs provided that the L2TP choice in EdgeOS works with Home windows shoppers, however not Android and the Teleport choice in UbiOS / UniFi OS works with Android shoppers, however not Home windows. It should be famous that the UDM nonetheless helps L2TP for Home windows shoppers.
Beneath the Teleport & VPN part, Ubiquiti additionally offers an choice to create site-to-site VPNs, which is the place our story begins.
