admin
Ubiquiti Networks is a well-liked vendor of networking-related gear within the SMB / SME area. Their gear is immensely standard amongst prosumers too, due to the mix of ease of use and the flexibility to customise for particular necessities. I’ve been operating an Ubiquiti UniFi set up at house for the final 5 years or so, and lately had the chance to create a brand new deployment abroad. There have been two most important causes to go along with Ubiquiti for the brand new location – a single administration aircraft for each websites, and the flexibility to simply create a site-to-site VPN.
The brand new set up was pretty clean and the site-to-site VPN was up and operating in a secure method till the ISP on the distant web site moved the gateway from a public-facing WAN IP to at least one behind a carrier-grade NAT (CGNAT). That began a deeper investigation into varied choices out there for site-to-site VPNs with Ubiquiti’s gear for various situations. On this course of, I ended up encountering a bunch of points worthy of documentation to assist people who may encounter them in their very own installations. This text gives a recount of my journey down the rabbit gap – together with a step-by-step information detailing my makes an attempt to work across the varied pitfalls.
Introduction
Ubiquiti Networks presents a spread of merchandise focusing on the networking market. Whereas wi-fi ISPs are a key market section for the corporate (serviced by the airFiber line), right now’s piece is concentrated on their UniFi product line – a spread of managed software-defined networking gear for SMBs, SMEs, and prosumers. There are a variety of causes for UniFi’s recognition merchandise amongst tech-savvy shoppers. The corporate had a first-mover benefit in providing a cheap managed SDN resolution. Isolating performance into completely different gadgets (safety gateways, routers, switches, and wi-fi entry factors) allowed customers to choose and select completely different gear based mostly on their customized wants. The unified administration aircraft for all of the UniFi merchandise allows straightforward upkeep whereas retaining deployment flexibility. Community scaling in response to requirement adjustments can also be easy. The corporate began out with a neighborhood administration controller, which has now been augmented with a cloud-based providing.
My first brush with Ubiquiti was their mFi product line (which has since been sadly EOL-ed). Their lineup of network-connected energy retailers with vitality and energy monitoring, in addition to distant relay management was (and continues to be) extra versatile than the rest available in the market – and this was with out even taking the low pricing into consideration. I had bought a number of of their models for my house / AnandTech testing lab use, and written a brief evaluate after a few months of use (these models are nonetheless in deployment).
After I revealed the mFi evaluate, Ubiquiti’s PR division approached me with a suggestion to evaluate their UniFi product line. Round that point again in 2017, I had the chance to put out a wired Cat 6 spine for all of the rooms in my home right here in California. I took up the supply to spec out a UniFi system for testing out. The USG Professional 4 gateway took up the routing duties with a UniFi Cloud Key (first technology) performing controller duties. Entry factors with various capabilities have been mounted round the home to keep away from wi-fi dead-spots. Quite a few switches have been positioned within the media middle and completely different lab places. I ended up augmenting the system with extra PoE switches and in-wall APs by myself.
The system was configured with the standard visitor wi-fi community, and a bunch of various VLANs (serving the IoT gadgets in the home, the house lab gear, and one other for gadgets such because the frequent household desktop, telephones, and many others.). On the entire, it was an overkill for a residential set up. That stated, the deployment has held its personal over 5 years of nerve-racking utilization (and nonetheless going robust). The one hiccup I had was when the CloudKey controller grew to become inaccessible on the community a few years again. It turned out {that a} energy interruption had ended up corrupting the database – nothing that a number of SSH instructions (thanks to the helpful community) could not resolve. Since then, I ended up investing in a UPS for the rack holding the UniFi gear to keep away from the recurrence of such situations.
Such points are additionally the rationale why I like to recommend Ubiquiti gear solely to tech-savvy customers. In nearly all instances, calling up the corporate’s assist line and making a ticket finally ends up being a waste of time. There are innumerable assets on-line (each the corporate’s personal users forum, in addition to numerous prosumer bloggers comparable to Scott Hanselman and Troy Hunt. In gentle of evaluations from such sources, there may be not a lot for readers to achieve from posting one more evaluate of the Ubiquiti UniFi lineup. As a substitute, I hope to take up particular use-cases and work out how Ubiquiti’s product lineup can tackle these in these collection of articles.
Earlier this yr, my dad and mom again in India determined to downsize their house. I took the chance to revamp their house community from the ground-up. I had been intending so as to add options to the house community of my dad and mom, however had by no means had the chance as a result of my visits have been changing into rare. Nevertheless, with my first go to post-pandemic, I wished to get a number of issues arrange as a part of their transfer:
- Simpler distant administration and troubleshooting of community points with out the necessity for port forwarding.
- Capability to seamlessly use their Indian house community throughout journey / visits over right here to California
- Capability to carry out safe distant offsite backups for my knowledge with out counting on an exterior cloud storage supplier
- Capability to seamlessly make the most of Indian OTT service subscriptions no matter person location both in California or in India
After I initially arrange the Cloud Key again in 2017, there was no requirement to make use of a cloud account. Sadly, the UniFi Community cell software person expertise grew to become fairly onerous and not using a ui.com ID a few years again. I caved in and ended up associating my set up with a cloud ID only for this function. Since I used to be already managing my community by way of this ID, it grew to become a simple resolution to go along with Ubiquiti for the deployment again in India.
The important thing to fulfilling the above necessities was a safe VPN tunnel between my house community right here in California and my dad and mom’ community in India. Previous to touring, I organized for a Ubiquiti Dream Machine to be delivered to the brand new house. The Ubiquiti UniFi Dream Machine is an all-in-one resolution / UniFi starter equipment. It integrates a 4-port change, a 4×4 802.11ac entry level, a safety gateway, and an built-in controller. The Annapurna Labs AL314-based resolution comes with a single WAN port, and is an appropriate resolution for many house networks within the the 1000 sq. ft – 1200 sq. ft vary.
From my use-case perspective, I wished an answer that might assist easy VPN tunnel configuration and simple app-based entry for each the US and Indian networks by way of a single interface.
The Evolution of UniFi – A Brief Recap
Ubiquiti’s UniFi lineup was launched after their lineup of edge-focused merchandise for WISPs began gaining traction in different markets. These EdgeRouters and EdgeSwitches have been based mostly on Vyatta OS, and the UniFi merchandise initially began out with the identical EdgeOS firmware base. The UniFi Safety Gateway Professional 4 in my main deployment runs EdgeOS to this point.
The USG Professional 4 is predicated on Cavium’s OCTEON II networking SoC, with a MIPS64 software processor. Nevertheless, Ubiquiti’s newest gateways / routers / switches within the UniFi lineup now run a customized Debian-based Linux distribution. The UniFi Dream Machine makes use of the Annapurna Labs AL314, and runs a distribution meant for the AArch64 platform. The UniFi OS itself runs as a container utilizing podman.
The tip result’s that there are fairly plenty of disconnects between the options out there on EdgeOS and UbiOS / UniFi OS. Migration from the EdgeOS line to UniFi OS shouldn’t be easy sufficient for closely personalized installs. With focus shifting to UbiOS / UniFi OS, the updates for the older gear have turn into few and much aside. Whereas that may not be a priority for secure networks, it has sadly not stored updated with evolving community safety practices. For instance, Android’s current releases have utterly dropped assist for L2TP VPNs, whereas EdgeOS has L2TP because the advisable VPN server sort. This brings us to the subject of VPNs.
VPN Server Choices in Ubiquiti’s Stack
Ubiquiti presents a spread of VPN choices relying on the gateway getting used. At house right here in California with the USG Professional 4, I’ve been operating a L2TP VPN server (permitting me to hook up with it from public espresso outlets and airports for safe shopping functions) for a number of years now. I had minimal trouble setting it up for entry from a Home windows pocket book. Nevertheless, as talked about within the earlier sub-section, this VPN server is of no use for my cell phone operating Android 12. The USG Professional 4 additionally helps PPTP VPN, however it’s not advisable even by Ubiquiti themselves.
The first possibility for a VPN server within the UniFi Dream Machine operating UbiOS / UniFi OS is sort of completely different.
Right here, Teleport (Ubiquiti’s personalized Wireguard implementation) takes priority. This can be a one-click VPN extra in tune with right now’s mobile-first ecosystem. Purchasers are licensed by way of invitations that may be generated both from the configuration web page (on the unifi.ui.com cloud, or by way of the machine’s native IP) or the UniFi Community cell app. The invitations could be opened on the shopper system utilizing the Wifiman cell software. The unlucky side right here is that Home windows customers are out of luck. Whereas MacOS, Android, and iOS are coated, Home windows customers are left within the lurch. This can be a vastly disappointing scenario on condition that the L2TP possibility in EdgeOS works with Home windows shoppers, however not Android and the Teleport possibility in UbiOS / UniFi OS works with Android shoppers, however not Home windows. It have to be famous that the UDM nonetheless helps L2TP for Home windows shoppers.
Underneath the Teleport & VPN part, Ubiquiti additionally gives an choice to create site-to-site VPNs, which is the place our story begins.
