Teleport VPN - Ubiquiti's WireGuard

Ubiquiti recommends Teleport for VPN purposes in the UniFi Dream Machine. Activating this feature requires remote access to be enabled on the controller, followed by WiFiman in the Network application. While this is straightforward enough for most setups, there are certain situations that trip up this flow. In my case, one of the power failures ended up corrupting the UDM - Internet access from within the network worked, but the web UI was inaccessible, SSH attempts timed out, and Teleport would simply give up. The unit had to be resuscitated via the recovery IP using a firmware image downloaded offline. After recovery, the UDM was accessible over the local network and Internet access worked. However, it was not visible either in the mobile app or the cloud-based management portal, as remote access was disabled (and couldn't be activated despite repeated attempts). It turned out that the inability of the unit to communicate with the default NTP servers from behind the CGNAT had resulted in the date/time of the unit being set based on the firmware build date. Fixing this manually allowed the remote access feature in the controller to be activated.
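The clock problem above is worth checking for before spending time on the remote-access toggle: a gateway whose time has fallen back to the firmware build date will fail the TLS handshake with the cloud controller, which looks exactly like "remote access refuses to enable". The following POSIX shell script is an added example written for this article, not Ubiquiti's code or a UniFi tool. It assumes the operator supplies the firmware build date (the page does not give one), optionally a trusted reference epoch taken from a known-good host, and that any correction is applied by hand with `date -s` afterwards.

```shell
#!/bin/sh
# Added example: detect a gateway clock stuck at the firmware build date
# because NTP is unreachable behind CGNAT. Run on the UDM (busybox date) or
# on any Linux host; nothing here changes the clock.

# clock_plausible NOW_EPOCH MIN_EPOCH
# Returns 0 when NOW_EPOCH is more than one day after MIN_EPOCH, 1 otherwise.
# A clock sitting at (or before) the build date is the symptom described in
# the article: cloud enrolment silently fails and remote access cannot be enabled.
clock_plausible() {
    now="$1"; min="$2"
    # one day of slack so a freshly built firmware with a correct clock is not flagged
    [ "$now" -gt "$((min + 86400))" ]
}

# clock_skew_seconds NOW_EPOCH REF_EPOCH
# Prints the absolute difference between the two epochs.
clock_skew_seconds() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    echo "$d"
}

# check_gateway_clock BUILD_DATE_ISO [REF_EPOCH]
# Compares the running clock with the firmware build date (YYYY-MM-DD, supplied
# by the operator). When a reference epoch from a trusted host is given as the
# second argument, also reports skew above five minutes, which is enough to
# break certificate validation. Returns 0 on a sane clock, 1 if stuck at the
# build date, 2 on large skew.
check_gateway_clock() {
    # GNU/busybox date first, BSD date as a fallback for a laptop running the check
    build_epoch=$(date -u -d "$1" +%s 2>/dev/null) \
        || build_epoch=$(date -u -j -f "%Y-%m-%d" "$1" +%s)
    now_epoch=$(date -u +%s)
    if ! clock_plausible "$now_epoch" "$build_epoch"; then
        echo "BAD: clock (epoch $now_epoch) is at or before firmware build date $1"
        echo "     NTP is probably unreachable behind CGNAT; set the time by hand,"
        echo "     e.g. date -u -s '<YYYY-MM-DD HH:MM:SS>' (placeholder), then retry remote access"
        return 1
    fi
    if [ -n "${2:-}" ]; then
        skew=$(clock_skew_seconds "$now_epoch" "$2")
        if [ "$skew" -gt 300 ]; then
            echo "WARN: clock differs from reference by ${skew}s; TLS to the cloud controller may fail"
            return 2
        fi
    fi
    echo "OK: clock is past the firmware build date"
}

# Usage: check_gateway_clock 2022-11-01            (build date is a placeholder)
#        check_gateway_clock 2022-11-01 "$(ssh goodhost date +%s)"
```

The reference epoch is pulled over SSH from a host you trust rather than from an NTP query, because the whole point is that NTP may be blocked; once the clock is fixed, confirm that the gateway's own NTP client resumes syncing so the problem does not return after the next power failure.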

Enabling WiFiman is done in the System section of the Network application.

After taking care of these two aspects, Teleport invites can be generated under the 'Teleport & VPN' section of the web UI as well as the mobile application.


Teleport Invite Generation using Cloud Management / Local Web UI

Teleport Invite Generation using the UniFi Network Android App

The advantage of using the Android app to generate the invite link is the ability to directly open it with the WiFiman app to get into the target network. Upon accepting the invite in the app, the connection is available for activation as long as the source gateway (UDM in this case) has a connection to the Internet.

The Teleport functionality in the UDM currently forces the invited device into the 192.168.2.0/24 network. This is currently not user-configurable. In my case, this was not a show-stopper, as the UDM automatically took care of enabling seamless communication between the primary 172.16.0.0/24 subnet and the VPN subnet.

In the first few days of grappling with CGNAT, I attempted to set up a dedicated Android device to act as a Teleport client for other devices in the US to connect to. Unfortunately, except for my Pixel 6a, none of the Android devices at my disposal (I even tried setting up an old NUC with Bliss OS) could serve in this role. Either the Teleport feature in the WiFiman app was not available for the old Android version, or the connection proved to be extremely unstable. After a fruitless couple of days, I gave up completely on this approach.

The Teleport feature did end up serving me well beyond that attempt, though. Throughout the later experiments, I had Teleport as a fall-back to be able to SSH into the UDM network and configure the gateway as well as machines local to that network.


SSH over Teleport via an Android Intermediary
(From L to R) Clumsy SSH access, Activating SSH server on the Pixel 6a, Allowing ADB access

As a good security measure, Ubiquiti does not allow SSH access to the UDM over remote access by default, and the only safe way to achieve this is to create a secure tunnel into the target network prior to attempting an SSH login. Initially, I used the termux app to directly SSH into the UDM (after connecting via Teleport, obviously). Executing shell commands over a mobile keyboard turned out to be a frustrating exercise. Fortunately, it is possible to run an SSH server on an Android phone and connect to it via ADB. With the Teleport connection active in the background, it became easy to access the UDM over SSH from a proper desktop.
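The desktop side of that arrangement is an ADB port forward to the phone's SSH server plus an ssh_config `ProxyJump` so that the UDM is only ever reached through the phone holding the Teleport tunnel. The script below is an added example, not from the article or from Ubiquiti; it assumes the phone's SSH server listens on TCP 8022, that `adb` is already authorised for the phone, and that the UDM answers at 172.16.0.1 inside the 172.16.0.0/24 LAN mentioned earlier (the gateway address and the Android user name are placeholders).

```shell
#!/bin/sh
# Added example: SSH to the UDM from a desktop via an Android phone that has an
# active Teleport connection. Topology: desktop -> adb forward -> phone sshd
# -> (Teleport/WireGuard) -> UDM. Nothing on the UDM is exposed to the Internet.

PHONE_SSH_PORT="${PHONE_SSH_PORT:-8022}"   # assumed sshd port on the phone
LOCAL_FWD_PORT="${LOCAL_FWD_PORT:-8022}"   # local port adb binds on the desktop
PHONE_USER="${PHONE_USER:-u0_a123}"         # placeholder Android account name
UDM_HOST="${UDM_HOST:-172.16.0.1}"          # assumed gateway address in 172.16.0.0/24
UDM_USER="${UDM_USER:-root}"

# ssh_config_block: print two Host stanzas. The UDM entry carries ProxyJump, so
# ssh opens the connection through the phone; the phone entry is key-only so a
# weak or leaked password on the handset does not become a door into the LAN.
ssh_config_block() {
    cat <<EOF
Host teleport-phone
    HostName 127.0.0.1
    Port ${LOCAL_FWD_PORT}
    User ${PHONE_USER}
    PreferredAuthentications publickey
    PasswordAuthentication no

Host udm-via-teleport
    HostName ${UDM_HOST}
    User ${UDM_USER}
    ProxyJump teleport-phone
EOF
}

# forward_active LISTING: given the text of "adb forward --list" (one
# "<serial> tcp:LOCAL tcp:REMOTE" line per forward), return 0 if our forward
# already exists, 1 otherwise.
forward_active() {
    printf '%s\n' "$1" | grep -q " tcp:${LOCAL_FWD_PORT} tcp:${PHONE_SSH_PORT}$"
}

# ensure_forward: create the adb forward unless it is already present.
ensure_forward() {
    listing=$(adb forward --list 2>/dev/null) || return 1
    forward_active "$listing" && return 0
    adb forward "tcp:${LOCAL_FWD_PORT}" "tcp:${PHONE_SSH_PORT}"
}

# Entry point: "sh this.sh run" opens the session; sourcing the file only
# defines the functions.
if [ "${1:-}" = "run" ]; then
    ensure_forward || { echo "adb forward failed; is the phone connected and authorised?" >&2; exit 1; }
    cfg=$(mktemp) || exit 1
    ssh_config_block > "$cfg"
    # Host key checking stays on: the phone's key should already be in known_hosts.
    ssh -F "$cfg" udm-via-teleport
    status=$?
    rm -f "$cfg"
    exit "$status"
fi
```

Because the forward binds 127.0.0.1 on the desktop, only local processes can use it; if the desktop is shared, drop the forward with `adb forward --remove tcp:8022` when the session ends so the phone (and through it the remote LAN) is not left reachable by other users.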


SSH over Teleport via an Android Intermediary using a PC

Prior to starting the whole exercise, one of my goals was to avoid any sort of third-party relay server or cloud service in the communication between the USG Pro 4 and UDM. However, after exhausting all possibilities within my limited networking knowledge, I regretfully started to look at options involving third-party services. Hamachi (https://www.vpn.net/), Tailscale, and ZeroTier appeared to be popular, with the most common use-cases tending to be connections between individual systems. Of these three, Tailscale and ZeroTier had multiple write-ups and guides, with some specifically talking about site-to-site setups involving Ubiquiti gear. Armed with these guides, I took the plunge into ZeroTier first.

Comments Locked

35 Comments
  • prophet001 - Wednesday, December 21, 2022 - link

    Not really a ubiquiti fan.
  • Threska - Wednesday, December 21, 2022 - link

    Ubiquiti vacuum.
  • OddballSix - Wednesday, December 21, 2022 - link

    There's no point in even talking about Ubiquiti, you can't buy most of their products. Some of them have been out of stock in the entire channel for months.

    Entire parts and lines of products gone. You can't buy them. One breaks? You're screwed. Need to upgrade the firewall? Tough.
  • HalcyonDays - Wednesday, December 21, 2022 - link

    I actually went down a similar path as you did. Years ago, when I moved out, I needed a way to troubleshoot my parents' network remotely when I inevitably get the dreaded phone call "internet is not working".

    My requirements for this setup are as follows:
    1. Bidirectional encrypted tunnel(s) - preferably peer-to-peer
    2. No third-party cloud services
    3. Each site accesses the internet through its own ISP
    4. Router at each site will handle the VPN connection - no additional hardware

    After attempting and investigating multiple methods, I eventually settled on "tinc" based on the suggestion from the openwrt forums.

    "tinc" is a peer-to-peer VPN supported by Tomato, Openwrt, and asuswrt-merlin. It doesn't need all sites to have a public IP to work. It just needs one site to have a public IP (I think). To handle dynamic IPs, I use a free DDNS service and assign a domain name to each of the sites.

    Since then, I have expanded the VPN network to include the in-laws' and parents' homes in Taiwan. It just required the router at each site to have the public key of at least one other site and it'll be able to see all sites. This means that I can be at any of these sites and still see every site.

    Some caveats: I am uncertain of the performance. From what I can tell, "tinc" is pretty lightweight but not as performant as wireguard. Because I don't stream anything over tinc tunnels, I can't vouch for how well it works for that.

    Give it a try.
  • Samus - Thursday, December 22, 2022 - link

    Amazing hardware and stability totally ruined by crap software. The controller is trash. Relying on Java is already a red flag but the way the controller database functions is bizarre and totally insecure. Inheriting\adopting hardware into a new instance results in a mandatory config wipe. No Fortune 500 or enterprise network would use this so what really separates it from a $100 consumer product? A consumer product that often has more basic functionality; Ubiquiti has to this day failed to implement MAC cloning, axing it from consideration for anybody who has AT&T or Verizon fiber that needs to emulate their gateway from the ONT\media converter. Such a basic feature dating back to the Linksys routers of the 90's missing from a $300 prosumer product is embarrassing and should alone put the company underwater. I mean why?
  • Hamm Burger - Thursday, December 22, 2022 - link

    My ISP provides CGNAT by default, but one can pay extra (€1.95/month afair) for a non-fixed but routable address. Which I do. Of course, you have to know that you can ask, because they don't advertise this feature.
  • Samus - Saturday, December 24, 2022 - link

    That is cheap. Commercial block IPs are rarely offered in the US to residential subscribers, and even 'business' internet plans find a way to screw you out of $15 minimum for a "usable" static address.

    It's worth noting over the years I've seen most IP addresses - even for residential internet - have become statically assigned to subscribers, but they are non-routable.
  • ballsystemlord - Thursday, December 22, 2022 - link

    @Ganesh, why not just contact the ISP and tell them that you were paying for an IP address that is *not* behind CGNAT? I mean, if you're spending the money for the IP you should get it.
  • Jorgp2 - Thursday, December 22, 2022 - link

    Yup, or just pay for a /29 or something.
  • coburn_c - Thursday, December 22, 2022 - link

    ipv6 is dead and rightly so