Route some traffic through a VPN tunnel on the UDM Pro

I believe the UDM Pro can do outbound VPN connections to a commercial VPN provider. Not sure what protocols it supports, I’ve seen proof of L2TP but assume others are supported too. My VPN provider prefers WireGuard.

Using the UDM Pro and a connected access point, is it possible for the traffic from only specific clients (wifi and wired) to be routed through such a tunnel where all the other traffic goes through the normal WAN route?

If so, is it then also possible to switch the VPN destination easily? I’m a Dutch national living in Thailand, and between my wife and myself we would like to be able to watch Dutch, Korean and American content. It would be fine to have to go into a GUI to switch the destination, but a command line would be a challenge for my wife.

Any help you can offer is greatly appreciated!

I’ve done this on the USG, so I imagine it should be possible with UDM. I used OpenVPN, not sure if Wireguard is possible. I have 3 SSIDs, two of which are connected to different VPN servers in different countries. So, I can connect my TV to a different WiFi to get new content on Netflix, for example. It required manually crafting the json configuration on the device, however.

I find that the USG device is just barely powerful enough to get reasonable speeds over OpenVPN. 6 Mbps is not unusual (on 1 Gbps symmetric fiber, FYI). The UDM Pro may work slightly better, but I wouldn’t expect great speeds. Although, I think Wireguard is supposed to be faster than OpenVPN.

I ultimately decided that I would offload the encryption to a virtual VPN appliance running in a VM instead. The setup is quite a bit more complicated, but throughput is much higher…

I don’t think this is supported, but would be happy to learn otherwise. From what I can tell, UDMP supports two kinds of VPN configurations:

  • L2TP for remote clients to join your LAN
  • IPSec for site-to-site connections between UDMPs

It would be nice to get flexible Wireguard support.

I was able to get this running on a UDMPro by using an inexpensive external router that manages the OpenVPN connection to the VPN provider, then that router connection is mapped to a VLAN and SSID so any devices on that network are routed through the VPN. The external router isn’t too powerful but I still get 50+ Mbps, which works for me. It does require 2 ports on a managed switch to connect the external router.

This guide helped me a lot: https://community.ui.com/questions/Guide-VPN-VLAN-How-to-Run-a-VPN-on-a-Separate-Device-for-a-VLAN-integrated-in-the-Unifi-Network/dc5e346a-5fb0-4c4b-b94d-5531f965b316

I could never get it to work

I’m not sure if I should piggyback this, but I think it’s relevant to your issue. I want to do something similar, but I want to run a SOCKS server on my EdgeRouter X that forwards to a VPN.

That way I can, for example, have a VPN-ized version of Firefox and a non-VPN-ized version of Firefox. Since SOCKS forwarding can be done with SSH this should be possible with packages already installed on these devices (both the UDM and the ER), but I’m just not sure how to do the nuts and bolts… Let me know if maybe there’s somewhere else I should ask…

I don’t believe it’s possible (yet?) to set up PBR on the UDM line. Last I’d read, UnifiOS, while newer, lacks a lot of underlying features that were accessible via config files. After rereading your request, it seems like you want to be able to force ALL traffic through an outbound VPN. That may very well be doable using static routes, though I’ve not even attempted to set up a site-to-site VPN connection on the Pro.

Hm. I’d only need enough capacity for 1-2 video streams, but that’s still 50Mbps or so. Offloading it would always be an option, but I like the idea of running it on the router I guess. Thanks very much for the insight provided. Hopefully somebody with experience running this on a UDMP can add to this.

Outbound VPN in general, or the setup where specific devices only go out over the VPN?

All traffic for two specific devices. To a commercial VPN provider endpoint.

Not sure I can help. My configuration used the router with WAN and LAN ports. I think the RPi has only 1 port.

Setup where a network goes through a VPN tunnel.

Yeah, the specific devices is your biggest problem. That would require policy-based routing (PBR). Fairly certain this is not doable on the UDM line yet, if ever. The fact that Ubiquiti still hasn’t even added multiple address or NAT support to the USG line after all these years leads me to believe that it’s a very unlikely feature to appear any time soon. The more people that contact them to show interest might shift priorities though…
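
For readers who want to see what the policy-based routing mentioned in this comment actually does, and how the VLAN-behind-the-VPN setup described earlier in the thread looks at the routing layer, here is an added example that is not code from this thread or from Ubiquiti. It is a small Python model of the Linux `ip rule` / `ip route` semantics: a source-based rule sends one VLAN to a routing table whose default route is the tunnel, while every other client falls through to the main table and the WAN. All interface names (eth8, br0, br0.20, wg0), subnets and table names are constructed assumptions, not a real UDM Pro or EdgeRouter configuration.

```python
"""Model of Linux policy-based routing (PBR): route only one VLAN through a VPN.

Everything here is constructed for illustration. The interface names
(eth8 = WAN, br0 = LAN, br0.20 = VPN VLAN, wg0 = WireGuard tunnel), the
subnets and the table names are assumptions, not device configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]        # outgoing interface; None models an 'unreachable' route
    metric: int = 0


@dataclass(frozen=True)
class Rule:
    priority: int             # lower number is consulted first, as with `ip rule`
    src: Optional[ipaddress.IPv4Network]   # None means 'from all'
    table: str


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match; ties between equal prefixes go to the lowest metric."""
    hits = [r for r in table if dst in r.prefix]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric))


def route(tables: Dict[str, List[Route]], rules: List[Rule], src: str, dst: str) -> str:
    """Return the egress interface, or 'DROP' when the matching route is unreachable.

    Rules are walked in priority order. A table that has no route for the
    destination does NOT end the search: Linux falls through to the next rule.
    That fall-through is how a 'VPN-only' client ends up on the WAN when the
    tunnel route vanishes, unless the VPN table carries an unreachable fallback.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and s not in rule.src:
            continue
        hit = lookup(tables.get(rule.table, []), d)
        if hit is None:
            continue
        return hit.dev if hit.dev is not None else "DROP"
    return "DROP"


# Constructed topology: br0 is the normal LAN, br0.20 is the VLAN behind the
# "VPN" SSID, eth8 is the WAN uplink, wg0 is the tunnel to the VPN provider.
LAN = net("192.168.1.0/24")
VPN_VLAN = net("192.168.20.0/24")

RULES = [
    Rule(100, VPN_VLAN, "vpn"),     # ip rule add from 192.168.20.0/24 lookup vpn pref 100
    Rule(32766, None, "main"),      # the stock 'from all lookup main' rule
]


def build_tables(tunnel_up: bool = True, kill_switch: bool = True) -> Dict[str, List[Route]]:
    """Build the 'main' and 'vpn' tables; flags model the tunnel being down
    and whether an unreachable fallback (fail-closed) was configured."""
    main = [
        Route(LAN, "br0"),
        Route(VPN_VLAN, "br0.20"),
        Route(net("0.0.0.0/0"), "eth8"),          # ordinary WAN default route
    ]
    vpn = [
        Route(LAN, "br0"),                        # VPN clients still reach the LAN directly
        Route(VPN_VLAN, "br0.20"),
    ]
    if tunnel_up:
        vpn.append(Route(net("0.0.0.0/0"), "wg0", metric=50))
    if kill_switch:
        # ip route add unreachable default table vpn metric 100
        # Loses to the wg0 route while it exists; takes over the moment it is gone.
        vpn.append(Route(net("0.0.0.0/0"), None, metric=100))
    return {"main": main, "vpn": vpn}


if __name__ == "__main__":
    cases = [("192.168.20.10", "1.1.1.1", True, True),
             ("192.168.1.10", "1.1.1.1", True, True),
             ("192.168.20.10", "192.168.1.50", True, True),
             ("192.168.20.10", "1.1.1.1", False, True),
             ("192.168.20.10", "1.1.1.1", False, False)]
    for src, dst, up, ks in cases:
        print(f"{src} -> {dst} tunnel_up={up} kill_switch={ks}:",
              route(build_tables(up, ks), RULES, src, dst))
```

Two things the model makes visible that the prose does not: switching the VPN country is just a matter of which tunnel interface sits behind the `vpn` table's default route (or which VLAN a rule points at), and because a table miss falls through to the next rule, a VPN-only VLAN without an `unreachable` fallback in its table silently reverts to the WAN when the tunnel drops. The last case in the script shows that leak; the one before it shows the fail-closed behaviour.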

Ouch. That’s not good if it can’t even route an entire network through a tunnel.

Sounds like the UDM line isn’t for me. Thanks for your clarification, much appreciated.

Policy-based routing: easy on EdgeRouter, not possible on UDM.

NP. It’s a real shame, there’s a lot to like there, but Ubiquiti’s priorities don’t seem to line up well with a large body of their target demographic. I’ve got a rather semi-convoluted PA-220 setup in my homelab with the UDM Pro to counter a lot of the shortcomings. What I’ve had to do I would not recommend :). I do remain hopeful that in the future they remember they are an SMB / small enterprise device supplier that has a rabid fanbase of prosumers, and that they return to their old form.