Ubiquiti edge router site to site vpn: complete guide to configuring a site-to-site IPsec tunnel between EdgeRouter devices
Yes, you can build a reliable site-to-site VPN between two EdgeRouter devices using IPsec. This guide gives a clear, practical step-by-step approach, warns about the common pitfalls, and shows real-world tests that confirm the tunnel stays up. It covers the why, the how, and how to troubleshoot, with examples you can adapt to your own network.
– What you’ll learn: a practical site-to-site IPsec setup on EdgeRouter, best practices for topology and routing, how to verify tunnel integrity, and how to troubleshoot typical issues.
– Quick-start checklist: confirm public IPs, pick subnets that don’t overlap, decide which sites host the VPN endpoints, gather pre-shared secrets, and have a plan for monitoring and failover.
Introduction overview
This guide includes:
– A quick overview of why you’d use a site-to-site VPN with EdgeRouter
– A practical, step-by-step configuration path (GUI and CLI)
– Real‑world network diagrams to help you plan subnets
– Testing and validation steps to confirm the tunnel is up
– Common mistakes and how to fix them
– A thorough FAQ to cover edge cases
What is a site-to-site VPN and why EdgeRouter?
A site-to-site VPN creates an encrypted tunnel between two networks over the public internet, so devices on one network can reach resources on the other as if they shared a LAN, with the traffic protected by IPsec. EdgeRouter devices from Ubiquiti are popular for this because they are inexpensive, perform well, and EdgeOS exposes the full IPsec feature set. A site-to-site VPN on EdgeRouter uses IKE (Internet Key Exchange) to authenticate the peers and negotiate keys, and ESP (the IPsec encapsulation) to carry the encrypted traffic.
Key reasons to use EdgeRouter for site-to-site VPN:
– Full control with EdgeOS: every setting is available in both the GUI and the CLI
– Strong IPsec support with flexible phase 1/phase 2 IKE/ESP settings
– No yearly firewall or router licensing required for basic VPN functionality
– Good performance for small to mid-sized sites with a couple of subnets
Demand for secure inter-site connectivity has grown as SMBs open multiple locations and remote work becomes the norm. VPNs remain a core part of enterprise and SMB networking, and IPsec is still the most widely supported standard for site-to-site tunnels between routers, including routers from different vendors.
Prerequisites and planning
Before you start, have these ready:
– Two EdgeRouter devices (one at each site), each with a public IP address or a reachable NAT-mapped address
– Distinct, non-overlapping subnets for each site (for example, Site A: 192.168.10.0/24, Site B: 192.168.20.0/24)
– A long, randomly generated pre-shared key (PSK) for IPsec authentication, unique to this pair of peers
– Basic routing plan: how traffic will enter/exit the VPN tunnels
– Firewall rules that permit VPN traffic if you’re using a firewall policy
– Optional: dynamic DNS if the remote site uses a dynamic public IP
Network planning tips:
– Avoid overlapping subnets and ensure you have clear local and remote subnets defined
– Decide which site acts as the hub if you expect to add more sites, and where tunnel logs and alerts will be collected
– Plan for optional redundancy or failover if you want multiple tunnels or alternate paths
Network diagram example
– Site A:
– EdgeRouter A public IP: 203.0.113.1
– Local LAN: 192.168.10.0/24
– WAN: eth0 (public)
– Site B:
– EdgeRouter B public IP: 198.51.100.1
– Local LAN: 192.168.20.0/24
Traffic path example:
– Traffic from 192.168.10.0/24 at Site A to 192.168.20.0/24 at Site B travels through an IPsec tunnel encrypted between 203.0.113.1 and 198.51.100.1.
Step-by-step: configuring a site-to-site VPN on EdgeRouter (GUI and CLI)
Option A: GUI configuration (EdgeRouter web UI)
1 Log in to the EdgeRouter web UI at Site A; the same steps are repeated on Site B with the addresses swapped
2 Open the VPN tab and choose IPsec Site-to-Site
3 Add a peer and fill in the form
– Peer IP: the remote public IP (Site B, 198.51.100.1)
– Local IP: this router's own WAN address (Site A, 203.0.113.1)
– Local subnet: the Site A LAN, e.g., 192.168.10.0/24
– Remote subnet: the Site B LAN, e.g., 192.168.20.0/24
– Pre-shared secret: the PSK agreed for this peer
– Encryption, hash and DH group: pick a strong set and use exactly the same values on both ends (see the CLI example below)
4 Leave the automatic FW/NAT rules option enabled unless you manage those rules yourself; it adds the firewall accepts and the NAT exclusion the tunnel needs
5 Apply
6 Check that the tunnel shows as up in the status panel; it can only come up once the peer is configured, so expect it to be down until Site B is done
7 If you are not using the automatic rules, add firewall rules allowing 192.168.10.0/24 <-> 192.168.20.0/24 plus IKE, NAT-T and ESP on the WAN
8 Repeat the same steps at Site B with the roles reversed
Option B: CLI configuration (copy-and-edit example)
Below is a generic, copy-ready example you can adapt. The commands are entered in configure mode (type configure first). Replace the placeholders with your actual addresses, networks, and PSK; the remote side mirrors the peer block with the addresses and prefixes swapped.
– Define IKE and ESP groups: IKEv2, AES-256, SHA-256, DH group 14 (EdgeOS numbers the groups; 14 is modp2048), with dead-peer detection so a dropped peer is re-established
set vpn ipsec ike-group IKE-2 key-exchange ikev2
set vpn ipsec ike-group IKE-2 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-2 proposal 1 hash sha256
set vpn ipsec ike-group IKE-2 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-2 lifetime 28800
set vpn ipsec ike-group IKE-2 dead-peer-detection action restart
set vpn ipsec ike-group IKE-2 dead-peer-detection interval 30
set vpn ipsec ike-group IKE-2 dead-peer-detection timeout 120
set vpn ipsec esp-group ESP-2 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-2 proposal 1 hash sha256
set vpn ipsec esp-group ESP-2 pfs enable
set vpn ipsec esp-group ESP-2 lifetime 3600
– Tell IPsec which interface terminates tunnels, and let EdgeOS add the firewall accepts and the NAT exclusion the tunnel needs
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
– Configure the remote peer (Site B) from Site A; local-address is this router's own WAN address, and each tunnel number carries one local/remote prefix pair
set vpn ipsec site-to-site peer 198.51.100.1 description SITE-B
set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret YourStrongPSK
set vpn ipsec site-to-site peer 198.51.100.1 ike-group IKE-2
set vpn ipsec site-to-site peer 198.51.100.1 esp-group ESP-2
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 remote prefix 192.168.20.0/24
– WAN and LAN addressing (adjust to your interfaces; at Site A eth0 is the WAN and eth1 the LAN)
set interfaces ethernet eth0 address 203.0.113.1/24
set interfaces ethernet eth1 address 192.168.10.1/24
– No static route is needed for this policy-based tunnel: EdgeOS installs an IPsec policy for the local/remote prefix pair and matching traffic is encrypted before normal routing applies. Only a route-based (vti) setup needs a route to 192.168.20.0/24 via the vti interface
– Commit and save
commit
save
Notes for CLI:
– Interface names differ between EdgeRouter models, and some use eth0 as the LAN; map your WAN interface correctly in both the address and the ipsec-interfaces settings
– If either router sits behind another NAT device, EdgeOS (strongSwan) detects this during IKE and switches to NAT-T on UDP/4500 by itself; what you must do is forward UDP/500 and UDP/4500 to the router, set local-address to the router's own (private) WAN address rather than the public one, and have the NATed side initiate
– If the remote site has a dynamic public IP, the static side cannot name the peer by a fixed address; keep dead-peer detection enabled so an address change is noticed and the tunnel re-established, and let the dynamic side initiate
Routing and firewall considerations
Routing:
– For the policy-based tunnel configured above, no route is needed: EdgeOS installs an IPsec policy for each local/remote prefix pair, and packets matching it are encrypted and sent to the peer before normal routing applies. A static route for 192.168.20.0/24 to a next hop on the WAN does nothing useful and can break the tunnel
– Only a route-based setup (a vti interface bound to the peer) needs routes, such as 192.168.20.0/24 via the vti interface; that is the approach to use if you want dynamic routing or many prefixes per peer
Firewall:
– IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) must be accepted on the WAN local chain (WAN_LOCAL in the default EdgeOS ruleset), and decrypted tunnel traffic must be accepted on the WAN inbound chain (WAN_IN) with a match-ipsec rule; the auto-firewall-nat-exclude option adds all of these for you
– If you run a stateful firewall, keep the established/related accept rules ahead of the drop rules so return traffic through the tunnel is not discarded
NAT considerations:
– A masquerade rule on the WAN interface would rewrite the source address of LAN-to-LAN packets to the public IP, so they no longer match the IPsec policy and leave in the clear or are dropped. Either enable auto-firewall-nat-exclude, or add a masquerade rule with exclude set, matching destination 192.168.20.0/24 on the WAN interface and numbered lower than the general masquerade rule so it is evaluated first
Testing and validation
– Basic ping test: from a host at Site A, ping a host at Site B (e.g., 192.168.20.10). Test from hosts behind each router rather than from the router itself, whose ping is sourced from the WAN address and does not match the tunnel policy
– Reverse test: from a host at Site B, ping a host at Site A (e.g., 192.168.10.10)
– VPN status check: the EdgeRouter dashboard shows the tunnel state; on the CLI, show vpn ipsec status reports the active tunnels and show vpn ipsec sa the negotiated SAs with byte counters, which should increase while you ping
– Traceroute: from a LAN host, the path to the remote subnet should go straight from the local router to the remote router (or the remote LAN gateway) with no public hops in between
– Logs: show vpn log shows the IKE negotiation; look for proposal mismatches, authentication failures, and repeated renegotiation
– MTU check: ESP in tunnel mode adds roughly 60 bytes (more with NAT-T), so a 1500-byte path leaves room for a TCP MSS of only about 1380 to 1400 bytes. If large transfers stall while pings succeed, clamp the MSS on the LAN side (EdgeOS has a firewall options mss-clamp setting) to around 1360; 1432 and 1460 are too large for an AES-CBC/SHA-256 tunnel and will cause fragmentation
Pro tips:
– Use a long, randomly generated PSK per peer and rotate it on a schedule; it must change on both sides at the same time, so do it in a maintenance window
– Maintain consistent IKE/ESP settings on both sides for compatibility
– Consider adding an optional second tunnel for redundancy if you have multiple internet links
Security considerations
– Use strong algorithms (AES-256, SHA-256, DH group 14 or stronger) and prefer IKEv2 over IKEv1
– Do not reuse PSKs across multiple sites or devices
– Keep EdgeRouter firmware up to date to benefit from security and stability improvements
– Limit VPN access to necessary subnets, and ensure hosts behind the VPN are properly secured
– Monitor VPN uptime and set up alerts for tunnel down events
Performance considerations
– VPN throughput depends on CPU, crypto offloading, and the number of tunnels; on models that support hardware IPsec offload (the Cavium-based ER-Lite, ER-PoE and ER-8 families) check show ubnt offload and make sure the ipsec offload under system offload is enabled
– EdgeRouter devices provide solid performance for small to mid-size sites, but very busy environments may require hardware with stronger crypto support or offloading
– If you’re bottlenecked, consider splitting traffic across multiple tunnels or upgrading to a more capable EdgeRouter model
Multi-site and scalable setups
– For more than two sites, you can add multiple site-to-site peers, one per site, with a hub-and-spoke topology
– Each site-to-site tunnel is independent; you maintain separate local/remote prefixes per tunnel
– If you have a central data center, consider a hub site with multiple tunnels to remote sites for simplified management
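Planning a hub-and-spoke layout by hand is where subnet overlaps and swapped local/remote prefixes creep in, so here is an added example (not from the original guide) that checks the address plan and generates the per-peer EdgeOS peer and tunnel commands for every site. The site table is constructed: the hub and first spoke reuse the guide's Site A and Site B addresses, spoke2 and the PSK placeholders are made up, and the IKE-2 and ESP-2 groups are assumed to exist as in the CLI example.

```python
import ipaddress
from itertools import combinations

# Added example, not part of the original guide. Constructed site plan: hub and spoke1 reuse
# the guide's Site A / Site B addresses; spoke2 and every PSK placeholder are made up.
SITES = {
    "hub":    {"public_ip": "203.0.113.1",  "lan": "192.168.10.0/24"},
    "spoke1": {"public_ip": "198.51.100.1", "lan": "192.168.20.0/24"},
    "spoke2": {"public_ip": "192.0.2.1",    "lan": "192.168.30.0/24"},
}
IKE_GROUP, ESP_GROUP = "IKE-2", "ESP-2"   # assumed to be defined already, as in the CLI example


def overlapping_subnets(sites):
    """Pairs of sites whose LAN prefixes intersect; must be empty before any tunnel is built.

    strict=True also rejects prefixes with host bits set (192.168.10.1/24), a common typo.
    """
    nets = {n: ipaddress.ip_network(s["lan"], strict=True) for n, s in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def hub_and_spoke_tunnels(sites, hub):
    """Per-site list of peers and the (local, remote) prefix pairs each tunnel must carry.

    Spoke-to-spoke traffic hairpins through the hub, so every spoke's tunnel to the hub must
    select the other spokes' LANs as remote prefixes, and the hub mirrors that on its side.
    EdgeOS policy-based tunnels take one local and one remote prefix per tunnel number, so
    each pair becomes its own tunnel entry.
    """
    spokes = [n for n in sites if n != hub]
    plan = {n: [] for n in sites}
    for spoke in spokes:
        far_side = [sites[hub]["lan"]] + [sites[o]["lan"] for o in spokes if o != spoke]
        pairs = [(sites[spoke]["lan"], remote) for remote in far_side]
        plan[spoke].append({"peer": hub, "pairs": pairs})
        plan[hub].append({"peer": spoke, "pairs": [(r, l) for l, r in pairs]})
    return plan


def edgeos_commands(site, plan, sites, psk_by_peer):
    """EdgeOS 'set' lines for one site's peers; psk_by_peer holds a distinct secret per peer."""
    me = sites[site]
    lines = []
    for entry in plan[site]:
        peer_ip = sites[entry["peer"]]["public_ip"]
        p = f"set vpn ipsec site-to-site peer {peer_ip}"
        lines += [
            f"{p} description {entry['peer'].upper()}",
            f"{p} authentication mode pre-shared-secret",
            f"{p} authentication pre-shared-secret {psk_by_peer[entry['peer']]}",
            f"{p} ike-group {IKE_GROUP}",
            f"{p} esp-group {ESP_GROUP}",
            f"{p} local-address {me['public_ip']}",
        ]
        for n, (local, remote) in enumerate(entry["pairs"], start=1):
            lines.append(f"{p} tunnel {n} local prefix {local}")
            lines.append(f"{p} tunnel {n} remote prefix {remote}")
    return lines


if __name__ == "__main__":
    clashes = overlapping_subnets(SITES)
    if clashes:
        raise SystemExit(f"fix the address plan first, overlapping LANs: {clashes}")
    plan = hub_and_spoke_tunnels(SITES, "hub")
    psks = {"spoke1": "PSK-HUB-SPOKE1", "spoke2": "PSK-HUB-SPOKE2"}   # placeholders
    print("\n".join(edgeos_commands("hub", plan, SITES, psks)))
```

Run it once per site (hub, then each spoke with its own one-entry PSK map) and paste the output into configure mode after the ike-group, esp-group, ipsec-interfaces and auto-firewall-nat-exclude lines from the CLI example. Because the hub carries spoke-to-spoke traffic, its forwarding firewall must allow the spoke subnets to reach each other, not just the hub LAN.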
EdgeRouter vs other devices
– EdgeRouter offers strong CLI control, frequent firmware updates, and a competitive price point
– Other vendors’ devices may have simpler GUI wizards, but EdgeRouter’s flexibility is a big advantage for custom topologies
– If you’re already invested in Ubiquiti gear, staying in the EdgeRouter ecosystem simplifies management
Common pitfalls and how to avoid them
– Subnet overlap: Always double-check that local and remote subnets don’t intersect
– Mismatched PSK: A single typo in the pre-shared key will block the tunnel
– Wrong local vs remote subnets: The tunnel’s local and remote subnets must be swapped correctly on each side
– NAT-T issues: if a router is behind NAT, EdgeOS switches to NAT-T on its own, but UDP/500 and UDP/4500 must be forwarded to it and the NATed side should initiate; a tunnel that never gets past IKE or passes no traffic usually means UDP/4500 is not reaching the router
– Firewall misconfig: If traffic is blocked, re-check firewall rules and order
Quick reference: final checklist
– Public IPs verified and reachable
– Subnets non-overlapping
– PSK created and mirrored on both sides
– IKE and ESP profiles aligned on both sides
– VPN tunnel configured on both EdgeRouter devices
– WAN/firewall rules allowing IPsec and tunnel traffic
– Connectivity test results logged ping/traceroute
– VPN status monitored; set up alerts if possible
Frequently Asked Questions
# What exactly is a site-to-site VPN?
A site-to-site VPN joins two separate networks over the internet, creating a secure, encrypted tunnel so devices on one network can reach devices on the other as if they were on the same LAN.
# What is IPsec and why is it used for EdgeRouter site-to-site VPNs?
IPsec provides encryption, integrity, and authentication for IP traffic. It’s the standard for securing VPN tunnels between routers, including EdgeRouter devices.
# Can I use a private IP address behind NAT on one side?
Yes. EdgeOS (strongSwan) detects the NAT during IKE and switches to NAT-T (UDP/4500 encapsulation) automatically; you only need to make sure UDP/500 and UDP/4500 are forwarded to the router, that local-address is the router's own interface address rather than the public one, and that the NATed side initiates the tunnel.
# Do I need dynamic DNS for site-to-site VPN?
If your remote site has a dynamic public IP, dynamic DNS can help keep the tunnel stable by providing a consistent hostname to reach.
# What encryption should I use?
AES-256 with SHA-256 is a common and strong choice. Use DH group 14 (modp2048) or stronger for both the IKE exchange and PFS, and prefer IKEv2.
# Can EdgeRouter handle multiple site-to-site VPNs?
Yes. You can configure multiple site-to-site VPN peers, each with its own local/remote subnets and authentication settings.
# How do I verify the VPN is up?
Check the tunnel status in the EdgeRouter UI, or on the CLI run show vpn ipsec status (tunnel count and state) and show vpn ipsec sa (negotiated SAs with byte counters). Ping tests between hosts on the two subnets confirm that traffic is actually flowing.
# What should I do if the tunnel won’t come up?
Double-check the PSK, the peer IP and local-address, that the IKE/ESP proposals match exactly on both sides, and that the local/remote prefixes are mirrored. Then read show vpn log: a NO_PROPOSAL_CHOSEN notify means the proposals do not match, and an authentication failure points at the PSK or the peer identity.
# How do I troubleshoot performance issues?
Test with a single active tunnel first, then enable logging at a higher level to see where crypto or routing delays occur. Consider hardware limits and MTU adjustments.
# Is a GUI setup enough, or should I use CLI?
GUI is great for quick setups and visual status, but CLI offers deeper control and more precise tuning. Use whichever you’re most comfortable with, or combine both.
# How do I handle changes if one site’s network changes?
Update the site-to-site tunnel configuration to reflect new subnets or new remote networks. Revisit firewall rules and routing to ensure everything aligns.
# Can I integrate site-to-site VPN with existing remote access VPNs?
Yes, but you’ll need to segment traffic appropriately and ensure firewall/routing policies do not conflict between site-to-site and remote-access VPNs.
If you’re building a robust, multi-site network with EdgeRouter devices, this guide should give you a solid foundation. Remember to test thoroughly, document your configurations, and keep monitoring in place so you catch issues early. As your network grows, you can expand with additional tunnels, refined routing policies, and even backup connectivity strategies to keep everything online.