Heads up to anyone on Android 12, they removed L2TP support, and this latest version of Unifi OS only supports L2TP (it does not support IKEv2, which is the only option provided by Android)
Damn, that answers one of my issues
My android vpn says l2tp/ipsec psk, l2tp/ipsec rsa, ipsec xauth psk, ipsec xauth rsa, ipsec hybrid rsa, then the ikev2
What is the solution? Can we use an app on Android instead?
I got S20fe and L2TP works well.
If you're running Android 12 or especially 13, this tutorial does not apply. L2TP is no longer supported.
Thank you! I was missing one step and your walkthrough helped me reconnect!
Amazing, finally a tutorial that I was able to follow and it actually worked first time exactly as you showed. 😀
Trying to map an SMB drive from my Windows Server so I can access it through my VPN. No one has a clear answer out there on how to accomplish this. I can’t see devices and mapped drives on the LAN when connected through VPN. It would be nice if Ubiquiti built in a simple function to turn on that would “bridge” the LAN and VPN subnets together!
Thank you so much Mac. You helped me diagnose and fix a connection problem we were having. Getting an error when connecting to the VPN. Had to enable the "Require Strong Authentication" as discussed in your video. Wahhoooo!
That's great, glad my video was of help
This video helped me configure mine, thank you! Some of Unifi's UI is a bit cryptic.
How come the "Block VPN to networks" firewall rule was created as LAN Out and not as LAN In?
Good question.
Because you are ON that interface. Imagine the VPN is connected with a cable on the LAN port, so you are already on that interface; now you want to go somewhere else, like not LAN. In would be blocking traffic to that interface, so you can block all other interfaces from accessing something on LAN by the LAN In rule, or you only block, let's say, guest on the Guest Out rule.
Thanks!
Wow thank you so much for the super chat :)
If I'm using DDNS to get a domain name that links back to my home's current external IP, do I just set up the iPhone VPN client to point to this domain? Just a home gamer here, not sure if FQDN = my DDNS domain. My hope is that when my ISP updates my external IP address it won't require me to go back into the iPhone and change the VPN settings to a new server/public IP address.
Another issue I can't find a solution for is restricting access to networks on a per-user (or user group) basis. Ubiquiti markets the UDMP as a solution for small and medium business, and this is functionality which is crucial for a proper implementation of remote work.
Did you ever manage to resolve this?
@@showstopper81 Not yet. Probably I need to wait until my UDMP receives a Firmware update with Wireguard built in (already available in UDMP SE).
I'd appreciate a video on how to make a port use a VPN out (in my case Nord) so I can plug the port from my PC into it and it would be covered by the VPN, with no need for software on the PC to mess up other settings like it has done before.
Are you supposed to be able to see active VPN client connections on the controllers client devices section?
Have you tried blocking the gateway addresses as destination and VPN as source on the IN interfaces?
Thank you for the help. I have a TrueNAS server I am using to back up my pics daily from my iPad and phone, and I still wanted access to them after deleting them off my mobile devices.
Any word on if the gateway issue has been solved?
I can ping everything on my home network through my OpenVPN connection, except for my Synology NAS. It seems to be a Synology issue. Would you happen to know off-hand what setting needs to be changed in the Synology so that I can connect to it from a different VLAN?
This is a GREAT video! THANK YOU!!!
Great video, which I used to secure my UID One-Click VPN users. Still trying to block gateways from VPN users; you mentioned that UniFi needed to fill the gap on that. Has it been done? How to block those gateways?
I have a SonicWall but I’m managing UniFi through the application on my server and using UniFi APs. What public IP address should I be using? The one for the SonicWall, or should I be making my server host public through port forwarding? I tried the network’s public IP address but that didn’t work, and I’m nervous to make the entire host available with a public IP address.
I assume you need to enable your RADIUS server also? Mine isn't enabled by default.
Even by default my apple device does not want to talk to other devices on the vpn lan network
Would love a tutorial on this without using a phone. Perhaps a Windows 10 or 11 laptop? I also can't ping anything on any of my other VLANs, but I want to be able to connect to them. Any ideas?
No changes for blocking gateway pinging?
Hi, first, many thanks for your shared video. I followed all the firewall rule setup in my new UDM SE and it works fine. Only after I set up the block VPN to network rule (RFC1918 to RFC1918), it turned out the default network could not connect to the HP AIO printer on the IoT VLAN. Would it make sense to set up the block rule as (VPN user to RFC1918)? I did it and the HP AIO printer works fine now.
Ya that would be fine as well
Hi, I tried to install following your guide and all is working; however, once I set up the rules on LAN Out I lost connectivity to the app under the reverse proxy on my server. How can I solve this?
Great video. What’s the name of the Ping app on your iPhone. Thanks
It’s just called Ping
@@MactelecomNetworks Thanks
I'm trying to setup ddns for my VPN as I have a dynamic IP address but having issues.
Please can you show us how to do L2TP VPN from windows server 2022 RRAS server using Ubiquiti please
I have a problem. I can only connect with one vpn l2tp user at a time from the same remote ip. Does anyone know how to fix?
What if you don’t have a static public IP. What would be the best solution?
DDNS
I have not been able to get the USG3 to do VPN. I have followed the guides ... it just doesn't connect. Is this normal, or should I try and get a UDM Pro for it to work?
Can connect from my iPhone, cannot connect from my Mac. If I connect to my iPhone on cellular to simulate an outside connection I can connect to the VPN but cannot ping anything on the LAN.
I have a similar issue. My issue is I cannot ping any LANs from home wifi, but am successful from cell service.
I followed along with your video while looking at my setup, but I could only ping the router no matter what I did. I tried several firewall rules and nothing helped, but then I wondered if it was the address that caused my issue. So, most of the networks are 192.168.x.x but I set one network to 10.0.4.x because there was software that had things set up with that address. I did it to stop issues, but it seems like I created issues instead. Is there a firewall rule I can add to allow this crossing of IP addresses? I will definitely be using your donate button if I can get this resolved!
Very useful video. Thanks
I'm a noob, but I hope I can get some advice. I locked down my VLANs from each other and all the gateways and UDM like you advised in the firewall vids, and locked all my LAN and VLAN traffic to specific ports and disabled the rest, so now you have to log in on the LAN port only to get into my UDM Pro. I still want to use my UniFi Android app though, and can't because it's locked out of the LAN. Is it advisable to set up a remote VPN so my phone can access the UDM Pro for remote administration with the app? I'm guessing this is a security no-no.
Good video. One item that was not covered was how you allow multiple VPN connections at the same time. I have the exact same set up without the firewall restrictions and when the second VPN connection hits it will kick the first one off. Both Windows machines. This seems to be an open issue if you research the forums. How are you getting around this limitation?
I want to know this too!
Hi guys, has someone tried to connect to the VPN with an Android-based phone? Not working for me. I wonder whether the weak cipher option is necessary for this.
Can you do split VPN on the UDM Pro?
Hello, I am trying to create a firewall rule on a UDM SE to prevent the remote network (Site-to-Site OpenVPN) from accessing the IP addresses of the gateway (UDM SE). Unfortunately I do not succeed.
How does this work on mobile networks that use ipv6 addresses?
Just ran into this today. Buddy's UDMP VPN connected and you can ping APs etc., but RDP would not work. IPS was set to high and it blocked it. I had to put it on low before RDP could hit the computer. Also can't ping local computers, but apparently that's a Windows firewall thing?
Sounds like one of the things that is blocked would either be the port or protocol for RDP when you increase the IPS. You can set a firewall rule for that.
Could you do an updated one?
Every VPN/Firewall tutorial (from everyone) always shows how to block the VPN network(s) from accessing resources on the LAN (using LAN Out). I cannot seem to find any information for blocking traffic from a local network *TO* a VPN network (other than blocking returning packets via LAN Out), and I've been unsuccessful in trying to get it to work.
VPN Access, once connected I cant access my local network, only Unifi SE
do you have to bridge the router?
Can't you drop ICMP on the gateways, Cody? Could you create a rule to block the port for the gateway IPs that directs to the login page?
Nope tried all of it doesn’t work
@@MactelecomNetworks Bummer. :(
Thanks for this. Folks, what do Name server1 and 2 relate to?
Your dns servers
@@MactelecomNetworks I used your video to set up a VPN connection back in from another site and even locked it down to only reach the IP address for my NVR. Stay awesome, dude. In theory, once I have the remote site modem/router configured, the cameras on that site should be able to talk to my NVR at home. Ping test worked from the iPhone's VPN connection.
Can you make a video with IPv6?
When I access my noip account info, all I see is my basic info email address. I do not see my username and password. Do I have to upgrade my account to obtain a username and password?
Excellent video. I followed all your steps and when I ping from my phone while connected to t-mobile, it works like a charm. However, when I ping from my phone (or home computer) while on my home network (also a UniFi dream machine set up), I get timeouts to all office networks even though I’m connected. Help? Anyone?
Is the massive issue of VPN users being able to access to the gateways being fixed? It seems not, right?
Not yet unfortunately
In the first firewall rule to block, you used RFC1918 for both Source and Destination. Was that a mistake?
Obviously a mistake, or he has no idea what he is doing, because he blocked all private IP traffic, at least that is on LAN Out.
Everything makes sense, except you rushed over the IP Port Groups (what you call RFC1918). Where do those IP addresses come from?
Making an updated firewall video this week. But RFC1918 is Request for Comments 1918; it's a white paper based on all the private IPv4 addresses.
There was an error deleting the VPN network. Object is referenced by User
Any good options to set this up for an android phone? Unfortunately android does not support L2TP anymore.
I have a Samsung A71 and it works :)
@@alexeichekovic5923 Android 12 removed some of the protocols, L2TP is not an option anymore.
L2TP/IPSec PSK type works on a Samsung Galaxy S10
Would be great to have fixed ip address to VPN users.
Do the firewall rules also apply when using the UID VPN option?
This I’m unsure of. I need to load UID again, but I will do so in the next week and let you know.
@@MactelecomNetworks that would be great as the one click VPN is very nice
I get the iPhone to work with no issues, but my MacBook I have no luck with.
I get an error when I try to connect to my VPN on Windows. This is my error: "A connection to the remote computer cannot be established. You might need to change the settings for this connection."
what's that PING app?
It's frustrating that the firewall rules allow/block by network and not by user. What if I have a VPN user whom I want to give access to my NAS but another user whom I don't? What if I have a user whom I want to be able to RDP into a specific machine but another user whom I don't want to? I think Ubiquiti needs to allow setting static IPs for VPN users so that the firewall can be configured for source and destination IPs rather than for the whole VPN network.
That's the same question I have. Did you ever figure out how to give each user their own VPN access?
Can you just move the https port # for the UDM login page to some secret non-standard number? That would 'hide' that page from a regular user. Good video, thank you!
Netgate 7100 1U rack vs UDM Pro please
If netgate wants to send me a 7100 I’ll do it
Android is not the same and seems to have issues for me.
I've noticed this issue a few months ago. It is possible to ping the GW and also access the Web UI of the GW ... ! I don't understand why UniFi doesn't patch this critical issue :/
I think it’s because most people aren’t using vpn on the UniFi devices directly since they aren’t doing WireGuard. Supposedly they are working on it but wouldn’t hold my breath. Having L2TP as your VPN these days is…well, not good. That’s all I’m going to say.
@@curtispavlovec I totally agree! But it is very strange that UniFi doesn't make a better VPN. It's not a poor Chinese network brand..
@@alexeichekovic5923 I would love them to improve their VPN. I have a small network with a USG, not a UDM, and I have been unable to get a working VPN setup. I have had to set up a small VM with PiVPN.
This VPN, L2TP or whatever, is NOT working any longer on Win 11!
Windows 10 had an "optional" update to fix the VPN issue they created in an update. Check into that.
I tried to set this up, but for some reason my remote clients are ignoring the two simple LAN Out rules. Rules are Block RFC1918 and Allow VPN to 192.168.4.17. The Allow VPN rule is above the RFC1918 rule. VPN is on the 192.168.5.0/24 subnet. Firmware for the UDM-Pro is 1.12.33.
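The two comments above about the "Block RFC1918" rule (the earlier one where blocking RFC1918 to RFC1918 cut the default network off from the IoT printer, and this one about putting the Allow VPN rule above the block) both come down to first-match evaluation over address groups. The following is an added example, not code from the video or from UniFi; it models first-match rule evaluation in plain Python and does not reproduce UniFi's actual rule engine, its LAN In/LAN Out directions, or stateful return traffic. The VPN subnet 192.168.5.0/24 and the host 192.168.4.17 are from the comment; 192.168.1.20 (a default-LAN client) and 192.168.4.100 (an IoT printer) are constructed sample addresses.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Address groups, in the spirit of the UniFi IP groups discussed in the thread.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPN_NET = [ip_network("192.168.5.0/24")]     # VPN client subnet from the comment
NVR_HOST = [ip_network("192.168.4.17/32")]   # the single LAN host VPN users may reach

# A rule is (name, action, source group, destination group). Constructed model only.
Rule = Tuple[str, str, list, list]


def in_group(addr: str, group: list) -> bool:
    """True when addr falls inside any network of the group."""
    a = ip_address(addr)
    return any(a in net for net in group)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose source and destination
    groups both match decides; no match falls through to an implicit allow."""
    for name, action, src_group, dst_group in rules:
        if in_group(src, src_group) and in_group(dst, dst_group):
            return action, name
    return "allow", "default"


# Rule set 1: block rule written with RFC1918 as BOTH source and destination.
RULES_RFC1918_BOTH = [
    ("Allow VPN to NVR", "allow", VPN_NET, NVR_HOST),
    ("Block VPN to Networks", "drop", RFC1918, RFC1918),
]

# Rule set 2: same intent, but the block is scoped to the VPN subnet as source.
RULES_VPN_SOURCE = [
    ("Allow VPN to NVR", "allow", VPN_NET, NVR_HOST),
    ("Block VPN to Networks", "drop", VPN_NET, RFC1918),
]

# Rule set 3: the allow placed BELOW the block, to show why order matters.
RULES_WRONG_ORDER = [
    ("Block VPN to Networks", "drop", VPN_NET, RFC1918),
    ("Allow VPN to NVR", "allow", VPN_NET, NVR_HOST),
]

# Constructed sample flows: a VPN client, a default-LAN client, an IoT printer.
FLOWS = {
    "vpn->nvr": ("192.168.5.10", "192.168.4.17"),
    "vpn->other_lan_host": ("192.168.5.10", "192.168.4.50"),
    "default_lan->iot_printer": ("192.168.1.20", "192.168.4.100"),
}


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample flow to the action the rule set gives it."""
    return {label: evaluate(rules, s, d)[0] for label, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for title, rules in (("RFC1918 as source and destination", RULES_RFC1918_BOTH),
                         ("VPN subnet as source", RULES_VPN_SOURCE),
                         ("allow below block", RULES_WRONG_ORDER)):
        print(f"{title}: {audit(rules)}")
```

Running the script shows the two effects the comments describe: with RFC1918 as both source and destination, the default LAN to IoT printer flow is dropped along with the VPN traffic, whereas scoping the source to the VPN subnet leaves inter-VLAN traffic alone; and with the allow placed below the block, the VPN to NVR flow never reaches the allow rule.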
Anyone get OS X working? Can connect to the VPN and get the WAN IP but unable to ping or connect to local devices.
Every time I create a user, it disappears after restarting the UDM. Something is wrong with the latest release.
Cody, I’m pretty sure you can block the gateways. I made a group including the IP addresses of the gateways, then blocked the network to those. I used it to block IoT devices from getting to my regular network. I’m almost positive that Chris from Crosstalk Solutions did a video about it.
You can block networks from reaching your gateway, that’s true, but when connected through the VPN it doesn’t allow it. I’ll give it a try again but don’t believe it works.
@@MactelecomNetworks I haven’t tried it through a VPN. Although I was under the impression that the UDM with firewall rules just assumes it’s another VLAN. That is a valid point that it would not allow it to work with a VPN. Thanks for the feedback.
@@patleonard8079 Ya, that’s how it should work. I’ve tried under each place, WAN_IN, LAN_Out, everything, and nothing blocks. Hopefully it gets updated.
@@MactelecomNetworks The firewall rule "Block VPN to Networks" on LAN_OUT will also affect all your UDM Site-to-Site VPNs, so, for somebody using S2S combined with VPN Client-to-Site, add another firewall rule on top to allow all your S2S VPNs as well.
Just wondering how can you block the gateway if you are connected through VPN to that gateway?
I guess the modem should be on bridge mode....
The RFC1918 IP group is really unclear to me on what it is doing. Is that every VLAN you have on your UDM? I found the answer in another video: ua-cam.com/video/tS4-ClQuo3g/v-deo.html
Video does not exist anymore :( at least with that link
Thanks
The protocol is outdated and UniFi needs to move with the times with their VPN protocol. They need to add something like WireGuard. I hate to say this, but even OpenVPN at the least, but definitely WireGuard.
They have UID in early access. That's probably their solution.
why is this easier than nordlayer....
L2TP is an outdated and *insecure* VPN protocol!
It is, but it's the only option right now. WireGuard is coming.
@@MactelecomNetworks Do you know when this might be happening?
I WISH I could see your screenshots clearly. Ruined an otherwise excellent video.
What screenshots are you referring to? I just watched the whole video again and everything is clean. Are you watching on a phone?
Make the rule on LAN Local, with the destinations being the gateway on every VLAN and the gateway for the VPN, and drop only ports 80, 443, 22.