[UniFi] Keep it Simple | UniFi Basic Guide: How to create VPN server/tunnel

Today, let’s take a step by step look at how to create a VPN server on UniFi Network controller version 8.

Background

What’s VPN?

VPN stands for virtual private network. This technology allows us to securely connect a client device from a remote location to another local network.

From a UniFi user’s perspective, there are two types of VPN to consider.

  1. VPN client
  2. VPN server

VPN client is used to connect our UniFi Network to another network using a VPN service. This is essentially the same as connecting one client device to a VPN service such as NordVPN, ExpressVPN or perhaps your work VPN. I won’t be talking about this today.

VPN server turns our UniFi network into a VPN service provider. This allows me to remotely connect to my own home network as if I were locally on the network. In this article, we will be focusing on VPN server setup.

Why do we want a VPN server?

If you have pretty much any reason to access your home network remotely, then a VPN should be considered.

Some example situations include the following:

  1. Access home media server e.g. Plex, Roon etc.
  2. Proxy region blocked content e.g. Netflix
  3. Access the status of non-internet-connected devices, e.g. a home WiFi security camera without internet streaming

Access home media servers

We use Plex media and Roon music servers in our home. Although both support port forwarding for remote access, port forwarding is generally considered a less secure approach. Even if security weren’t a concern, port forwarding requires configuration for each system, and if I change part of my network, such as a server IP address, I need to reconfigure them. In contrast, VPN server setup is closer to set it once and forget it.

Proxy region blocked content

When using the VPN, the client device appears to be connecting from your home network location. This allows me to watch the streaming service of the country I am subscribed in, even during an international trip.

Access non-internet connected device

Another potential use case is remotely accessing local-only network devices such as surveillance cameras. I personally don’t do this, but many home users like to create a surveillance-camera-specific VLAN and block that VLAN from having internet access. Using the VPN, you can still access these cameras remotely without exposing them overtly on the internet.

Setup

My setup consists of the following:

  • UniFi Dream Machine Pro
  • UniFi OS v3.2.7
  • UniFi Network v8.0.24
  • ISP: Xfinity 2 Gbps Down/200 Mbps Up asymmetric service

VPN Server Options

UniFi currently offers two main ways of setting up a VPN Server on a UniFi Cloud Gateway.

  • Teleport
  • VPN Server
              | Teleport          | VPN Server
Protocol      | WireGuard         | WireGuard, OpenVPN, L2TP
Client Device | WiFiMan App       | Any
Throughput    | ⭐️⭐️⭐️⭐️⭐︎        | ⭐️⭐️⭐️⭐️⭐︎*
Ease          | ⭐️⭐️⭐️⭐️⭐️        | ⭐️⭐️⭐️⭐️⭐︎
Flexibility   | ⭐️⭐︎⭐︎⭐︎⭐︎        | ⭐️⭐️⭐️⭐️⭐️

*WireGuard connection

Teleport is only a touch easier to configure than the VPN Server approach, because the VPN Server method is already fairly easy. For the Teleport approach, the client device must be able to run the WiFiMan app by Ubiquiti. At the time of this writing, I’ve only tested on the Apple platform, but there are Android, Windows and Linux versions as well. For the actual implementation of Teleport VPN, they use WireGuard.

The primary benefit of the VPN Server approach is its flexibility. This approach allows VPN client setup on almost any device while providing several customization options.

[Figure: throughput test results. Top: VPN Server Method (WireGuard). Middle: No VPN. Bottom: Teleport Method]

For throughput, since Teleport uses the WireGuard protocol, the two are identical, with a ~15% download throughput reduction compared to no VPN. Since my testing site did not have gigabit speed, I believe the bottleneck was the on-site network speed rather than the VPN.

You only need one or the other, though if you like you can certainly set up both on a single client device and turn on whichever you like. Even having both on still worked fine for me, though turning both on may result in strange, unknown issues.

Personally, I find myself using the VPN Server approach with WireGuard more than Teleport. This is because the WireGuard app establishes the connection nearly instantly, while Teleport takes a few seconds. Also, there were a couple of times that Teleport had issues connecting but somehow the WireGuard approach did not.

Next let’s look at each method step by step.

If the client device has the UniFi app installed, you can do everything from a single device and may even save some steps. I will briefly mention this where applicable, but my examples use browser-based network controller access.

Teleport

If the client device supports the WiFiMan app, this is the easier way to set up a secure, high performance VPN.

The general steps are the following:

  1. Install WiFiMan on the client device
  2. Enable Teleport on Network Controller
  3. Link client to VPN

Step 1: Install WiFiMan

On the intended client device, install Ubiquiti WiFiMan.

Step 2: Enable Teleport on Network Controller

First, log into UniFi OS and go to Network Controller.

From the left navigation icon, choose Settings.

Then select VPN.

Under the default selected Teleport tab, check the Enabled box in the Teleport section. Now you have a Teleport VPN server running on your controller.

Step 3: Link Teleport

The final step is linking the Teleport server to a client device through the WiFiMan app. There are two ways to do this.

  • UI account Link
  • Invitation code

UI Account Link

The simplest way is to log in to the UI account that is associated with the UniFi Network controller where the Teleport server is running.

Open WiFiMan on your client device. Select Teleport from the bottom navigation bar. Tap the Log into UI Account button.

Sign in using the credentials for the UI account of your network controller.

You should now see a screen like the one above. To establish the VPN connection, just toggle the switch from off to on. On first use, your device will prompt you to add a VPN configuration to the system; you need to hit Accept.

After a few seconds, you should see a screen like the one above. You are now connected to your home network.

Invitation Code

Sometimes, you might not want to log in with a UI account. For example, the client device may be a family member’s device and you do not want to give it any more privilege than necessary. In such a case, an invitation code is the proper way. Another benefit of invitation code linking is that you can revoke their access from the controller screen.

This approach consists of two steps.

  1. Creation of invitation code on Network Controller
  2. Registering the invitation code on the client device

On the UniFi Network Controller, under the Settings > VPN > Teleport tab, click Generate New Link.

Click Copy to copy the invitation link. This is a one-time-use code. Technically, you can type the link into WiFiMan on the client device, but it’s much easier to copy the link and paste it on the client device.

If you use the UniFi app on the client device, this step will automatically take you to WiFiMan, so you don’t need to copy & paste.

If the client device already has WiFiMan installed, opening the link on the device should open the app and show a message like the one above. Hit Connect to accept. Similar to UI login linking, you will be prompted to allow adding a VPN configuration on the device when setting this up for the first time. If you do not have WiFiMan installed on your device already, I believe it will take you to the app download screen.

After a few seconds, you should see a screen like the one above. You are now connected to your home network.

VPN Server

As an alternative to the Teleport method, UniFi offers a more flexible VPN Server setup. If your client device does not support installing the Teleport app, you have no choice but to use this approach. Also, if you prefer using the OpenVPN or L2TP protocol instead of WireGuard, this is the way. Furthermore, this approach offers a few other customizations that are otherwise not readily achievable via the Teleport approach.

The general steps are the following:

  1. Install the WireGuard client on the client device, e.g. iPhone
  2. Create a VPN Server entry on the Network Controller, e.g. UniFi Dream Machine Pro
  3. Create a client pass on the VPN Server
  4. Register the client pass on the client device

Step 1: Install WireGuard client

In order to use WireGuard VPN access from the client, not surprisingly, the target client device needs to have the WireGuard app installed.

In my case, I installed it on a MacBook, iPad and iPhone.

You can find the proper installer on the official site.

Step 2: Create VPN Server

First, log into UniFi OS from a browser and go to Network Controller.

From the left navigation icon, choose Settings.

Then select VPN, and choose VPN Server tab.

The first item on this page is VPN Type.

VPN Type: WireGuard | OpenVPN | L2TP
Speed:    ⭐️⭐️⭐️⭐️⭐️⭐️⭐️
Security: ⭐️⭐️⭐️⭐️⭐️⭐️⭐️⭐️

Unless you have a specific reason otherwise, keep the default VPN Type, WireGuard.

The Name field is just for easy reference, so you can name it any way you like, and if you need to, you can even change it later without affecting registered clients.

For everything else, I would keep the defaults, based on my “keep it simple” motto.

Hit Add to save the change.

Step 3: Create client pass

Now open the VPN entry again. On the VPN Server page, under Clients, click Add client.

This pop-up screen provides a pass for a client device. As the note here says, one pass is for one device, so I usually name it to identify the device, such as “My iPhone”.

In the next step, you will use the configuration file, or what I call the “client pass”, to register the client device with this VPN server.

If the target client device has the ability to scan this QR code, leave this page open. Otherwise, click the download hyperlink button to download the configuration file. Then hit Add.

If you are using the UniFi app, you can jump directly from here to WireGuard, and the configuration will be copied.

Step 4: Register the client pass

The last step is registering the client device using the “client pass”.

There are two main ways to add the client pass, and the interface may be different depending on your client device.

Here I am showing the WireGuard app on my iPhone. In the upper right corner, tap “+”.

There are 3 options to add a new WireGuard connection, but with UniFi we don’t need to choose Create from scratch.

QR code

If the client device has a camera and you are able to scan the QR code, choose Create from QR code.

This opens the camera, and all you need to do is scan the QR code shown on the other computer’s screen.

Configuration file

If the client device does not support QR code registration, download the configuration file to the client device. Then choose the Create from file or archive option, and select the downloaded configuration file.

If you haven’t already, be sure to hit “Add” on the VPN Server Add WireGuard Client screen.

Now you have your WireGuard VPN set up.
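Before importing a downloaded client pass, it is worth knowing what it routes. The script below is an added example, not code from the post or from Ubiquiti: it parses the standard WireGuard .conf layout and reports whether the pass sends all traffic through home (a full tunnel, which the region-proxy use case above depends on) or only the home subnets. The sample configuration is constructed with placeholder keys and assumes a single [Peer] section.

```python
"""Summarise a WireGuard client configuration ("client pass").

Added example: the file format is standard WireGuard .conf, the sample
below is constructed, and the key values are placeholders (not real keys).
"""
import configparser
import ipaddress

# Constructed sample of what a downloaded client pass looks like.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY=
Address = 192.168.3.2/32
DNS = 192.168.3.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 25
"""

# Same pass, constructed as a split tunnel: only home subnets go via the VPN.
SPLIT_CONF = SAMPLE_CONF.replace("0.0.0.0/0, ::/0", "192.168.1.0/24, 192.168.3.0/24")


def parse_wg_conf(text):
    """Return the fields a practitioner checks before importing the pass."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep WireGuard's CamelCase keys as written
    parser.read_string(text)  # assumes exactly one [Interface] and one [Peer]
    allowed = [ipaddress.ip_network(n.strip())
               for n in parser["Peer"]["AllowedIPs"].split(",")]
    # A /0 route means every packet leaves via home (full tunnel); anything
    # narrower means only those subnets are reachable through the VPN.
    full_tunnel = any(n.prefixlen == 0 for n in allowed)
    return {
        "address": parser["Interface"]["Address"],
        "endpoint": parser["Peer"]["Endpoint"],
        "allowed_ips": [str(n) for n in allowed],
        "tunnel_mode": "full" if full_tunnel else "split",
        "keepalive": int(parser["Peer"].get("PersistentKeepalive", "0")),
        "has_private_key": bool(parser["Interface"].get("PrivateKey")),
    }


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("split", SPLIT_CONF)):
        print(name, parse_wg_conf(conf))
```

Because the pass embeds the device's private key, treat the downloaded file like a password: one pass per device, as the controller's note says, and delete the file once it has been imported.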

VPN Tunnel tips

In this section, I will list some common or anticipated issues and other tips for using a VPN.

Don’t forget VPN could be on!

A VPN can result in slower connection speed, may even be blocked on certain networks, or cause inconsistent behavior. This can be a particular problem if you forget that you are actually using the VPN. I have done this a number of times.

I noticed my cellular network connection was extremely slow one day, and on another day it was not connecting to the internet at all. Each time, I had actually forgotten I was connected to the VPN from earlier and had never turned it off. So I turned it off, and everything worked as intended. In fact, I then turned the VPN back on, and it got full VPN speed. So once you have a VPN on a device, if you notice any connection issue, one of the first things you should check is whether you are connected to the VPN and whether it is the source of the issue.

Conclusion

In conclusion, creating a high performance VPN server with a UniFi system is simple. This is my preferred approach for using home-network-attached services like Plex. I hope you find this helpful.
