

Ubiquiti EdgeRouter site-to-site VPN: how to configure a secure IPsec site-to-site VPN between EdgeRouter devices, with a step-by-step guide, troubleshooting and best practices
A Ubiquiti EdgeRouter site-to-site VPN is a way to securely connect two networks over the internet using EdgeRouter devices. This article is a practical, end-to-end guide to planning, setting up, testing and hardening a site-to-site IPsec VPN between two EdgeRouter units, with GUI-friendly steps, CLI examples, real-world tips and common troubleshooting tricks. If you're short on time, here is the quick-start summary: plan non-overlapping subnets, generate a strong PSK, configure matching IKE and ESP proposals on both ends, open the firewall for IPsec and for the traffic you want to pass between the subnets, exclude tunnel traffic from NAT, test connectivity, and monitor with the diagnostics commands.
Useful URLs and Resources:
- ubnt.com
- help.ubiquiti.com
- en.wikipedia.org/wiki/IPsec
- docs.cira.ca general VPN concepts
- internetengineering.org site-to-site VPN best practices
Introduction: what you'll learn in this guide
- An EdgeRouter site-to-site VPN is an IPsec tunnel between two EdgeOS devices that joins two networks across the internet.
- We'll cover planning subnets, public IPs and the PSK, GUI and CLI setup on both routers, and how to verify the tunnel is up.
- We'll walk through the common pitfalls (NAT, firewall rules, routing), performance tips and security considerations.
- You'll get an actionable checklist you can follow end-to-end, plus a troubleshooting quick reference.
- Practical examples: a two-site scenario with a typical IP scheme, and how to extend it to multiple sites.
- Context: IPsec is still the standard choice for router-to-router site links, and EdgeOS (built on strongSwan) supports current algorithms such as AES, SHA-256 and 2048-bit DH; throughput depends heavily on the model, since only some have hardware IPsec offload.
What is a site-to-site VPN and why use it with EdgeRouter?
- A site-to-site VPN is an IPsec tunnel between two routers so devices on either side can reach each other by private address, as if they were on one routed network; the hosts themselves need no VPN software.
- EdgeOS offers built-in IPsec with separate IKE (phase 1) and ESP (phase 2) groups, and both a GUI wizard and a CLI for granular control.
- Benefits include a single encrypted path between sites, centralized access control on the routers, and cross-site routing without exposing internal services to the public internet.
Before you start: prerequisites and planning
- Two EdgeRouter devices running EdgeOS (preferably 1.9.x or newer) and access to their web UI or SSH.
- Public IP addresses on both sites, or at least one site with a stable public IP and dynamic DNS for the other. If either router sits behind another NAT device, NAT traversal on UDP 4500 must work through it.
- Non-overlapping local subnets on each side, for example Site A 192.168.1.0/24 and Site B 10.0.0.0/24.
- A shared pre-shared key (PSK) for IPsec authentication: long, random and identical on both routers.
- Firewall permission for IPsec control and data traffic (UDP 500, UDP 4500 and ESP, IP protocol 50) and for the traffic you want to pass between the two subnets over the tunnel.
Notable network design tips
- Plan subnets so there is no overlap; a host in 192.168.1.0/24 cannot reach a remote 192.168.1.0/24 over the tunnel, because it will ARP locally instead of sending the packet to the router. If the overlap cannot be fixed, the remaining option is NAT on one or both ends; renumbering (e.g. Site A 192.168.1.0/24, Site B 172.16.0.0/24) is far simpler.
- Decide whether only traffic destined for the remote subnet goes through the VPN (split tunnel) or all traffic does (full tunnel). For most small-business setups a split tunnel is simpler and keeps each site's internet access local.
- If you have dynamic IPs, plan for dynamic DNS on the changing side so the peer can be found after an address change without manual edits.
Step-by-step setup, GUI approach (Site A to Site B)
- Prepare data
- Site A: public IP A (198.51.100.2 in the CLI example below), local network 192.168.1.0/24
- Site B: public IP B (203.0.113.2), local network 10.0.0.0/24
- PSK: a long random shared secret (32 or more characters from a password manager or CSPRNG), identical on both sides
- Log into the Site A EdgeRouter GUI (VPN, IPsec Site-to-Site)
- Create the IKE and ESP groups (optional in the GUI, but recommended so both sides reference identical proposals)
- IKE group: AES-256, SHA-256, DH group 14 (2048-bit MODP). DH group 2 is only 1024-bit and SHA-1 is deprecated for new IKE deployments; the GUI wizard may offer only a subset of proposals, in which case set them from the CLI.
- ESP group: AES-256, SHA-256, PFS enabled
- Configure the IPsec peer (site-to-site)
- Peer IP: public IP of Site B
- Authentication: pre-shared key, with your chosen PSK
- Local subnet: 192.168.1.0/24
- Remote subnet: 10.0.0.0/24
- Tie the peer to the groups: IKE group IKE-G1, ESP group ESP-G1
- Dead Peer Detection (DPD): enabled, e.g. 30-second interval and 120-second timeout
- If your firmware offers an option to automatically open the firewall and exclude the tunnel from NAT, enable it; otherwise do both by hand as described under Firewall and routing considerations
- Apply and save
- Create firewall rules to allow VPN traffic
- Allow only the traffic you need between 192.168.1.0/24 and 10.0.0.0/24 (ICMP for testing, then the specific TCP/UDP services)
- The tunnel is policy-based: packets matching the local/remote subnet pair are encrypted by the IPsec policy. There is no ipsec0 interface to route through or to put in a zone unless you deliberately configure a VTI.
- Static routes: none are needed for a policy-based tunnel; the policy itself captures traffic for 10.0.0.0/24. Only a VTI-style tunnel needs an interface route.
- Verify the VPN is up
- Check VPN status in the EdgeRouter UI, or run show vpn ipsec sa and show vpn ike sa from the CLI
- Confirm the IKE SA is ESTABLISHED and the IPsec (child) SA is INSTALLED
- Ping a host on the remote subnet from a LAN host (e.g. from Site A, ping 10.0.0.10). A ping from the router's own WAN address does not match the tunnel policy and will fail, so test from a LAN host or source the ping from the router's LAN address.
- Repeat on Site B
- Mirror the configuration on Site B with roles reversed: local subnet 10.0.0.0/24, remote subnet 192.168.1.0/24, identical PSK and identical proposals
CLI alternative (EdgeOS syntax)
Note: exact options vary by firmware version (for example, key-exchange ikev2 and the sha256 hash need a reasonably recent EdgeOS). Enter configuration mode with configure first; the syntax below follows Ubiquiti's own EdgeOS site-to-site example, where the subnet pair is defined as tunnel 1 local prefix / remote prefix under the peer.
- On Site A (own public IP 198.51.100.2, peer 203.0.113.2):
configure
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-G1 key-exchange ikev2
set vpn ipsec ike-group IKE-G1 lifetime 28800
set vpn ipsec ike-group IKE-G1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-G1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-G1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-G1 dead-peer-detection action restart
set vpn ipsec ike-group IKE-G1 dead-peer-detection interval 30
set vpn ipsec ike-group IKE-G1 dead-peer-detection timeout 120
set vpn ipsec esp-group ESP-G1 lifetime 3600
set vpn ipsec esp-group ESP-G1 pfs enable
set vpn ipsec esp-group ESP-G1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-G1 proposal 1 hash sha256
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret '<same long random PSK on both sides>'
set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.2
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-G1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP-G1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 10.0.0.0/24
commit ; save
- On Site B (own public IP 203.0.113.2, peer 198.51.100.2), repeat the same auto-firewall-nat-exclude, ipsec-interfaces, ike-group and esp-group lines, then define the peer with the prefixes swapped:
set vpn ipsec site-to-site peer 198.51.100.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.2 authentication pre-shared-secret '<same long random PSK on both sides>'
set vpn ipsec site-to-site peer 198.51.100.2 local-address 203.0.113.2
set vpn ipsec site-to-site peer 198.51.100.2 ike-group IKE-G1
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 esp-group ESP-G1
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 remote prefix 192.168.1.0/24
commit ; save
- The pre-shared secret is quoted with straight single quotes; curly quotes pasted from a document become part of the secret and the two sides will never match. Use identical ike-group and esp-group proposals on both routers; any difference in cipher, hash, DH group, PFS or IKE version prevents the tunnel from forming.
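The GUI and CLI steps above are easy to get subtly wrong when typed twice: a prefix that does not mirror, a hash that differs, a PSK pasted with a stray character. The following Python script is an added example, not code from this article or from Ubiquiti. It takes one plan for the two sites, refuses to render anything if the plan is unsound (overlapping subnets, short PSK, SHA-1, DH group 2, IKEv1), and otherwise emits the mirrored EdgeOS command sets for both routers from a single source of truth. The command syntax follows the CLI section; the site names, addresses (RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
"""Render mirrored EdgeOS site-to-site IPsec command sets for two peers.

Added example, not Ubiquiti code. Command syntax follows the EdgeOS
`set vpn ipsec ...` tree used in the CLI section; the site names, addresses
and policy thresholds below are assumptions for illustration.
"""
import ipaddress
import secrets
from dataclasses import dataclass

WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}      # MODP-768/1024/1536: below current guidance
MIN_PSK_LEN = 32                # urlsafe-base64 chars; ~190 bits of entropy


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str       # public IPv4 address of this EdgeRouter
    wan_iface: str    # interface holding that address, e.g. eth0
    lan: str          # local prefix carried over the tunnel


@dataclass(frozen=True)
class TunnelPlan:
    a: Site
    b: Site
    psk: str
    ike_group: str = "IKE-G1"
    esp_group: str = "ESP-G1"
    key_exchange: str = "ikev2"
    encryption: str = "aes256"
    hash_alg: str = "sha256"
    dh_group: int = 14


def new_psk(nbytes: int = 32) -> str:
    """Random PSK from the OS CSPRNG; urlsafe base64 has no quote characters."""
    return secrets.token_urlsafe(nbytes)


def validate_plan(plan: TunnelPlan) -> list[str]:
    """Return a list of problems; an empty list means the plan is sound."""
    problems = []
    net_a = ipaddress.ip_network(plan.a.lan, strict=True)
    net_b = ipaddress.ip_network(plan.b.lan, strict=True)
    if net_a.overlaps(net_b):
        problems.append(f"LAN prefixes overlap: {net_a} vs {net_b}")
    if plan.a.wan_ip == plan.b.wan_ip:
        problems.append("both sites share a WAN address")
    if len(plan.psk) < MIN_PSK_LEN:
        problems.append(f"PSK shorter than {MIN_PSK_LEN} characters")
    if plan.hash_alg in WEAK_HASHES:
        problems.append(f"weak IKE/ESP hash {plan.hash_alg}; use sha256")
    if plan.dh_group in WEAK_DH_GROUPS:
        problems.append(f"weak DH group {plan.dh_group}; use 14 or higher")
    if plan.key_exchange != "ikev2":
        problems.append("prefer key-exchange ikev2")
    return problems


def render_site(plan: TunnelPlan, local: Site, remote: Site) -> list[str]:
    """EdgeOS commands for one router; local/remote prefixes swap on the other."""
    p = f"vpn ipsec site-to-site peer {remote.wan_ip}"
    ike, esp = plan.ike_group, plan.esp_group
    return [
        "set vpn ipsec auto-firewall-nat-exclude enable",
        f"set vpn ipsec ipsec-interfaces interface {local.wan_iface}",
        f"set vpn ipsec ike-group {ike} key-exchange {plan.key_exchange}",
        f"set vpn ipsec ike-group {ike} lifetime 28800",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption {plan.encryption}",
        f"set vpn ipsec ike-group {ike} proposal 1 hash {plan.hash_alg}",
        f"set vpn ipsec ike-group {ike} proposal 1 dh-group {plan.dh_group}",
        f"set vpn ipsec ike-group {ike} dead-peer-detection action restart",
        f"set vpn ipsec ike-group {ike} dead-peer-detection interval 30",
        f"set vpn ipsec ike-group {ike} dead-peer-detection timeout 120",
        f"set vpn ipsec esp-group {esp} lifetime 3600",
        f"set vpn ipsec esp-group {esp} pfs enable",
        f"set vpn ipsec esp-group {esp} proposal 1 encryption {plan.encryption}",
        f"set vpn ipsec esp-group {esp} proposal 1 hash {plan.hash_alg}",
        f"set {p} authentication mode pre-shared-secret",
        f"set {p} authentication pre-shared-secret '{plan.psk}'",
        f"set {p} description 'to {remote.name}'",
        f"set {p} local-address {local.wan_ip}",
        f"set {p} ike-group {ike}",
        f"set {p} tunnel 1 esp-group {esp}",
        f"set {p} tunnel 1 local prefix {local.lan}",
        f"set {p} tunnel 1 remote prefix {remote.lan}",
    ]


def render_both(plan: TunnelPlan) -> dict[str, list[str]]:
    """Refuse to emit config for an unsound plan; else per-site command lists."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return {plan.a.name: render_site(plan, plan.a, plan.b),
            plan.b.name: render_site(plan, plan.b, plan.a)}


# Constructed sample plan using RFC 5737 documentation addresses.
PLAN = TunnelPlan(
    a=Site("siteA", "198.51.100.2", "eth0", "192.168.1.0/24"),
    b=Site("siteB", "203.0.113.2", "eth0", "10.0.0.0/24"),
    psk=new_psk(),
)

if __name__ == "__main__":
    for site, cmds in render_both(PLAN).items():
        print(f"# {site}: paste inside 'configure', then 'commit ; save'")
        print("\n".join(cmds))
```

Because both sides are rendered from the same TunnelPlan, the PSK and proposals cannot drift, and the local/remote prefix swap is done by the code rather than by hand. Keep the generated output out of version control, or strip the pre-shared-secret line before committing it.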
Firewall and routing considerations
- Firewall rules: the WAN-facing local ruleset (WAN_LOCAL in the standard EdgeOS layout) must accept UDP 500, UDP 4500 and ESP (IP protocol 50) from the peer, and the WAN_IN ruleset must then permit the decrypted traffic between the two subnets. Restrict both to the peer address and the specific subnets rather than opening them to any source. set vpn ipsec auto-firewall-nat-exclude enable takes care of the port/protocol part for you.
- Routing: with the policy-based tunnel configured above, no static route is required on either side. The IPsec policy for 192.168.1.0/24 to 10.0.0.0/24 diverts matching packets into the tunnel before normal routing applies, and there is no ipsec0 interface. Only if you bind the peer to a VTI (vti0) does the remote subnet need an interface route, for example:
- Site A: set protocols static interface-route 10.0.0.0/24 next-hop-interface vti0
- Site B: set protocols static interface-route 192.168.1.0/24 next-hop-interface vti0
- NAT considerations: the usual masquerade rule on eth0 must not rewrite tunnel traffic, or the packets leave with the WAN address as source, never match the IPsec policy, and go out in the clear to the internet. auto-firewall-nat-exclude enable inserts the exclusion for you; otherwise add a source NAT rule with a lower rule number than the masquerade rule, matching source 192.168.1.0/24 and destination 10.0.0.0/24 with exclude set, so that traffic bypasses NAT. This is a NAT rule, not a firewall rule or policy-based routing.
Tips to optimize performance and reliability
- Use IKEv2 (set vpn ipsec ike-group IKE-G1 key-exchange ikev2). It has simpler, faster rekeying and built-in NAT traversal and DPD; keep IKEv1 only for peers that cannot do IKEv2.
- Choose AES-128 or AES-256 with SHA-256 for both IKE and ESP, DH group 14 or higher, and enable PFS on the ESP group. AES-128 is not meaningfully weaker in practice and is faster on the smaller EdgeRouter models.
- Enable Dead Peer Detection (DPD) with a sensible interval and timeout so a dropped tunnel is torn down and re-established quickly instead of black-holing traffic until the SA lifetime expires.
- If you have multiple remote sites, use a hub-and-spoke topology with one tunnel per spoke and generate each site's configuration from one template, so proposals and PSKs cannot drift between sites.
- For dynamic IPs, run a dynamic DNS client on the changing side; the router with the static address accepts the connection and the dynamic side initiates. Expect this to need the CLI rather than the GUI wizard.
- Regularly check VPN health: IKE SA, IPsec SA, tunnel status and throughput in the UI, or show vpn ipsec sa, show vpn ike sa and show vpn log from the CLI, to catch issues early.
Security best practices
- Use a unique, strong PSK or, if supported, certificate-based authentication for even stronger security.
- Limit the VPN firewall rules to only what’s necessary: allow traffic between the two specific subnets, not everything from VPN peers.
- Keep EdgeRouter firmware up to date to benefit from security and performance improvements.
- Regularly rotate PSKs and review access controls to minimize risk if a device is compromised.
Common issues and quick fixes
- Tunnel not forming: read show vpn log. A NO_PROPOSAL_CHOSEN notification means the IKE or ESP proposals (cipher, hash, DH group, PFS, IKE version) differ between the two sides; an authentication failure usually means a PSK that does not match byte for byte (watch quoting and trailing spaces); no response at all means UDP 500/4500 or ESP is blocked somewhere, or the peer is behind NAT and needs NAT-T on UDP 4500.
- IKE SA up but no IPsec SA, or traffic not passing: the local/remote prefixes must mirror each other exactly (Site A's local prefix is Site B's remote prefix). Then confirm the NAT exclusion exists; NATed packets never match the policy. Do not add static routes via an ipsec0 interface; a policy-based tunnel has none.
- Intermittent connectivity: verify DPD interval and timeout on both sides, compare IKE and ESP lifetimes, check for NAT traversal issues at the ISP edge, and review the log for dropped SA negotiations or rekey failures.
- Subnet overlap: re-evaluate the address plan so the prefixes do not collide. Overlapping prefixes are a routing problem (hosts answer locally instead of sending across the tunnel), not a tunnel-negotiation problem, so the SAs can look healthy while nothing works.
- Slow performance: the smaller EdgeRouter models are CPU-bound for IPsec. Enable hardware IPsec offload where the model supports it (set system offload ipsec enable), prefer AES-GCM ESP proposals (aes128gcm128 / aes256gcm128) on firmware that offers them, or move up to a faster model.
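Most of the checks above come down to reading show vpn ipsec sa correctly: is the IKE SA established, does a child SA exist, and which algorithms were actually negotiated. The Python script below is an added example, not code from this article or from Ubiquiti; it parses that listing, reports per tunnel whether it is really up (IKE established and IPsec installed), and flags weak negotiated algorithms. The sample output is constructed, modelled loosely on the strongSwan-style listing EdgeOS prints; real output differs between firmware versions, so the regular expressions are an assumption to adapt to your router.

```python
"""Audit EdgeOS 'show vpn ipsec sa' output for tunnel state and weak algorithms.

Added example, not Ubiquiti code. SAMPLE is constructed, modelled loosely on the
strongSwan-style listing that EdgeOS prints; adjust the regexes to your firmware.
"""
import re
from dataclasses import dataclass, field

# strongSwan algorithm names that should not appear in a current deployment.
WEAK_TOKENS = ("MODP_768", "MODP_1024", "MODP_1536", "3DES", "DES_CBC", "MD5", "HMAC_SHA1")

IKE_RE = re.compile(r"^(?P<name>\S+?): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv(?P<ver>[12])")
CHILD_RE = re.compile(
    r"^\s+(?P<name>\S+?): #(?P<id>\d+), (?:reqid \d+, )?(?P<state>[A-Z_]+), "
    r"(?P<mode>TUNNEL|TRANSPORT), ESP:(?P<esp>\S+)")
PROPOSAL_RE = re.compile(r"^\s+(?P<prop>[A-Z0-9_]+(?:-\d+)?(?:/[A-Z0-9_]+(?:-\d+)?)+)\s*$")
PREFIX_RE = re.compile(r"^\s+(?P<side>local|remote)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)")


@dataclass
class TunnelStatus:
    name: str
    ike_version: int
    ike_state: str
    ike_proposal: str = ""
    child_state: str = ""      # empty when phase 2 never completed
    esp_proposal: str = ""
    prefixes: dict = field(default_factory=dict)

    def is_up(self) -> bool:
        """An established IKE SA alone is not a working tunnel; the child SA must exist."""
        return self.ike_state == "ESTABLISHED" and self.child_state == "INSTALLED"

    def weak_algorithms(self) -> list[str]:
        blob = f"{self.ike_proposal} {self.esp_proposal}"
        return [t for t in WEAK_TOKENS if t in blob]


def parse_sa_listing(text: str) -> list[TunnelStatus]:
    """Walk the listing line by line; IKE SA lines start tunnels, indented lines fill them."""
    tunnels: list[TunnelStatus] = []
    cur = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            cur = TunnelStatus(m["name"], int(m["ver"]), m["state"])
            tunnels.append(cur)
            continue
        if cur is None:
            continue
        m = CHILD_RE.match(line)
        if m:
            cur.child_state, cur.esp_proposal = m["state"], m["esp"]
            continue
        m = PROPOSAL_RE.match(line)
        if m and not cur.ike_proposal:
            cur.ike_proposal = m["prop"]
            continue
        m = PREFIX_RE.match(line)
        if m:
            cur.prefixes[m["side"]] = m["prefix"]
    return tunnels


def audit(text: str) -> dict[str, dict]:
    """Per-tunnel summary: what a monitoring check would alert on."""
    return {t.name: {"up": t.is_up(), "ikev": t.ike_version,
                     "weak": t.weak_algorithms(), "prefixes": t.prefixes}
            for t in parse_sa_listing(text)}


# Constructed sample: one healthy IKEv2 tunnel, one IKEv1 tunnel whose phase 2 never
# came up (typical of mirrored-prefix or PFS mismatch) and uses SHA-1 and DH group 2.
SAMPLE = """\
peer-203.0.113.2-tunnel-1: #1, ESTABLISHED, IKEv2, 9e8d7c6b5a4f3e2d_i* 1a2b3c4d5e6f7a8b_r
  local  '198.51.100.2' @ 198.51.100.2[4500]
  remote '203.0.113.2' @ 203.0.113.2[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 3601s ago, rekeying in 23700s
  peer-203.0.113.2-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 601s ago, rekeying in 2591s, expires in 3000s
    in  c0ab1234,   1234 bytes,    12 packets,     1s ago
    out c0cd5678,   2345 bytes,    23 packets,     1s ago
    local  192.168.1.0/24
    remote 10.0.0.0/24
peer-192.0.2.9-tunnel-1: #2, ESTABLISHED, IKEv1, 0011223344556677_i 8899aabbccddeeff_r
  local  '198.51.100.2' @ 198.51.100.2[500]
  remote '192.0.2.9' @ 192.0.2.9[500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 120s ago, rekeying in 28000s
"""

if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        state = "UP" if info["up"] else "DOWN (no IPsec SA)"
        print(f"{name}: {state}, IKEv{info['ikev']}, weak={info['weak'] or 'none'}")
```

Run it against saved output from the router (ssh to the router, show vpn ipsec sa, pipe into a file) and you get a one-line verdict per tunnel. The second sample tunnel is the case the troubleshooting list warns about: IKE looks fine, but without an INSTALLED child SA no traffic will pass, and it is also negotiating SHA-1 with 1024-bit DH.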
Advanced topics and real-world use cases
- Multi-site deployment: replicate the same IPsec site-to-site configuration to connect more branches, using unique subnets per site and a central hub for routing.
- Failover and redundancy: configure a second tunnel to the same site over a second WAN link or to a second remote router, and monitor the primary so traffic fails over automatically if one link drops.
- Centralized policy control: use a central firewall policy to govern traffic across all VPN tunnels, ensuring consistent access controls and logging across sites.
- Integrating VPN with remote access for admins: in addition to site-to-site, you can configure an admin client VPN to manage devices from outside the sites, ensuring you have secure admin access without exposing devices to the internet.
- Monitoring and analytics: enable logging, SNMP, or syslog to detect VPN issues early and keep an eye on tunnel uptime and QoS impacts on internal networks.
Frequently asked questions
What is a site-to-site VPN on Ubiquiti EdgeRouter?
A site-to-site VPN on an EdgeRouter is an IPsec tunnel that securely connects two separate networks over the internet, allowing traffic to flow between the two subnets as if they were on the same LAN.
Do I need to use IKEv2 or is IKEv1 fine?
IKEv2 is preferred: simpler negotiation, faster rekeying, and NAT traversal and DPD built into the protocol. EdgeRouter supports both (set the ike-group key-exchange to ikev2); keep IKEv1 only for a peer that cannot do IKEv2.
Can I use a dynamic IP address on one side?
Yes, but you'll need dynamic DNS on the side with the changing IP, and that side should initiate the tunnel so the static peer does not have to track the change.
How do I know if the VPN tunnel is up?
Check the EdgeRouter's VPN status page or run show vpn ipsec sa: the IKE SA should show ESTABLISHED and the IPsec SA INSTALLED. Then ping a host on the remote subnet from a LAN host (not from the router's WAN address, which does not match the tunnel policy).
Should I use a PSK or certificates?
A PSK is simpler for small setups. Certificates or per-device RSA keys give each router its own credential, so one compromised router does not expose a secret shared by every tunnel, and they scale better. If your network grows, plan to migrate.
How do I allow traffic from Site A to Site B?
Permit IPsec (UDP 500/4500 and ESP) to the router on the WAN local ruleset, permit the wanted traffic between the two subnets on the WAN in ruleset, and make sure the subnet pair is defined as a tunnel on both peers. No static route is needed for a policy-based tunnel.
How do I prevent VPN traffic from being NATed?
Enable set vpn ipsec auto-firewall-nat-exclude enable, or add a source NAT exclude rule numbered before the masquerade rule that matches the local-to-remote subnet pair. This is a NAT rule, not a firewall rule or policy-based routing.
Can I connect more than two sites with EdgeRouter IPsec?
Yes: add one site-to-site peer per remote site (or several tunnel entries under one peer for several subnet pairs), keep every site's subnets unique, and either build a full mesh or route spoke-to-spoke traffic through a hub.
What are some common pitfalls to avoid?
Overlapping subnets, mismatched PSKs or proposals, IPsec blocked at the firewall or ISP, a missing NAT exclusion, and prefixes that do not mirror each other on the two sides. Double-check addresses, PSK and proposals before bringing the tunnel up.
Is EdgeRouter suitable for enterprise-scale VPNs?
EdgeRouter devices suit small to medium deployments and home labs. For many sites you may want dedicated VPN appliances or a more scalable firewall platform with central management, but EdgeRouter handles several sites with proper planning and management.
Summary and next steps
- With two EdgeRouter devices, you can securely connect two networks using a site-to-site IPsec VPN. Plan your subnets, configure IKE and ESP groups, set PSK, create firewall rules, apply static routes, and verify connectivity with real tests.
- If you’re new to IPsec, take it slow: start with a simple two-site setup, test traffic precisely, and then gradually introduce multiple branches, dynamic IP handling, or more advanced routing policies.
- Keep security in mind by rotating credentials, updating firmware, and auditing firewall rules regularly.
If you want more tutorials about VPNs with EdgeRouter and EdgeOS, look for the other articles in this series.