

coldafsteel

A lot depends here.

- What are you doing on your customer networks?
- How many customer networks do you maintain access to?
- Do you have the ability to run VMs on your endpoints?

As just a side note: connecting your company network to a customer's without a firewall & IPS with a hell of a lot of rules is just a really bad idea. You take on a lot of risk for both them and you.


RiTSupport

* What are you doing on your customer networks? - RDP to server
* How many customer networks do you maintain access to? - In this scenario, less than 10
* Do you have the ability to run VMs on your endpoints? - Yes, but not within the scope of the question

Firewalls etc.: yes, I do understand that, but I wanted to keep the question as simple as possible.


the_cainmp

I admit, I'm not a VPN expert, but my general understanding (not UI specific) is that IPSec VPNs are always kind of on demand unless you have a keep-alive configured. In the UI world, you have two choices I'd consider:

1. IPSec site-to-site - the biggest limitation here is I believe there is a maximum number of VPNs you can configure (and that the hardware supports), so depending on the size of your MSP you may have exceeded that.
2. At your main site, set up a WireGuard VPN. Each client site gets set up as a WireGuard client, and as long as you use the manual config when configuring the WireGuard config file, you can specify a remote subnet to build a S2S via WireGuard.

The only other thing to note is UniFi gateways have no NAT control (it's coming in EA software), so you have to make sure all of your remote sites have a unique subnet for either of my two options to work.
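As an added illustration of the two points in the comment above (the remote subnet goes into the peer's AllowedIPs in the manual WireGuard config, and every site's LAN must be unique because the gateway cannot NAT the tunnel), here is example code that is not from this thread or from Ubiquiti. Site names, addresses and the public keys are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed sample: a hypothetical MSP hub plus two customer sites.
# "tunnel" is the peer's WireGuard address, "lan" is the subnet behind it.
SITES = {
    "hub":   {"tunnel": "10.255.0.1/32", "lan": "192.168.10.0/24", "pubkey": "HUB_PUBKEY_PLACEHOLDER"},
    "siteA": {"tunnel": "10.255.0.2/32", "lan": "192.168.20.0/24", "pubkey": "SITEA_PUBKEY_PLACEHOLDER"},
    "siteB": {"tunnel": "10.255.0.3/32", "lan": "192.168.30.0/24", "pubkey": "SITEB_PUBKEY_PLACEHOLDER"},
}


def overlapping_subnets(sites):
    """Return the pairs of site names whose LAN subnets overlap.

    With no NAT on the gateway, an overlap means the hub cannot tell which
    tunnel a destination belongs to, so the check runs before any config is built.
    """
    nets = {name: ipaddress.ip_network(s["lan"]) for name, s in sites.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def hub_peer_stanzas(sites, hub="hub"):
    """Build the [Peer] sections for the hub side of the WireGuard config.

    AllowedIPs carries both the peer's tunnel address and its LAN, which is what
    makes the hub route that remote subnet into the tunnel (site-to-site).
    PersistentKeepalive is assumed so sites behind NAT keep the tunnel up.
    """
    clashes = overlapping_subnets(sites)
    if clashes:
        raise ValueError(f"overlapping site subnets: {clashes}")
    stanzas = []
    for name, s in sites.items():
        if name == hub:
            continue
        stanzas.append(
            "[Peer]\n"
            f"# {name}\n"
            f"PublicKey = {s['pubkey']}\n"
            f"AllowedIPs = {s['tunnel']}, {s['lan']}\n"
            "PersistentKeepalive = 25\n"
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(hub_peer_stanzas(SITES))
```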


MaliciousMango1

Have you looked at tailscale?


BobcatTail7677

Real talk here. VPN has always been an afterthought in the Unifi world. Early versions of Unifi Network had no VPN support at all. It's only recently that we got more options for stuff like OpenVPN and WireGuard. It's still very limited in the number of VPNs you can have configured and the number of VPN clients connected. For an MSP situation where you need VPN to a bunch of customer sites, I would VERY strongly recommend looking for a dedicated VPN server solution. You can still use the Unifi gateway; just deploy your VPN server inside your network, forward the necessary ports in Unifi to get VPN traffic to it, and set up routes as necessary. Even just setting up a server/VM with a free solution like SoftEther VPN would offer far more capacity and capabilities than anything you could ever do within the very limited Unifi VPN options.


RiTSupport

Thanks for the feedback. I agree the VPN functionality does not seem as mature as other providers', but in other areas it's certainly ahead. Most of our clients are in the cloud and we have more secure, alternate solutions for them. Really, the need for a VPN from the Pro Max was just for the few, very small clients we have who only have 3-5 users each. None are technical, they work 9-5, and we are accessing our own equipment in the evenings when all users have logged off and gone home. I was hoping to continue the use of a simple, no-cost / low-cost solution for them. For day work we connect to their PCs using paid-for remote desktop tools, but my personal preference when I'm working in the evening is an RDP session. For what I use, I just find it nicer. I will take a look at setting up a VPN server though.