HOWTO: Ubiquiti USG, Site-to-site VPN and double NAT.

This article has been updated –

https://westwood.me.uk/2019/05/27/ubiquiti-site-to-site-vpn-double-nat/

Requirement: Two sites, each with a Ubiquiti USG appliance need to be connected by a Site to Site VPN.

Assumptions:

  • Both sites are already defined and managed by the same Cloudkey controller (version 5.7.23.0).
  • Site A has a static public IP address.
  • Site A has the internal subnet of 192.168.3.0/24.
  • Site A has the OpenVPN tunnel IP address of 10.0.0.1 port 1321.
  • Site B has a dynamic IP address and is behind a mandatory ISP router forcing “double NAT”. Therefore, the USG at site B has a private IP address. The ISP router at Site B is forwarding all traffic on to the private, external IP address of the USG.
  • Site B, having a dynamic public IP, is registered with a DDNS service – for example http://www.no-ip.com.
  • Site B has the internal subnet of 192.168.1.0/24.
  • Site B has the OpenVPN tunnel IP address of 10.0.0.2 port 1321.

Background: Some ISPs, however, impose restrictions that force you to use their own equipment – one example being SKY Broadband. This creates a double NAT situation where the “public” IP address of the USG is a private RFC1918 address, and that instantly breaks Ubiquiti’s easy VPN feature.

There is a workaround which uses OpenVPN. The only requirement is that each end either has a static public IP address or is registered with a dynamic DNS provider such as NO-IP.com.

Configuration – Site A:

  1. Log into the Unifi Controller and select Site A.
  2. Go to Settings > Networks.
  3. Select + Create New Network.
  4. Select the Site-to-Site VPN radio button and then select OpenVPN from the VPN Type field.
  5. Enter the name for this VPN in the Name field. This is of local significance only.
  6. Check the Enabled checkbox if it isn’t already.
  7. In the Remote Subnets field, enter the subnet or subnets at Site B that will be tunnelled through this VPN. In this example, Site B is 192.168.1.0/24.
  8. In the Remote Host field, enter the hostname of the remote site – for example siteb.no-ip.com. Site B in this example has a dynamic public IP address. I have set up the USG at Site B to use a hostname provided by a Dynamic DNS provider (Settings > Services > Dynamic DNS).
  9. The next two fields, Remote Address and Local Address, define the OpenVPN tunnel between the two sites that traffic will be sent down to reach Site B. In this example:
    Site A uses 10.0.0.1 with a port value of 1321.
    Site B uses 10.0.0.2 with a port value of 1321.
    Remember these values as they will be required later.
  10. Enter a remote address into the Remote Address field. In this example, 10.0.0.2 with a Port value of 1321. This defines the OpenVPN tunnel, so the values specified in the Remote Address and Local Address fields need to be within reach of each other.
  11. Enter the local address you want to assign to the local end of the OpenVPN tunnel in the Local Address field. In this example, 10.0.0.1 with a port value of 1321.
  12. Click Save.
  13. Finally, we need to define a route to tell the USG to send traffic for Site B down the VPN tunnel. Go to Settings > Routing & Firewall > Static Routes.
  14. Click + Create New Route.
  15. Give the new route a name in the Name field – example Site B.
  16. Make sure the Enabled checkbox is checked.
  17. In the Network field, enter the subnet for Site B – in this example, Site B is 192.168.1.0/24.
  18. Leave Distance blank.
  19. In Static Route Type – select Next Hop.
  20. In the Next Hop field, enter the IP address of the OpenVPN tunnel at Site B – in this example – 10.0.0.2.
  21. Click Save.

This completes the setup of Site A.

Configuration – Site B:
Remember that in this example, Site B is behind an ISP router so double NAT is in play. The ISP router should be configured so that all incoming connections are forwarded to the outside, private IP address of the USG at Site B. How to do this is beyond the scope of this document.

  1. Log into the Unifi Controller and select Site B.
  2. Go to Settings > Networks.
  3. Select + Create New Network.
  4. Select the Site-to-Site VPN radio button and then select OpenVPN from the VPN Type field.
  5. Enter the name for this VPN in the Name field. This is of local significance only.
  6. Check the Enabled checkbox if it isn’t already.
  7. In the Remote Subnets field, enter the subnet or subnets at Site A that will be tunnelled through this VPN. In this example, Site A is 192.168.3.0/24.
  8. In the Remote Host field, enter the hostname of the remote site – for example vpn.sitea.com
  9. Enter a remote address into the Remote Address field. In this example, 10.0.0.1 (the tunnel endpoint at Site A) with a Port value of 1321.
  10. Enter the local address you want to assign to the local end of the OpenVPN tunnel in the Local Address field. In this example, 10.0.0.2 with a port value of 1321.
  11. Click Save.
  12. Finally, we need to define a route to tell the USG to send traffic for Site A down the VPN tunnel. Go to Settings > Routing & Firewall > Static Routes.
  13. Click + Create New Route.
  14. Give the new route a name in the Name field – example Site A.
  15. Make sure the Enabled checkbox is checked.
  16. In the Network field, enter the subnet for Site A – in this example, Site A is 192.168.3.0/24.
  17. Leave Distance blank.
  18. In Static Route Type – select Next Hop.
  19. In the Next Hop field, enter the IP address of the OpenVPN tunnel at Site A – in this example – 10.0.0.1.
  20. Click Save.

This completes the setup of Site B.
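The two procedures above are mirror images of each other, and most failures come from one side not matching the other (a Remote Address that is not the far end's Local Address, a mismatched port, a missing static route, or the ISP router at the double-NAT site not forwarding the OpenVPN port). The following script is an added example, not Ubiquiti's code or part of the original article: it models the controller fields for both sites as plain data and reports every mismatch. The `forwarded_ports` attribute is an assumption used to represent what the ISP router at Site B passes through to the USG; the address, subnet and port values are the ones from this article.

```python
"""Consistency check for a two-site USG OpenVPN site-to-site setup.

Models the fields set in the Unifi controller (Remote Subnets, Remote Address,
Local Address, Static Routes) for both sites and reports any mismatch between
the two ends. Hypothetical helper written for this article, not Ubiquiti code.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SiteConfig:
    name: str
    lan_subnets: list            # subnets behind this USG (its own LANs)
    remote_subnets: list         # Networks > VPN > "Remote Subnets"
    local_address: str           # Networks > VPN > "Local Address" (tunnel endpoint)
    local_port: int
    remote_address: str          # Networks > VPN > "Remote Address"
    remote_port: int
    static_routes: dict          # Routing & Firewall > Static Routes: network -> next hop
    behind_double_nat: bool = False
    # Ports the ISP router forwards to the USG's private WAN address (assumption, not a controller field).
    forwarded_ports: set = field(default_factory=set)


def check_site_pair(a, b):
    """Return a list of problems; an empty list means both ends mirror each other."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        # The tunnel endpoints must be mirror images of each other.
        if local.remote_address != remote.local_address:
            problems.append(f"{local.name}: Remote Address {local.remote_address} "
                            f"does not match {remote.name} Local Address {remote.local_address}")
        if local.remote_port != remote.local_port:
            problems.append(f"{local.name}: remote port {local.remote_port} "
                            f"does not match {remote.name} local port {remote.local_port}")
        # Every LAN at the far end must be listed as a remote subnet and routed via the tunnel.
        for net in remote.lan_subnets:
            if net not in local.remote_subnets:
                problems.append(f"{local.name}: Remote Subnets is missing {net}")
            next_hop = local.static_routes.get(net)
            if next_hop is None:
                problems.append(f"{local.name}: no static route for {net}")
            elif next_hop != remote.local_address:
                problems.append(f"{local.name}: route for {net} uses next hop {next_hop}, "
                                f"expected {remote.local_address}")
        # A site behind an ISP router only receives the tunnel if that router forwards the port.
        if local.behind_double_nat and local.local_port not in local.forwarded_ports:
            problems.append(f"{local.name}: ISP router does not forward port {local.local_port}")
    # The two LANs must not overlap, or the static routes become ambiguous.
    for na in a.lan_subnets:
        for nb in b.lan_subnets:
            if ipaddress.ip_network(na, strict=False).overlaps(ipaddress.ip_network(nb, strict=False)):
                problems.append(f"LAN subnets overlap: {na} at {a.name}, {nb} at {b.name}")
    return problems


def article_example():
    """The two sites exactly as the article configures them."""
    site_a = SiteConfig(
        name="Site A", lan_subnets=["192.168.3.0/24"], remote_subnets=["192.168.1.0/24"],
        local_address="10.0.0.1", local_port=1321, remote_address="10.0.0.2", remote_port=1321,
        static_routes={"192.168.1.0/24": "10.0.0.2"})
    site_b = SiteConfig(
        name="Site B", lan_subnets=["192.168.1.0/24"], remote_subnets=["192.168.3.0/24"],
        local_address="10.0.0.2", local_port=1321, remote_address="10.0.0.1", remote_port=1321,
        static_routes={"192.168.3.0/24": "10.0.0.1"},
        behind_double_nat=True, forwarded_ports={1321})
    return site_a, site_b


def missing_route_example():
    """Constructed variant: Site B saved without its static route and no port forwarded by the ISP router."""
    site_a, site_b = article_example()
    site_b.static_routes = {}
    site_b.forwarded_ports = set()
    return site_a, site_b


if __name__ == "__main__":
    for label, pair in (("article", article_example()), ("broken", missing_route_example())):
        print(label, check_site_pair(*pair) or "OK")
```

Running the script prints `OK` for the article's configuration and two findings for the constructed broken variant (the missing Site B route and the unforwarded port). The checks are deliberately one-directional per site, so a finding names the end whose controller settings need attention.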

Testing:

  • Check the VPN widget within the Ubiquiti Unifi Dashboard. Hovering your mouse over this widget should show the Site to Site VPN statistics and how much data has been transferred.
  • Access a device at the remote site. Remember that some hosts and devices may have a local firewall – like the inbuilt Windows firewall – so you may not get a ping response!

Disclaimer: Like everything on this website, this article is an aide to memory rather than the definitive or best way of doing things although I hope it helps someone else with their Ubiquiti installation.

4 thoughts on “HOWTO: Ubiquiti USG, Site-to-site VPN and double NAT.”

    1. I can only suggest checking the routing table on each USG (Go to Settings > Routing & Firewall > Static Routes) and making sure there is a route for the subnets at the opposite end of the VPN tunnel.

      At site A, there should be routes present for all the subnets at site B you want access to and the reverse is true at Site B.


  1. Hello and thanks for your tutorial.
    I have set up a double NATed VPN using two USG and openVPN.
    The devices can’t ping nor access devices in remote subnets. But the USB on site A can ping the devices on all subnets from site B.
    Why can’t devices from site A access devices from site B? How do I solve this?
    Thanks a lot.


    1. I can only advise checking your firewall rules or IPS to make sure you are not inadvertently blocking the traffic. If you can ping through the VPN from one end and receive a response, this suggests the VPN and associated routing is good.
