
Ubiquiti edge router site to site vpn setup guide for EdgeRouter OS: configure IPSec tunnels between networks, optimize performance, and troubleshoot effectively

Ubiquiti edge router site to site vpn is a method to connect two networks securely over the internet using a VPN tunnel. In this guide, you’ll get a practical, step-by-step approach to configuring a site-to-site IPSec tunnel on an EdgeRouter, plus troubleshooting, optimization, and security tips. This post includes a straightforward setup walkthrough, best practices for network design, and proven tips to keep your tunnels stable. Use this article as your one-stop resource for designing, implementing, and maintaining a reliable Ubiquiti edge router site to site vpn.

I’ll also share a quick privacy boost during testing with NordVPN’s current deal image below to keep your testing sessions private and secure: NordVPN 77% OFF + 3 Months Free

Useful resources for quick reference:
– EdgeRouter documentation – ubnt.com
– IPSec basics – en.wikipedia.org/wiki/IPsec
– VPN site-to-site concepts – cisco.com
– NAT traversal and VPNs – ipvpn.example.org illustrative
– IPSec lifecycle management – up-to-date-vpn.org

Contents at a glance:
– What is a site-to-site VPN on Ubiquiti EdgeRouter and why you’d use it
– Prerequisites and planning for a successful deployment
– Step-by-step configuration guide CLI and UI options
– Network design considerations and routing setup
– Firewall and NAT considerations for VPN traffic
– Testing, validation, and common troubleshooting
– Performance tuning and security best practices
– Monitoring, maintenance, and refresh cycles
– Frequently asked questions

Understanding Ubiquiti edge router site to site vpn

A site-to-site VPN on an EdgeRouter creates an encrypted tunnel between two separate networks, allowing devices on each side to communicate as if they were on the same local network. The EdgeRouter operating system (EdgeOS) uses IPsec to handle the tunnel, with IKE for key exchange and IPsec (ESP) for the actual data encryption. Key concepts you’ll encounter include:
– Tunnel peers: the public IP addresses of the two gateways (your EdgeRouter and the remote router)
– Local and remote networks: the subnets on each side that will be reachable across the VPN
– IKE phase 1 (IKE SA) and phase 2 (IPsec SA) parameters: encryption, hash, and lifetime
– NAT traversal (NAT-T): needed if either side is behind a NAT device
– Firewall rules and NAT exemptions: to ensure VPN traffic isn’t dropped or double-NAT’d

Commonly used encryption standards are AES-256 with SHA-256 for integrity, and an appropriate DH group for Phase 1. For many small to mid-size deployments, AES-256 with SHA-256 and a 3600-second IKE lifetime provides a solid balance of security and stability. EdgeRouter devices support both IKEv1 and IKEv2 depending on firmware and configuration, but most site-to-site guides you’ll follow today will use IKEv2 where available for better reconnect behavior and faster resync after network interruptions.

Prerequisites and planning

Before you start, gather and verify these essentials:
– EdgeRouter model and firmware: Ensure you’re on a recent EdgeOS release to get the latest IPsec features and bug fixes.
– Public IP addresses: A static public IP on both sides makes life easier. If you’re behind dynamic IPs, plan for a dynamic DNS method.
– Local and remote subnets: Have clear, non-overlapping networks for both sides (for example, 192.168.10.0/24 on Site A and 192.168.20.0/24 on Site B).
– Authentication method: A pre-shared key (PSK) is common for small setups. For higher security, consider certificates if your EdgeRouter and the remote device support them.
– Firewall policy: You’ll need to allow VPN-related traffic on WAN interfaces and ensure VPN traffic isn’t blocked by local firewall rules.
– Bandwidth and latency expectations: IPsec adds roughly 10-20% overhead on throughput depending on encryption, headers, and encapsulation. Plan accordingly.
– Backup and change control: Prepare a rollback plan in case the tunnel doesn’t come up on the first attempt.

Optional but helpful:
– A spare test machine or VM on each site to verify connectivity across the tunnel during setup.
– A LAN-side monitoring tool or Cloud-based status page to keep an eye on tunnel health over time.

Step-by-step configuration guide

Below is a practical, end-to-end setup path. The commands shown are representative for EdgeOS; always adapt IPs, prefixes, and the PSK to your actual environment. If you prefer the GUI, you’ll see the same options in the EdgeOS Web UI under VPN -> IPsec.

Step 1: Prepare EdgeRouter and remote router
– Confirm both devices have reachable public IPs or are reachable via a dynamic DNS if you’re dealing with dynamic public IPs.
– Confirm the local and remote subnets do not overlap.

Step 2: Define the IKE group (Phase 1)
– Choose a solid DH group (e.g., ECP-256 or modp1024-compatible) and a lifetime of 3600 seconds (or 28800 for longer lifetimes). The exact naming varies by firmware, but the concepts stay the same.

CLI example:
configure
set vpn ipsec ike-group IKE-GROUP1 key-exchange ikev2 # omit on firmware or peers that only speak IKEv1
set vpn ipsec ike-group IKE-GROUP1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP1 proposal 1 dh-group 14 # 2048-bit MODP; a DH group is required for the proposal
set vpn ipsec ike-group IKE-GROUP1 lifetime 3600

Step 3: Define the ESP group (Phase 2)
– AES-256 with SHA-256 is a common choice for data confidentiality and integrity.

set vpn ipsec esp-group ESP-GROUP1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP1 proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP1 lifetime 3600

Step 4: Create the site-to-site peer
– Replace x.x.x.x with the remote gateway’s public IP, y.y.y.y with this router’s own WAN IP, and set the appropriate local and remote networks.

set vpn ipsec site-to-site peer x.x.x.x authentication mode pre-shared-secret
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret 'your-psk'
set vpn ipsec site-to-site peer x.x.x.x ike-group IKE-GROUP1
set vpn ipsec site-to-site peer x.x.x.x local-address y.y.y.y # this router's WAN IP; required
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 esp-group ESP-GROUP1
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 192.168.20.0/24

Step 5: Tie the tunnel to your interfaces
– Point the IPsec traffic to the correct interface (usually the WAN interface).

set vpn ipsec ipsec-interfaces interface eth0

Step 6: Configure NAT exemption so VPN traffic isn’t translated
– You don’t want traffic over the tunnel to be NAT’d, or you’ll break the tunnel. The exclusion rule must sort before your outbound masquerade rule, so give it a lower rule number.

set firewall group network-group VPN-EXEMPT network 192.168.10.0/24
set firewall group network-group VPN-EXEMPT network 192.168.20.0/24
# rule 5000 sorts before a masquerade rule such as 5010; adjust to your own numbering
set service nat rule 5000 description 'Exclude site-to-site VPN traffic from NAT'
set service nat rule 5000 destination address 192.168.20.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade
set firewall name WAN_LOCAL rule 100 action accept
set firewall name WAN_LOCAL rule 100 description 'ESP from remote gateway'
set firewall name WAN_LOCAL rule 100 protocol esp # IP protocol 50

Step 7: Commit, save, and test
commit
save
exit
ping 192.168.20.1 # run from a host on the Site A LAN (if a host exists at that IP), so the source address falls inside the local prefix

Step 8: Firewall rules and routing
– Ensure there are rules that permit IKE (UDP 500), NAT-T (UDP 4500), and ESP (IP protocol 50) between both sites.
– Add static routes if you’re not using dynamic routing. For example, route 192.168.20.0/24 via the tunnel on Site A.

Step 9: Validate with a test
– From a host on Site A, ping a host on Site B, and reverse. If you see timeouts, double-check PSK, remote subnet, and firewall rules.
– Use traceroute to confirm the traffic is traversing the VPN and not going out to the internet directly.

Optional UI approach:
– In the EdgeRouter UI, go to VPN -> IPsec, create a site-to-site tunnel, input the peer IP, PSK, IKE group, ESP group, local/remote subnets, and select the WAN interface. Save and apply, then test with a ping from a host on Site A to a host on Site B.

Tips during setup:
– Ensure the remote side is not using a conflicting PSK or a different IKE/ESP proposal.
– If you’re behind NAT, enable NAT-T and confirm UDP port 4500 is allowed on your firewall.
– Keep logs enabled for VPN. EdgeRouter logs can help you identify handshake failures, mismatched proposals, or authentication issues.
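Steps 2 through 9 have two gateways that must agree exactly (same PSK, same proposals, mirrored local/remote prefixes) and a few planning rules that are easy to miss (non-overlapping subnets, a real PSK rather than a placeholder). As an added example that is not part of this guide or of EdgeOS, the following Python script checks those rules and then renders the configure-mode commands for both gateways from one description, so the two ends cannot drift apart. The site names, addresses, and PSK are constructed sample values; the minimum DH group and PSK length, and the dead-peer-detection and PFS settings, are this example's own choices rather than the guide's.

```python
"""Plan and render an EdgeOS site-to-site IPsec tunnel for both gateways.

Added example, not EdgeOS or Ubiquiti code. It enforces the planning rules
from the guide (non-overlapping subnets, a real PSK, strong proposals) and
renders the `set` commands for BOTH ends from one description, so the two
sides cannot end up with mismatched PSKs, proposals or prefixes.
"""
import ipaddress
from dataclasses import dataclass

# Proposal values the guide recommends; anything else is refused.
ALLOWED_ENCRYPTION = {"aes256", "aes128"}
ALLOWED_HASH = {"sha256", "sha512"}
MIN_DH_GROUP = 14          # assumption of this example: nothing weaker than 2048-bit MODP
MIN_PSK_LENGTH = 20        # assumption of this example
PLACEHOLDER_PSKS = {"your-psk", "changeme", "password"}


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str            # public address of this gateway
    lan: str               # subnet that should be reachable through the tunnel
    wan_if: str = "eth0"   # interface IPsec binds to


@dataclass(frozen=True)
class Plan:
    a: Site
    b: Site
    psk: str
    encryption: str = "aes256"
    hash: str = "sha256"
    dh_group: int = 14
    ike_lifetime: int = 3600
    esp_lifetime: int = 3600


def validate(plan: Plan) -> list[str]:
    """Return the planning problems found; an empty list means the plan is sound."""
    problems = []
    net_a = ipaddress.ip_network(plan.a.lan, strict=True)
    net_b = ipaddress.ip_network(plan.b.lan, strict=True)
    if net_a.overlaps(net_b):
        problems.append(f"subnets overlap: {net_a} and {net_b}")
    for site in (plan.a, plan.b):
        wan = ipaddress.ip_address(site.wan_ip)
        if wan in net_a or wan in net_b:
            problems.append(f"{site.name}: WAN address {wan} lies inside a tunnel subnet")
    if len(plan.psk) < MIN_PSK_LENGTH or plan.psk.lower() in PLACEHOLDER_PSKS:
        problems.append("PSK is too short or is a placeholder")
    if plan.encryption not in ALLOWED_ENCRYPTION:
        problems.append(f"encryption {plan.encryption!r} not allowed")
    if plan.hash not in ALLOWED_HASH:
        problems.append(f"hash {plan.hash!r} not allowed")
    if plan.dh_group < MIN_DH_GROUP:
        problems.append(f"DH group {plan.dh_group} is below the minimum {MIN_DH_GROUP}")
    return problems


def render(plan: Plan, local: Site, remote: Site) -> list[str]:
    """EdgeOS configure-mode commands for `local`, peering with `remote`."""
    peer = f"vpn ipsec site-to-site peer {remote.wan_ip}"
    return [
        "set vpn ipsec ike-group IKE-GROUP1 key-exchange ikev2",
        f"set vpn ipsec ike-group IKE-GROUP1 proposal 1 encryption {plan.encryption}",
        f"set vpn ipsec ike-group IKE-GROUP1 proposal 1 hash {plan.hash}",
        f"set vpn ipsec ike-group IKE-GROUP1 proposal 1 dh-group {plan.dh_group}",
        f"set vpn ipsec ike-group IKE-GROUP1 lifetime {plan.ike_lifetime}",
        "set vpn ipsec ike-group IKE-GROUP1 dead-peer-detection action restart",
        "set vpn ipsec ike-group IKE-GROUP1 dead-peer-detection interval 30",
        "set vpn ipsec ike-group IKE-GROUP1 dead-peer-detection timeout 120",
        f"set vpn ipsec esp-group ESP-GROUP1 proposal 1 encryption {plan.encryption}",
        f"set vpn ipsec esp-group ESP-GROUP1 proposal 1 hash {plan.hash}",
        f"set vpn ipsec esp-group ESP-GROUP1 lifetime {plan.esp_lifetime}",
        "set vpn ipsec esp-group ESP-GROUP1 pfs enable",
        f"set vpn ipsec ipsec-interfaces interface {local.wan_if}",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret '{plan.psk}'",
        f"set {peer} description 'to {remote.name}'",
        f"set {peer} ike-group IKE-GROUP1",
        f"set {peer} local-address {local.wan_ip}",
        f"set {peer} tunnel 1 esp-group ESP-GROUP1",
        f"set {peer} tunnel 1 local prefix {local.lan}",
        f"set {peer} tunnel 1 remote prefix {remote.lan}",
    ]


def render_both(plan: Plan) -> dict[str, list[str]]:
    """Commands for each gateway; raises if the plan fails validation."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return {plan.a.name: render(plan, plan.a, plan.b),
            plan.b.name: render(plan, plan.b, plan.a)}


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses and a made-up PSK.
    demo = Plan(Site("site-a", "203.0.113.1", "192.168.10.0/24"),
                Site("site-b", "198.51.100.1", "192.168.20.0/24"),
                psk="Tr4nsit-Key-For-SiteA-SiteB-2024")
    for name, commands in render_both(demo).items():
        print(f"# {name}")
        print("\n".join(commands))
```

Paste each gateway's block into its own `configure` session, then `commit` and `save`. Because both sides are rendered from the same Plan, a mismatched PSK or proposal (the first two items in the troubleshooting list) cannot occur unless someone edits one router by hand afterwards.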

Network design considerations and routing

– Subnet planning: Avoid overlapping subnets between sites. If you must connect similar subnets, consider renumbering or re-subnetting one side to a unique range for the tunnel.
– Split-tunnel vs full-tunnel: In a typical site-to-site VPN, traffic destined for the remote site uses the tunnel (a full route to the remote subnet). If you want to allow only specific routes across the tunnel, you’re effectively doing a controlled split-tunnel.
– Redundancy: For critical sites, consider a second VPN path or a secondary ISP for failover. You can run a secondary tunnel to the same remote network to improve resilience.
– Dynamic routing: If you plan to have multiple sites, you might want to add a dynamic routing protocol like OSPF or BGP between sites. EdgeRouter supports protocols like OSPF; you can enable OSPF on the tunnel endpoints to automatically learn routes to remote networks.

Example of static route addition (a policy-based tunnel, as configured above, steers traffic by its remote prefix and needs no static route; a route is only needed for a route-based tunnel on a VTI):
set vpn ipsec site-to-site peer x.x.x.x vti bind vti0 # route-based variant: bind the peer to a virtual tunnel interface
set protocols static interface-route 192.168.20.0/24 next-hop-interface vti0 # example

Firewall and NAT considerations for VPN traffic

– WAN firewall rules: Allow IPsec and IKE traffic from the internet to your EdgeRouter. Typically, you’ll need to permit UDP 500, UDP 4500, and ESP protocol 50 on the WAN interface.
– VPN firewall rules: Place VPN traffic on a dedicated VPN group to ensure it’s treated separately from your normal LAN traffic.
– NAT exemptions: Ensure there’s a NAT exemption for traffic moving between the local and remote subnets across the tunnel so it’s not translated on the way out.
– Default firewall policy: A secure default with explicit allow rules for VPN is safer than a broad permit-all approach.

CLI snippet for the WAN firewall rules (illustrative; replace x.x.x.x with the remote gateway’s public IP if you want to restrict the rules to that peer):
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'IPsec ESP pass-through'
set firewall name WAN_LOCAL rule 30 protocol esp
set firewall name WAN_LOCAL rule 31 action accept
set firewall name WAN_LOCAL rule 31 description 'IKE and NAT-T'
set firewall name WAN_LOCAL rule 31 protocol udp
set firewall name WAN_LOCAL rule 31 destination port 500,4500
# optional hardening: limit both rules to the known peer
set firewall name WAN_LOCAL rule 30 source address x.x.x.x
set firewall name WAN_LOCAL rule 31 source address x.x.x.x

Testing, validation, and troubleshooting

– Basic connectivity checks: Ping remote hosts, traceroute, and verify that traffic to the remote subnet is indeed going through the VPN.
– Common issues:
– Mismatched PSK: The pre-shared key must match on both sides exactly.
– Mismatched IKE/ESP proposals: Ensure that both sides use the same algorithms, lifetimes, and DH groups.
– NAT traversal issues: If NAT is involved, verify NAT-T is active and UDP 4500 is allowed.
– Route misconfiguration: If the local or remote subnet isn’t reachable, check routing tables and static routes.
– Firewall blocks: Ensure the VPN’s IPsec traffic isn’t blocked by either site’s firewall.

Troubleshooting commands and checks (operational mode):
– Show current IPsec status and active tunnels:
show vpn ipsec status
show vpn ipsec sa
– Check the IKE (phase 1) SA and the IPsec daemon log for handshake errors:
show vpn ike sa
show vpn log
– Verify firewall rules hitting or dropping VPN traffic (per-rule counters; log lines only appear for rules with ‘log enable’ set):
show firewall name WAN_LOCAL statistics
show log | match WAN_LOCAL

If you still can’t get the tunnel up after verifying PSK, proposals, and NAT, consider resetting the tunnel configuration and reapplying the settings from scratch. Sometimes a clean slate helps when neighbors have slightly mismatched hardware or firmware.

Performance tuning and security best practices

Performance tuning:
– Encryption choice: AES-256 is widely supported and provides strong security with decent throughput. If your hardware handles it, you can consider AES-XCBC or SHA-256, but AES-256 with SHA-256 is a safe default.
– MTU and fragmentation: Start with an MTU of 1500 and adjust down to around 1400-1472 depending on tunneling overhead. Smaller MTU can reduce fragmentation but might impact performance.
– Fast path and hardware offloading: Ensure Fast Path where available is enabled to take advantage of hardware acceleration on EdgeRouter.
– Keep-alive and rekey: Keep IKE and IPsec rekey intervals reasonable (e.g., IKE lifetime 3600 seconds, IPsec lifetime 3600-7200 seconds) to balance security with stability.

Security best practices:
– Use unique pre-shared keys per site pair and rotate them regularly.
– Prefer certificate-based authentication if your devices support it; avoid sharing PSKs across multiple tunnels.
– Disable weak encryption algorithms and enforce strong ciphers (AES-256 and SHA-256 or better).
– Keep EdgeOS firmware up to date and monitor release notes for security patches.
– Log VPN activity and monitor for unusual patterns (e.g., repeated failed handshakes or unexpected remote IPs).
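The last item above, and the logging best-practice answer in the FAQ, both come down to two detections: a burst of failed handshakes from one address, and IKE traffic from a gateway you never configured. As an added example (not EdgeOS code), the following Python runs those two checks, plus a flag for NO_PROPOSAL_CHOSEN from a known peer, over syslog-style lines. The sample log is constructed in the style of the strongSwan ‘charon’ messages EdgeOS writes (what `show vpn log` prints); the regular expressions, the known-peer list, the threshold, and the window are this example's assumptions and should be adjusted to your firmware's actual wording.

```python
"""Triage EdgeOS IPsec log lines for the patterns the guide says to watch:
repeated failed handshakes, unexpected remote addresses, proposal mismatches.

Added example, not EdgeOS code. SAMPLE_LOG is CONSTRUCTED in the style of the
strongSwan 'charon' syslog messages EdgeOS emits (see 'show vpn log'); the
regexes assume that style, so adjust them to your firmware's wording.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_PEERS = {"198.51.100.1"}        # gateways allowed to talk IKE to us (constructed)
FAIL_THRESHOLD = 3                    # alert at this many failures from one address ...
FAIL_WINDOW = timedelta(minutes=5)    # ... inside this window

SAMPLE_LOG = """\
Mar  4 10:00:01 er-a charon: 05[IKE] IKE_SA peer-198.51.100.1-tunnel-1[7] established between 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
Mar  4 10:01:11 er-a charon: 06[NET] received packet: from 192.0.2.77[500] to 203.0.113.1[500]
Mar  4 10:01:11 er-a charon: 06[IKE] no shared key found for '203.0.113.1' - '192.0.2.77'
Mar  4 10:01:12 er-a charon: 06[IKE] received AUTHENTICATION_FAILED notify error from 192.0.2.77
Mar  4 10:02:30 er-a charon: 07[IKE] received AUTHENTICATION_FAILED notify error from 192.0.2.77
Mar  4 10:03:45 er-a charon: 08[IKE] received AUTHENTICATION_FAILED notify error from 192.0.2.77
Mar  4 10:20:00 er-a charon: 09[IKE] received NO_PROPOSAL_CHOSEN notify error from 198.51.100.1
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ESTABLISHED_RE = re.compile(r"established between \S+\.\.\." + IP + r"\[")
FROM_RE = re.compile(r"(?:from|-) '?" + IP)
AUTH_MARKERS = ("AUTHENTICATION_FAILED", "no shared key", "no matching peer config")


def parse_line(line, year=2024):
    """Return (timestamp, kind, remote_ip) for lines we care about, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    if "established between" in line:
        e = ESTABLISHED_RE.search(line)
        return (ts, "established", e.group(1)) if e else None
    if "NO_PROPOSAL_CHOSEN" in line:
        kind = "proposal-mismatch"
    elif any(marker in line for marker in AUTH_MARKERS):
        kind = "auth-failure"
    else:
        return None
    f = FROM_RE.search(line)
    return (ts, kind, f.group(1)) if f else None


def triage(log_text):
    """Return alerts as (alert_type, remote_ip, timestamp), in log order."""
    alerts = []
    flagged = set()                   # (alert_type, ip) pairs already raised
    recent_failures = defaultdict(list)

    def raise_once(alert_type, ip, ts):
        if (alert_type, ip) not in flagged:
            flagged.add((alert_type, ip))
            alerts.append((alert_type, ip, ts))

    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, kind, ip = event
        if ip not in KNOWN_PEERS:
            raise_once("unexpected-peer", ip, ts)
        if kind == "proposal-mismatch":
            raise_once("proposal-mismatch", ip, ts)
        if kind in ("auth-failure", "proposal-mismatch"):
            window = [t for t in recent_failures[ip] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("repeated-failures", ip, ts))
                window = []           # one alert per burst
            recent_failures[ip] = window
    return alerts


if __name__ == "__main__":
    for alert_type, ip, ts in triage(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {alert_type:18} {ip}")
```

On the sample this raises an unexpected-peer alert for 192.0.2.77 at the first failure, a repeated-failures alert once three failures land inside five minutes, and a proposal-mismatch alert for the known peer, which is the cue to compare the IKE/ESP groups on both routers rather than the PSK.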

Monitoring and maintenance:
– Regularly test tunnels using ping/traceroute, especially after firmware updates or network changes.
– Use onboard EdgeRouter monitoring to watch VPN up-time, latency, and packet loss.
– Document changes in a centralized changelog to track configurations across multiple sites.

Monitoring, maintenance, and refresh cycles

– Quarterly reviews of tunnel health and throughput
– Announce key rotation schedules for PSKs or certificates
– Update EdgeRouter firmware during maintenance windows to minimize user impact
– Create backups of the EdgeOS configurations after a stable setup
– Set up alerting for tunnel down events where possible to act quickly

Frequently Asked Questions

# What is a site-to-site VPN on Ubiquiti EdgeRouter?
A site-to-site VPN on a Ubiquiti EdgeRouter creates a secure, encrypted tunnel between two separate networks over the internet so devices on either side can communicate as if they were on the same network.

# Do I need two EdgeRouters for a site-to-site VPN?
Not necessarily. You can configure a site-to-site VPN with one EdgeRouter connecting to a remote gateway that may be a different vendor’s device or another EdgeRouter.

# Which VPN protocol does EdgeRouter use for site-to-site VPN?
Most EdgeRouter site-to-site VPNs use IPSec with IKE for key exchange and ESP for the actual data encryption. You can configure IKEv1 or IKEv2 depending on firmware and setup.

# How do I choose the right encryption and hashing for my tunnel?
AES-256 with SHA-256 is a common, strong default that offers good performance. If your devices support AES-128 as a balance, you can consider that for slightly higher throughput, but ensure security requirements are met.

# Can I run multiple site-to-site VPN tunnels on one EdgeRouter?
Yes. EdgeRouter devices can handle multiple IPSec tunnels simultaneously. Just ensure you have enough resources and that you avoid overlapping local/remote networks.

# How do I test if the site-to-site VPN is up?
Ping a host on the remote network from a host on the local network. Use traceroute to ensure traffic is taking the VPN path, not the public internet. Check EdgeRouter’s IPSec status in the UI or via CLI.

# What are common reasons site-to-site VPN tunnels fail to come up?
Mismatched PSKs, mismatched IKE/ESP proposals, NAT-T issues, firewall blocks, or incorrect local/remote subnets. Correcting one of these usually fixes most problems.

# How can I improve stability for cloud-based paths or dynamic IPs?
If you’re dealing with dynamic IPs, consider a dynamic DNS service on the remote site and keep your failover strategy simple. Static IPs are simplest to configure and maintain.

# Should I use certificates or pre-shared keys for site-to-site VPNs?
PSKs are simpler and work well for smaller setups, but certificates provide stronger security, scalable management, and better automation for larger deployments. If security requirements demand it, go with certificates.

# How often should I update EdgeRouter firmware for VPNs?
Update when security patches are released or when you encounter known issues resolved by newer firmware. Plan updates during low-traffic windows and maintain backups before applying changes.

# Is there a difference between site-to-site VPN and remote access VPN on EdgeRouter?
Yes. Site-to-site VPN connects two networks, creating a tunnel between gateways. Remote access VPN lets individual users connect to a network as a client, typically using a VPN client on a device rather than routing entire networks through a tunnel.

# Can I use a single PSK across multiple site-to-site tunnels?
It’s possible but not recommended. Each tunnel should ideally have its own unique PSK to limit risk if a key is compromised.

# How do I handle overlapping subnets between sites?
Redesign one of the subnets to avoid overlap. This is the cleanest solution; otherwise, you’ll face routing ambiguity and traffic misrouting.

# What are best practices for logging VPN activity?
Enable logging for VPN handshake events, tunnel up/down messages, and any failed authentication attempts. Regularly review logs and alert on repeated failures.

# Where can I find official EdgeRouter IPSec configuration guidance?
The official EdgeRouter EdgeOS documentation and community forums are the best sources for up-to-date, model-specific instructions and examples.

If you found this guide helpful and you’re looking to expand your VPN capabilities, don’t forget to check out the NordVPN offer included at the top of this post. It’s a nice addition for extra privacy while you test and manage your tunnels across sites.

Useful URLs and Resources (text only)

  • EdgeRouter Documentation – ubnt.com
  • IPSec Overview – en.wikipedia.org/wiki/IPsec
  • VPN Concepts for Remote Networking – cisco.com
  • NAT Traversal in IPSec – cisco.com/ipsec-nat-t
  • IKEv2 vs IKEv1 – techradiant.net/ikev2-vs-ikev1
  • EdgeOS CLI Guide – ubnt.com/downloads
  • Site-to-Site VPN Best Practices – networkworld.com
  • IPsec Troubleshooting Guide – ipsec-troubleshooting.org
  • Virtual Private Network Security Standards – nist.gov
  • Networking Subnet Planning – skytopics.net
  • VPN Performance Tuning Tips – network-performance.org
