Unifi VPNs 2024: Site Magic, Teleport, Wireguard

Captions
Hey everyone, Cody from Mactelecom Networks. In this video we're going to be looking at the VPN options within our Ubiquiti consoles. There are quite a few VPN options that we can do, whether that be Site Magic, or we use something like Teleport, OpenVPN or WireGuard. Now there are a couple that I'm not going to talk about, and that's the L2TP and the WireGuard client VPN. I use NordVPN and we'll be using the OpenVPN profile for that. If you'd like to support my channel, the best way to do so is with the UI affiliate links down below in the description. If you'd like to hire me for network consulting, visit my website at mactelecomnetworks.com, and we do have a Discord server if you want to become a part of the community.

Before we get started, let's take a look at the setup. So we have our Site 1, which is our remote site, and it has an internet connection of 1 gig down and 50 up, and that's connecting to the UniFi Cloud Gateway. On the Cloud Gateway we have a ZimaBoard which is running OpenSpeedTest for us to do some testing at the end with these VPNs. Now in the middle we're going to have a Site Magic VPN configured so both of these sites can talk to each other, and that's going to my second site, or my main site, which this computer is living on, and that's going to my UDM, and that internet connection is 3 gig down and 3 gig up.

Now within our UniFi Network controllers, where we find the VPNs is just under the VPN section, and the first one that we'll talk about, and probably the easiest to set up, is the Teleport VPN. Even if you have double NAT or you're using CGNAT this will still work as a VPN, and you could also have remote phones at different sites. In the picture shown here, all we need to do is scan the QR code and we can make our phones talk back to our main site, and that makes it really, really great for remote workers who you want to be able to have an extension connected to your phone system. Now you could use this VPN on your phone or you could use it on your computer, and I'll show you on the computer. So I've downloaded the Windows client, but you could also do it on macOS.

The first thing we need to do for this VPN is to make sure that it's enabled, and then we need to generate a new link. By generating this link we can then hand it to whoever, or we can put this link in a web browser and it's going to show us a QR code. Now if we're doing this from our phone, the only thing we need to do is open up our camera app, scan the QR code, and it will bring up the WiFiman app if we have it downloaded on our iOS or Android. Now there's a few different ways we could go about using this Windows client. We could sign in to our single sign-on, and if Teleport is enabled on the site and we're an admin on the site, we're able to just join it. But right now I'm not signed in; all I did was copy this link, and I'm going to open the WiFiman client and we'll paste that. Okay, and now you can see that we've been connected for a few seconds and there's a bit of traffic going through, but we want to make sure that we can hit some client devices, so we'll look at the IP for my Synology NAS, 192.168.1.161, and we'll open a command prompt. From here we're just going to do a ping of 192.168.1.161, and you can see that we can hit that Synology NAS. Now if I turn off the VPN we shouldn't be able to hit it, so I'm going to go ahead and disconnect, and then I'm just going to hit the up arrow and then Enter, and you can see, since we're disconnected from the VPN, we can't hit that Synology NAS. That's why WiFiman is probably the easiest one, using Teleport.

Now if I click in the left-hand corner of the WiFiman Windows client we can log into our single sign-on, so I'm going to do that. Now I'm signed into my single sign-on; the icon is a little bit broken, but once I hit this drop-down menu it's going to show me all the sites that I can connect to. So here you can see Mactelecom Lab and then we can see Mactelecom SE below, and then I have a bunch of other clients. But if you don't have Teleport enabled on the site it's going to let you know; as you can see here, this site says unavailable for Teleport, so either it's disconnected or it's maybe just a UNVR that doesn't support Teleport.

Now, connected to the Teleport client, we're going to do a couple of tests. We'll do OpenSpeedTest and then we'll do an internet speed test as well. For the other VPNs I'll just end up putting them into a Google worksheet and then we'll look at it at the end. So I'm going to press Start on this OpenSpeedTest. Okay, so the results were 53.7 down, and that's around the max that I'll be getting because that internet connection only has 50 upload, and then the upload of OpenSpeedTest was 356, which is relatively good. Now let's try doing a speed test to see what we get. Now we're connecting to wifiman.com, that is their speed test, and we'll see what we get, and our final results were 50.99 down and 51.95 up, which is pretty good, and we would still be able to connect to our servers and do our work.

Now the next VPN we're going to be looking at is the WireGuard server, and after that we'll do OpenVPN; it's pretty much the same thing. We can name the server, it has a private and a public key, and then we have our server address, which is the public IP of our WAN 1. We could also use a different address for clients if we want to use a different public IP or FQDN. Under Manual I'm going to go ahead and switch this host address to 192.168.20.10. We can go to Manual and we can put in pre-shared keys and additional routes. Now to automatically connect a client, we either need to scan this QR code or we need to download the config file, so let me download the config file. You can see that that popped up, WireGuard Server 1 … .conf, and we're going to press Add and then we're going to add the VPN.

Now going back to our VPN server we can see WireGuard Server 1; we can see the type and then we can see the local IP and active clients. There currently are no active clients. You can see the config file right here, WireGuard Server 1-C…; I'll click Open. Now it's going to show us a couple of things on here. It's going to say the status, which is inactive; we can see the public key; we can see the addresses; and then we can see the DNS down below. Under our peer we're going to also see the public key there, and we'll see allowed IPs as well as our endpoint, which is our public IP and then the WireGuard port. So let's go ahead and activate this VPN. Under our client list it is showing who is connecting to the VPN: it's Cody, so that was done under my profile, and you can see that I got an IP of 192.168.2.82. Let's go ahead and try to ping that Synology again, so we're going to ping 192.168.1.161, and we are able to get there, so we can access resources from our business.

Now OpenVPN is pretty much the same thing, except we need to create users. So we have the name, we have the server address, then we can use the alternate address as well, and then we have user authentication. So we need to create a new user here; we're going to put in a name and a password. So this name will be test and the password will be test1234. You can go to the RADIUS and create a bunch of users if you want at one time; we're just going to do the single user. Now again, since Teleport uses 192.168.2.1 we're going to need to switch this; we'll put it at 192.168.23.1, and we're going to leave everything else the same and we'll press Add. Now this is going to prepare a config file for us, so we're going to have to wait a few minutes and then come back and then download it. Now the configuration file is ready; we're going to click on Download. This will download it, and we need to open up our OpenVPN client, or if we just click on the file it will bring up the OpenVPN client for us. Now with the configuration file done we need to upload the file; I'm going to browse to my Downloads and then bring this in. It's going to show us a couple of things here: so we have our profile name, and then we have the server hostname, which is my public IP. We need to put in that username that I created, which was test, and then press Connect. Now it's going to ask us for our password for that, and it was test1234, and once we press OK it should connect us to the VPN. And there you go, we're connected to the VPN, and just to verify again we'll bring up the command prompt, and then I'll hit the up arrow and we'll try to get to that Synology NAS, and we're able to hit it.

Now the next VPN that we're going to talk about is the VPN client, and what I would primarily use this for is with something like a privacy VPN, so like NordVPN. I could route all my traffic on a subnet or an individual device through it, and we do use NordVPN over here, and I'm going to be using OpenVPN to do that. So we give it a name, OpenVPN Client, and then we need to get the configuration file. So whoever you're with, if you're with Private Internet Access, NordVPN, you need to find that OpenVPN config or WireGuard config. Now on the NordVPN website you can see all the different servers that they have for OpenVPN. I'm just going to grab one from the United States, and I'm going to download the UDP file. Now with that file downloaded we're going to upload it into our firewall, so I'll click Upload, and then at the top you can see us10185.nordvpn, and that's the server we're going to connect to, and we'll press Open. Now it's going to ask us for a username and password, and this is going to be different for whichever vendor that you're using for your privacy VPN; on NordVPN it's done under the manual setup, you can see the username and the password, so I'm going to copy both of these and then I'm going to paste them in. Now with the username and password inputted, we need to press Apply Changes, and then this should show us that it's up and running. So we can see that it's connecting and it's currently yellow, but it should come up green afterwards, and then we can route through it. It said "Add traffic routes: traffic routes are required to send IPv4 traffic from devices on networks to this VPN client connection." We're going to skip this for now, but I will show you that in just a second.

Now if we click the back arrow on the VPN clients we can see the name, the type, and then we can see the tunnel or subnet that it's given us, as well as the server IP address. Currently there's no download or upload because nothing's going through it, and then we can see the uptime. So to route a client or a subnet through this NordVPN connection we need to do a traffic route, and I'm really glad that they added this tooltip in; it's very useful for people just getting started. So we'll go to our traffic routes. Here I'm going to say "Cody's computer to NordVPN"; we're going to say all traffic, but you could do specific traffic if you'd like, and then we're going to select a network or a device. So for the source we just need to click, and we could do a full subnet or we could just do one of these devices. My computer is called Mac Telecom, so we'll select that and we'll press Save, and then we're going to select the interface. So the interface that we're going to be using is this OpenVPN client, and we can turn a fallback on; so if we were doing this to do load balancing or policy-based routing through WAN 1 and WAN 2, and WAN 2 fails, well, it would push us back to WAN 1. I'm going to leave that unchecked for now and just add the entry. Now if we look at what my IP is, we're getting an IP in the 138.199 range, which is NordVPN, so our traffic is routing properly.

Now I'm going to skip over the site-to-site VPN because I don't have another WAN connection that has a public IP, so I can't show you it working, but it is pretty straightforward to do. We could either do OpenVPN or we could do IPsec. The only reason I would use this site-to-site VPN is if I'm connecting to another type of firewall, like a pfSense. All we would need to do is put in a name, a pre-shared key, the remote IP or the host; we'd also have to put in our remote networks that we want to connect to. The pre-shared key on the other side needs to be exactly the same. I do have some site-to-site videos that I did a couple of years back and I'll post a few down below.

Another VPN that we could do is UniFi Identity, and we could either do this on our Windows machine or we could do this on our phones; I believe it works for macOS as well. I'm going to create a new user, so I'm going to click the plus arrow and we're going to add the user. The user I'll just call Sales, and then I'll give it my sales email address. Under the network, what we want them to do is just to be able to connect to the one-click VPN; this does work for Wi-Fi and door access as well. I'm going to press Add. Now, adding this user, it says "invite user to join UniFi Identity", and once I press Send it's going to push this out to their email and it will tell us how to set up. Now we have an email from UniFi Identity: click to install the app. So we're going to click, and then we're going to download UniFi Identity manually, so this will be for our computer. I already had it downloaded but I do need to update the version, so we'll click on Update. Now with it updated we're going to press Launch Identity. Now we can see in the bottom right corner it says "YouTube test Mactelecom SE"; this was an old configuration that I had done previously, but if we go back to the web page we're going to want to load your credentials, so we're going to open Identity and it's currently loading the credentials for us. Now you can see we are connected to our gateway, and all we need to do to connect to the VPN is hit this toggle switch. Now that we're connected to the VPN let's try to hit that Synology NAS once more, and you can see we're able to do it. UniFi Identity, the free version, is very easy to use, as you can see here.

Now the last VPN that we're going to talk about is Site Magic, and I love Site Magic. It makes it very easy to do site-to-site VPNs between your UniFi cloud consoles. It says right in the middle, "Site Magic makes site-to-site VPN setup effortless," and it really does. So we're going to click here to get started. Now currently, as of this video, we can only connect up to 15 sites, but they will end up adding more in the future. We need to have at least one site that has a public IP and then we can connect to it. But what we're going to do: we're going to connect the Mactelecom Lab, because that has a public IP, and then we're going to connect my Mactelecom SE, which this computer is sitting on. Once we do that we can give it a name and we can add them together. Now after we press Add we can see all of our subnets popping up on the screens on our consoles. So on my Mactelecom SE you can see that I have quite a few networks; on my Mactelecom Lab we just have two, which is the default. In Site Magic the two networks that I want to communicate are my default on Mactelecom SE, 192.168.10.0, and the default on the Lab. Once we have our networks selected that we want to be able to talk, we can press Connect. Now you can see that it's going yellow, but once it's connected and configured it will go green, and we should be able to hit that Synology NAS from this site because we're doing that site-to-site VPN. Now we can see that they're both green; that means the site-to-site VPN is connected. And just to verify that I'm on the default network we'll do ipconfig, and you can see that I get an IP address of 192.168.10.126. So now let's try to hit the Synology NAS on the other side, so ping 192.168.1.161, and we're able to hit it, so that's great; the site-to-site is working perfectly.

Now the last thing we'll talk about is some basic firewall rules. So say this computer: we don't want it to reach my ZimaBoard, but we want it to go over to my Synology NAS so that we can access resources. You'd see my CasaOS is on 192.168.1.10, which is my ZimaBoard, and if we ping that we can go 192.168.1.10 and we're able to hit it, so we want to block that out. So let's make a firewall rule to do that. The first thing I'm going to do is create an IP group, and then we're going to create new and call this VPN Users. The type is going to be IPv4 and the address will be 192.168.10.0/24; we'll press Add and then we'll Add again. Now we need to go over to Security, Traffic and Firewall Rules. From here we're going to create an entry; the type is going to be LAN Out, so any time we're talking about VPN firewall rules it's always going to be under LAN Out, and we'll say "Deny VPN to ZimaBoard". The action I'm going to have is Reject; the source is going to be that group that I just created, VPN Users, and the destination will be the address of my ZimaBoard, so 192.168.1.10, and then we'll add in the rule. Now if we bring my command prompt back up we shouldn't be able to hit that ZimaBoard, and you can see that it's getting rejected, but we can still get to our Synology NAS, so let's try to hit it, and we can still access those resources on the Synology.

Now, just from the few VPN speed tests that I did internally and externally: internally I was using OpenSpeedTest, externally I was using wifiman.com. But let's go over the internal first. So for our download, Teleport won at 53.7, and for upload, UniFi Identity, the free version, won at 64.4. So externally out to the internet, the one that won was Teleport, so 50.99, and then for our upload it was UniFi Identity. The one that I would probably use more than not is UniFi Identity Free; this way we can track our users. Now that was a lot to go over for the VPN section and I hope you guys enjoyed this. If there are specific things that you want to see done with VPN I will do a follow-up video. If you like this video, hit the thumbs up button; if you're new here, please subscribe and hit the bell icon. All right, thanks.
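Two things in the walkthrough are worth checking offline before they go into production: the WireGuard client profile the server exports (the [Interface]/[Peer] file with keys, addresses, AllowedIPs and the public-IP:port endpoint), and the LAN Out rule that rejects the VPN Users group (192.168.10.0/24) to the ZimaBoard (192.168.1.10) while leaving the Synology NAS reachable. The script below is an added example, not UniFi's or Mactelecom Networks' code: it parses a constructed profile, flags malformed keys, a bad endpoint, and an AllowedIPs of 0.0.0.0/0 (which turns a split tunnel into a full tunnel), and simulates the first-match LAN Out decision for the addresses used in the video. The keys are base64 of all-zero and all-one bytes and 203.0.113.10 is a documentation address; none of them are real.

```python
"""Offline checks for a WireGuard client profile and a LAN Out firewall rule.
Added example, not UniFi or Mactelecom Networks code; all data is constructed."""
import base64
import ipaddress

# Placeholder keys (base64 of 32 zero bytes / 32 0x01 bytes), NOT real keys.
PRIVATE_KEY = base64.b64encode(b"\x00" * 32).decode()
PEER_KEY = base64.b64encode(b"\x01" * 32).decode()

# Constructed profile in the layout the video describes; 203.0.113.10 is a
# documentation IP standing in for the gateway's public WAN address.
SAMPLE_PROFILE = f"""\
[Interface]
PrivateKey = {PRIVATE_KEY}
Address = 192.168.2.82/32
DNS = 192.168.2.1

[Peer]
PublicKey = {PEER_KEY}
AllowedIPs = 192.168.1.0/24, 192.168.2.0/24
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

# Same profile with AllowedIPs widened to everything (full tunnel instead of split).
FULL_TUNNEL_PROFILE = SAMPLE_PROFILE.replace(
    "AllowedIPs = 192.168.1.0/24, 192.168.2.0/24", "AllowedIPs = 0.0.0.0/0")


def parse_wg(text):
    """Parse an INI-style WireGuard profile into a list of section dicts.
    Hand-rolled because configparser rejects a second [Peer] section."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": line[1:-1]}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))  # base64 '=' padding survives
        current[key] = value
    return sections


def _check_key(value, label):
    """WireGuard keys are exactly 32 bytes, base64-encoded."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return f"{label}: not valid base64"
    return None if len(raw) == 32 else f"{label}: decoded to {len(raw)} bytes, expected 32"


def audit_profile(text):
    """Return a list of findings; an empty list means the profile looks sane."""
    findings = []
    sections = parse_wg(text)
    interfaces = [s for s in sections if s["_name"] == "Interface"]
    peers = [s for s in sections if s["_name"] == "Peer"]
    if len(interfaces) != 1:
        findings.append(f"expected exactly one [Interface], found {len(interfaces)}")
    if not peers:
        findings.append("no [Peer] section: nothing to connect to")
    for iface in interfaces:
        problem = _check_key(iface.get("PrivateKey", ""), "Interface.PrivateKey")
        if problem:
            findings.append(problem)
        for addr in iface.get("Address", "").split(","):
            try:
                ipaddress.ip_interface(addr.strip())
            except ValueError:
                findings.append(f"Interface.Address: bad address {addr.strip()!r}")
    for idx, peer in enumerate(peers):
        problem = _check_key(peer.get("PublicKey", ""), f"Peer[{idx}].PublicKey")
        if problem:
            findings.append(problem)
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            findings.append(f"Peer[{idx}].Endpoint: expected host:port, got {peer.get('Endpoint')!r}")
        for net in peer.get("AllowedIPs", "").split(","):
            net = net.strip()
            try:
                network = ipaddress.ip_network(net, strict=False)
            except ValueError:
                findings.append(f"Peer[{idx}].AllowedIPs: bad network {net!r}")
                continue
            if network.prefixlen == 0:  # 0.0.0.0/0 or ::/0 routes all traffic via the VPN
                findings.append(f"Peer[{idx}].AllowedIPs: {net} is full-tunnel")
    return findings


# The LAN Out rule from the video: VPN Users (192.168.10.0/24) -> ZimaBoard
# (192.168.1.10) is rejected; first match wins, anything else falls to default.
LAN_OUT_RULES = [
    (ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("192.168.1.10/32"), "reject"),
]


def lan_out_decision(src, dst, rules=LAN_OUT_RULES, default="accept"):
    """Decide what the LAN Out rule set does to a packet from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return default


if __name__ == "__main__":
    print("sample profile:", audit_profile(SAMPLE_PROFILE))
    print("full-tunnel profile:", audit_profile(FULL_TUNNEL_PROFILE))
    # Cody's machine on the Site Magic default network, as in the video's pings
    print("to ZimaBoard:", lan_out_decision("192.168.10.126", "192.168.1.10"))
    print("to Synology:", lan_out_decision("192.168.10.126", "192.168.1.161"))
```

The full-tunnel finding is the one worth reading twice: a server-exported profile normally lists only the remote subnets, and an AllowedIPs of 0.0.0.0/0 silently changes that client's default route, which is the behaviour the video reserves for the deliberate NordVPN traffic route rather than for a remote-access profile.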
Info
Channel: Mactelecom Networks
Views: 17,025
Keywords: ubiquiti networks, unifi vpn setup, unifi network, ubiquiti unifi vpn setup, unifi site to site vpn, unifi wireguard, unifi vpn, unifi site magic
Id: gm5Y59RQ2Lw
Length: 17min 12sec (1032 seconds)
Published: Thu Apr 04 2024