
How to setup UniFi VPN on UDM Pro

When you are away from home you might need to have access to your home network, to get files from your NAS for example. Or when you are on a public WiFi, you probably want to use a secure VPN connection before you access your bank account. With UniFi VPN we can arrange all this.

With UniFi network we can easily set up a remote access VPN server on our UDM Pro or USG. The remote VPN doesn’t only offer you access to your home network but also allows you to safely browse the internet.

Tip

Make sure that you also check out this UniFi Teleport article, which allows you to create a VPN connection from your mobile device with one click.

In this article, I am going to explain how to set up UniFi VPN on the latest UniFi Network version (7.x) and we will take a look at some common issues.

Configure UniFi VPN

To configure the UniFi VPN you will need to have a UDM model or a USG. Also, make sure that you run the latest firmware on your console.

If you have a modem or router in front of your UDM or USG, make sure that the modem/router is set to Bridge mode. This way all traffic is forwarded directly to your UniFi Network console. If that isn’t possible, you will need to forward the following ports on the modem/router to your UniFi Network console:

– UDP port 500
– UDP port 4500

  1. Open the VPN Settings

    In the UniFi network app, go to Settings > VPN

    Unifi VPN

  2. Enable VPN Server

    Enable the VPN Server and note or change the Pre-shared Key
    Make sure that the Server Address is set to your Public IP Address

    udm pro vpn

  3. Create a new VPN user

    The next step is to create a new VPN user. Click on Create a new user and enter a username and password.

    Create VPN user

  4. Advanced Configuration

    Set the advanced configuration to Manual. Here you can change the VPN client subnet if needed. More important is to set your internal DNS server and to enable Require Strong Authentication.

    Strong Authentication is needed for the MS-CHAP v2 protocol that the built-in VPN client of Windows 10 and 11 uses.

    unifi vpn setup

Firewall rules are automatically created for the Remote access VPN, so we don’t need to look at them.

Connecting to UniFi VPN with Windows

To use the VPN connection on Windows you don’t need to install any clients. We can use the built-in VPN client. The steps below are the same on Windows 10 and 11.

  1. Open Start, type VPN and select VPN Settings
  2. Click Add VPN
  3. Select Windows (built-in) as VPN provider
  4. Enter a connection name, it can be anything you like
  5. Enter the public IP Address of your UniFi Console
  6. VPN Type > Select L2TP/IPSec with pre-shared key
  7. Enter the pre-shared key that we have set earlier in the UniFi Console
  8. Fill in the username and password that we created.
  9. Save the settings
  10. Next, we need to change the VPN Network adapter to enable MS-CHAP v2.
    Press Windows key + R and type ncpa.cpl <enter>
  11. You will now see your VPN network adapter.
    Right-click on your adapter and select Properties
  12. On the Security tab:
    select Allow these protocols and enable Microsoft CHAP Version 2
  13. Click Ok to save the settings.
  14. You can now click on Connect to test the VPN Connection. It should immediately connect to your UniFi VPN server.

As you can see in the screenshot below, we have connected to the Lazy VPN connection and received an IP Address in the range configured on the UDM:

Troubleshoot UniFi VPN connection issues

Setting up remote access VPN can sometimes be a bit challenging. When your UDM or USG is located behind a modem/router then L2TP VPN connections sometimes won’t work as easily as they should.

Besides modem/router issues, the client itself can also cause problems when setting up a remote VPN connection. For example, at the beginning of 2022 a Windows 10 and 11 update (KB5009543, KB5009566) caused the following connection error:

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer

It was fixed with a new update, but as you can see it can also be the client that is the issue.

So to help you debug connection issues you can monitor the VPN log on your UDM/USG. This will really help you with finding the cause of the connection issue:

How to Open VPN Log on UDM/USG

To view the VPN log you will need to have SSH access to your UDM or USG. Make sure the SSH access is enabled in the UniFi OS and that you know the password:

Open the Windows Terminal or any other CLI that you like to use and type:

# Replace the IP Address with the address of your USG/UDM
ssh [email protected]

# Enter the SSH Password

Next, we will open the L2TP VPN Log in the console. This will live stream the content from the log into the console:

sudo swanctl --log

It’s normal that you don’t see any results in the beginning. Just leave the console open and try to connect your VPN Client.

No VPN Log Output

When you try to connect the client but don’t see any output in the console, the VPN client is unable to reach the console at all. Make sure that you use the correct public IP Address, that port forwarding (UDP 500 and 4500) is set correctly, and recheck the VPN configuration in the UniFi Console.

Wrong Preshared key

If, for example, the pre-shared key on the client is wrong, you will see the following in the log:

02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
02[NET] sending packet: from 80.90.100.110[500] to 192.168.1.22[60815] (372 bytes)
04[NET] received packet: from 192.168.1.22[60816] to 80.90.100.110[4500] (76 bytes)
04[ENC] invalid ID_V1 payload length, decryption failed?
04[ENC] could not decrypt payloads
04[IKE] message parsing failed

Wrong Username or Password

When the username or password is wrong, you will get a “remote connection was denied” error on the client. In the VPN log we can identify it by the following lines:

16[IKE] received DELETE for ESP CHILD_SA with SPI c707898e
16[IKE] closing CHILD_SA lns-l2tp-server{7} with SPIs c577f0d2_i (771 bytes) c707898e_o (494 bytes) and TS 87.214.43.90/32[udp/1701] === 192.168.1.22/32[udp/1701]
16[CHD] updown: ok
09[NET] received packet: from 192.168.1.22[54205] to 87.214.43.90[4500] (92 bytes)
09[ENC] parsed INFORMATIONAL_V1 request 2150840229 [ HASH D ]
09[IKE] received DELETE for IKE_SA lns-l2tp-server[7]
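To make the log signatures above easier to act on, here is an added example (not part of the original article, and not a UniFi or strongSwan tool) that triages a swanctl --log excerpt into the cases discussed on this page: nothing received, pre-shared key mismatch, username/password rejected, a half-open handshake that timed out, or connected. The decision rules are heuristics read off the excerpts on this page; the SMALL_SESSION_BYTES threshold (a tunnel that the client deletes after only a few hundred bytes never got past the PPP login) and the Verdict class and function names are my own assumptions. The LAN-address hint comes from the comment thread below, where a reader could not connect from inside the network the VPN serves. The sample logs are copied from this page’s excerpts.

```python
"""Triage helper for `swanctl --log` output from a UDM/USG L2TP/IPsec server.

Added example, not from the article. The rules are heuristics derived from the
log excerpts on this page; SMALL_SESSION_BYTES and all names are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: a tunnel that moved fewer bytes than this before the client
# deleted it never became usable (the L2TP/PPP login was rejected).
SMALL_SESSION_BYTES = 10_000

CLIENT_RE = re.compile(r"received packet: from (\S+)\[\d+\] to ")
CLOSING_RE = re.compile(
    r"closing CHILD_SA \S+ with SPIs \w+_i \((\d+) bytes\) \w+_o \((\d+) bytes\)")
CHILD_UP_RE = re.compile(r"CHILD_SA \S+ established with SPIs")


@dataclass
class Verdict:
    code: str                     # short outcome label
    detail: str                   # what the log says and what to check next
    client: Optional[str] = None  # peer address as the console sees it
    hints: List[str] = field(default_factory=list)


def client_address(log: str) -> Optional[str]:
    """Source address of the first packet the console received, if any."""
    m = CLIENT_RE.search(log)
    return m.group(1) if m else None


def classify(log: str) -> Verdict:
    """Map the log of one connection attempt to its most likely cause."""
    client = client_address(log)
    hints: List[str] = []
    if client:
        try:
            if ipaddress.ip_address(client).is_private:
                # No NAT sits between peer and console, so the client is on the
                # console's own LAN; the VPN is by design not reachable from there.
                hints.append(f"peer {client} is a LAN address: connecting from "
                             "inside the network the VPN serves does not work")
        except ValueError:
            pass  # not an IP literal; no address-based hint
    if not log.strip():
        return Verdict("no_output", "Nothing reached the console: check the public "
                       "IP, bridge mode or UDP 500/4500 forwarding, and that the VPN "
                       "server is enabled.", client, hints)
    if "could not decrypt payloads" in log:
        return Verdict("psk_mismatch", "IKE could not decrypt the client's ID payload: "
                       "the client's pre-shared key differs from the one in Settings > "
                       "VPN.", client, hints)
    closing = CLOSING_RE.search(log)
    if closing and "received DELETE for ESP CHILD_SA" in log:
        moved = int(closing.group(1)) + int(closing.group(2))
        if moved < SMALL_SESSION_BYTES:
            return Verdict("auth_failed", f"IPsec came up but the client deleted the "
                           f"tunnel after only {moved} bytes: the L2TP/PPP username or "
                           "password was rejected. Check the VPN user and that MS-CHAP "
                           "v2 is enabled on the client adapter.", client, hints)
        return Verdict("disconnected", f"Session ended after {moved} bytes.",
                       client, hints)
    if "deleting half open IKE_SA after timeout" in log:
        return Verdict("half_open_timeout", "IKE phase 1 never completed and the "
                       "console gave up: check NAT traversal and port forwarding on "
                       "the upstream modem/router.", client, hints)
    if CHILD_UP_RE.search(log):
        return Verdict("connected", "IPsec CHILD_SA established; the tunnel is up.",
                       client, hints)
    return Verdict("unknown", "No known signature; read the full log.", client, hints)


# Sample excerpts copied from the log lines shown on this page.
PSK_MISMATCH_LOG = """\
04[NET] received packet: from 192.168.1.22[60816] to 80.90.100.110[4500] (76 bytes)
04[ENC] invalid ID_V1 payload length, decryption failed?
04[ENC] could not decrypt payloads
04[IKE] message parsing failed
"""
AUTH_FAILED_LOG = """\
16[IKE] received DELETE for ESP CHILD_SA with SPI c707898e
16[IKE] closing CHILD_SA lns-l2tp-server{7} with SPIs c577f0d2_i (771 bytes) c707898e_o (494 bytes) and TS 87.214.43.90/32[udp/1701] === 192.168.1.22/32[udp/1701]
09[NET] received packet: from 192.168.1.22[54205] to 87.214.43.90[4500] (92 bytes)
09[IKE] received DELETE for IKE_SA lns-l2tp-server[7]
"""
CONNECTED_LOG = """\
08[NET] received packet: from 50.60.70.80[18834] to 10.20.30.40[500] (356 bytes)
15[IKE] IKE_SA remote-access[3] established between 10.20.30.40[10.20.30.40]...50.60.70.80[10.63.235.195]
14[IKE] CHILD_SA remote-access{1} established with SPIs c8c931a9_i 0ff690dc_o and TS 10.20.30.40/32[udp/l2f] === 50.60.70.80/32[udp/57885]
"""

if __name__ == "__main__":
    for name, sample in [("psk", PSK_MISMATCH_LOG), ("auth", AUTH_FAILED_LOG),
                         ("ok", CONNECTED_LOG)]:
        v = classify(sample)
        print(f"{name}: {v.code} (peer {v.client}) - {v.detail}", *v.hints, sep="\n  ")
```

In practice you would pipe the console output into it (ssh into the console, run swanctl --log, paste the lines of one attempt), and read the verdict together with the hints; the byte counts in the closing CHILD_SA line are what separates a rejected login from a user who simply disconnected.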

Wrapping UP

Setting up remote access VPN can sometimes be a bit challenging. Especially when your USG or UDM is behind another modem or router. But once connected you can securely access your home network or browse the internet safely by routing your internet traffic over the VPN.

I hope you found this article useful, if you have any questions just drop a comment below.


17 thoughts on “How to setup UniFi VPN on UDM Pro”

  1. I want the UDM pro to connect to a VPN and route all traffic over that. I have a UDM pro at the main office and branch office. I want one lan.

  2. Anyone have an idea what could be going wrong here? Using the standard VPN client on my iPhone and a USG at home. When I am connected to WiFi network (the same network where the USG and VPN is running): I cannot connect and get a timeout.

    05[IKE] 192.168.1.215 is initiating a Main Mode IKE_SA
    05[ENC] generating ID_PROT response 0 [ SA V V V ]
    05[NET] sending packet: from 10.20.30.40[500] to 192.168.1.215[500] (136 bytes)
    14[NET] received packet: from 192.168.1.215[500] to 10.20.30.40[500] (356 bytes)
    14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    14[NET] sending packet: from 10.20.30.40[500] to 192.168.1.215[500] (372 bytes)
    03[NET] received packet: from 192.168.1.215[500] to 10.20.30.40[500] (108 bytes)
    03[ENC] invalid ID_V1 payload length, decryption failed?
    03[ENC] could not decrypt payloads
    03[IKE] message parsing failed
    03[ENC] generating INFORMATIONAL_V1 request 348789406 [ HASH N(PLD_MAL) ]
    03[NET] sending packet: from 10.20.30.40[500] to 192.168.1.215[500] (76 bytes)
    03[IKE] ID_PROT request with message ID 0 processing failed
    08[NET] received packet: from 192.168.1.215[500] to 10.20.30.40[500] (108 bytes)
    08[ENC] invalid ID_V1 payload length, decryption failed?
    08[ENC] could not decrypt payloads
    08[IKE] message parsing failed
    08[ENC] generating INFORMATIONAL_V1 request 2321790578 [ HASH N(PLD_MAL) ]
    08[NET] sending packet: from 10.20.30.40[500] to 192.168.1.215[500] (76 bytes)
    08[IKE] ID_PROT request with message ID 0 processing failed
    16[NET] received packet: from 192.168.1.215[500] to 10.20.30.40[500] (108 bytes)
    16[ENC] invalid ID_V1 payload length, decryption failed?
    16[ENC] could not decrypt payloads
    16[IKE] message parsing failed
    16[ENC] generating INFORMATIONAL_V1 request 2107681205 [ HASH N(PLD_MAL) ]
    16[NET] sending packet: from 10.20.30.40[500] to 192.168.1.215[500] (76 bytes)
    16[IKE] ID_PROT request with message ID 0 processing failed
    14[NET] received packet: from 192.168.1.215[500] to 10.20.30.40[500] (108 bytes)
    14[ENC] invalid ID_V1 payload length, decryption failed?
    14[ENC] could not decrypt payloads
    14[IKE] message parsing failed
    14[ENC] generating INFORMATIONAL_V1 request 3739752759 [ HASH N(PLD_MAL) ]
    14[NET] sending packet: from 10.20.30.40[500] to 192.168.1.215[500] (76 bytes)
    14[IKE] ID_PROT request with message ID 0 processing failed
    08[NET] received packet: from 192.168.1.215[500] to 10.20.30.40[500] (108 bytes)
    08[ENC] invalid ID_V1 payload length, decryption failed?
    08[ENC] could not decrypt payloads
    08[IKE] message parsing failed
    08[ENC] generating INFORMATIONAL_V1 request 2608692470 [ HASH N(PLD_MAL) ]
    08[NET] sending packet: from 10.20.30.40[500] to 192.168.1.215[500] (76 bytes)
    08[IKE] ID_PROT request with message ID 0 processing failed
    16[JOB] deleting half open IKE_SA after timeout

    But when I turn off WiFi on my iPhone and am connected to the cellular network of my provider the VPN works like a charm:

    02[IKE] 50.60.70.80 is initiating a Main Mode IKE_SA
    02[ENC] generating ID_PROT response 0 [ SA V V V ]
    02[NET] sending packet: from 10.20.30.40[500] to 50.60.70.80[18834] (136 bytes)
    08[NET] received packet: from 50.60.70.80[18834] to 10.20.30.40[500] (356 bytes)
    08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    08[IKE] remote host is behind NAT
    08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    08[NET] sending packet: from 10.20.30.40[500] to 50.60.70.80[18834] (372 bytes)
    15[NET] received packet: from 50.60.70.80[18835] to 10.20.30.40[4500] (108 bytes)
    15[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    15[CFG] looking for pre-shared key peer configs matching 10.20.30.40...50.60.70.80[10.63.235.195]
    15[CFG] selected peer config "remote-access"
    15[IKE] IKE_SA remote-access[3] established between 10.20.30.40[10.20.30.40]...50.60.70.80[10.63.235.195]
    15[ENC] generating ID_PROT response 0 [ ID HASH ]
    15[NET] sending packet: from 10.20.30.40[4500] to 50.60.70.80[18835] (76 bytes)
    01[NET] received packet: from 50.60.70.80[18835] to 10.20.30.40[4500] (396 bytes)
    01[ENC] parsed QUICK_MODE request 2210812780 [ HASH SA No ID ID NAT-OA NAT-OA ]
    01[IKE] received 3600s lifetime, configured 0s
    01[ENC] generating QUICK_MODE response 2210812780 [ HASH SA No ID ID NAT-OA NAT-OA ]
    01[NET] sending packet: from 10.20.30.40[4500] to 50.60.70.80[18835] (204 bytes)
    14[NET] received packet: from 50.60.70.80[18835] to 10.20.30.40[4500] (60 bytes)
    14[ENC] parsed QUICK_MODE request 2210812780 [ HASH ]
    14[IKE] CHILD_SA remote-access{1} established with SPIs c8c931a9_i 0ff690dc_o and TS 10.20.30.40/32[udp/l2f] === 50.60.70.80/32[udp/57885]
    06[KNL] 10.255.255.0 appeared on ppp1
    15[KNL] 10.255.255.0 disappeared from ppp1
    02[KNL] 10.255.255.0 appeared on ppp1
    16[KNL] interface l2tp0 activated

    Tested it with Samsung TAB A8 tablet as well, same issue. When on WiFi the VPN is not connecting, when connected to other WiFi or cellular network the VPN works.

    Anyone any idea?

    • Hi Marcel

      This behaviour is by design, you cannot connect to the VPN as you are already part of the network the VPN will join you to.

      Stewart

  3. How do I run my network traffic through a separate vlan that connects to an outside vpn service like nordvpn or vpnunlimited on udmp?

  4. Following up on my question about using Intune/Endpoint Manager to distribute the setup: not possible, but it is relatively easy to do using PowerShell, e.g.:

    Install-Module -Name VPNCredentialsHelper -Confirm:$False -Force
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Value 2

    Add-VpnConnection -Name "VPN Name" -ServerAddress "AAA.BBB.CCC.DDD" -EncryptionLevel "Required" -L2tpPsk "pskkey" -Force -RememberCredential -IdleDisconnectSeconds 0 -TunnelType "L2tp" -AuthenticationMethod "MSChapv2"

    Set-VpnConnectionUsernamePassword -connectionname "VPN Name" -username "XXXX" -password "XXXXX"

    Where:

    VPN Name = Name of the connection as it should appear in Windows
    AAA.BBB.CCC.DDD = Public IP address of the UDM
    pskkey = VPN’s shared key as defined in UDM
    XXXX = VPN username as defined in UDM (case sensitive!)
    XXXXX = VPN password as defined in UDM (case sensitive!)

    The Set-ItemProperty registry setting step may or may not be required, depending on your local internet connection setup: https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device

  5. Very useful article – it works! I have quite a few users to roll out the VPN connection to…is there a way to do this in Intune/Microsoft Endpoint Manager? Intune requires the use of the EAP XML method

  6. hi there. how can I set up VPN so the remote computer can have the same ip address subnet as a computer on my local network? for example 192.168.1.10 (remote host) and 192.168.1.20 (lan computer). the reason is that I got a client-server software that only allows connections for computers on the same ip range/subnet. can I have the lan computer on the VPN subnet?

    • In step 4, use the same subnet as your local LAN. But make sure that you split the range. So use 192.168.1.10 – 199 for your local LAN DHCP and 192.168.1.200 – 192.168.1.220 for your VPN clients for example.

  7. After completing this setup, I’m able to connect no problem and I’m routing out the remote gateway per default setup however I am unable to access any LAN devices. I’ve used these instructions on a couple of different UDM Pro devices with the same results.

  8. I just got this working, connecting to my network from a laptop tethered to a phone.
    In step 2, enable VPN, the server address now shows “Auto Defined (WAN1)”; in my case, it wouldn’t work. The trick is to “Enter IP Address Manually”. Clicking this populated the public IP address. Save.

    Connects great now.

  9. Thank you Rudy. Nice article by the way.

    I desire to use my PC to connect to my UDM-Pro configured with DDNS through the internet. I definitely desire to access the UDM-Pro management GUI, but also be able to access devices (such as Synology NAS, security camera controller,…) configured on different VLANs.

    I am hoping to gain access to my entire network with this 1 VLAN connection. How would I allow access through the management function, or what settings are you referring to? Thanks,

  10. If your network has VLANs, does the Unifi VPN server allow access to all of them? If yes, are there any configurations needed to do this?
