How to setup UniFi VPN on UDM Pro

When you are away from home you might need to have access to your home network, to get files from your NAS for example. Or when you are on a public WiFi, you probably want to use a secure VPN connection before you access your bank account. With UniFi VPN we can arrange all this.

With UniFi network we can easily set up a remote access VPN server on our UDM Pro or USG. The remote VPN doesn’t only offer you access to your home network but also allows you to safely browse the internet.

Tip

Make sure that you also check out this UniFi Teleport article, which allows you to create a VPN connection from your mobile device with one click.

In this article, I am going to explain how to set up UniFi VPN on the latest UniFi Network version (7.x) and we will take a look at some common issues.

Configure UniFi VPN

To configure the UniFi VPN you will need to have a UDM model or a USG. Also, make sure that you run the latest firmware on your console.

If you have a modem or router in front of your UDM or USG, then make sure that the modem/router is set to Bridge mode. This way all traffic is forwarded directly to your UniFi console. If that isn’t possible, then you will need to forward the following ports to your UniFi console:

– UDP port 500 (IKE)
– UDP port 4500 (IPsec NAT traversal)

  1. Open the VPN Settings

    In the UniFi network app, go to Settings > VPN


  2. Enable VPN Server

    Enable the VPN Server and note or change the Pre-shared Key.
    Make sure that the Server Address is set to your public IP address.


  3. Create a new VPN user

    The next step is to create a new VPN user. Click on Create a new user and enter a username and password.


  4. Advanced Configuration

    Set the advanced configuration to Manual. Here you can change the subnet if you need to. More important is to set your internal DNS server and enable Require Strong Authentication.

    Strong Authentication is needed for the MS-CHAP v2 protocol that is used by Windows 10 and 11.


Firewall rules are automatically created for the Remote access VPN, so we don’t need to look at them.

Connecting to UniFi VPN with Windows

To use the VPN connection on Windows you don’t need to install any clients. We can use the built-in VPN client. The steps below are the same on Windows 10 and 11.

  1. Open Start, type VPN and select VPN Settings
  2. Click Add VPN
  3. Select Windows (built-in) as VPN provider
  4. Enter a connection name; it can be anything you like
  5. Enter the public IP address of your UniFi console
  6. VPN Type > Select L2TP/IPsec with pre-shared key
  7. Enter the pre-shared key that we set earlier in the UniFi console
  8. Fill in the username and password that we created
  9. Save the settings
  10. Next, we need to change the VPN network adapter to enable MS-CHAP v2.
     Press Windows key + R, type ncpa.cpl and press Enter
  11. You will now see your VPN network adapter.
     Right-click on your adapter and select Properties
  12. On the Security tab:
     select Allow these protocols and enable Microsoft CHAP Version 2
  13. Click OK to save the settings.
  14. You can now click on Connect to test the VPN connection. It should immediately connect to your UniFi VPN server.

As you can see in the screenshot below we have connected the Lazy VPN connection and got an IP Address in the range as configured in the UDM:

Troubleshoot UniFi VPN connection issues

Setting up remote access VPN can sometimes be a bit challenging. When your UDM or USG is located behind a modem/router then L2TP VPN connections sometimes won’t work as easily as they should.

Besides potential modem/router issues, the client itself can also cause problems when setting up a remote VPN connection. For example, at the beginning of 2022, a Windows 10 and 11 update (KB5009543, KB5009566) caused the following connection error:

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer

It was fixed with a new update, but as you can see it can also be the client that is the issue.

To help you debug connection issues you can monitor the VPN log on your UDM/USG. This will really help you find the cause of the connection issue:

How to Open VPN Log on UDM/USG

To view the VPN log you will need to have SSH access to your UDM or USG. Make sure the SSH access is enabled in the UniFi OS and that you know the password:

Open the Windows Terminal or any other CLI that you like to use and type:

# Replace the IP address with the address of your USG/UDM
# (on a UDM the SSH user is root; on a USG use the device admin username)
ssh root@<ip-address>

# Enter the SSH password when prompted

Next, we will open the VPN log in the console. swanctl is the strongSwan IPsec daemon’s command-line tool, so this shows the IKE/IPsec negotiation that has to succeed before the L2TP tunnel is even attempted. The command live-streams the log into the console:

sudo swanctl --log

It’s normal that you don’t see any results in the beginning. Just leave the console open and try to connect your VPN Client.

No VPN Log Output

When you try to connect the client but don’t see any output in the console, then the VPN client is unable to reach the console at all. Make sure that you use the correct public IP address, that port forwarding (UDP 500 and 4500) is set correctly, and recheck the VPN configuration in the UniFi console.

Wrong Preshared key

If the pre-shared key is wrong, for example, the responder cannot decrypt the client’s payloads and you will see the following in the log:

02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
02[NET] sending packet: from 80.90.100.110[500] to 192.168.1.22[60815] (372 bytes)
04[NET] received packet: from 192.168.1.22[60816] to 80.90.100.110[4500] (76 bytes)
04[ENC] invalid ID_V1 payload length, decryption failed?
04[ENC] could not decrypt payloads
04[IKE] message parsing failed

Wrong Username or Password

When the username or password is wrong, IPsec comes up fine but the L2TP/PPP authentication fails, so you will get a “remote connection was denied” error on the client. In the VPN log we can identify it by the CHILD_SA and IKE_SA being deleted right after they were established:

16[IKE] received DELETE for ESP CHILD_SA with SPI c707898e
16[IKE] closing CHILD_SA lns-l2tp-server{7} with SPIs c577f0d2_i (771 bytes) c707898e_o (494 bytes) and TS 87.214.43.90/32[udp/1701] === 192.168.1.22/32[udp/1701]
16[CHD] updown: ok
09[NET] received packet: from 192.168.1.22[54205] to 87.214.43.90[4500] (92 bytes)
09[ENC] parsed INFORMATIONAL_V1 request 2150840229 [ HASH D ]
09[IKE] received DELETE for IKE_SA lns-l2tp-server[7]
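The three troubleshooting cases above (no output, wrong pre-shared key, wrong credentials) can be turned into a small classifier for a captured log excerpt. This is an added example, not code from the article or from Ubiquiti; it assumes you have copied the swanctl output into a text file rather than watching the live stream, and the sample excerpts are constructed from the article’s own log lines.

```python
import re
# Constructed excerpts modelled on the swanctl --log lines quoted in the
# article; the addresses are the article's sample values, not real hosts.
WRONG_PSK_LOG = """\
02[NET] sending packet: from 80.90.100.110[500] to 192.168.1.22[60815] (372 bytes)
04[NET] received packet: from 192.168.1.22[60816] to 80.90.100.110[4500] (76 bytes)
04[ENC] invalid ID_V1 payload length, decryption failed?
04[ENC] could not decrypt payloads
04[IKE] message parsing failed
"""
BAD_CREDS_LOG = """\
16[IKE] received DELETE for ESP CHILD_SA with SPI c707898e
16[CHD] updown: ok
09[NET] received packet: from 192.168.1.22[54205] to 87.214.43.90[4500] (92 bytes)
09[ENC] parsed INFORMATIONAL_V1 request 2150840229 [ HASH D ]
09[IKE] received DELETE for IKE_SA lns-l2tp-server[7]
"""
# Each signature lists patterns that must all appear, in this order.
SIGNATURES = [
    ("wrong pre-shared key", [r"invalid ID_V1 payload length, decryption failed\?",
                              r"could not decrypt payloads"]),
    ("wrong username or password", [r"received DELETE for ESP CHILD_SA",
                                    r"received DELETE for IKE_SA"]),
]
PEER_RE = re.compile(r"received packet: from (\d{1,3}(?:\.\d{1,3}){3})\[\d+\]")

def _in_order(log_text, patterns):
    """True if every pattern matches, each one after the previous match."""
    pos = 0
    for pat in patterns:
        m = re.compile(pat).search(log_text, pos)
        if m is None:
            return False
        pos = m.end()
    return True

def diagnose(log_text):
    """Map a swanctl log excerpt to the cause the article describes."""
    if not log_text.strip():
        # Nothing logged: the client never reached the console (wrong public IP,
        # UDP 500/4500 not forwarded, or the VPN server is disabled).
        return "client cannot reach the VPN server"
    for label, patterns in SIGNATURES:
        if _in_order(log_text, patterns):
            return label
    return "no known failure signature"

def client_peers(log_text):
    """Source addresses seen in 'received packet' lines: who is connecting."""
    return set(PEER_RE.findall(log_text))
```

`client_peers` is useful when several people report problems at once: it tells you which public address actually reached the console, so you can separate a port-forwarding problem from a wrong key or password.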

Wrapping Up

Setting up remote access VPN can sometimes be a bit challenging. Especially when your USG or UDM is behind another modem or router. But once connected you can securely access your home network or browse the internet safely by routing your internet traffic over the VPN.

I hope you found this article useful, if you have any questions just drop a comment below.


8 thoughts on “How to setup UniFi VPN on UDM Pro”

  1. Following up on my question about using Intune/Endpoint Manager to distribute the setup: not possible, but it is relatively easy to do using PowerShell, e.g.:

    # Provides Set-VpnConnectionUsernamePassword
    Install-Module -Name VPNCredentialsHelper -Confirm:$False -Force
    # Allow IPsec NAT-T when the client and/or server are behind NAT
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Value 2

    # Create the L2TP/IPsec connection with MS-CHAP v2 authentication
    Add-VpnConnection -Name "VPN Name" -ServerAddress "AAA.BBB.CCC.DDD" -EncryptionLevel "Required" -L2tpPsk "pskkey" -Force -RememberCredential -IdleDisconnectSeconds 0 -TunnelType "L2tp" -AuthenticationMethod "MSChapv2"

    # Store the VPN user credentials for the connection
    Set-VpnConnectionUsernamePassword -connectionname "VPN Name" -username "XXXX" -password "XXXXX"

    Where:

    VPN Name = Name of the connection as it should appear in Windows
    AAA.BBB.CCC.DDD = Public IP address of the UDM
    pskkey = VPN’s shared key as defined in UDM
    XXXX = VPN username as defined in UDM (case sensitive!)
    XXXXX = VPN password as defined in UDM (case sensitive!)

    The Set-ItemProperty registry setting step may or may not be required, depending on your local internet connection setup: https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device

  2. Very useful article – it works! I have quite a few users to roll out the VPN connection to…is there a way to do this in Intune/Microsoft Endpoint Manager? Intune requires the use of the EAP XML method

  3. I just got this working, connecting to my network from a laptop tethered to a phone.
    In step 2, enable VPN, the server address now shows “Auto Defined (WAN1)”; in my case, it wouldn’t work. The trick is to “Enter IP Address Manually”. Clicking this populated the public IP address. Save.

    Connects great now.

  4. Thank you Rudy. Nice article by the way.

    I desire to use my PC to connect to my UDM-Pro configured with DDNS through the internet. I definitely desire to access the UDM-Pro management GUI, but also be able to access devices (such as Synology NAS, security camera controller,…) configured on different VLANs.

    I am hoping to gain access to my entire network with this 1 VLAN connection. How would I allow access through the management function.. or what settings are you referring to? Thanks,

  5. If your network has VLANs, does the Unifi VPN server allow access to all of them? If yes, are there any configurations needed to do this?
