Heads up to anyone on Android 12, they removed L2TP support, and this latest version of Unifi OS only supports L2TP (it does not support IKEv2, which is the only option provided by Android)

Amazing, finally a tutorial that I was able to follow and it actually worked first time exactly as you showed. 😀

Thank you so much Mac. You helped me diagnose and fix a connection problem we were having. Getting an error when connecting to the VPN. Had to enable the "Require Strong Authentication" as discussed in your video. Wahhoooo!

This video helped me configure mine, thank you! Some of Unifi's UI is a bit cryptic.

Trying to map a SMB drive from my Windows Server so I can access through my VPN. No one has a clear answer out there on how to accomplish this. I can’t see devices and mapped drives on the LAN when connected through VPN. It would be nice if Ubiquiti built in a simple function to turn on that would “bridge” the LAN and VPN subnets together!

How come the "Block VPN to networks" firewall rule was created as LAN Out and not as LAN In?

Thank you for the help. I have a TrueNAS server I am using to back up my pics daily from my ipad and phone and still wanted access to them after deleting them off my mobile devices.

This is a GREAT video! THANK YOU!!!

I can ping everything on my home network through my Open VPN connection, except for my Synology NAS. It seems to be a Synology issue. Would you happen to know off-hand what setting needs to be changed in the Synology so that I can connect to it from a different VLAN?

I'd appreciate a video on how to make a port use a vpn out (in my case nord) so I can plug the port from my pc into it and it would be covered by the vpn and no need for software on the pc to messup other settings like it has done before.

Very useful video. Thanks

Another issue I can't find solution for is restricting access to networks on per user (or user group) basis. Ubiquiti markets UDMP as a solution for small and medium business, and this is functionality which is crucial for proper implementation of remote work.

If I'm using DDNS to get a domain name that links back to my home's current external IP, do I just set up the iPhone VPN client to point to this domain? Just a home gamer here, not sure if FQDN = my DDNS domain. My hope is that when my ISP updates my external IP address it won't require me to go back into the iPhone and change the VPN settings to a new server/public IP address.

Are you supposed to be able to see active VPN client connections on the controllers client devices section?

Great vidéo which I used to secure my UID One-Click VPN users. Still trying to block gateways from VPN users, you mentioned that UniFi needed to fill the gap on that. As it been done ? How to block those gateways ?

Good video. One item that was not covered was how you allow multiple VPN connections at the same time. I have the exact same set up without the firewall restrictions and when the second VPN connection hits it will kick the first one off. Both Windows machines. This seems to be an open issue if you research the forums. How are you getting around this limitation?

Have you tried blocking the gateway addresses as destination and VPN as source on the IN interfaces?

Would love a tutorial on this without using a phone. Perhaps a Windows 10 or 11 laptop? I also cant ping anything on any of my other VLAN's, but I want to be able to connect to them. Any ideas?

Every VPN/Firewall tutorial (from everyone) always shows how to block the VPN network(s) from accessing resources on the LAN (using LAN Out). I cannot seem to find any information for blocking traffic from a local network *TO* a VPN network (other than blocking returning packets via LAN Out), and I've been unsuccessful in trying to get it to work.

Great video. What’s the name of the Ping app on your iPhone. Thanks

Any word on if the gateway issue has been solved?

I followed along your video while looking at my setup but I could only ping the router no matter what I did. I tried several firewall rules and nothing helped, but then I wondered if it was the address that caused my issue. So, most of the networks are 192.168.x.x but I set one network to 10.0.4.x because there was software that had things setup with that address, I did it to stop issues, but it seems like I created issues instead. Is there a firewall rule I can add to allow this crossing of IP addresses? I will definitely be using your donate button if I can get this resolved!

I have a sonicwall but I’m managing Unifi through the application on my server and using Unifi APs. What public IP address should I be using? The one for the sonicwall or should I be making my server host public through port forwarding? I tried the network’s public IP address but that didn’t work and I’m nervous to make the entire host available with a public IP address.

No changes for blocking gateway pinging?

Hi, great thanks for your shared video first, I follow all firewall rule setup in my new UDM SE and work fine. only after I setup the block VPN to network rule(RFC1918 to RFC1918) , it turns out default network cannot connect HP AIO printer on IoT VLAN, would it make sense to setup the block rule (VPN user to RFC1918)? I did it and HP AIO printer work fine now.

I'm a noob, but I hope I can get some advice. I locked down my vlans from each other and all the gateways and udm like you advised in the firewall vids, and locked all my lan and vlan traffic to specific ports and disabled the rest, so now you have to log in on the land port only to get into my udm pro. I still want to use my unifi android app though, and cant because its locked out of the lan. Is it advisable to set up a remote VPN so my phone can access the udm pro for remote administrator with the app? I'm guessing this is a security no no.

I have a problem. I can only connect with one vpn l2tp user at a time from the same remote ip. Does anyone know how to fix?

Thanks!

Excellent video. I followed all your steps and when I ping from my phone while connected to t-mobile, it works like a charm. However, when I ping from my phone (or home computer) while on my home network (also a UniFi dream machine set up), I get timeouts to all office networks even though I’m connected. Help? Anyone?

I assume you need to enable your radius server also? Mine isnt enabled by default.

Hi, stied to install following you guide, all is working however once is set up the rules on lan out i lost connectivity to the app under reverse proxy on my server , how can i solve

can connect from my iphone, cannot connect from my mac. If I connect to my iphone on cellular to simulate outside connection I can connect to the vpn but cannot ping anything on LAN

What if you don’t have a static public IP. What would be the best solution?

I'm trying to setup ddns for my VPN as I have a dynamic IP address but having issues.

I have not been able to get the USG3 to do VPN, I have followed the guides ... it just doesnt connect. Is this normal or should I try and get UDM pro for it to work?

Hello, I am trying to create a firewall rule on a UDM SE to prevent the remote network (Site-to-Site OpenVPN) from accessing the IP addresses of the gateway (UDM SE). Unfortunately I do not succeed.

When I access my noip account info, all I see is my basic info email address. I do not see my username and password. Do I have to upgrade my account to obtain a username and password?

Thanks

VPN Access, once connected I cant access my local network, only Unifi SE

Please can you show us how to do L2TP VPN from windows server 2022 RRAS server using Ubiquiti please

do you have to bridge the router?

Hi Guys, has someone tried to connect to the VPN with an android based phone, not working for me. I wonder whether the weak cyper option is not necessary for this.

Could you do an updated one?

How does this work on mobile networks that use ipv6 addresses?

In the first firewall rule to block, you used RFC1918 for both Source and Destination. Was that a mistake?

Just ran into this today, buddies UDMP VPN connected and you can ping AP's etc but RDP would not work. IPS was set to high and it blocked it. I had to put it on low before RDP could hit the computer. Also can't ping local computers but apparently thats a windows firewall thing?

Can you do split VNP on udm pro

Cody, I’m pretty sure you can block the gateways. I made a group including the IP address of the gateways, then blocked the network to those. I used it to block IOT devices from getting to my regular network. I’m almost positive that Chris from Crosstalk solutions did a video about it.

Thanks for this. Folks, what do Name server1 and 2 relate to?

I get the iphone to work with no issues, but my Macbook I have no luck with.

I get an error when I try to connect to my VPN on windows, this is my error: a connection to the remote computer cannot be established.you might need to change the setting for this connection

Everything makes sense, except your rushed over the IP Port Groups (what you call RFC1918). Where do those IP address come from?

There was an error deleting the VPN network. Object is referenced by User

Can you make a video with IPv6?

Is the massive issue of VPN users being able to access to the gateways being fixed? It seems not, right?

Can you just move the https port # for the UDM login page to some secret non-standard number? That would 'hide' that page from a regular user. Good video, thank you!

Would be great to have fixed ip address to VPN users.

Can't you drop ICMP on the gateways Cody ? Could you create a rule to block the PORT for the gateway ip's that direct to the log in page ?

Any good options to set this up for an android phone? Unfortunately android does not support L2TP anymore.

Do the firewall rules also apply when using the UID VPN option?

Android is not the same and seems to have issues for me.

what's that PING app?

It's frustrating that the firewall rules allow/block by network and not by user. What if I have a VPN user who want to give access to my NAS but another user who I don't. What if I have a user who I want to be able to rdp into a specific machine but another user who I don't want to. I think Ubiquiti needs to allow setting static IPs for VPN users so that the firewall can be configure for source and destination IPs rather then for the whole VPN Network.

I tried to set this up but for some reason my remote clients are ignoring the two simple lan out rules. Rules are Block RFC1918 and Allow VPN to 192.168.4.17. Allow VPN rule is above the RFC1918. VPN is on the 192.168.5.0/24 subnet. Firmware for UDM-Pro is 1.12.33

Anyone get OSX working. Can connect to VPN and get the WAN IP but unable to ping or connect to local devices.

I can connect with my iPhone but not with windows

the RFC1918 IP group is really unclear to me on what it is doing, is that every vlan you have on your UDM? I found the answer in another video kzbin.info/www/bejne/qoSXXnaihtqiack

This VPN LT2P or whatever is NOT working any longer on Win 11!

Netgate 7100 1u rack vs udm pro plz

I guess the modem should be on bridge mode....

Every time I create a user , it disappears after restarting the UDM.

I've noticed this issue few month ago. It is possible to ping GW and also access to the WEBUI of the GW ... ! I don't understand why Unifi don't patch this critical issue :/

The protocol is outdated and unifi needs to move with the times with there VPN protocol. They need to added lime Wireguard, I hate to day this even OpenVPN at the least but defo Wireguard.

why is this easier than nordlayer....

L2TP is an outdated and *insecure* VPN protocol!

I WISH I could see your screenshots clearly. Ruined an otherwise excellent video.

Make the rule to Lan Local destinations the gateway on every vland and the gateway for the vpn drop only port 80, 443,22