Unifi best site-site alternative

bigbang

Now that OpenVPN has deprecated shared key mode, what's the best way to configure a site to site VPN between a pfSense router and a unifi UDM router?

JKnott

@bigbang

Any reason you can't use TLS? Seems to me that's all that's available now.

planedrop

IPSec? Any reason not to go with that, it's better for site to site in most cases than OpenVPN anyway.

Or maybe I'm misunderstanding your question.

michmoor

@planedrop
I came here to say IPsec

Is Unifi not capable of doing site2site using Wireguard?

planedrop

@michmoor That is correct, Site-to-Site is only for IPsec and OpenVPN right now. I imagine S2S WireGuard will come at some point since they just added the ability to be a "VPN client" to their Unifi devices and also their "site magic" stuff uses WG on the backend.

I still prefer S2S over IPsec myself though, WireGuard isn't always the most fun to set up for that use case IMO. End up with too many gateways pretty easily.

bigbang

@JKnott I don't believe TLS is available in site-to-site in the latest release of Unifi.

bigbang

@planedrop said in Unifi best site-site alternative:

IPSec? Any reason not to go with that, it's better for site to site in most cases than OpenVPN anyway.

Or maybe I'm misunderstanding your question.

@planedrop said in Unifi best site-site alternative:

@michmoor That is correct, Site-to-Site is only for IPsec and OpenVPN right now. I imagine S2S WireGuard will come at some point since they just added the ability to be a "VPN client" to their Unifi devices and also their "site magic" stuff uses WG on the backend.

I still prefer S2S over IPsec myself though, WireGuard isn't always the most fun to set up for that use case IMO. End up with too many gateways pretty easily.

Yeah I think I'm going to re-configure it as IPSEC.
@planedrop yeah I saw that Wireguard is coming to Unifi for client setup in the crosstalk sol video for Unifi 8.0.7

planedrop

@bigbang Yeah I would recommend just using IPsec for now, it's pretty straightforward once you read some documentation on how to use it, just make sure to use good DH groups for it (14 or 21) for example.

brians

Shared key mode still works for now, but who knows when it will actually be removed.

IPSec does not work if one site is behind NAT, or CGNAT. Unless there is a way that I am unware of... if anyone has a solution to this let me know.

I have a remote site that I use a UDMSE on with a Starlink, and want to connect to a main site that is on an SG6100 with static IP. I can do this currently no problem with OpenVPN shared key mode, but I do not wish to deploy it like this since it will one day fail. Not a huge deal since they can get away with using OpenVPN client on desktop PCs but i would like a solution to this in future.

Seems that if UDMSE supported WG S2S in future that this would solve the issue. Currently in 8.0.7 it still doesn't. Their site magic however is pretty nice, which requires all UDMs, and I think it uses WG as its protocol.

SteveITS

@brians It work behind NAT, I’ve done it at both ends actually. Forward the port (at “server” end), and pfSense has a NAT Traversal checkbox in advanced options.

brians

@SteveITS Since posting that I tried and got working and came back here and noticed your reply. I didn't forward a port since my pfsense is static but good to know that it can be done.

However it seems to go offline a couple times sometimes and needed "coaxing" to get it back connnected (but in all fairness I was messing around with it lots)... I found changing a setting like tunnel name on UniFi S2S VPN Page would make it work again (reset button in status column didn't do anything when in this state, nor did pausing/unpausing). Using hostname instead of IP does not appear to work even though it is a new feature, and unifi does not show any status that it is connected like OpenVPN, but that is support issues for UniFi, I suppose not here.