New Member
Posts: 16
Registered: ‎12-20-2014
Kudos: 1

NOOB Q: Site-to-site VPN

Hi!

 

I am at a loss - it feels like I am missing something vital.

 

My situation: using my desktop, I created a nice network using only Unifi-products and 10.0.1.1-254. Then I moved the computer, set up a second network with only Unifi and 10.0.2.1-254. Then I added a site-to-site VPN without an error message. Yet - nothing.

 

Do I need to tell my Mac about the VPN? Do I need to carry back the computer to the first site to "activate" the tunnel?

 

Help!

 

Thanks,

David



All Replies
Established Member
Posts: 1,558
Registered: ‎07-18-2015
Kudos: 747
Solutions: 121

Re: NOOB Q: Site-to-site VPN

Ok, are both sites registered with the same (L3) controller?

If pasting output, please use the code tags button ({i})!
Please help the community find useful posts and solutions by hitting the "Kudos" and "Accept as Solution" buttons!
New Member
Posts: 16
Registered: ‎12-20-2014
Kudos: 1

Re: NOOB Q: Site-to-site VPN

Hi!

 

I am unsure - mainly because I don't fully understand. Both networks are "sites" on my local host. I can see the green dashboard on the site my computer is currently at and when I switch to the other site it is, naturally, all red. It feels more and more like I am missing something.

 

Thanks!

David

 

Edit: I added 3 pictures. One showing my two sites, and one each of the settings/networks pages on the two sites.

Emerging Member
Posts: 97
Registered: ‎05-29-2015
Kudos: 32

Re: NOOB Q: Site-to-site VPN

Sounds like the same issue as

http://community.ubnt.com/t5/UniFi-Routing-Switching/USG-to-USG-VPN-setup-need-help/m-p/1317549#U131...

Need to make sure the inform address is correct. I would also check that the address under Settings->Controller->Controller Hostname/IP
Established Member
Posts: 1,558
Registered: ‎07-18-2015
Kudos: 747
Solutions: 121

Re: NOOB Q: Site-to-site VPN

One of the problems with your setup is that you do not have both USGs connected to the controller at the same time. I presume you are running the controller on your laptop and have simply taken it from one physical site to the other.

 

Once you have the tunnel up you can have one USG connecting to the controller directly over the LAN and the other connecting to it through the tunnel.

 

On the subject of the tunnel itself, could you please dump out the config from both USGs? You will have to SSH to and dump the config on each separately. Then we can have a look why the tunnel may not be connecting as it should.

 

Could you also describe the networking setup you have at each site, specifically any port forwarding you have configured?

New Member
Posts: 16
Registered: ‎12-20-2014
Kudos: 1

Re: NOOB Q: Site-to-site VPN

Hi!

 

Sorry for delayed response. Tomorrow I will visit the first site and get all info requested. But, at the risk of sounding like a moron, you describe my setup (perfectly BTW - laptop controller) as if I have a choice. Do I? Is there a cloud-based controller that can see two routers at the same time (without a tunnel between them)?

 

David

Established Member
Posts: 1,558
Registered: ‎07-18-2015
Kudos: 747
Solutions: 121

Re: NOOB Q: Site-to-site VPN

Yep, you can have a cloud controller that both sites can contact and use. This is probably your safest bet if you have the means of hosting a controller somewhere that is not in either site.

 

You can do a backup of the config on your current controller, and then import this backup into your cloud controller so you don't have to start from scratch. Once you've done that, you simply point all your devices to the new controller URL (can use IP) and Bob's your uncle.

New Member
Posts: 16
Registered: ‎12-20-2014
Kudos: 1

Re: NOOB Q: Site-to-site VPN

Hi!

 

Wow - it seems like this would solve many challenges! Is it an AWS-only deal, or should I get a virtual server? I see no Ubiquiti-hosted service, is there one?

 

Bob is actually an uncle!

 

David

Established Member
Posts: 1,558
Registered: ‎07-18-2015
Kudos: 747
Solutions: 121

Re: NOOB Q: Site-to-site VPN

You can run it on any VPS, physical server or VM you like!

 

I have several DigitalOcean VPSs running Ubuntu for the controllers for different groups of clients without any issues, as well as on my home Ubuntu server for my home UniFi system.

 


@davidthulin wrote:

 

Bob is actually an uncle!

 

David


Awesome! Rofl

New Member
Posts: 16
Registered: ‎12-20-2014
Kudos: 1

Re: NOOB Q: Site-to-site VPN

Hi!

 

Just to triple verify - a Windows VPS would be ok? I am guessing I just need a static IP and the ability to install the controller? (Linux scares me...)

 

D

Established Member
Posts: 1,558
Registered: ‎07-18-2015
Kudos: 747
Solutions: 121

Re: NOOB Q: Site-to-site VPN

A Windows VPS would work fine too, you just need a slightly higher specced one to run everything Windows needs.

New Member
Posts: 16
Registered: ‎12-20-2014
Kudos: 1

Re: NOOB Q: Site-to-site VPN

Hi!

With my new VPS, I gather I need to SSH to all devices in both sites and set the new inform address. I know I saw the format and un/pw, but I can't seem to find it again. Help!

Also, is the controller setup in Ubuntu easy? Or will it involve command line hacking?

Thanks,
D

Established Member
Posts: 1,558
Registered: ‎07-18-2015
Kudos: 747
Solutions: 121

Re: NOOB Q: Site-to-site VPN

For the syntax just search for L3 Adoption, I believe it starts with set-inform but I can't remember it off the top of my head.

 

For the controller on Ubuntu, just download the .deb from the website (https://www.ubnt.com/download/unifi/unifi-ap#) and copy it to the server. You then just run

sudo dpkg -i <name-of-file>.deb

If there are dependency problems it will tell you. To fix these, run

sudo apt-get -f install

Once it's installed, you're good to go with the web browser. 

New Member
Posts: 16
Registered: ‎12-20-2014
Kudos: 1

Re: NOOB Q: Site-to-site VPN

Hi!

 

This is such a dumb problem. I can't access the APs/switch/router via SSH. Wrong password - I tried on different computers using different tools. Both my controller un/pw and ubnt/ubnt. Then I found something in the forum about fwupdate.real. But how? Are there any instructions anywhere?

 

D

 

Edit: I found it! It was not the controller un/pw - it was another set of credentials under "Settings".

New Member
Posts: 16
Registered: ‎12-20-2014
Kudos: 1

Re: NOOB Q: Site-to-site VPN

OK - write-up time. First the tl;dr: once I had both routers active on the same controller at the same time, my problem disappeared.

So the situation cannot have been unique. I have the controller on a laptop, set up a site, then bring the laptop to a second site, and I want them to have a tunnel.

The solution, as stated above, was a "cloud" server that could see both sites at the same time. Being scared of Linux, I selected a Windows VPS. After the controller was installed (using a backup file with both sites) I opened port 8080.

The next step was to tell all Unifi devices that they should "speak" to this cloud controller using the SSH format

set-inform http://x.x.x.x:8080/inform

The un/pw are to be found under "settings".

After much ado it works. I can think of seven ways this can be improved, including a test for tunnels.

Anyways - with patience and SSH this works like a charm.

D
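A scripted version of the re-pointing step from this write-up, added here as an example and not code from the thread or from Ubiquiti: it builds and validates the inform URL, then runs set-inform on each device over SSH using the device credentials from the controller's Settings page. The controller address 203.0.113.10, the device IP list, the SSH user and the DRY_RUN switch are constructed placeholders.

```shell
#!/bin/sh
# Re-point UniFi devices at a new controller by running set-inform over SSH.
# Example code; host, device list and user below are constructed placeholders.

CONTROLLER_HOST="${CONTROLLER_HOST:-203.0.113.10}"   # public IP of the VPS controller
CONTROLLER_PORT="${CONTROLLER_PORT:-8080}"           # inform port opened on the VPS
DEVICE_USER="${DEVICE_USER:-ubnt}"                   # device SSH user (from controller Settings)
DRY_RUN="${DRY_RUN:-1}"                              # 1 = only print the commands, do not SSH

# Constructed list of device IPs at the site being migrated.
DEVICES="10.0.1.2 10.0.1.3 10.0.1.4"

# inform_url HOST PORT -> prints http://HOST:PORT/inform, fails on bad input.
inform_url() {
    host="$1"; port="$2"
    [ -n "$host" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;     # port must be all digits
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf 'http://%s:%s/inform\n' "$host" "$port"
}

# set_inform_cmd HOST PORT -> the exact command to run on a device.
set_inform_cmd() {
    url=$(inform_url "$1" "$2") || return 1
    printf 'set-inform %s\n' "$url"
}

# push_inform -> runs (or, in dry-run mode, prints) the command for every
# device; the return value is the number of devices that failed.
push_inform() {
    failed=0
    cmd=$(set_inform_cmd "$CONTROLLER_HOST" "$CONTROLLER_PORT") || return 1
    for ip in $DEVICES; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "ssh $DEVICE_USER@$ip '$cmd'"
        else
            ssh -o ConnectTimeout=5 "$DEVICE_USER@$ip" "$cmd" || failed=$((failed + 1))
        fi
    done
    return "$failed"
}

push_inform
```

Run with DRY_RUN=0 only after the printed commands look right; each device still has to be adopted in the new controller before it reports as connected.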
Established Member
Posts: 1,558
Registered: ‎07-18-2015
Kudos: 747
Solutions: 121

Re: NOOB Q: Site-to-site VPN

Care to share what you would improve? They might be things raised previously and which you could support in Feature Request posts, or alternatively you could raise your own Feature Requests.
