New Member
Posts: 21
Registered: ‎11-30-2015
Kudos: 7

Using a USG as a VPN Gatway

Hi All,


I thought I'd share a setup that I've got operational now after not a small amount of stuffing around.


So let me paint the picture of the problems I was facing that led me down this path.


I've got a Fortigate VM01 at my Head Office and I'm looking to change all the routers at my Retail stores, get a quote on fortigate and the project gets rejected as being too expensive, so I fall back on old faithful Ubiquiti to save the day, loose countless hours of sleep pondering if I should go for USG or ER, end up going USG purefuly for the extra green dot in my Controller dashboard.


Now I've got all my USGs at my remote sites, happily VPNed into my Fortigate, everyone is talking to each other, project is a success. But then along comes another site, in a remote location, they can't get any ADSL, VDSL or NBN. They only have 4G with a Big ol Yagi on the roof to get some signal.


Now I get my self a Netgear LB2120, put it in bridge mode, connect it to my USG ask Telstra for a propper routable IP address for my 4G service. VPN now connected to Head Office Fortigate. But then, one fateful night, the IP address on the 4G service changes, so I have a chat to my ISP about getting a static address, no bingo. Well this is all pretty far from ideal, do I have to just change this VPN tunnel every week and live with that for the rest of my life? Unacceptable.


Having seen the "auto IPsec VTI" option in the Network Settings, I started investigating this.


So I purchased a USG-Pro4 for Head Office, and successfully connected a VPN Tunnel using the Auto IPsec VTI between Head Office and this remote site with a dynamic IP address. Now I've just got to get it talking to the rest of the sites.


So I put the USG's LAN port in my Head Office LAN giving it a new IP address. So now I've got two routers in the one LAN.

Add a Static Route in the Fortigate to say "all traffic for that remote site go via the USGs LAN interface" Then I had to put in all the other remote sites connecting through the fortigate in the USG to route via the Fortigate.


Job's done. IP changes are automatically accomodated for in the Unifi Controller, my intervention is no longer required when the IP address changes.




So yes I do now have two internet connections in at Head Office, I just fortunately got another one for free with my new phone system from that ISP.


If you wanted to run all your VPNs through your USG and have no VPNs running to your Fortigate you could set up your USG to behave like a "VPN Gateway" very easily like this:



So I've had this setup in the Lab and it worked in testing, I haven't set this up in production, so do your own testing before you sell this solution to a client\yourself Man Tongue


Hopefully this will help someone, if anyone has any questions or comments on this setup, I'd be glad to start a conversation with you.


Open to critique on this setup too.