
Ubiquiti edgerouter x site to site vpn


Ubiquiti edgerouter x site to site vpn: a practical, step-by-step guide to configuring IPsec site-to-site VPN on EdgeRouter X for small offices and home labs

Yes, you can set up a site-to-site VPN on the Ubiquiti EdgeRouter X. In this guide, I’m breaking down how to plan, configure, and validate an IPsec-based site-to-site VPN so two separate networks—your main office and a remote site—can talk securely as if they were on the same local network. You’ll get a clear, field-tested approach that covers GUI and CLI methods, firewall considerations, troubleshooting, and real-world tips to keep your tunnel reliable.


What is a site-to-site VPN and why EdgeRouter X is a good fit

A site-to-site VPN creates an encrypted tunnel between two distinct networks, letting hosts on one side reach hosts on the other without exposing traffic to the public internet. It’s ideal for linking a main office with a remote site, a data center, or a cloud-connected location. The EdgeRouter X is a budget-friendly, feature-rich router that runs EdgeOS (a Vyatta-derived operating system) and supports IPsec site-to-site VPNs, making it a popular choice for small offices and home labs. Key reasons people choose EdgeRouter X for site-to-site VPNs:

  • Flexible firewall and NAT rules for traffic between subnets
  • Robust IPsec support with IKE and ESP negotiation
  • CLI and GUI options so you can choose your preferred workflow
  • Reasonable performance for typical small business workloads
  • Simple backup and replication workflow when you need to deploy to another site

In practice, most site-to-site VPN setups hinge on matching: public IPs, pre-shared keys, the right IKE/ESP proposals, and accurate subnet definitions. Once those pieces line up, you’ll see traffic between the two sites as if they were on the same LAN, with encryption protecting data in transit.

EdgeRouter X hardware and software basics you should know

EdgeRouter X sits at the edge of your network and acts as the gateway between your LAN and the internet. It’s capable of routing at high speeds for small to medium workloads and supports:

  • IPsec site-to-site VPNs with pre-shared keys
  • EdgeOS firewall rules and NAT configurations
  • Both GUI EdgeOS Web UI and CLI SSH or console management
  • Multiple VPN peers, but typically one tunnel per pair of sites

A practical note: plan at least two subnets (one per site) and ensure the local subnets don’t overlap. If you’re using private addressing like 192.168.1.0/24 on Site A and 192.168.2.0/24 on Site B, you’ll need to map the tunnel to those ranges in both the VPN configuration and the firewall rules.

Prerequisites before you begin

  • Two EdgeRouter X devices, each with a public IP address (static, or dynamic with dynamic DNS)
  • Administrative access to both EdgeRouter X units
  • Determined internal subnets for Site A and Site B (e.g., 192.168.1.0/24 and 192.168.2.0/24)
  • A shared pre-shared key (PSK), or a certificate-based setup if you’re feeling fancy
  • Basic knowledge of your network topology and which interfaces face the WAN vs. the LAN
  • Optional: a plan for firewall rules to permit VPN traffic and intra-site routing rules

Security note: use AES-256 (or at least AES-128) with SHA-256 for integrity, and prefer IKEv2 if you’re able to configure it end-to-end. These choices balance security and performance for typical EdgeRouter X hardware.

Step-by-step: GUI method EdgeOS Web UI

The GUI approach is friendly if you’re more comfortable clicking around than typing lots of commands. The exact labels may vary slightly by firmware, but the flow is consistent.

  1. Prepare your data
  • Site A local network: e.g., 192.168.1.0/24
  • Site B local network: e.g., 192.168.2.0/24
  • WAN IPs: Site A public IP (or dynamic DNS name) and Site B public IP
  2. Access the EdgeRouter X UI on Site A
  • Navigate to the EdgeRouter X’s IP in a browser
  • Log in with admin credentials
  • Go to the VPN section, then IPsec, then “Add Peer” (or similar)
  3. Create the first VPN peer (Site B)
  • Peer IP/Remote WAN: enter Site B’s public IP
  • Local WAN IP: Site A’s public IP (if you’re behind NAT, you’ll need to reflect that)
  • Authentication: Pre-Shared Key; enter a strong PSK and note it down
  • IKE Group: choose AES256, SHA256, DH Group 14
  • ESP Group: AES256, SHA256; if Perfect Forward Secrecy (PFS) is available, enable it
  • Local subnet: Site A’s LAN (192.168.1.0/24)
  • Remote subnet: Site B’s LAN (192.168.2.0/24)
  • Enable a NAT exemption rule so traffic to Site B isn’t NATed to the public IP
  4. Save and apply
  • Save changes and apply. The GUI should show the tunnel attempting to establish
  • Repeat the same steps on Site B, reversing the local/remote subnets and using the PSK you set
  5. Add firewall rules
  • Allow VPN traffic (IPsec) on both sides
  • Create NAT exemptions for traffic destined to the remote LAN
  • Permit ICMP/ping between sites if you want quick verification
  6. Test the tunnel
  • Ping a host on Site B from Site A, e.g., ping 192.168.2.10
  • Verify that the traffic is traversing the tunnel, not the public internet
  7. Verify the tunnel status
  • In the EdgeOS UI, check the VPN/IPsec status tab or the log view for “ESTABLISHED” or similar
  • If you don’t see it, recheck the PSK, remote IP, and subnet definitions

Step-by-step: CLI method EdgeRouter X

If you’re comfortable with a bit of command-line work, the CLI is fast and repeatable. Replace the placeholders with your actual data.

  1. Access the device
  • Use SSH or the console to log in to the Site A EdgeRouter X
  • Enter configuration mode:
    configure
  2. Define IKE and ESP groups
  • set vpn ipsec ike-group IKE-256 proposal 1 encryption aes256
  • set vpn ipsec ike-group IKE-256 proposal 1 hash sha256
  • set vpn ipsec ike-group IKE-256 proposal 1 dh-group 14
  • set vpn ipsec esp-group ESP-256 proposal 1 encryption aes256
  • set vpn ipsec esp-group ESP-256 proposal 1 hash sha256
  3. Create the site-to-site peer (203.0.113.2 stands in for Site B’s public IP; <SITE-A-PUBLIC-IP> and <WAN-INTERFACE> are placeholders for your own values, and the PSK goes in straight single quotes)
  • set vpn ipsec ipsec-interfaces interface <WAN-INTERFACE>
  • set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
  • set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'YourStrongPSK'
  • set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-256
  • set vpn ipsec site-to-site peer 203.0.113.2 local-address <SITE-A-PUBLIC-IP>
  • set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP-256
  • set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.1.0/24
  • set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 192.168.2.0/24
  4. Firewall/NAT rules
  • Add firewall rules on the WAN-facing (WAN_LOCAL) ruleset that accept IPsec traffic: UDP 500 (IKE), UDP 4500 (NAT-T), and the ESP protocol
  • Exclude traffic between the two LANs from the WAN masquerade rule so it isn’t NATed before it enters the tunnel
  5. Commit and save
  • commit
  • save
  • exit
  6. Repeat at Site B
  • Mirror the configuration: the peer becomes Site A’s public IP, local-address becomes Site B’s public IP, and the local/remote prefixes are swapped
  7. Test and troubleshoot
  • From Site A, ping a host at Site B
  • If it fails, check the status with:
    show vpn ipsec sa
    show vpn ipsec tunnel
    show log
  • Ensure both sides use identical IKE/ESP proposals and the same PSK

Note: If your EdgeRouter X is behind a NAT device (typical in homes), you may need to enable NAT traversal for the VPN traffic or configure hairpin NAT, depending on your setup. If both sites are behind NAT, consider using dynamic DNS on each side and ensure the tunnels use the public IPs associated with the NAT devices.
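To make the mirroring rule in steps 3 and 6 concrete, here is an added Python helper (example code, not from this guide or from Ubiquiti) that renders both routers’ command sets from one description of each site, so the peer address, local-address and prefixes can never be swapped by hand inconsistently. It assumes EdgeOS syntax for the tunnel prefixes, DPD and auto-firewall-nat-exclude; the 203.0.113.x addresses and interface eth0 are constructed, and the PSK is a placeholder.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Site:
    name: str
    wan_if: str      # interface facing the internet, e.g. eth0 (constructed)
    public_ip: str   # WAN address the other router dials
    lan: str         # LAN prefix behind this router

def render_site(local: Site, remote: Site, psk: str) -> List[str]:
    """EdgeOS 'set' commands for ONE router, to be pasted inside 'configure'."""
    if "'" in psk:  # the secret is single-quoted on the command line
        raise ValueError("PSK must not contain a single quote")
    peer = f"vpn ipsec site-to-site peer {remote.public_ip}"
    return [
        f"set vpn ipsec ipsec-interfaces interface {local.wan_if}",
        # lets EdgeOS add the WAN_LOCAL allow rules and NAT exclusion for this tunnel
        "set vpn ipsec auto-firewall-nat-exclude enable",
        "set vpn ipsec ike-group IKE-256 key-exchange ikev2",
        "set vpn ipsec ike-group IKE-256 proposal 1 encryption aes256",
        "set vpn ipsec ike-group IKE-256 proposal 1 hash sha256",
        "set vpn ipsec ike-group IKE-256 proposal 1 dh-group 14",
        "set vpn ipsec ike-group IKE-256 dead-peer-detection action restart",
        "set vpn ipsec ike-group IKE-256 dead-peer-detection interval 30",
        "set vpn ipsec ike-group IKE-256 dead-peer-detection timeout 120",
        "set vpn ipsec esp-group ESP-256 proposal 1 encryption aes256",
        "set vpn ipsec esp-group ESP-256 proposal 1 hash sha256",
        "set vpn ipsec esp-group ESP-256 pfs enable",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret '{psk}'",
        f"set {peer} ike-group IKE-256",
        f"set {peer} local-address {local.public_ip}",
        f"set {peer} tunnel 1 esp-group ESP-256",
        f"set {peer} tunnel 1 local prefix {local.lan}",
        f"set {peer} tunnel 1 remote prefix {remote.lan}",
    ]

def render_pair(a: Site, b: Site, psk: str) -> Dict[str, List[str]]:
    """Both routers' command sets; each side is the mirror image of the other."""
    return {a.name: render_site(a, b, psk), b.name: render_site(b, a, psk)}

# Constructed sample sites (documentation addresses); replace with your own values.
SITE_A = Site("site-a", "eth0", "203.0.113.1", "192.168.1.0/24")
SITE_B = Site("site-b", "eth0", "203.0.113.2", "192.168.2.0/24")
PSK = "REPLACE-WITH-A-LONG-RANDOM-SECRET"  # placeholder, not a real key

if __name__ == "__main__":
    for name, cmds in render_pair(SITE_A, SITE_B, PSK).items():
        print(f"# {name}\nconfigure\n" + "\n".join(cmds) + "\ncommit\nsave\nexit\n")
```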

Firewall and NAT considerations for a reliable tunnel

  • NAT exemptions: You want traffic destined to the remote LAN to bypass NAT on both ends. This prevents double NAT from breaking IPsec.
  • Firewall zoning: Keep security strict on LAN interfaces but permit VPN traffic on the WAN and VPN interfaces. A typical rule is to allow IPsec ESP, AH, and UDP 500/4500 between the VPN endpoints.
  • Traffic selectors: The subnets you define in the tunnel must precisely match the internal networks you want to connect. Mismatched subnets are a common source of tunnel failure.
  • Dead peer detection and re-key timing: Set reasonable IKE and IPsec re-key intervals to balance security and stability. Too-short re-key intervals can cause flapping; too-long intervals increase the exposure if a PSK is compromised.

Testing, monitoring, and verification

  • Basic tests:
    • Ping tests: from a host on Site A to a host on Site B
    • SSH or RDP tests if you’ve opened those management paths through the tunnel
  • Verification commands:
    • show vpn ipsec sa to see active SAs
    • show vpn ipsec tunnel for tunnel status
    • show log | include IPSec to check for negotiation messages and errors
  • Performance checks:
    • Measure latency and jitter with continuous pings
    • Check throughput with file transfers to see if you’re hitting bottlenecks or packet loss
  • Common issues:
    • Mismatched PSK or IKE/ESP proposals
    • Overlapping subnets
    • Incorrect remote peer IP or NAT translation
    • Firewall rules blocking IPsec/IKE

Common issues and practical fixes

  • Issue: Tunnel won’t establish
    • Fix: Double-check PSK, ensure both sides use the same IKE/ESP proposals, verify that public IPs are reachable, and confirm the local/remote subnets don’t overlap.
  • Issue: Traffic non-routable across the tunnel
    • Fix: Confirm routing is in place on both sides and that the firewall allows inter-site routing. Ensure NAT exemptions are properly configured.
  • Issue: Tunnel drops after a few minutes
    • Fix: Inspect the IKE re-key settings; adjust lifetimes if needed and verify the remote peer’s stability.
  • Issue: VPN performance degradation
    • Fix: Check device performance (CPU load, memory usage), adjust the MTU, and ensure the encryption settings aren’t overly burdensome for the hardware.
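As an added example (not part of the original guide), this Python pre-flight check catches the mismatches behind the first two issues above before anything is committed: peer/local-address pairing, mirrored prefixes, identical PSK and proposals, and overlapping LANs. The site dictionaries and addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values (not from a real deployment). Each dict holds the
# settings that must either match (PSK, proposals) or mirror (prefixes, addresses).
SITE_A = {"name": "site-a", "local_address": "203.0.113.1", "peer": "203.0.113.2",
          "local_prefix": "192.168.1.0/24", "remote_prefix": "192.168.2.0/24",
          "psk": "correct-horse-battery", "ike": ("aes256", "sha256", 14),
          "esp": ("aes256", "sha256", "pfs")}
SITE_B = {"name": "site-b", "local_address": "203.0.113.2", "peer": "203.0.113.1",
          "local_prefix": "192.168.2.0/24", "remote_prefix": "192.168.1.0/24",
          "psk": "correct-horse-battery", "ike": ("aes256", "sha256", 14),
          "esp": ("aes256", "sha256", "pfs")}
# A deliberately broken Site B: a typo in the PSK and a LAN carved out of Site A's range.
BAD_B = dict(SITE_B, psk="correct-horse-batery", local_prefix="192.168.1.128/25")

def preflight(a: Dict, b: Dict) -> List[str]:
    """Return the configuration mismatches between two sites (empty list = consistent)."""
    problems: List[str] = []
    for x, y in ((a, b), (b, a)):
        # The address each side dials must be the other side's local-address (WAN IP).
        if x["peer"] != y["local_address"]:
            problems.append(f"{x['name']} dials {x['peer']} but {y['name']} "
                            f"local-address is {y['local_address']}")
        # Each side's remote prefix must be exactly the other side's local prefix.
        if x["remote_prefix"] != y["local_prefix"]:
            problems.append(f"{x['name']} remote prefix {x['remote_prefix']} != "
                            f"{y['name']} local prefix {y['local_prefix']}")
    # Secrets are compared, never printed, so the report is safe to paste into a ticket.
    if a["psk"] != b["psk"]:
        problems.append("pre-shared secrets differ")
    for group in ("ike", "esp"):
        if a[group] != b[group]:
            problems.append(f"{group} proposal differs: {a[group]} vs {b[group]}")
    # Overlapping LANs make the traffic selectors ambiguous even when everything else matches.
    lan_a = ipaddress.ip_network(a["local_prefix"])
    lan_b = ipaddress.ip_network(b["local_prefix"])
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN overlap: {lan_a} overlaps {lan_b}")
    return problems

if __name__ == "__main__":
    for label, b in (("good pair", SITE_B), ("bad pair", BAD_B)):
        print(label, preflight(SITE_A, b) or ["no problems found"])
```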

Performance tips and security best practices

  • Use AES-256 + SHA-256 for strong encryption and integrity
  • Prefer IKEv2 over IKEv1 where possible for efficiency and stability
  • Keep firmware up to date on EdgeRouter X to benefit from security patches and bug fixes
  • Maintain a clean network diagram: label each site’s LAN, WAN, and VPN endpoints
  • Preserve a backup of your EdgeRouter X configurations before making changes
  • If you have multiple remote sites, consider grouping them under a single hub-and-spoke topology to simplify management
  • Consider integrating a separate next-hop firewall or IDS if you’re running a more complex network

EdgeRouter X vs other routers for site-to-site VPNs

  • EdgeRouter X is a cost-effective option that supports IPsec site-to-site VPNs with reasonable performance for a small office or home-lab environment.
  • It’s typically easier to manage for users comfortable with CLI and EdgeOS but might require more hands-on configuration than consumer-grade VPN routers.
  • When you need to scale to more sites or higher throughput, you may want to evaluate higher-end Ubiquiti devices like the EdgeRouter 4/6 or UniFi Dream Machines, or specialized VPN appliances.

Real-world use cases

  • Small office to remote branch: Two sites with 192.168.1.0/24 and 192.168.2.0/24
  • Home lab with a remote lab partner: Securely share resources, test services, and access both networks without exposing internal addresses to the internet
  • Temporary sites: Quick onboarding for pop-up offices or event venues with a simple IPsec tunnel

Frequently asked questions

What is a site-to-site VPN?

A site-to-site VPN creates a secure tunnel between two networks over the internet, allowing hosts on one site to reach hosts on the other as if they were on the same local network.

Can EdgeRouter X support IPsec site-to-site VPNs?

Yes. EdgeRouter X supports IPsec site-to-site VPNs via EdgeOS, using pre-shared keys or certificates and common IKE/ESP proposals.

Do I need static IPs for both sites?

Static public IPs are easiest, but you can work with dynamic IPs using dynamic DNS on each site. The important part is that the remote endpoints can reliably reach each other.

What encryption should I choose for the VPN?

AES-256 is a solid default, paired with SHA-256 for integrity. IKEv2 is generally preferred over IKEv1 for stability and efficiency.

How do I configure the VPN in GUI vs CLI?

GUI steps are user-friendly and guided, while CLI offers speed and repeatability. Both workflows require matching PSK, subnets, and IKE/ESP policy settings on both ends.

How do I verify the VPN tunnel is up?

Check the EdgeRouter X VPN/IPsec status using the GUI’s status tab or run show vpn ipsec sa / show vpn ipsec tunnel in CLI. A tunnel marked as ESTABLISHED indicates a healthy connection.

How do I set up NAT exemptions for VPN traffic?

Create NAT rules that exclude traffic between the two site subnets, ensuring that traffic destined for the other site doesn’t get translated to a public IP.

How can I test inter-site connectivity?

Ping devices across the tunnel, attempt to access a shared resource like a file server or printer on the remote LAN, and verify routing paths with traceroute.

What are common misconfigurations to avoid?

  • Subnet overlaps between sites
  • Mismatched PSK or IKE/ESP proposals
  • Incorrect remote IP addresses or WAN-side NAT behavior
  • Missing NAT exemptions for VPN traffic

What’s the best way to monitor VPN health long-term?

Regularly check the VPN status in EdgeOS, monitor logs for negotiation errors, and implement periodic ping tests between sites. If you’re growing, consider a centralized monitoring plan for multiple tunnels.

Can I run more than one site-to-site VPN on EdgeRouter X?

Yes. You can configure multiple IPsec peers, each with its own local/remote subnets and PSK, but you’ll want to manage them cleanly to avoid conflicts and ensure performance remains solid.

Is OpenVPN supported on EdgeRouter X?

IPsec is the standard for EdgeRouter X site-to-site VPNs. OpenVPN can be used in some EdgeOS setups but is not as commonly used for site-to-site tunnels as IPsec and may require additional packages or workarounds.

How do I secure dynamic environments (varying IPs, changing subnets)?

If IPs change, dynamic DNS on the WAN side helps keep the tunnel endpoints resolvable. Reconfigure or rebind the tunnel as needed, and keep a quick-change checklist handy.

Can I replicate this in a cloud environment or support a mixed setup?

Yes, with proper planning. You can connect EdgeRouter X to cloud VPN gateways or other VPN appliances, as long as the IPsec parameters (PSK, ISAKMP/IKE groups, ESP settings) align on both ends.

Final notes

Setting up a site-to-site VPN with EdgeRouter X is approachable, especially if you plan the subnet layout and security settings ahead of time. The GUI route gives you a gentle entry, while the CLI route gives power users quick repeatability. As you implement, keep monitoring simple: verify tunnel status after configuration, test inter-site reachability with practical tests, and ensure firewall rules are not inadvertently blocking legitimate traffic.
