
Ubiquiti edge router site to site vpn


Ubiquiti edge router site to site vpn: comprehensive guide to setting up IPsec site-to-site VPN with EdgeRouter across networks and best practices

Yes, you can set up a site-to-site VPN on a Ubiquiti EdgeRouter. In this guide, you’ll get a practical, no-fluff walkthrough that covers planning, configuration (GUI and CLI), testing, and maintenance. I’ll walk you through how to create a reliable IPsec site-to-site VPN between two EdgeRouter devices or between an EdgeRouter and another vendor’s VPN gateway. You’ll learn what to consider before you start, how to configure everything step by step, and how to troubleshoot common issues. Along the way, you’ll see real-world tips to keep traffic flowing securely between your networks.


Useful URLs and resources (non-clickable text)

  • Ubiquiti EdgeRouter official documentation – ubiquiti.com
  • EdgeOS user guide – help.ubiquiti.com
  • IPsec basics overview – en.wikipedia.org/wiki/Virtual_private_network
  • EdgeRouter performance benchmarks – smallnetbuilder.com
  • Networking best practices for VPNs – arstechnica.com/security or similar reputable sources

What you’ll learn in this guide:

  • How IPsec site-to-site VPN works on Ubiquiti EdgeRouter (EdgeOS)
  • Prerequisites you should check before starting
  • GUI-based (EdgeOS Web UI) setup steps you can follow in your browser
  • CLI-based setup steps for advanced users and for situations where the GUI isn’t available
  • How to route traffic through the VPN tunnel and verify it’s working
  • Common pitfalls and how to fix them quickly
  • How to maintain and back up VPN configuration for disaster recovery
  • A detailed FAQ with practical answers you can apply today

Why choose a Ubiquiti EdgeRouter for site-to-site VPN

  • EdgeRouter devices (EdgeRouter X, EdgeRouter Lite, EdgeRouter 4/6, and newer models) are purpose-built for small to medium businesses and tech-savvy homes. They strike a balance between price, performance, and control.
  • EdgeOS gives you granular control over VPN parameters, which is a big plus if you’re dealing with multiple subnets or complex routing rules.
  • IPsec site-to-site VPN is a widely supported standard, so you can link an EdgeRouter to a Cisco, a Fortinet FortiGate, or another EdgeRouter with relatively predictable results.
  • You can combine IPsec with static routes, policy-based routing, and firewall rules to ensure only the right traffic traverses the VPN.

What to plan before you start

  • Map your networks: list all LAN subnets on both sides, for example 192.168.10.0/24 on Site A and 192.168.20.0/24 on Site B.
  • Decide on the VPN topology: one IPsec tunnel per site, or multiple tunnels for redundancy.
  • Pick your encryption and hashing algorithms (AES-256, AES-128, SHA-256, etc.) and the DH group to use.
  • Understand NAT considerations: NAT-T is commonly used when devices sit behind NAT on either side.
  • Prepare pre-shared keys, or consider certificate-based authentication if you have the setup and know-how.
  • Plan firewall rules to allow IPsec traffic (UDP 500, UDP 4500 for NAT-T, the ESP protocol, etc.).
  • Confirm uptime expectations: remote organizations might require settings like DPD (dead peer detection) and specific rekeying intervals.

IPsec site-to-site VPN on EdgeRouter: how it works

IPsec site-to-site VPN creates a secure tunnel between two endpoints. Traffic between the two local networks is encapsulated, encrypted, and sent through the public internet. The tunnel is kept up through a combination of:

  • IKE (Internet Key Exchange) phase for initial key negotiation (IKEv1 or IKEv2, depending on device compatibility and remote peer support)
  • IPsec phase 2 (ESP) for data encapsulation and encryption
  • NAT-T if either side sits behind a NAT device
  • Phase 1 and Phase 2 lifetimes, rekey intervals, and PFS (perfect forward secrecy) settings

EdgeRouter supports configuring IPsec tunnels via the EdgeOS GUI and the CLI. You’ll typically specify:

  • Local and remote endpoints (WAN IPs)
  • Local and remote subnets
  • Pre-shared key (PSK) or certificate details
  • Phase 1 settings (IKE version, encryption, hash, DH group)
  • Phase 2 settings (ESP encryption, ESP hash, PFS)
  • NAT-T and MTU considerations
  • Traffic selectors or tunnel interfaces to route traffic through the VPN

Prerequisites and planning

  • Hardware: Make sure you’re using an EdgeRouter model that can handle your target throughput. EdgeRouter X and Lite are capable for small setups. EdgeRouter 4/6 are better for higher throughput scenarios but still depend on the encryption settings you choose.
  • Firmware: Update EdgeOS to a recent stable release so you have the latest IPsec features and bug fixes.
  • Network plan: Confirm IP ranges for both sides’ LANs and ensure there are no overlapping subnets.
  • Remote peer details: Collect the remote site’s public IP, the remote LAN subnets, and the authentication method (PSK vs certificate) that the other device supports.
  • NAT and firewall readiness: If either side sits behind NAT, enable NAT-T on both ends and ensure firewall policies allow IPsec traffic.
  • Security posture: Use a strong PSK or certificate approach. If you do use PSK, avoid short, easily guessable keys. Consider rotating keys on a regular basis.
  • Redundancy: If uptime is critical, plan for a second tunnel or alternate paths, and ensure both ends have proper failover logic.

Step-by-step setup: GUI method EdgeOS Web UI

This is the most approachable way for most users. The steps below assume you’re configuring a VPN on Site A (your EdgeRouter) connecting to Site B (the remote VPN gateway).

  1. Access the EdgeOS Web UI
  • Open your browser and log into the EdgeRouter’s web interface.
  • Authenticate with admin credentials.
  2. Create the VPN tunnel (IPsec)
  • Go to the VPN section, then IPsec.
  • Add a new tunnel or new peer, depending on the UI version.
  3. Configure Phase 1 (IKE)
  • IKE version: IKEv1 or IKEv2; choose based on what the remote peer supports. IKEv2 is generally preferred for better security and performance.
  • Encryption: AES-256 or AES-128.
  • Hash: SHA-256.
  • DH group: 14 (2048-bit MODP) or 19 (256-bit elliptic curve), or another recommended group your remote peer supports.
  • Authentication: pre-shared key (PSK), or certificate-based if you’ve set up a PKI.
  • Local address: your EdgeRouter’s WAN IP, or a wildcard if it is dynamic.
  • Remote address: the remote peer’s WAN IP.
  4. Configure Phase 2 (ESP)
  • Local subnet: your LAN subnet, e.g., 192.168.10.0/24.
  • Remote subnet: the remote LAN subnet, e.g., 192.168.20.0/24.
  • PFS: enable it, using a DH group that matches what the other side supports.
  5. Security and NAT
  • Enable NAT-T if either side sits behind NAT.
  • Add firewall rules to permit IPsec traffic:
    • Allow UDP 500 (IKE)
    • Allow UDP 4500 (NAT-T)
    • Allow ESP (IP protocol 50) if your firewall requires an explicit rule
  • Ensure the VPN tunnel is set to start automatically and that LAN traffic is allowed to pass through it.
  6. Pre-shared key
  • Enter the PSK on both sides. Use a long, random passphrase (at least 32 characters recommended).
  7. Static routes
  • Add static routes or policy-based routing so traffic destined for the remote LAN is sent through the VPN tunnel:
    • Destination network: 192.168.20.0/24 (remote LAN)
    • Next hop: the VPN tunnel interface or the correct tunnel-specific route
  8. Save and apply
  • Save the configuration and apply the changes.
  • The tunnel should establish automatically.
  9. Verification
  • From a host in Site A, ping a host in Site B, e.g., 192.168.20.10.
  • Check the EdgeRouter’s VPN status page for the tunnel state (up/down).
  • Use traceroute to verify the path goes through the VPN.

Notes:

  • If the tunnel doesn’t come up, verify that the remote device has matching Phase 1/Phase 2 settings, PSK, and LAN prefixes.
  • If you’re behind NAT or the remote site is behind a NAT, NAT-T must be enabled on both sides.
  • Some ISPs alter traffic in ways that affect VPNs; if you suspect this, test with a different ISP or use a backup uplink.

Step-by-step setup: CLI method for advanced users

If you’re more comfortable with the command line or you’re automating deployments, you can configure IPsec tunnels via the EdgeRouter CLI. The exact commands can vary slightly based on firmware, so treat the following as a template to adapt.

  1. Enter configuration mode
    configure

  2. Define the IKE (Phase 1) and ESP (Phase 2) groups
    set vpn ipsec ike-group IKE-GROUP-1 key-exchange ikev2
    set vpn ipsec ike-group IKE-GROUP-1 lifetime 28800
    set vpn ipsec ike-group IKE-GROUP-1 proposal 1 encryption aes256
    set vpn ipsec ike-group IKE-GROUP-1 proposal 1 hash sha256
    set vpn ipsec ike-group IKE-GROUP-1 proposal 1 dh-group 14
    set vpn ipsec esp-group ESP-GROUP-1 lifetime 3600
    set vpn ipsec esp-group ESP-GROUP-1 pfs dh-group14
    set vpn ipsec esp-group ESP-GROUP-1 proposal 1 encryption aes256
    set vpn ipsec esp-group ESP-GROUP-1 proposal 1 hash sha256
    set vpn ipsec ipsec-interfaces interface eth0
    (eth0 is the WAN interface in this template; substitute yours.)

  3. Define the peer and the tunnel (local/remote subnets)
    set vpn ipsec site-to-site peer <REMOTE-WAN-IP> local-address <LOCAL-WAN-IP>
    set vpn ipsec site-to-site peer <REMOTE-WAN-IP> ike-group IKE-GROUP-1
    set vpn ipsec site-to-site peer <REMOTE-WAN-IP> connection-type initiate
    set vpn ipsec site-to-site peer <REMOTE-WAN-IP> tunnel 1 esp-group ESP-GROUP-1
    set vpn ipsec site-to-site peer <REMOTE-WAN-IP> tunnel 1 local prefix 192.168.10.0/24
    set vpn ipsec site-to-site peer <REMOTE-WAN-IP> tunnel 1 remote prefix 192.168.20.0/24
    (Replace <REMOTE-WAN-IP> and <LOCAL-WAN-IP> with Site B’s and Site A’s public addresses. In EdgeOS the peer address is the key under which the rest of the tunnel is configured.)

  4. Pre-shared key
    set vpn ipsec site-to-site peer <REMOTE-WAN-IP> authentication mode pre-shared-secret
    set vpn ipsec site-to-site peer <REMOTE-WAN-IP> authentication pre-shared-secret <LONG-RANDOM-PSK>
    (Use the same long, random secret on both ends.)

  5. NAT and firewall
    set vpn ipsec nat-traversal enable
    set vpn ipsec auto-firewall-nat-exclude enable
    (auto-firewall-nat-exclude creates the UDP 500, UDP 4500 and ESP accept rules for traffic to the router and excludes VPN traffic from source NAT. If you prefer explicit rules, add them to your WAN-to-router ruleset, named WAN_LOCAL in the default wizard configuration:)
    set firewall name WAN_LOCAL rule 30 action accept
    set firewall name WAN_LOCAL rule 30 description "IKE and NAT-T"
    set firewall name WAN_LOCAL rule 30 protocol udp
    set firewall name WAN_LOCAL rule 30 destination port 500,4500
    set firewall name WAN_LOCAL rule 40 action accept
    set firewall name WAN_LOCAL rule 40 description "ESP"
    set firewall name WAN_LOCAL rule 40 protocol esp

  6. Commit and save
    commit
    save
    exit

  7. Bring up the tunnel
    With connection-type initiate, Site A starts negotiating as soon as the configuration is committed. To force a fresh negotiation from operational mode:
    restart vpn

  8. Verification
    show vpn ipsec sa
    show vpn ipsec status
    show vpn log

  • show vpn ipsec sa lists each peer and tunnel with its state and the negotiated algorithms; show vpn log shows the IKE negotiation messages if a tunnel stays down
  • Ping across the VPN from Site A to Site B

Important tip: The exact syntax for groups, proposals, and tunnel numbers can differ by firmware. Always cross-check with the official EdgeRouter CLI reference for your specific EdgeOS version.

Testing, troubleshooting, and common issues

  • Tunnel not coming up: Double-check the remote peer IP, PSK, and Phase 1/Phase 2 settings. Mismatches are the most common cause of failed VPN handshakes.
  • Traffic isn’t routing through VPN: Ensure static routes or policy-based routing are correctly configured to direct cross-site traffic via the VPN tunnel.
  • NAT-T issues: If you’re behind NAT, confirm NAT-T is enabled on both sides and that the firewall allows UDP 4500.
  • Phase 2 mismatches: If you get “no matching SA” or similar errors, review the ESP proposal settings (encryption and hash), and ensure the same PFS setting is used on both sides if you require it.
  • MTU issues: VPNs can run into fragmentation. If you see intermittent connectivity or dropped connections, lower your MTU slightly (e.g., to 1400) on the VPN peers.
  • Remote access vs site-to-site: Ensure you’re not conflating client VPN settings with site-to-site VPN settings. They use different phases and policies.
  • Dynamic IP on remote side: If the remote peer has a dynamic public IP, you’ll want to use a dynamic DNS service on that side and update the remote-address as needed or use a dynamic peer setting if the EdgeRouter supports it.
  • Firewall rules: VPN traffic must be allowed by both sides’ firewalls. A missing rule often looks like “no route to host” or “destination unreachable” when testing from inside the network.
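Most of the failures above are configuration asymmetries between the two routers. As an added example (not from the page and not Ubiquiti code), the Python script below compares the `set vpn ipsec ...` lines of both sides before you commit: it resolves each peer’s ike-group and esp-group and flags mismatched proposals, secrets, NAT-T settings, and prefixes that were copied rather than swapped on the second router. It assumes a single tunnel 1 and EdgeOS’s defaults (IKEv1 when key-exchange is unset, PFS on unless disabled); the sample configs, addresses and secret are constructed placeholders.

```python
# Added example (not from the page or Ubiquiti): check that two EdgeOS routers'
# `set vpn ipsec ...` lines mirror each other (Phase 1/2 proposals, PSK, NAT-T,
# prefixes). The sample configs below are constructed (documentation addresses).

def parse_set_lines(text):
    """Map each `set vpn ipsec <path> <value>` line to {path tuple: value}."""
    cfg = {}
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["set", "vpn", "ipsec"] and len(p) > 4:
            cfg[tuple(p[3:-1])] = p[-1]
    return cfg

def peer_view(cfg):
    """Collapse one router's config into the values the other side must match."""
    peer = next(k[2] for k in cfg if k[:2] == ("site-to-site", "peer"))
    base = ("site-to-site", "peer", peer)
    ike = ("ike-group", cfg[base + ("ike-group",)])
    esp = ("esp-group", cfg[base + ("tunnel", "1", "esp-group")])
    p1 = tuple(cfg.get(ike + ("proposal", "1", k)) for k in ("encryption", "hash", "dh-group"))
    p2 = tuple(cfg.get(esp + ("proposal", "1", k)) for k in ("encryption", "hash"))
    return {  # EdgeOS defaults: IKEv1 when key-exchange is unset, PFS on unless disabled
        "phase1": (cfg.get(ike + ("key-exchange",), "ikev1"),) + p1,
        "phase2": p2 + (cfg.get(esp + ("pfs",), "enable"),),
        "psk": cfg.get(base + ("authentication", "pre-shared-secret")),
        "nat_t": cfg.get(("nat-traversal",)) == "enable",
        "prefixes": tuple(cfg.get(base + ("tunnel", "1", s, "prefix")) for s in ("local", "remote")),
    }

def check_pair(text_a, text_b):
    """Return human-readable mismatches; an empty list means the pair is consistent."""
    a, b = peer_view(parse_set_lines(text_a)), peer_view(parse_set_lines(text_b))
    checks = [
        ("Phase 2 proposal", a["phase2"], b["phase2"]),
        ("Phase 1 proposal", a["phase1"], b["phase1"]),
        ("pre-shared secret", a["psk"], b["psk"]),
        ("NAT-T", a["nat_t"], b["nat_t"]),
        ("tunnel prefixes", a["prefixes"], b["prefixes"][::-1]),  # B's remote == A's local
    ]
    return [f"{name} mismatch: {x} vs {y}" for name, x, y in checks if x != y]

SITE_A = """
set vpn ipsec ike-group IKE-A key-exchange ikev2
set vpn ipsec ike-group IKE-A proposal 1 encryption aes256
set vpn ipsec ike-group IKE-A proposal 1 hash sha256
set vpn ipsec ike-group IKE-A proposal 1 dh-group 14
set vpn ipsec esp-group ESP-A proposal 1 encryption aes256
set vpn ipsec esp-group ESP-A proposal 1 hash sha256
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer 198.51.100.2 ike-group IKE-A
set vpn ipsec site-to-site peer 198.51.100.2 authentication pre-shared-secret EXAMPLE-PSK
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 esp-group ESP-A
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 remote prefix 192.168.20.0/24
"""
# Site B done right (prefixes swapped) and done wrong (prefixes copied, SHA-1 ESP, NAT-T off).
SITE_B_OK = (SITE_A.replace("192.168.10.0/24", "@").replace("192.168.20.0/24", "192.168.10.0/24")
             .replace("@", "192.168.20.0/24"))
SITE_B_BAD = (SITE_A.replace("ESP-A proposal 1 hash sha256", "ESP-A proposal 1 hash sha1")
              .replace("nat-traversal enable", "nat-traversal disable"))
```

Run check_pair(SITE_A, SITE_B_BAD) to see the three reported mismatches; the same function against the real `show configuration commands | match "vpn ipsec"` output of both routers gives you a pre-commit sanity check.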

Performance and tuning tips

  • Encryption choices matter: AES-256 with SHA-256 is strong, but may introduce a bit more load than AES-128. If you’re hitting throughput limits, you can try AES-128 and test to see if your throughput improves.
  • Hardware acceleration: EdgeRouter devices use CPU-based crypto. For higher throughput requirements, ensure you’re not over-engaging the CPU with too many VPN tunnels or overly aggressive firewall rules.
  • Jump-start with a single tunnel: Start with one tunnel to validate connectivity before adding additional tunnels for redundancy.
  • Regular backups: After a successful setup, export or back up your EdgeRouter configuration so you can recover quickly if something goes wrong.
  • Monitoring: Use the EdgeRouter dashboard to monitor VPN throughput and tunnel status. Logs can help identify negotiation issues and misconfigurations.

Security considerations and best practices

  • Use long, random pre-shared keys. Rotate PSKs on a schedule.
  • Prefer IKEv2 when supported, as it tends to be more reliable and faster in negotiation than IKEv1.
  • If you can implement certificates, consider a PKI-based approach for stronger authentication and easier key management across multiple sites.
  • Keep EdgeOS up to date with security patches and feature improvements.
  • Limit the VPN to only the necessary subnets. Avoid broad allow-all rules that might expose more than intended.
  • Document all tunnel configurations and keep them centralized in a maintenance notebook or a config management tool to simplify future changes or audits.

Use cases and real-world scenarios

  • Small business with two office locations: A reliable IPsec site-to-site VPN between EdgeRouter devices ensures secure inter-office communication and access to centralized resources.
  • Remote work with multiple sites: If you have a hub-and-spoke model, you can connect multiple remote sites to the main site via separate tunnels, using centralized firewall rules and route policies.
  • Branch office to data center: EdgeRouter’s IPsec VPN can link a small office to a data center with predictable performance and straightforward management.

Maintenance and backups

  • Regularly export configuration: Always keep a current backup of your EdgeRouter configuration so you can recover quickly after a failure or a firmware upgrade.
  • Document changes: Note the PSK changes, tunnel IPs, and subnet changes. This helps future admins understand the network quickly.
  • Schedule tests: Periodically test tunnel failover and verify that traffic routes correctly across VPN when a primary link fails.
  • Update firmware carefully: Test new firmware in a staging environment if possible, then roll out to production devices to minimize downtime.

Frequently Asked Questions

What is a site-to-site VPN?

A site-to-site VPN creates a secure, encrypted tunnel between two networks over the public internet, allowing devices on one network to communicate with devices on the other as if they were on the same LAN.

Can EdgeRouter handle IPsec site-to-site VPN?

Yes. EdgeRouter devices run EdgeOS, which supports IPsec-based site-to-site VPNs with both GUI and CLI configurations.

Which EdgeRouter models are best for site-to-site VPN?

All current EdgeRouter models support IPsec site-to-site VPN, but higher-end models like EdgeRouter 4/6 and newer offer higher throughput and better headroom for multiple tunnels and high traffic volumes.

Should I use IKEv1 or IKEv2 for IPsec?

IKEv2 is generally recommended for better security, stability, and performance. Check compatibility with the remote peer; if both sides support IKEv2, use it.

How do I configure IPsec site-to-site VPN on EdgeRouter using GUI?

Use EdgeOS Web UI > VPN > IPsec. Add a tunnel, enter local and remote endpoints, choose IKEv1/IKEv2 settings, specify local/remote subnets, configure the PSK, enable NAT-T if needed, and apply.

How do I configure IPsec site-to-site VPN on EdgeRouter using CLI?

Enter configuration mode, define IKE and ESP groups, set local/remote addresses, set local/remote subnets, provide PSK, and enable the tunnel. Commit and save, then verify with show commands.

How can I verify the VPN tunnel is up?

Check the EdgeRouter’s VPN status page in the GUI or use CLI commands to inspect the SA Security Association. Test connectivity by pinging remote LAN hosts and tracing routes.

How do I route traffic through the VPN tunnel?

Configure static routes or policy-based routing so traffic destined for the remote LAN goes through the VPN tunnel interface. Ensure firewall rules allow VPN traffic.

Can I connect a site-to-site VPN to a remote endpoint behind NAT?

Yes. NAT-T (NAT Traversal) is designed for this scenario. Ensure NAT-T is enabled on both sides and that UDP 4500 is allowed through the firewall.

Can I use a dynamic IP on the remote site?

Yes, with dynamic DNS on the remote side. The VPN will use the remote’s dynamic address as the endpoint, and you’ll update or resolve the remote endpoint as needed.

Should I use certificate-based authentication instead of a pre-shared key?

If you have a PKI in place and want scalable, centralized authentication for multiple sites, certificate-based authentication is a solid option. It’s more complex to manage but can be worth it for larger deployments.

How often should I rotate VPN keys?

A good practice is to rotate PSKs every 6–12 months, or sooner if you suspect a compromise. If you use certificates, rotate certificates per your PKI policy.

Are there any caveats when mixing EdgeRouter with other vendors’ VPN devices?

Most IPsec configurations are compatible, but you’ll need to align Phase 1/Phase 2 parameters encryption, hash, DH groups and confirm NAT-T support. Always test the tunnel with the exact models you’re connecting.

What if I need more than one VPN tunnel to the same remote site?

EdgeRouter supports multiple tunnels. You can configure separate tunnels for redundancy or traffic segmentation, ensuring each tunnel has its own local/remote subnet definitions and policies.

How do I back up and restore VPN configurations when upgrading firmware?

Export the current configuration from EdgeRouter, store it in a safe place, and re-import it after upgrading. Validate that the VPN tunnels come back up after the upgrade and adjust any settings if needed.

Are there performance tips for large VPN deployments?

  • Use stronger hardware or specialized models if you anticipate high traffic across multiple tunnels.
  • Optimize encryption settings and avoid over-allocating CPU cycles to encryption when possible.
  • Use multiple tunnels and staggered rekey intervals to reduce the risk of a single point of failure.

Final tips for success

  • Start simple: configure one reliable tunnel first, test thoroughly, then add more tunnels or branches.
  • Keep your documentation up to date so anyone on your team can manage the VPN without guessing.
  • Practice security hygiene: strong PSKs, regular updates, and careful firewall rules.
  • If you’re deploying multiple sites, consider a centralized monitoring or logging approach to quickly spot VPN issues.

This guide gives you a solid, practical path to building a reliable IPsec site-to-site VPN with Ubiquiti EdgeRouter devices. With careful planning, correct configuration, and proactive maintenance, you’ll have a robust network link that keeps your data safe while you focus on what matters most—your business or home network.
