

An EdgeRouter site-to-site VPN is a way to securely connect two or more private networks over the internet using EdgeRouter devices. In this guide you’ll get a practical, step-by-step approach to setting up a solid IPsec site-to-site connection between two EdgeRouter-based networks, plus real-world tips, common pitfalls, and troubleshooting steps. We’ll cover prerequisites, CLI and GUI configuration, firewall and NAT considerations, and how to test and monitor your tunnel.
What you’ll learn in this guide
- How IPsec site-to-site works on EdgeRouter and why it’s a good fit for branch-to-branch connectivity
- The exact prerequisites you need before you start
- A ready-to-use CLI configuration example plus GUI steps
- How to design the network prefixes and security proposals for robust security
- How to test, verify, and monitor your tunnel post-setup
- Common mistakes and how to avoid them
Introduction: why EdgeRouter site-to-site VPN matters
If you’re running multiple offices or remote sites, a site-to-site VPN on EdgeRouter gives you a private tunnel across the public internet. It means your devices in one office can reach devices in another office as if they were on the same local network, but without exposing those devices to the internet directly. The EdgeRouter family from Ubiquiti is popular for small to mid-sized deployments because of its solid IPsec support, flexible CLI, and user-friendly GUI. You can mix and match EdgeRouter models from EdgeRouter X to EdgeRouter Infinity, and still get a robust tunnel as long as you’re consistent with your IP addressing, keys, and policies.
Key considerations before you start
- Public IPs: You’ll need a static public IP on each edge device or a reliable dynamic IP with dynamic DNS support on both sides.
- Subnets: Plan your local subnets to avoid overlapping ranges. Typical setups use 10.0.0.0/24 on one side and 192.168.0.0/24 on the other, but you can tailor this to your environment.
- Security: Use strong pre-shared keys (PSK) or, where possible, certificate-based authentication. AES-256 and SHA-256 or better are now standard.
- Performance: EdgeRouter devices handle IPsec well, but performance depends on CPU, VPN throughput, and the number of tunnels. If you’re running multiple tunnels or high traffic, consider a model with a stronger processor.
- NAT considerations: You’ll want to exempt VPN traffic from NAT so that packets retain their intended internal addresses. This reduces the chance of leaks and helps with routing accuracy.
- Monitoring: Plan on regular checks of tunnel status, uptime, and health. Simple pings across the tunnel and periodic traceroutes can save you debugging time later.
Prerequisites checklist
- Two EdgeRouter devices (EdgeRouter X, 4, 6, or higher) with EdgeOS up to date
- Each site’s local network range (LAN) and the remote LAN range clearly defined
- Public IP addresses for both sites, or dynamic IP with a reliable dynamic DNS setup
- A strong pre-shared key, or a certificate-based setup if you’re comfortable with PKI
- Administrative access to both EdgeRouter devices (SSH/CLI or GUI)
- Basic firewall rules allowing IPsec (IKE and ESP) traffic
- A plan for NAT exemption to avoid translating VPN traffic
Step-by-step setup (CLI approach)
Below is a practical, copy-and-paste-friendly CLI example. Adapt IPs, PSK, and subnets to your environment. The example uses a typical AES-256, SHA-256, and group 14 (2048-bit DH) configuration. It also includes a basic NAT exemption approach by ensuring the VPN traffic does not get translated.
- Prepare your variables
- Local side: 10.1.0.0/24
- Remote side: 172.16.0.0/16
- Local public IP: 198.51.100.1
- Remote public IP: 203.0.113.2
- PSK: YourStrongPSK
- Enter the EdgeRouter CLI
configure
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group IKE-GROUP-1 key-exchange ikev2
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-GROUP-1 lifetime 28800
set vpn ipsec esp-group ESP-GROUP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP-1 proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP-1 pfs enable
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'YourStrongPSK'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-GROUP-1
set vpn ipsec site-to-site peer 203.0.113.2 default-esp-group ESP-GROUP-1
set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 172.16.0.0/16
commit
save
Notes:
- If either side uses a dynamic IP, rely on a dynamic DNS service and adjust the peer configuration to reflect that setup.
- local-address is the public IP of the EdgeRouter you are configuring, and the local prefix is its internal subnet. Apply the mirrored configuration on the other site, swapping the peer address, local-address, and local/remote prefixes.
- Exempt VPN traffic from NAT (conceptual guidance)
NAT can interfere with the tunnel if the VPN peers or internal subnets get translated. You’ll want to create a NAT exemption rule (policy-based NAT) so traffic between 10.1.0.0/24 and 172.16.0.0/16 doesn’t get translated. The exact commands depend on your firewall layout, but in practice you’ll:
- Define a firewall rule set for VPN traffic
- Add a NAT exemption rule that matches traffic from your local VPN subnet to the remote VPN subnet
- Apply the rule to the correct interface (usually the WAN interface)
If you’re unsure, check EdgeRouter documentation or your firewall ruleset reference for NAT exemption examples tailored to EdgeOS.
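As an added example (not from the original guide), the manual EdgeOS equivalent of the three steps above for the Site A addresses used in this guide. It assumes the WAN interface is eth0, that the default rule sets WAN_LOCAL and WAN_IN are in use, and that the existing masquerade rule is numbered 5010; rule numbers are otherwise arbitrary. On EdgeOS you can instead let the router generate equivalent rules with `set vpn ipsec auto-firewall-nat-exclude enable`.

```text
configure

# Router-destined IPsec control traffic, restricted to the known peer
set firewall name WAN_LOCAL rule 30 description 'IKE and NAT-T from VPN peer'
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 source address 203.0.113.2
set firewall name WAN_LOCAL rule 30 destination port 500,4500
set firewall name WAN_LOCAL rule 40 description 'ESP from VPN peer'
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 40 source address 203.0.113.2

# Decrypted tunnel traffic re-enters on the WAN interface, so WAN_IN must admit it;
# match-ipsec limits the rule to packets that actually arrived inside an SA
set firewall name WAN_IN rule 30 description 'Decrypted site-to-site traffic'
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 ipsec match-ipsec
set firewall name WAN_IN rule 30 source address 172.16.0.0/16
set firewall name WAN_IN rule 30 destination address 10.1.0.0/24

# NAT exclusion: must be numbered below the masquerade rule (5010 assumed) so it matches first
set service nat rule 5000 description 'Do not NAT traffic entering the tunnel'
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 source address 10.1.0.0/24
set service nat rule 5000 destination address 172.16.0.0/16
set service nat rule 5000 type masquerade

commit
save
exit
```

After committing, `show nat rules` should list rule 5000 as an exclude rule ahead of the masquerade rule, and the Site B router needs the same rules with the subnets and peer address swapped.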
- Verify the tunnel
- In the CLI: run show vpn ipsec sa to view the IPsec Security Associations
- Check IKE status with show vpn ike sa (the exact command varies by EdgeOS version)
- On the remote site, try pinging a host in the opposite LAN (e.g., ping 10.1.x.x from 172.16.x.x)
- If pings fail, ensure you’ve matched:
- Remote networks (local prefix vs remote prefix)
- PSK
- IKE and ESP proposals
- NAT exemption rules
- Firewall allowances for IPsec/IKE/ESP on both sides
Step-by-step setup (GUI approach)
If you prefer a UI-based workflow, here’s a high-level path you can follow in the EdgeOS GUI:
- Go to VPN > IPsec
- Add a new Site-to-Site VPN peer
- Enter the remote peer’s public IP address
- Choose the authentication method (pre-shared key) and enter the PSK
- Define the IKE group and the ESP group (AES-256, SHA-256, DH group 14)
- Set the local and remote networks (local prefix and remote prefix)
- Apply the changes and save
- Create a firewall rule to allow IPsec traffic and ensure you exclude VPN subnets from NAT
- Re-check the tunnel status from the VPN status page
GUI steps tend to be more visual and can be easier if you’re migrating from another firewall or router.
Testing and validation after setup
- Basic connectivity: From a host in the local LAN, ping a host in the remote LAN and vice versa
- Latency and jitter: Run a quick traceroute to remote hosts to verify path stability
- NAT behavior: Confirm that internal addresses are not being NAT’d over the tunnel
- Failover checks: If you have a second tunnel or a second path, test automatic failover
- Security checks: Confirm that data packets are encrypted (look for ESP in the IPsec SA)
Best practices for a robust EdgeRouter site-to-site VPN
- Use a strong PSK or, preferably, certificate-based authentication
- Prefer IKEv2 over IKEv1 where supported for better reliability and rekey efficiency
- Use AES-256 for encryption and SHA-256 or SHA-384 for integrity
- Enable Perfect Forward Secrecy (PFS) with a modern Diffie-Hellman group (e.g., 14)
- Keep both EdgeRouter devices updated to the latest EdgeOS version
- Regularly monitor tunnel health and set up alerts for tunnel down events
- Maintain clear network diagrams showing local/remote subnets and gateway IPs
- Document your exact EdgeRouter commands or GUI steps so you can reproduce changes quickly
Common pitfalls and how to avoid them
- Mismatched subnets: Double-check local-prefix and remote-prefix on both sides. A mismatch is the most common cause of tunnel failure.
- PSK mismatch: A small typo in the PSK will break authentication. Copy-paste when possible, and re-enter carefully.
- NAT or firewall blocks: If traffic is being NAT’d, or if ESP/IKE ports are blocked, the tunnel will fail. Confirm firewall and NAT rules on both sides.
- Dynamic IPs: If either side uses a dynamic IP, ensure you have a reliable dynamic DNS setup and that the remote side is updated accordingly.
- Overlapping addresses: Avoid overlapping subnets across sites. If you must overlap, consider NAT-based translation or redesigning subnets.
- Hardware limitations: Some EdgeRouter models struggle with multiple high-throughput tunnels. If you’re running a large or busy site-to-site VPN, consider a model with more CPU headroom.
Advanced topics and optimization
- Multiple tunnels: For redundancy, configure a second VPN peer with a different remote IP and separate IKE/ESP groups. This increases reliability if one path fails.
- Dynamic DNS: If static IPs aren’t possible, use a reliable dynamic DNS service and ensure both sides can update their peers when IPs change.
- Split tunneling: If you only want traffic destined for the remote network to go through the VPN, configure split tunneling to reduce bandwidth usage on the VPN link.
- Monitoring dashboards: Use SNMP or NetFlow, if supported, to monitor VPN performance alongside general router health.
- Certificate-based authentication: For larger deployments or higher security needs, switch to certificates to avoid PSK risks.
Data, statistics, and what to expect
- IPsec remains the most common protocol for site-to-site VPN deployments in small to medium businesses due to its maturity and broad device support.
- AES-256 with SHA-256 is the industry standard for new site-to-site VPNs, balancing security and performance on most EdgeRouter devices.
- IKEv2 is favored for its better resilience to network changes and faster rekeying, which helps with long-lived tunnels.
Frequently asked questions
How does an Edgerouter site-to-site vpn work?
It creates a private, encrypted tunnel between two EdgeRouter devices, allowing devices on each local network to reach the other network securely over the public internet. The tunnel is defined by a pair of networks (local prefix and remote prefix), a shared key or certificates, and agreed-upon security proposals for IKE and ESP.
Can EdgeRouter support IKEv2 for site-to-site VPNs?
Yes, EdgeRouter devices support IKEv2 and are commonly configured to use IKEv2 for reliability and performance, though some older setups still use IKEv1. IKEv2 often works better with dynamic IPs and has faster rekeying.
What is the difference between site-to-site VPN and remote access VPN on EdgeRouter?
Site-to-site VPN connects entire networks at each site, enabling inter-site communication as if on a single LAN. Remote access VPN is for individual clients like laptops to connect to a single network, typically using VPN client software on the device.
What are the best encryption and hash options for IPsec on EdgeRouter?
AES-256 for encryption and SHA-256 or SHA-384 for integrity are standard. Pair these with a modern DH group like group 14 and enable PFS for stronger security.
How do I choose the remote network prefixes?
Use non-overlapping private subnets for each site. For example, 10.1.0.0/24 on Site A and 172.16.0.0/16 on Site B. Ensure both sides know exactly which subnets to route through the tunnel.
How do I test a new Edgerouter site-to-site VPN?
After configuration, verify IPsec SA status, ping remote LAN hosts, run traceroutes, and confirm that NAT is not translating traffic across the tunnel. If tests fail, recheck PSK, IPs, and subnet definitions.
What if my IP changes on one side?
Use a dynamic DNS service and configure the remote peer to reflect IP changes automatically, or use a VPN solution that supports dynamic updates. Some EdgeRouter setups handle dynamic IPs gracefully, but you must configure the dynamic endpoint properly.
Can I use WireGuard on EdgeRouter for site-to-site VPN?
EdgeRouter devices traditionally focus on IPsec. WireGuard support has been expanding in the EdgeOS ecosystem, but not all EdgeRouter models natively support WireGuard. If you need WireGuard, verify your exact model and EdgeOS version, or consider a device with built-in WireGuard support or a dedicated VPN gateway.
How do I secure my EdgeRouter beyond VPN setup?
Keep firmware updated, use strong admin passwords, disable unused services, enable two-factor authentication on management interfaces if available, and limit management to trusted IPs. Regular backups of your configuration are also essential.
Can I scale EdgeRouter site-to-site VPN to many sites?
Yes, but plan for management overhead. Use consistent addressing, centralized monitoring, and consider a dedicated VPN management strategy. For many sites, a robust routing protocol like OSPF or BGP in combination with IPsec can simplify route management across the network.
What logs should I monitor for IPsec VPN health?
Look at IPsec SA status, tunnel uptime, IKE negotiation logs, and firewall/NAT logs that relate to VPN traffic. EdgeRouter’s GUI and CLI provide access to SA status, while syslog can help with deeper diagnostics.
If you’re ready to extend this setup, experiment with a second tunnel for redundancy. EdgeRouter site-to-site VPNs are a solid foundation for reliable interoffice networks, and with careful planning they can be remarkably stable and straightforward to manage.