Ubiquiti UniFi Configuration Guide

VPN Configuration Guide
Ubiquiti UniFi Security Gateway
© 2017 equinux AG and equinux USA, Inc. All rights reserved.
Under copyright law, this manual may not be copied, in whole or in
part, without the written consent of equinux AG or equinux USA, Inc.
Your rights to the software are governed by the accompanying software license agreement.
The equinux logo is a trademark of equinux AG and equinux USA,
Inc., registered in the U.S. and other countries. Other product and
company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
equinux shall have absolutely no liability for any direct or indirect,
special or other consequential damages in connection with the use of
this document or any change to the router in general, including without limitation, any lost profits, business, or data, even if equinux has
been advised of the possibility of such damages.
Every effort has been made to ensure that the information in this
manual is accurate. equinux is not responsible for printing or clerical
errors.
Revised 13 July 2017
Created using Apple Pages.
Apple, the Apple logo, Mac OS, MacBook are trademarks of Apple
Computer, Inc., registered in the U.S. and other countries.
www.vpntracker.com
Contents
Introduction ... 4
My VPN Gateway Configuration ... 5
Task 1 – UniFi Security Configuration ... 6
Task 2 – VPN Tracker Configuration ... 9
Task 3 – Test the VPN Connection ... 11
Appendix ... 13
Remote DNS Setup ... 13
Host to Everywhere ... 14
Introduction
This configuration guide will help you connect VPN Tracker to your UniFi Security VPN Gateway.
Prerequisites
Your VPN Gateway
‣ Make sure you have installed the latest firmware updates on your UniFi Security gateway. You’ll need version 5.5 or later to configure a local RADIUS server on your UniFi gateway.
‣ This guide is a supplement to the documentation included with your UniFi Security device, so check the UniFi Security manual for additional setup information not covered here.
Your Mac
‣ The configuration described in this guide requires VPN Tracker 365. Make sure you have installed all available updates. The latest VPN Tracker updates can be downloaded from http://www.vpntracker.com
Using the Configuration Guide
UniFi Security Configuration
This guide will walk you through setting up a VPN tunnel on your UniFi Security gateway.
If you are setting up VPN on your UniFi Security device for the first time, we strongly recommend you keep to the setup proposed in this guide, and make modifications only after you have tested the basic setup.
VPN Tracker Configuration
In the second part of this guide, we’ll show you how to configure VPN Tracker to easily connect to your newly created VPN.
Appendix
The remainder of the guide covers advanced setups, such as Remote DNS.
Conventions Used in This Document
Links to External Websites
Sometimes you will be able to find more information on external websites. Clicking links to websites will open the website in your web browser: http://equinux.com
Links to Other Parts of this Guide
A → link will take you to another place in the configuration guide. Simply click it if you are reading this guide on your computer.
My VPN Gateway Configuration
Throughout this guide, there are certain pieces of information that are needed later on for configuring VPN Tracker. This information is marked with red numbers to make it easier to reference. You can print out this checklist to help keep track of the various settings of your UniFi Security VPN gateway. Not all settings are required for all setups, so don’t worry if some stay empty.
IP Addresses
➊ UniFi Security WAN IP Address: ___.___.___.___ or host name: ____________
➋ LAN Network: ___.___.___.___ / ___.___.___.___
Authentication
➌ Pre-Shared Key: ____________
➍ XAUTH Username: ____________
➎ XAUTH Password: ____________
Task 1 – UniFi Security Configuration
This guide assumes that your UniFi Security has Internet access and that a LAN network is configured.
Configuration of the device is entirely done in the “UniFi Controller” software. This guide applies to UniFi Controller versions 5.5 or newer.
Step 1 – Enable the RADIUS server
‣ Choose “Settings” > “Services.”
‣ Then, choose “RADIUS” > “Server.”
‣ Enter a “Secret” (the password for your RADIUS server) and make a note of it.
Step 2 – Add Users
‣ Choose “Settings” > “Services” again.
‣ Then choose “RADIUS” > “Users.”
‣ Enter a name ➍ and password ➎ and add them to your checklist.
‣ Tunnel Type and Tunnel Medium Type are important and should be set to “L2TP” and “IPv4”.
‣ Click “SAVE” when you are done.
Step 3 – Create a RADIUS profile
‣ Go to “Settings” > “Profiles.”
‣ The IP address is the (internal) LAN address of the Security Gateway, as the RADIUS server runs on this device.
‣ Shared Secret is the one we created in Step 1.
Step 4 – Add a dedicated VPN Network
‣ Choose “Settings” > “Networks”.
‣ Select “Remote User VPN” as purpose.
‣ The type needs to be L2TP Server.
‣ Gateway/Subnet need to be set to a new address range (one that is not already being used on the Security Gateway).
‣ IP Pool is autofilled after the gateway has been filled in.
‣ Name Server should be set to Auto.
‣ RADIUS profile should be the one we created in Step 3.
‣ Click “Save”.
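The Gateway/Subnet step above requires an address range that is not already in use on the Security Gateway, and the controller then derives the client IP pool from it. The following Python script is an added example (not part of this guide or of Ubiquiti's software) that checks a candidate Gateway/Subnet value against the networks you already have (the LAN network ➋ from the checklist plus any others) before you type it into the controller. The sample addresses 192.168.1.0/24 and 192.168.99.1/24 are constructed for the example, and the pool model (every host address except the gateway) is an assumption, not the controller's documented rule.

```python
import ipaddress
from typing import Iterable


def plan_remote_user_vpn(gateway_cidr: str, existing_networks: Iterable[str]) -> dict:
    """Validate a candidate Gateway/Subnet for the 'Remote User VPN' network.

    gateway_cidr:      the value you intend to enter as Gateway/Subnet,
                       e.g. "192.168.99.1/24" (gateway address plus prefix length).
    existing_networks: every network already configured on the gateway
                       (LAN network from the checklist, guest/VLAN networks, ...).
    Returns the derived gateway, subnet, client pool and any overlapping networks.
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    if iface.version != 4:
        # Step 2 sets Tunnel Medium Type to IPv4, so only IPv4 ranges are planned here.
        raise ValueError("Remote User VPN in this guide uses IPv4")
    subnet = iface.network
    if iface.ip in (subnet.network_address, subnet.broadcast_address):
        raise ValueError("gateway must be a host address inside the subnet")

    # strict=False accepts both "192.168.1.0/24" and "192.168.1.1/24" as an existing network.
    overlaps = [
        str(net)
        for net in (ipaddress.ip_network(n, strict=False) for n in existing_networks)
        if net.overlaps(subnet)
    ]

    # Assumed pool model: all host addresses of the subnet except the gateway itself.
    pool = [h for h in subnet.hosts() if h != iface.ip]
    if not pool:
        raise ValueError("subnet leaves no addresses for the client IP pool")

    return {
        "gateway": str(iface.ip),
        "subnet": str(subnet),
        "pool_first": str(pool[0]),
        "pool_last": str(pool[-1]),
        "pool_size": len(pool),
        "overlaps": overlaps,
        "ok": not overlaps,
    }


if __name__ == "__main__":
    # Constructed sample: LAN network 192.168.1.0/24 already exists on the gateway.
    existing = ["192.168.1.0/24"]
    for candidate in ("192.168.99.1/24", "192.168.1.1/24"):
        plan = plan_remote_user_vpn(candidate, existing)
        status = "OK" if plan["ok"] else "OVERLAPS " + ", ".join(plan["overlaps"])
        print(f"{candidate}: {status}; pool {plan['pool_first']}-{plan['pool_last']} "
              f"({plan['pool_size']} addresses)")
```

Run it before filling in Step 4: a result with `ok` false means the range collides with a network the gateway already routes, which is exactly the condition the step tells you to avoid.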
Task 2 – VPN Tracker Configuration
From Task 1, your → Configuration Checklist will have all your UniFi Security settings. We will now create a matching configuration in VPN Tracker.
Step 1 – Add a Connection
‣ Open VPN Tracker.
‣ Click “Create a Connection” (or click the + button in the lower left corner).
‣ Select “UniFi Security” from the list.
‣ Select UniFi Security Gateway.
‣ Click “Create”.
Step 2 – Configure the VPN Connection
‣ Click “Configure” and switch to the “Basic” tab.
‣ VPN Gateway: Enter your UniFi Security’s public IP address or its host name ➊ from your → Configuration Checklist.
‣ Network Configuration: Choose Host to Everywhere.
‣ Click “Done”.
Task 3 – Test the VPN Connection
It’s time to go out!
You will not be able to test and use your VPN connection from within the UniFi Security’s network. In order to test your connection, you will need to connect from a different location.
For example, if you are setting up a VPN connection to your office, try it out at home. If you are setting up a VPN connection to your home network, try it from an Internet cafe, or go visit a friend.
Connect to your VPN
‣ Make sure that your Internet connection is working – open your Internet browser and check that you can open http://www.equinux.com
‣ Open VPN Tracker.
‣ Click the On/Off slider for your connection.
‣ If you are using VPN Tracker for the first time with your current Internet connection, it will test your connection. Wait for the test to complete.
‣ Depending on your setup, you will be prompted to enter your pre-shared key ➌ and Extended Authentication (XAUTH) user name ➍ and password ➎. Optionally, check the box “Store in Keychain” to save the password in your keychain so you are not asked for it again when connecting the next time.
Connected!
Connecting may take a couple of seconds. If the On/Off button turns blue that’s great – you’re connected!
Now is a great time to take a look at the VPN Tracker Manual. It shows you how to use your newly established VPN and how to get the most out of it.
VPN on – Internet off?
If your Internet connection seems to be offline whenever you connect the VPN, your UniFi Security might be configured to send all your Internet traffic through the VPN, but you’re probably missing the right remote DNS setup to make it work. Please refer to the chapters about “Remote DNS” and “Host to Everywhere” connections for information on how to configure remote DNS.
Troubleshooting
In case there’s a problem connecting, a yellow warning triangle will show up.
Click the yellow warning triangle to be taken to the log. The log will explain exactly what the problem is. Follow the steps listed in the log.
Press Cmd-L to open the log in a new window. That way, you can have the log side-by-side with your VPN configuration while making changes to troubleshoot a problem.
In most cases, the advice in the log should be sufficient to resolve the issue. However, VPNs are a complex topic and there might be trickier issues with which you need additional help.
VPN Tracker Manual
The VPN Tracker Manual contains detailed troubleshooting advice.
Frequently Asked Questions (FAQs)
Answers to frequently asked questions can be found at http://www.vpntracker.com/support
Technical Support
If you’re stuck, the technical support team at equinux is here to help. Contact us via http://www.vpntracker.com/support
Please include the following information with any request for support:
‣ A description of the problem and any troubleshooting steps that you have already taken.
‣ A VPN Tracker Technical Support Report (Log > Technical Support Report).
‣ UniFi Security model and the firmware version running on it.
‣ Screenshots of the Client VPN settings on your UniFi Security.
A Technical Support Report contains the settings and logs necessary for resolving technical problems. Confidential information (e.g. passwords, private keys for certificates) is not included in a Technical Support Report.
Appendix
Remote DNS Setup
VPN Tracker can use DNS servers on the remote network of the VPN to look up host names of resources on the remote network of the VPN.
Prerequisites
If you or your organization operate a DNS server on your UniFi’s network, VPN Tracker can use it to look up the host names of internal resources (e.g. for turning intranet.ny.example.com into the IP address 192.168.13.94).
Remote DNS is entirely optional for Host to Network connections. You can always use IP addresses instead of host names; that’s just less convenient.
DNS Server
To set up remote DNS, you need to know the IP address(es) of the DNS server(s) that you want to use.
My DNS Server: ___.___.___.___
Domain
VPN Tracker can use the remote DNS server for all DNS lookups (All Domains) or just for some domains (Search Domains). If you want VPN Tracker to use the remote DNS servers only for some domains (e.g. everything ending in “ny.example.com”), write down these domains here:
Search Domains: ____________
Setup in VPN Tracker
Remote DNS can be set up in VPN Tracker without making any changes to your UniFi Security.
‣ Click “Configure” and go to the “Basic” tab in VPN Tracker.
‣ Check the box “Use Remote DNS Server”.
‣ Uncheck the box “Receive DNS Settings from VPN Gateway”.
‣ DNS Servers: Enter your DNS server. To enter additional DNS servers, press the green plus button.
‣ Search Domains: Enter the domains that you want this DNS server to be used for. Can be left empty to use the remote DNS server for all DNS lookups.
‣ Use DNS Server for: Choose “Search Domains” to only use the DNS server for the domains listed above. Choose “All Domains” to always use this DNS server when the VPN is connected.
‣ Use for reverse lookup of IP addresses in remote networks: Should be checked unless your DNS server is incapable of reverse lookups.
Requests to a remote DNS server do not necessarily go through the VPN. Which traffic is sent through the VPN is determined solely by the VPN’s remote network(s) and topology.
If the remote DNS server is located on the remote network(s) of the VPN (or if a Host to Everywhere connection is used), requests to the remote DNS server will go through the VPN.
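The two settings above (which lookups are sent to the remote DNS server, and whether those lookups actually travel inside the tunnel) are decided independently, and the second one depends only on the remote network(s) and topology. The following Python script is an added example, not part of this guide or of VPN Tracker, that models both decisions so you can check a planned setup before connecting: the guide's example name intranet.ny.example.com, the search domain ny.example.com, the DNS server address 192.168.13.1 and the remote network 192.168.13.0/24 are constructed sample values, and the matching rules are this example's own reading of the settings, not VPN Tracker's implementation.

```python
import ipaddress
from typing import Iterable


def _normalize(name: str) -> str:
    """Lowercase a DNS name and drop a trailing dot so suffix matching is exact."""
    return name.strip().lower().rstrip(".")


def uses_remote_dns(hostname: str, use_for: str, search_domains: Iterable[str]) -> bool:
    """Model the 'Use DNS Server for' setting.

    "All Domains"    -> the remote server answers every lookup while connected.
    "Search Domains" -> only names equal to, or below, one of the listed domains.
    """
    if use_for == "All Domains":
        return True
    if use_for != "Search Domains":
        raise ValueError("use_for must be 'All Domains' or 'Search Domains'")
    host = _normalize(hostname)
    for domain in search_domains:
        dom = _normalize(domain)
        # Match the domain itself and anything below it, but not a name that merely
        # ends with the same characters ("sunny.example.com" vs "ny.example.com").
        if host == dom or host.endswith("." + dom):
            return True
    return False


def dns_query_goes_through_vpn(dns_server: str, remote_networks: Iterable[str], topology: str) -> bool:
    """Apply the guide's caveat: tunnelling is decided by remote network(s) and topology,
    never by the DNS settings themselves."""
    if topology == "Host to Everywhere":
        return True  # all traffic, DNS included, goes through the tunnel
    server = ipaddress.ip_address(dns_server)
    return any(server in ipaddress.ip_network(n, strict=False) for n in remote_networks)


def resolution_plan(hostname: str, dns_server: str, use_for: str,
                    search_domains: Iterable[str], remote_networks: Iterable[str],
                    topology: str) -> dict:
    """Combine both decisions and flag the case where the remote server is asked
    but the query would leave the client outside the tunnel."""
    asks_remote = uses_remote_dns(hostname, use_for, search_domains)
    tunneled = dns_query_goes_through_vpn(dns_server, remote_networks, topology)
    warning = ""
    if asks_remote and not tunneled:
        warning = ("remote DNS server is outside the remote network(s) and the topology "
                   "is not Host to Everywhere: the query will not go through the VPN")
    return {
        "hostname": hostname,
        "asks_remote_server": asks_remote,
        "query_inside_tunnel": asks_remote and tunneled,
        "warning": warning,
    }


if __name__ == "__main__":
    # Constructed sample: office DNS server on the remote LAN, Host to Network topology.
    for name in ("intranet.ny.example.com", "sunny.example.com", "www.equinux.com"):
        plan = resolution_plan(name, "192.168.13.1", "Search Domains",
                               ["ny.example.com"], ["192.168.13.0/24"], "Host to Network")
        print(plan)
    # Same setup, but the DNS server is not on the remote network: the warning fires.
    print(resolution_plan("intranet.ny.example.com", "10.99.0.53", "Search Domains",
                          ["ny.example.com"], ["192.168.13.0/24"], "Host to Network"))
```

A non-empty `warning` is the situation the appendix cautions about: the client would send internal host-name lookups to a server it cannot reach through the tunnel, which is also the typical cause of the "VPN on, Internet off" symptom described in Task 3 when the topology is Host to Everywhere and no reachable DNS server is configured.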
Host to Everywhere
To send all Internet traffic through the VPN, you’ll need a connection that uses a “Host to Everywhere” topology.
Switch to Host to Everywhere
In VPN Tracker, go to Basic > Network Configuration and switch the Topology to “Host to Everywhere”.
If you check the Status tab in VPN Tracker, it should now display “Internet” to the right of your VPN gateway, instead of the remote network.