Unifi USG VPN from Behind NAT Firewall



  • Have a USG behind another router. It's not a long term thing, but we need it until we switch ISPs. Need to make a site to site VPN with another site that has the USG on a public IP. Anyone know how to do this with the USG? Is it possible? Just need the double NAT'd site to reach out, rather than be reached.



  • lol - I did something similar - though I think it's OpenVPN on the USG... in front of it is an ER-X, I opened the ports for OpenVPN and forwarded them to the USG, and it worked.



  • As @Dashrender mentions, we do need to DMZ the USG or forward the required ports.

    We would also need to use the external site IP as the authentication ID for the VPN, so something like this:

    set vpn ipsec site-to-site peer peer's-public-ip authentication id local-public-ip
    


  • Also add the changes to a config.gateway.json file in the controller so changes made directly on the USG don't get deleted on the next provision.

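Putting the two previous posts together: the `set vpn ipsec site-to-site peer ... authentication id ...` command has to survive the controller's next provision, which means expressing it in the nested JSON form that config.gateway.json uses (each token of the `set` path becomes a nested key, the last token the value). The script below is an added example written for this thread, not code from the posts or from Ubiquiti; it converts EdgeOS-style `set` lines into that tree. The peer address 203.0.113.10, the local public address 198.51.100.20 and the `remote-id` / pre-shared-secret lines are assumed placeholders (documentation ranges), not values from the thread; substitute your own.

```python
"""Convert EdgeOS-style `set ...` commands into the nested JSON tree that the
UniFi controller reads from config.gateway.json.

Added example for the thread above; not code from the posts or from Ubiquiti.
All addresses below are placeholders from the documentation ranges.
"""
import json
import shlex

# Constructed sample. The USG sits behind NAT, so its own WAN address is a
# private one; `authentication id` forces the IKE identity to the NAT'd
# site's public address, which is what the peer sees packets arriving from.
# `remote-id` pins the identity we expect from the far end. The peer/local
# addresses and the secret are assumptions, not values from the thread.
SAMPLE_COMMANDS = [
    "set vpn ipsec site-to-site peer 203.0.113.10 authentication id 198.51.100.20",
    "set vpn ipsec site-to-site peer 203.0.113.10 authentication remote-id 203.0.113.10",
    "set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret",
    "set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret 'REPLACE-ME'",
]


def set_to_tree(commands):
    """Merge a list of `set <path...> <value>` lines into one nested dict.

    Repeated paths with different values become a list, which is how
    config.gateway.json represents multi-valued nodes.
    """
    tree = {}
    for line in commands:
        tokens = shlex.split(line)  # honours quoted values such as 'REPLACE-ME'
        if len(tokens) < 3 or tokens[0] != "set":
            raise ValueError(f"expected 'set <path> <value>', got {line!r}")
        *path, value = tokens[1:]
        node = tree
        for key in path[:-1]:
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} is already a leaf; cannot nest under it: {line!r}")
        leaf = path[-1]
        existing = node.get(leaf)
        if existing is None:
            node[leaf] = value
        elif isinstance(existing, dict):
            raise ValueError(f"{leaf!r} is a branch; cannot assign a value: {line!r}")
        elif isinstance(existing, list):
            if value not in existing:
                existing.append(value)
        elif existing != value:
            node[leaf] = [existing, value]
    return tree


def render_gateway_json(commands):
    """Return the config.gateway.json text for the given set commands."""
    return json.dumps(set_to_tree(commands), indent=2, sort_keys=True)


if __name__ == "__main__":
    # Paste the output into config.gateway.json on the controller and
    # force-provision the USG.
    print(render_gateway_json(SAMPLE_COMMANDS))
```

The file lands under the controller's site directory (`data/sites/<site>/config.gateway.json`); the other site still needs the matching `remote-id` pointing at this side's public address, and the upstream router must forward UDP 500 and 4500 (or DMZ the USG) so the NAT'd side can initiate.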


  • @Romo said in Unifi USG VPN from Behind NAT Firewall:

    Also add the changes to a config.gateway.json file in the controller so changes made directly on the USG don't get deleted on the next provision.

    One reason I hate these units.