Ubiquiti Security Gateway VPN Help

Hello folks,

Does anyone here have any experience with the Ubiquiti Security Gateways?

I have followed the guides on how to create a VPN tunnel although I am not able to connect at all.

The Ubiquiti Security Gateway is behind an ADSL router. I have forwarded the relevant ports, but I’m not getting anything from it. From the guide it says that the Ubiquiti Security Gateway sets up its own allow ports. Do I need to add them somewhere else on the Security Gateway?

The network is setup like this:

PUBLIC IP (router) >< 192.168.0.10 (Static IP WAN port Security Gateway) >< 192.168.1.1/24 (DHCP LAN Port on the Security Gateway) >< Ubiquiti UniFi Switch

I have attached screenshots of the current configuration.

Ports that are opened

VPN Settings

RADIUS Settings

Windows VPN Connection Settings

Connection being refused

My immediate thoughts drift to the “WAN” connection on the Unifi Box. As it is using a LAN IP on WAN it maybe trying to block private networks (a kinda counter measure to quick and dirty MITM attacks).

Just to eliminate some variables, I’d remove the RADIUS authentication for now. Just so you can test connectivity and see if the problem lies with the WAN->Unifi or within the Unifi setup.

PS: You may want to blank your clients information as well.

Make sure you can see those ports open from the outside; it is probably that ADSL router blocking you. Some of those things have a setting that lets you forward all ports to an IP behind it, or just disable its firewall if everything else is behind your USG.

I think you are correct in saying it is a LAN private networks thing. I turned the main internet router into modem mode and changed the WAN port to reflect that. Now the VPN is working fine :confused:

The other possibility is that this is due to the addressing involved.

As you’re requesting an L2TP connection on the x.x.x.x address (the WAN address), the UniFi box may be responding to the request but reporting that its WAN address is actually y.y.y.y (the fake WAN address), hence confusing the client and making it halt the connection.
If you don’t want the UniFi to run as the primary firewall (although IMO it would be better to leave it as such), you may want to dive into how the UniFi box reports what it is to something trying to connect, although off the top of my head I don’t recall seeing anything that would allow you to do so.


I also have this issue (with Windows clients). It used to work on Windows 10 for me until 1903 (I believe). It broke on my notebook first, then I tried it on my desktop and it still worked, then I immediately updated my desktop to find out whether or not it’s going to break too. And sure enough, it did.

I tried to fix it for a few hours, but ultimately just settled with having a working VPN only on Android and Linux. Figured they are gonna patch it some day. It’s been quite some time since then.


Try it on a phone, so you can rule out firewalls on your router. My bet is it is going to work. Then you can try to fix Windows; maybe you are more successful at that than I was. :sweat_smile:

Did you enable NAT-T in Windows?
https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows

We had a GPO do this for our systems that needed VPN access.
Also, check Event Viewer for a more detailed error code.
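The two suggestions in the reply above (enable NAT-T on the Windows client, then read the real error code from Event Viewer) can be done from one elevated PowerShell session. The script below is an added example and is not code from the thread or from Microsoft's KB article; it assumes the registry value documented in KB 926179 (`AssumeUDPEncapsulationContextOnSendRule` under the `PolicyAgent` service key) and that the built-in Windows L2TP/IPsec client logs to the Application log under the `RasClient` provider. The value `2` is the setting for a client and a server that are both behind NAT, which is the home ADSL topology described in the original post.

```powershell
# Added example (not from the original thread): check and, if needed, enable
# NAT-T for the built-in Windows L2TP/IPsec client, then list recent RasClient
# errors so the numeric error code is visible. Run elevated; reboot afterwards.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'
# 0 = default: the client refuses NAT-T when the server is behind a NAT device
# 1 = allow a server behind NAT
# 2 = allow both client and server behind NAT (USG behind an ADSL router)
$wanted = 2

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set (behaves as 0: NAT-T to a NATed server is refused)"
} else {
    Write-Host "$name is currently $current"
}

if ($current -ne $wanted) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $wanted -Force | Out-Null
    Write-Host "Set $name to $wanted; reboot before testing the VPN again."
}

# Pull the most recent RasClient errors from the Application log. The event
# text carries the RAS error number, e.g. 809 (no response from the server,
# typically UDP 500/4500 or ESP blocked on the way in) or 789 (IPsec
# negotiation failed, commonly a pre-shared key or NAT-T mismatch).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If you are rolling this out through Group Policy as the reply describes, the same DWORD can be delivered as a Registry preference item under Computer Configuration rather than set by script on each machine; either way the change only takes effect after a reboot.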