Yes, the Ubiquiti EdgeRouter X supports site-to-site VPNs. In this guide, you’ll learn how to set up a reliable IPsec site-to-site VPN between two EdgeRouter X devices, or between an EdgeRouter X and another IPsec gateway, with practical, step‑by‑step instructions for both GUI and CLI, plus troubleshooting, optimization tips, and security best practices. This is the kind of setup I wish someone had explained clearly when I first tackled multi‑site networks. We’ll break everything down, from planning and prerequisites to testing and ongoing maintenance. And if you’re looking for an extra layer of privacy while you test remote access, a consumer VPN subscription can be a nice ancillary option: it’s not necessary for the site-to-site VPN itself, but it adds protection for devices outside the VPN tunnel.
Useful resources (unlinked, text only, for quick reference)
– Ubiquiti EdgeRouter X product page – ubiquiti.com
– EdgeRouter X data sheet – hub.ubnt.com
– IPsec site-to-site general guidelines – strongswan.org
– OpenVPN site-to-site concepts – openvpn.net
– Dynamic DNS basics for remote sites – dyndns.org
– Ubiquiti official community and tutorials – help.ubiquiti.com
What is a site-to-site VPN and why EdgeRouter X is a solid choice
A site-to-site VPN creates an encrypted tunnel between two networks over the public internet, so hosts on one LAN can reach hosts on the other LAN as if they were on the same private network. IPsec is the most common protocol for this use case, offering authentication, encryption, and integrity. The EdgeRouter X is a budget-friendly, fanless router with solid routing performance and native support for IPsec, which makes it a popular choice for small offices, remote branches, or home labs that need a dependable VPN backbone without adding a lot of hardware.
Key benefits:
– Secure traffic between sites without exposing internal subnets to the internet
– Centralized control over tunnel policies (IKE, ESP)
– Flexible subnet sizing for LANs at each site
– Works with many different remote gateways (other EdgeRouters, SonicWall, pfSense, etc.)
Common pitfalls to avoid:
– Mismatched subnet definitions (local/remote subnet ranges that overlap or don’t cover the same hosts)
– Inadequate firewall rules that block IPsec or tunnel traffic
– Not enabling NAT exemption for VPN traffic, causing needless double‑NAT
– Dynamic IPs without a reliable dynamic DNS strategy at one or both sites
Prerequisites and planning
Before you wire anything, gather this information:
– Public IP addresses or dynamic DNS names for both sites (Site A public IP, Site B public IP)
– LAN subnets for both sites (e.g., Site A 192.168.1.0/24, Site B 192.168.2.0/24)
– A shared pre-shared key (PSK) for IPsec
– Which interface on each EdgeRouter X is connected to the internet (usually eth0)
– Whether you’ll run any intermediate devices (firewalls) that could affect IPsec traffic
Recommended settings to plan:
– Phase 1 (IKE) settings: AES-256, SHA-256, DH group 14 (2048-bit)
– Phase 2 (ESP) settings: AES-256, SHA-256, PFS enabled (DH group 14)
– SA lifetimes: 28800 seconds (8 hours) for IKE; 3600 seconds (1 hour) or 7200 seconds for ESP, depending on tunnel stability needs
– NAT traversal (NAT-T) enabled if either side sits behind NAT
– Firewall rules at both sites to permit IPsec (UDP 500, and UDP 4500 if NAT-T is used) and ESP protocol traffic
Note: If you’re new to IPsec, start with the simplest stable combo (AES-256 for both IKE and ESP, SHA-256 for both, DH group 14) and adjust if you need to support older devices.
EdgeRouter X hardware and capabilities: what to expect
– Solid routing performance for small offices and home offices
– Native IPsec VPN support, no extra modules required
– GUI (EdgeOS) plus CLI options for advanced users
– Typical VPN throughput varies with encryption, CPU usage, and traffic patterns; expect hundreds of Mbps in well‑tuned setups, with real-world results depending on the encryption suite and tunnel configuration
– Firewall rules are separate from VPN configuration, so you’ll want to craft clear rules to allow VPN traffic while protecting the rest of the network
Setting up a site-to-site VPN on EdgeRouter X using the GUI (EdgeOS)
This section walks you through a typical site‑to‑site IPsec setup using the EdgeOS web UI. The exact labels may vary slightly by firmware version, but the flow is the same.
1 Access the EdgeRouter Web UI
– Open your browser and navigate to the EdgeRouter’s IP (often http://192.168.1.1).
– Log in with admin credentials.
2 Prepare the networking pieces
– Confirm your LAN subnets on both sites.
– Ensure your edge devices’ WAN interfaces have public IPs or properly functioning dynamic DNS if you’re behind a dynamic IP.
3 Create the IPsec tunnel (Site-to-Site)
– Go to VPN > IPsec > Tunnels or Site-to-Site (the name may vary by firmware).
– Add a new peer (Remote Gateway).
– Peer IP: the public IP address of the remote site or its DynDNS hostname
– Authentication: Pre-Shared Secret (PSK)
– PSK: enter your strong, shared key (keep this secret)
– Local subnet: the LAN at this site (e.g., 192.168.1.0/24)
– Remote subnet: the LAN at the remote site (e.g., 192.168.2.0/24)
– Phase 1 (IKE) settings
– Encryption: AES-256
– Hash: SHA-256
– DH Group: 14
– Lifetime: 28800 seconds
– Phase 2 (ESP) settings
– PFS: enabled (group 14)
– Lifetime: 3600 seconds (or 7200 if you prefer longer SA lifetimes)
– Save or Apply the tunnel
4 Allow VPN traffic through the firewall
– Create or adjust firewall rules to permit IPsec traffic:
– Allow UDP 500 (IKE)
– Allow UDP 4500 (NAT-T, if hops are behind NAT)
– Allow ESP (protocol 50)
– Allow traffic between the two LAN subnets (LAN-to-LAN)
– If you use a DNS firewall or extra filtering, ensure those rules don’t inadvertently block VPN traffic
5 Route the traffic between sites
– Ensure static routes or policy-based routing directs traffic destined for the remote subnet through the VPN tunnel.
– In many setups, you’ll add a route on Site A for 192.168.2.0/24 via the tunnel interface, and vice versa on Site B.
6 Test the VPN
– From a host on Site A (e.g., a PC with IP 192.168.1.x), ping a host on Site B (192.168.2.y).
– Check the VPN status in the UI: the tunnel should show as up, and there should be a stable SA (Security Association) in both directions.
– If not, check:
– PSK matches on both sides
– Subnet definitions don’t overlap and are correct
– Firewall rules permit IPsec and related traffic
– NAT exemption is enabled so VPN traffic isn’t NATed on either side
7 Optional: add a static route for remote subnets
– If you’re using multiple interfaces or complex networks, you may need to add static routes so traffic to 192.168.2.0/24 goes through the VPN tunnel.
8 Security hardening tips
– Use a strong PSK (long, random, unique)
– Limit access to the EdgeRouter UI to trusted networks or use VPN-only admin access
– Regularly back up your EdgeRouter configuration
– Consider enabling logging for VPN events to monitor for unusual activity
9 Troubleshooting tips
– If the tunnel shows as down, verify the remote gateway is reachable and that there’s no intermediate firewall blocking traffic
– Check system logs for IPsec errors; common issues include PSK mismatch, mismatched phase 1/2 settings, or misconfigured subnets
– Verify that both sides’ local and remote subnets exactly match what you intended
– Confirm NAT exemption is configured if you’re behind a NAT device on either side
10 Performance considerations
– Encryption strength affects throughput. AES-256 provides strong security but uses more CPU cycles than AES-128
– EdgeRouter X hardware can handle typical small-office VPN loads, but actual speeds depend on traffic composition and concurrent connections
– If you’re not getting expected performance, consider adjusting phase 2 lifetimes, enabling PFS with a lower group, or reducing the encryption to a lighter option only if security policy allows
Setting up a site-to-site VPN on EdgeRouter X using the CLI (advanced)
If you’re comfortable with the CLI, you can configure IPsec site-to-site tunnels via EdgeOS commands. Replace example IPs and subnets with your actual values.
– Enter configuration mode:
configure
– Enable IPsec on the WAN interface, and let EdgeOS create the IPsec firewall and NAT-exclusion rules for you (EdgeOS v1.x syntax throughout):
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
– Phase 1 (IKE) and Phase 2 (ESP) crypto settings; PFS "enable" reuses the IKE group’s DH group (14 here):
set vpn ipsec ike-group IKE-1 lifetime 28800
set vpn ipsec ike-group IKE-1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-1 proposal 1 hash sha256
set vpn ipsec esp-group ESP-1 lifetime 3600
set vpn ipsec esp-group ESP-1 pfs enable
set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1 proposal 1 hash sha256
– Define the peer, its PSK, this site’s own WAN address (203.0.113.1 is an example value), and bind the IKE group:
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'YourStrongPSK'
set vpn ipsec site-to-site peer 203.0.113.2 local-address 203.0.113.1
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-1
– Local and remote subnets, bound to the ESP group under tunnel 1:
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP-1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 192.168.2.0/24
– Apply and commit:
commit
save
– Exit:
exit
If you’re unsure about exact command naming in your firmware version, the GUI method is generally the most reliable starting point. You can always switch to CLI for fine-grained control once you’re comfortable.
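As an added example (not code from this page or from Ubiquiti), the following Python script applies the planning checklist from the prerequisites section and the CLI command set above: it validates the two sites' plan (overlapping LANs, weak PSK) and emits mirrored EdgeOS v1.x commands for each side, so the local/remote prefixes cannot be transposed between sites. The site values, the group names IKE-1/ESP-1 and the PSK placeholder are assumptions.

```python
import ipaddress

# Constructed planning values for the two sites (example values, not a real deployment)
SITES = {
    "A": {"wan_if": "eth0", "public": "203.0.113.1", "lan": "192.168.1.0/24"},
    "B": {"wan_if": "eth0", "public": "203.0.113.2", "lan": "192.168.2.0/24"},
}
CRYPTO = {"enc": "aes256", "hash": "sha256", "dh": 14, "ike_life": 28800, "esp_life": 3600}

def check_plan(sites, psk):
    """Catch the planning mistakes the guide lists before any command is applied."""
    problems = []
    a, b = (ipaddress.ip_network(sites[s]["lan"]) for s in "AB")
    if a.overlaps(b):  # overlapping LANs can never be selected cleanly by the policy
        problems.append(f"LAN subnets overlap: {a} and {b}")
    if len(psk) < 20:
        problems.append("PSK shorter than 20 characters")
    return problems

def edgeos_commands(local, remote, psk, crypto=CRYPTO):
    """EdgeOS v1.x 'set' commands for one side; call again with sides swapped for the other."""
    peer = f"vpn ipsec site-to-site peer {remote['public']}"
    return [
        f"set vpn ipsec ipsec-interfaces interface {local['wan_if']}",
        # adds the UDP 500/4500 + ESP allow rules and the NAT exclusion automatically
        "set vpn ipsec auto-firewall-nat-exclude enable",
        f"set vpn ipsec ike-group IKE-1 lifetime {crypto['ike_life']}",
        f"set vpn ipsec ike-group IKE-1 proposal 1 dh-group {crypto['dh']}",
        f"set vpn ipsec ike-group IKE-1 proposal 1 encryption {crypto['enc']}",
        f"set vpn ipsec ike-group IKE-1 proposal 1 hash {crypto['hash']}",
        f"set vpn ipsec esp-group ESP-1 lifetime {crypto['esp_life']}",
        "set vpn ipsec esp-group ESP-1 pfs enable",  # PFS reuses the IKE group's DH group
        f"set vpn ipsec esp-group ESP-1 proposal 1 encryption {crypto['enc']}",
        f"set vpn ipsec esp-group ESP-1 proposal 1 hash {crypto['hash']}",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret {psk}",  # quote it if it has spaces
        f"set {peer} local-address {local['public']}",
        f"set {peer} ike-group IKE-1",
        f"set {peer} tunnel 1 esp-group ESP-1",
        f"set {peer} tunnel 1 local prefix {local['lan']}",
        f"set {peer} tunnel 1 remote prefix {remote['lan']}",
    ]

def is_mirrored(cmds_a, cmds_b):
    """Each side's local prefix must be the other side's remote prefix."""
    def prefix(cmds, kind):
        return next(c.split()[-1] for c in cmds if f"tunnel 1 {kind} prefix" in c)
    return (prefix(cmds_a, "local") == prefix(cmds_b, "remote")
            and prefix(cmds_a, "remote") == prefix(cmds_b, "local"))
```

Run `check_plan(SITES, psk)` first and only generate commands when it returns no problems; `edgeos_commands(SITES["A"], SITES["B"], psk)` and the same call with the sites swapped give the two configurations to paste into `configure` on each router.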
Verification, monitoring, and ongoing maintenance
– Regular checks:
– Tunnel status up/down
– SA lifetime counters
– Traffic stats per tunnel
– Quick test routine:
– Ping a host on the remote site from a local host
– Try a file copy or a small transfer to ensure application traffic traverses correctly
– Monitoring tips:
– Keep an eye on error messages in the EdgeRouter logs
– Watch for MTU issues that cause fragmentation and degrade performance
– Backup plan:
– Export and save a current configuration after each successful change
– Keep multiple restore points, especially before major network changes
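To automate the regular checks above and the troubleshooting list from the GUI section, here is an added Python example (not from this page or from Ubiquiti) that parses the strongSwan-style status EdgeOS prints for `show vpn ipsec sa` and flags tunnels that are down, lack an ESP SA, or move traffic in only one direction. The sample output is constructed and its exact layout is an assumption; adjust the patterns if your firmware prints differently.

```python
import re

# Constructed sample in the strongSwan-style layout of `show vpn ipsec sa` (layout assumed)
SAMPLE_STATUS = """\
peer-203.0.113.2-tunnel-1: #3, ESTABLISHED, IKEv1
  local  '203.0.113.1' @ 203.0.113.1[500]
  remote '203.0.113.2' @ 203.0.113.2[500]
  established 3711s ago, rekeying in 24089s
  peer-203.0.113.2-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 3711s ago, rekeying in 2309s, expires in 3349s
    in  cd8a7b61,  48213 bytes,   402 packets,     2s ago
    out c2e0f9b4,  91044 bytes,   511 packets,     2s ago
    local  192.168.1.0/24
    remote 192.168.2.0/24
peer-198.51.100.7-tunnel-1: #4, CONNECTING, IKEv1
  local  '203.0.113.1' @ 203.0.113.1[500]
  remote '198.51.100.7' @ 198.51.100.7[500]
"""

def parse_ipsec_sa(text):
    """Return {peer: {ike, child, rekey_s, in_bytes, out_bytes}} per tunnel."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): #\d+, (\w+), IKEv", line)
        if m:  # unindented IKE SA header starts a new tunnel record
            cur = m.group(1)
            tunnels[cur] = {"ike": m.group(2), "child": None, "rekey_s": None,
                            "in_bytes": None, "out_bytes": None}
            continue
        if cur is None:
            continue
        t = tunnels[cur]
        if ", TUNNEL," in line:  # CHILD (ESP) SA line carries the phase 2 state
            t["child"] = re.search(r", (\w+), TUNNEL,", line).group(1)
        elif line.strip().startswith("installed "):
            t["rekey_s"] = int(re.search(r"rekeying in (\d+)s", line).group(1))
        else:
            m = re.match(r"\s+(in|out)\s+\w+,\s+(\d+) bytes", line)
            if m:
                t[m.group(1) + "_bytes"] = int(m.group(2))
    return tunnels

def unhealthy(tunnels):
    """Tunnels that are down, lack an ESP SA, or pass traffic in only one direction."""
    bad = {}
    for name, t in tunnels.items():
        if t["ike"] != "ESTABLISHED":
            bad[name] = f"IKE SA {t['ike']}: check reachability, firewall rules, PSK"
        elif t["child"] != "INSTALLED":
            bad[name] = "no ESP SA: check phase 2 proposal and subnet prefixes"
        elif (t["in_bytes"] == 0) != (t["out_bytes"] == 0):
            bad[name] = "one-way traffic: check NAT exemption or the remote firewall"
    return bad
```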
Security best practices for site-to-site VPNs
– Use long, random pre-shared keys and rotate them periodically
– Prefer strong encryption (AES-256) and robust integrity (SHA-256 or better)
– Enable NAT exemption for VPN traffic and monitor for any NAT-related anomalies
– Restrict tunnel management access to trusted networks
– Keep EdgeRouter firmware up to date with the latest security patches
– If you have multiple sites, consider segmenting VPN tunnels per site pair rather than a single mesh
– Document your topology, IP ranges, and tunnel configurations for future maintenance
Common scenarios and variants
– Site-to-site between two EdgeRouter X devices
– Straightforward IPsec tunnel with identical settings on both sides
– Site-to-site between EdgeRouter X and another IPsec gateway (e.g., pfSense, Cisco ASA)
– Ensure your peer’s crypto profile aligns (IKE version, encryption, and MTU)
– Multi-site with hub-and-spoke topology
– Each spoke site can have its own IPsec tunnel to the hub; you may need additional routing rules to prevent hairpinning
– Remote access VPN vs site-to-site VPN
– Site-to-site VPN is for LAN-to-LAN connectivity; remote access VPN (e.g., OpenVPN or IPsec users) serves individual devices
Performance and real-world expectations
– EdgeRouter X is capable of robust site-to-site VPN for typical small offices
– VPN throughput is influenced by cipher choice, tunnel count, and CPU load
– Real-world results vary; plan for lower throughput under heavy load and adjust parameters accordingly
– For heavy, high-throughput sites, upgrading to a higher‑end EdgeRouter model or a dedicated VPN gateway may be worth considering
Frequently Asked Questions
# What is the simplest way to set up a site-to-site VPN on EdgeRouter X?
The simplest path is to use the EdgeOS GUI, configure IPsec with a single tunnel, use AES‑256/SHA‑256, DH group 14 for both IKE and ESP, and ensure firewall rules allow IPsec traffic and traffic between the two subnets.
# Do I need a static IP on both sites?
Static IPs simplify the connection because the remote gateway address won’t change. If you don’t have static IPs, you can use a dynamic DNS service on each side and keep the peer IP updated in EdgeRouter.
# Can I use OpenVPN for site-to-site on EdgeRouter X?
EdgeRouter X primarily uses IPsec for site-to-site tunnels. OpenVPN is better suited for remote access or specific gateway-to-gateway scenarios, but IPsec is more common for LAN-to-LAN tunnels between sites.
# How do I test if the VPN tunnel is up?
From a host on Site A, ping a host on Site B’s LAN. You can also check the EdgeRouter’s VPN status page or CLI output to confirm the tunnel is active and SA is established.
# What if the VPN tunnel drops frequently?
Check for PSK mismatches, mismatched IKE/ESP parameters, or subnet overlaps. Verify firewall rules allow ESP and IPsec traffic and that NAT-T is enabled if either side sits behind NAT.
# Do I need NAT on EdgeRouter X for VPN?
No. You typically want NAT exemption for VPN traffic so that the traffic between subnets is not translated. This avoids double NAT issues.
# Can I run multiple site-to-site VPNs on EdgeRouter X?
Yes, you can run multiple IPsec tunnels to different remote subnets. Each tunnel is defined as a separate peer, with its own local/remote subnets and PSK.
# How do I secure my EdgeRouter X beyond the VPN?
Limit UI access to trusted networks, enable automatic backups, keep firmware updated, monitor logs for VPN activity, and consider additional security measures like VLANs and strict firewall zoning.
# Is it better to use AES-128 or AES-256 for VPNs?
AES-256 is more secure but slightly more CPU-intensive. For a small network on EdgeRouter X, AES-256 provides strong security with modern hardware; if you’re chasing performance and your threat model allows, AES-128 can be a compromise.
# What if the remote site has a dynamic IP and no DynDNS?
Use a dynamic DNS service on the remote site to keep its public address updated, and configure the EdgeRouter to point to that dynamic address for the peer.