Which type of VPN setup would be best for this scenario?

Hey everyone! I don’t do a lot of this so I’m still learning the nomenclature (remote network, tunnel IP, etc.,) and searching for simplified explanations has been somewhat limited…

I have three locations, all running UI equipment. Two are under my UI account, and at the third I’m a super admin. The goal is to have a NAS at each location be able to reach the others for backups, and in addition for each NAS device to have local network and internet access (updates, downloads…). All other client traffic uses its local internet.

I understand I have multiple options here, but what is considered simple and best practice? …policy- or route-based? …stick with UI’s built-in offerings or look at a third party such as Tailscale?

Thank you!


The two that you have ownership of can be connected by Site Magic. The third can be connected by IPsec S2S or by WireGuard/OpenVPN. Using IPsec will be slower, but its config allows you to specify which subnets are exposed. The other methods (WireGuard performs best) require a static route or policy-based route to designate which subnets/VLANs and/or which clients to route over the tunnel. In many cases, policy-based vs. static is a matter of preference, as they may accomplish the same thing.

If you have other gear that can host Tailscale or Cloudflare Tunnel endpoints, those are also options that are straightforward for NAS-to-NAS backup connectivity, OK for web-based connectivity, and sometimes cumbersome for arbitrary traffic other than HTTP(S) (advantage Tailscale).

I use a combination of all of these, mainly Site Magic for inter-site and Cloudflare or Teleport from off site.

I don’t use UniFi for gateways. Is IPsec VPN an option?

Well here we go: https://help.ui.com/hc/en-us/articles/360002426234-UniFi-Gateway-Site-to-Site-IPsec-VPN

Public IPs for WAN interfaces. I believe the tunnel IPs are needed if OSPF is used. I would keep it simple for this first run, use static routes and then look into OSPF later.

Define your local and remote subnets in phase 2 as open or tight as you like, set static routes to the remote subnets to flow through the tunnel, and finish it off with policy. Again, I don’t use UniFi gateways, so I’m speaking in general. For specific UniFi settings, somebody else is probably better.

Thank you for the information and direction. If I’m understanding correctly, Site Magic is recommended and pretty straightforward to configure. For the third connection, looking at the configuration panel for S2S (OpenVPN or IPsec), it seems more configurable in the console than a WireGuard server/client setup. I am assuming that if I went with one of the S2S connections, I could provide a /32 or limited CIDR in the Remote Network field to keep traffic specific to the NAS at each site, correct?

So for a newbie here, if I understand this correctly, I can run my cameras at my work site through my UDM Pro and have it back the footage up to, say, a Cloud Key Plus at home?

Thank you. I looked at this earlier… where I’m getting confused is that what’s listed in that article isn’t directly translating to the VPN console page. E.g., the article mentions the server address being the IP assigned to the WAN port… does that mean internal or public? And which address is considered the ‘tunnel IP’? From my ignorant perspective, the guide tells you what you need but doesn’t really explain much else.

Yes, Site Magic is intended to be a simple setup with a few checkboxes to choose sites & networks. You can configure whatever scope of subnets you wish to expose over the S2S tunnel, and you could supplement with firewall rules for additional restrictions if needed, e.g., blocking specific ports.

edit: clarified the 2nd part for the S2S tunnel; Site Magic is pretty much all or nothing
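To make the "/32 in the Remote Network field" idea concrete, here is an added example (not from this thread or from UniFi) that models a gateway's static-route lookup with longest-prefix match and shows how narrow versus wide remote networks change which destinations ride the tunnel. The subnets, NAS addresses and tunnel names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not from the thread): site A's LAN
# and the NAS at sites B and C, each exposed as a /32 "Remote Network" on
# its own site-to-site tunnel. Everything else should use the local WAN.
LOCAL_LAN = ip_network("192.168.10.0/24")
TIGHT_REMOTE_NETWORKS = {
    "tunnel-siteB": [ip_network("192.168.20.50/32")],  # only the site B NAS
    "tunnel-siteC": [ip_network("192.168.30.50/32")],  # only the site C NAS
}
WIDE_REMOTE_NETWORKS = {
    "tunnel-siteB": [ip_network("192.168.20.0/24")],   # whole site B LAN
    "tunnel-siteC": [ip_network("192.168.30.0/24")],   # whole site C LAN
}


def build_routes(local_lan, remote_networks):
    """Static routing table as (prefix, next_hop): default to WAN,
    the local LAN on-link, and one route per Remote Network entry."""
    routes = [(ip_network("0.0.0.0/0"), "wan"), (local_lan, "lan")]
    for tunnel, prefixes in remote_networks.items():
        routes.extend((prefix, tunnel) for prefix in prefixes)
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route wins, as on a gateway."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def exposed_hosts(remote_networks):
    """How many remote addresses each tunnel will carry; /32 means exactly one."""
    return {t: sum(p.num_addresses for p in ps) for t, ps in remote_networks.items()}


if __name__ == "__main__":
    tight = build_routes(LOCAL_LAN, TIGHT_REMOTE_NETWORKS)
    wide = build_routes(LOCAL_LAN, WIDE_REMOTE_NETWORKS)
    for dst in ("192.168.20.50", "192.168.20.51", "8.8.8.8"):
        print(dst, "tight ->", next_hop(tight, dst), "| wide ->", next_hop(wide, dst))
    print("exposed per tunnel (tight):", exposed_hosts(TIGHT_REMOTE_NETWORKS))
```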