Using VPNs
Overview
We often set our customers up to use a VPN to connect to their office computers from outside the office. This article details how to connect to those VPNs, and how to find information regarding the VPN.
VPNs we use
L2TP VPN
The L2TP VPN is the "default" Unifi VPN. You will mostly find this VPN in use for older network installations that use a USG or USG-Pro. It is mostly reliable, but occasionally has an odd issue that requires manual SSH-level intervention to fix a stuck client.
This VPN type is supported by all major devices (Windows, macOS, Android, iPhone) by default and doesn't require any special software installed.
This VPN is almost always hosted on the Unifi router directly.
WireGuard
The WireGuard VPN is a newer VPN type enabled on Unifi routers such as the Dream Machine Pro and UXG. It is our preferred VPN due to its ease of use, ease of setup, and reliability.
The only downside to this VPN is that you have to install a program or app to handle it, but installation and configuration are very easy.
This VPN is always hosted on the Unifi router directly.
OpenVPN
The OpenVPN VPN is the "old guard" of additional VPN types in the Unifi world - it's been supported by Unifi for almost as long as the L2TP VPN and shares a lot in common with the WireGuard VPN regarding ease of use and setup.
This VPN requires the OpenVPN software to be installed on most devices.
This VPN will typically be found either on the router or on a NAS device on the network.
Locating VPN information
If the VPN information isn't already explicitly listed in documentation for the customer, you need to be able to find the information in order to support the customer.
Look for documentation
Estimated time: 2-5 minutes
Start by checking in PCRT to find any documentation regarding the VPN. This will typically be on the customer's group page.
- Look at the credentials tab to find any potential VPN user credentials
- Look at the group attachments for any documentation or configuration files for the VPN
- Look at previous work orders for the group, skimming the Problem Description column to find mentions of VPN
Where is the VPN hosted?
Estimated time: 5-10 minutes
If you weren't able to find all the information you need by looking at documentation, then begin searching for where the VPN is hosted. In almost every case, you will find it in one of two spots:
- On the router: The customer will typically be found as a site in our Netcare Controller, or they will have their own Controller (usually via a clients.mynet.care address) that should be located in the Customer Credentials section of Bitwarden. Log in to their controller, go to Settings, and look at the VPN section.
- On a NAS: If the VPN isn't on the router, then they probably have a NAS on their office network. Find the NAS IP, open a web browser, navigate to the IP, and log in to the NAS.
  - The NAS IP can be located by looking at clients in their Unifi controller if they have one, a client or DHCP list on their non-Unifi router if you have a login, or by simply checking any workstation on their network for either a mapped drive or the devices visible on the network. In the worst case where you still can't find it, you can use something like Zenmap to scan IPs on the network to find it. This is a last resort though.
  - Synology NAS: Open the "Start" menu on the Synology web interface and find the VPN Server app.
  - Other NAS devices: Good luck! Hopefully there's documentation.
- Other: In the dozens of VPN setups we've handled for customers, there may be 1 or 2 that don't fall into one of the above categories. Hopefully someone documented those for you, but if they had you probably wouldn't be here.
Who can access the VPN?
Once you've located where the VPN is hosted, you should be able to find the list of VPN users on the same page or nearby.
- Unifi router, L2TP VPN and OpenVPN: VPN users are in the RADIUS users list
  - New Interface: Users should be listed in the same VPN tab
  - Old Interface: Users are listed in Services -> RADIUS
- Unifi router, WireGuard VPN: VPN users are listed under the WireGuard VPN in Settings (use the new interface)
- Synology NAS, any VPN: VPN users are populated from the list of actual users on the NAS, and access to the VPN is granted from the VPN Server app on the Synology
Connecting to the VPN
Once you've established all the information about the VPN, you can test for connectivity. Test from your work computer first, to rule out any environmental or other issues that may block VPN connectivity for the customer. If you can connect from your work computer, then they should be able to connect from their device.
L2TP VPN
Use the built-in VPN settings for your device:
WireGuard
Follow the WireGuard VPN Setup guide starting at the "Connect clients" step
OpenVPN
- Download the OpenVPN Client for the customer's system: https://openvpn.net/client/
- Download the VPN configuration file (either the .ovpn or a .zip that has the .ovpn file in it) either directly from the VPN host or from Group attachments in PCRT.
- If you download a fresh copy from the VPN host, you may need to open the .ovpn file with a text editor and edit the "Remote IP" placeholder to be either the DNS, DDNS, or IP for this customer. See the DNS/DDNS setup for more information.
- Install the OpenVPN client
- Import the .ovpn file
- Sign in with the customer's username and password
- For older OpenVPN instances you may have to change the security protocol to Legacy in OpenVPN Client settings in order to connect.
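As an added example (not part of this article or of any OpenVPN tooling), the small shell helper below fills in the "Remote IP" placeholder of a freshly downloaded .ovpn profile and checks the result before you import it. It assumes the placeholder is the literal text "Remote IP" on the profile's remote line and that the technician supplies the customer's DNS, DDNS or IP; the sample profile it patches is constructed, not a real customer export.

```shell
#!/bin/sh
# Added example, not from the original article. Fills in the "Remote IP"
# placeholder of a freshly downloaded .ovpn profile and verifies the result.
# Assumption: the placeholder is the literal text "Remote IP" on the
# profile's "remote" line (e.g. "remote Remote IP 1194").

# patch_ovpn SRC DST HOST
# Copies SRC to DST with the placeholder replaced by HOST (DNS, DDNS or IP).
# Only the remote directive is touched, so the embedded certificate and
# key blocks stay byte-for-byte identical.
patch_ovpn() {
    src=$1; dst=$2; host=$3
    sed "s/^\(remote[[:space:]][[:space:]]*\)Remote IP/\1${host}/" "$src" > "$dst"
}

# ovpn_remote FILE
# Prints the host from FILE's remote line. Fails if the placeholder is still
# present or if there is not exactly one remote line; both mistakes would
# otherwise only show up as a failed connection attempt in the client.
ovpn_remote() {
    file=$1
    if grep -q 'Remote IP' "$file"; then
        echo "placeholder still present in $file" >&2
        return 1
    fi
    count=$(grep -c '^remote[[:space:]]' "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected one remote line in $file, found $count" >&2
        return 1
    fi
    awk '/^remote[[:space:]]/ { print $2; exit }' "$file"
}

# Demo with a constructed profile (placeholder values, no real customer data).
demo_dir=$(mktemp -d)
cat > "$demo_dir/customer.ovpn" <<'EOF'
client
dev tun
proto udp
remote Remote IP 1194
resolv-retry infinite
nobind
remote-cert-tls server
EOF
patch_ovpn "$demo_dir/customer.ovpn" "$demo_dir/customer-ready.ovpn" vpn.example.net
echo "profile now points at: $(ovpn_remote "$demo_dir/customer-ready.ovpn")"
```

Run ovpn_remote on the patched file before importing it; if it prints the customer's address and no error, the profile is ready for the OpenVPN client.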