

Yes, you can set up a site-to-site VPN with the Ubiquiti EdgeRouter X. In this guide, you’ll get a clear, step-by-step plan to connect two sites securely using IPsec on EdgeOS, plus practical tips for real-world networks. Here’s what you’ll learn: how to plan subnets, how to configure IKEv2 for reliability, how to test the tunnel, how to handle dynamic IPs, and how to troubleshoot common issues. And if you want an extra layer of protection while you test things out, check out the NordVPN deal listed in the resources below.
Useful URLs and Resources (plain text, not clickable)
- Ubiquiti EdgeRouter X product page – ubnt.com
- EdgeOS official documentation – help.ubiquiti.com
- IPSec VPN overview – en.wikipedia.org/wiki/IPsec
- StrongSwan project IPsec implementation – strongswan.org
- Ubiquiti Community forums – community.ui.com
- Dynamic DNS options – dyn.com, no-ip.com
- NordVPN official site – nordvpn.com
Introduction summary
- Yes, you can set up a site-to-site VPN with Ubiquiti EdgeRouter X.
- This guide covers: planning, GUI and CLI setup, firewall considerations, testing, dynamic IP handling, and troubleshooting.
- Use cases include linking two offices, securing remote data paths, and protecting inter-site traffic without bending your existing firewall rules.
- If you’re testing security while you learn, the NordVPN offer displayed above (an affiliate link) can help you evaluate a VPN service on the side.
- Format highlights: step-by-step setup, practical examples, quick-check lists, and tested commands you can copy-paste after adapting to your network.
Body
What is the Ubiquiti EdgeRouter X and why use it for site-to-site VPN
The EdgeRouter X is a compact, budget-friendly router in the EdgeRouter family. It runs EdgeOS, a friendly yet powerful interface built on top of the robust Vyatta-derived stack. For small offices and remote branch connections, the ER-X is a popular choice because it combines:
- Multiple Ethernet ports for easy network segmentation and site-to-site planning.
- IPsec site-to-site VPN support, which provides encrypted tunnels between locations without needing cloud services.
- A straightforward CLI and a usable GUI that let you set up policies, tunnels, and firewall rules without getting into driver-level tinkering.
- Flexibility to run at a low cost, while still handling typical office traffic and VPN traffic at reasonable speeds.
Why VPN site-to-site on ER-X? It’s a practical solution when you need permanent, encrypted connections between two or more sites. You don’t rely on a third-party VPN service; you maintain control over routing, subnets, and access. The VPN tunnel acts as a private “wire” between your networks, ideal for servers, backups, and inter-office communication.
Prerequisites and planning
Before you wire things up, check these essentials:
- Public IPs or dynamic DNS for both sites: A fixed public IP makes setup easier. If either side uses a dynamic IP, set up a Dynamic DNS (DDNS) hostname so the tunnel can reconnect automatically when IPs change.
- Non-overlapping LAN subnets: Ensure Site A and Site B subnets don’t overlap (for example, Site A 192.168.1.0/24 and Site B 192.168.2.0/24). If you must overlap, you’ll need NAT tricks or different addressing schemes, which complicates routing.
- EdgeRouter X on both sides: Each site should have its own ER-X or another device capable of IPsec, with access to the EdgeOS UI or CLI.
- Administrative access: You’ll need admin credentials for EdgeRouter X on both sites, plus SSH or console access if you plan to use the CLI.
- PSK or certificate-based authentication: For site-to-site VPN, you typically start with a pre-shared key (PSK) or, in more advanced setups, certificate-based authentication.
- Firewall considerations: You’ll need to allow IPsec traffic (IKE/ISAKMP, ESP, NAT-T) to the router and permit the traffic from the VPN tunnel through your LAN firewall as required.
- Subnet planning for remote access vs site-to-site: Distinguish traffic destined for the remote network from generic internet traffic so you don’t confuse default routes.
Tip: If you’re new to EdgeOS, start with the GUI. It provides a step-by-step flow for IPsec, and you can switch to CLI later for more advanced tweaks. In real-world networks, take 20–40 minutes for a single tunnel as you learn the interface and test flows.
Topology and use cases
Common site-to-site configurations with EdgeRouter X look like this:
- Two offices connected via IPsec tunnel: Site A: 192.168.1.0/24, Site B: 192.168.2.0/24. Each site uses its own public IP, with private networks behind the EdgeRouter X devices. Traffic between the subnets travels through the VPN tunnel, with routing policies ensuring inter-site reachability.
- A branch office and a data center: Branch Site (Site A) uses 10.10.10.0/24, Data Center Site (Site B) uses 10.20.0.0/24. The tunnel handles servers, backups, and application traffic securely.
- Multiple tunnels for a hub-and-spoke layout: The hub site connects to several remote sites via separate IPSec tunnels, each with its own local/remote subnet definitions.
Key benefits you’ll notice:
- Privacy and security for inter-site traffic.
- Centralized management of VPN settings (IKE/IKEv2, encryption, and hashing).
- Ability to route specific traffic through the tunnel while keeping internet-bound traffic separate.
Step-by-step setup GUI method — beginner-friendly
This approach uses the EdgeRouter X UI for a clean, guided experience. Replace the values in brackets with your own network details.
- Access each EdgeRouter X’s GUI
  - Open https://<EdgeRouter-X-LAN-IP> in your browser.
  - Log in with admin credentials.
- Prepare subnets and firewall rules
  - Confirm LAN subnets don’t overlap with each other or with any VPN-related subnets you’ll use in the tunnel.
  - Create a basic firewall policy that allows VPN-related traffic (IKE/ISAKMP, ESP) from the WAN to the VPN interface. Then permit traffic from the VPN tunnel to your internal subnets.
- Create the IPsec site-to-site VPN on Site A
  - Navigate to VPN > IPsec > Site-to-Site.
  - Add New IPsec Site-to-Site:
    - Remote Peer IP: Public IP of Site B’s EdgeRouter X
    - Remote Subnet: 192.168.2.0/24
    - Local Subnet: 192.168.1.0/24
    - Authentication: Pre-shared Key (PSK)
    - PSK: YourStrongPresharedKey
    - IKE Proposal: Choose a strong set (AES256, SHA256, DH group 14)
    - ESP Proposal: AES256, SHA256
    - Enable Dead Peer Detection (DPD)
  - Apply/Save and start the tunnel.
- Mirror the configuration on Site B
  - Use the same steps, swapping local/remote subnets:
    - Remote Peer IP: Site A’s public IP
    - Remote Subnet: 192.168.1.0/24
    - Local Subnet: 192.168.2.0/24
    - PSK should be identical
    - Use matching IKE/ESP proposals
- Check tunnel status
  - In the GUI, look for VPN/IPsec status or “Tunnel” status indicators. You should see something like “IKEv2 SA established” and “IPsec SA established” after both sides are configured correctly.
- Routing and testing
  - Ensure routes inside each site know to reach the remote subnet via the VPN interface.
  - From a host in Site A (for example, 192.168.1.50), ping a host in Site B (192.168.2.50). If ICMP is allowed through the firewall, you should see replies.
  - If you don’t see pings, check:
    - Firewall rules allowing VPN traffic
    - Correct remote/local subnets
    - PSK mismatch or IKE/ESP mismatches
    - NAT-T or NAT rules interfering with traffic
    - Internet path to the remote peer: is NAT at the edge blocking IKE/ESP? Do you need to allow UDP 500/4500 and ESP through?
- Optional: enable firewall and NAT adjustments for VPN traffic
  - Create a firewall rule that allows traffic from the VPN interface to your local networks.
  - If you’re using a typical home/office setup, you’ll often create a NAT exemption so that traffic between the local and remote subnets doesn’t get NATed twice.
Notes:
- If your network uses dynamic IPs, set up a DDNS hostname on both sites and use the hostname as the Remote Peer IP. The tunnel will reconnect automatically when the IP changes.
- For added reliability, enable Dead Peer Detection (DPD) and keep-alive checks so the tunnel resets more quickly after a disconnect.
Step-by-step setup CLI method — for advanced users
If you’re comfortable in the CLI, you’ll configure Site A with a set of commands similar to this (adjust IPs and subnets to your network; 203.0.113.45 stands for Site B’s public IP and <SiteA-public-IP> for Site A’s own WAN address). Compared with the GUI steps, the key-exchange line selects IKEv2, dead-peer-detection enables DPD, local-address tells EdgeOS which WAN address to negotiate from, and auto-firewall-nat-exclude adds the WAN firewall and NAT exemption rules for the tunnel automatically:
configure
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group IKE-GROUP key-exchange ikev2
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 14
set vpn ipsec ike-group IKE-GROUP lifetime 3600
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action restart
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval 30
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout 120
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret 'YourPSK'
set vpn ipsec site-to-site peer 203.0.113.45 local-address <SiteA-public-IP>
set vpn ipsec site-to-site peer 203.0.113.45 ike-group IKE-GROUP
set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 esp-group ESP-GROUP
set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 remote prefix 192.168.2.0/24
commit
save
On Site B you mirror the above, swapping local/remote definitions:
- Local prefix 192.168.2.0/24
- Remote prefix 192.168.1.0/24
- Peer IP: Site A’s public IP (in the Site A block above, 203.0.113.45 is Site B’s public IP; on Site B the peer is Site A’s address instead, and local-address is Site B’s own WAN address)
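To make the mirroring step and the mismatch pitfalls concrete, here is an added Python example (not from the original page or from Ubiquiti) that emits the EdgeOS set lines for both sites from one shared plan and cross-checks that the local/remote prefixes are swapped, the LAN subnets don’t overlap, and the PSK is identical. The Site A address 198.51.100.10 and the PSK are constructed; the local-address, key-exchange ikev2 and auto-firewall-nat-exclude lines are EdgeOS commands the page’s own block does not show.

```python
"""Emit and cross-check mirrored EdgeOS site-to-site IPsec 'set' commands."""
import ipaddress
import re
from collections import namedtuple

Site = namedtuple("Site", "public_ip lan")  # public_ip: local-address here, peer on the other side
# One proposal shared by both ends; any deviation is the classic IKE/ESP mismatch.
PROPOSAL = {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime": 3600}
# Constructed sample plan: 203.0.113.45 matches the CLI block above; Site A's IP and PSK are made up.
SITE_A = Site("198.51.100.10", "192.168.1.0/24")
SITE_B = Site("203.0.113.45", "192.168.2.0/24")
PSK = "ReplaceWithA32PlusCharRandomSecret"

def check_plan(a, b, psk_a, psk_b):
    """Return planning problems as strings; an empty list means the plan is consistent."""
    problems = []
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap: {lan_a} and {lan_b}")
    if a.public_ip == b.public_ip:
        problems.append("both sites use the same public IP")
    if psk_a != psk_b:  # also catches the stray-space / trailing-newline pitfall
        problems.append("PSK differs between sites")
    return problems

def edgeos_commands(local, remote, psk):
    """'set' lines for one side; swap the two Site arguments to get the mirror.
    local-address, key-exchange ikev2 and auto-firewall-nat-exclude are EdgeOS
    commands the page's block omits (assumed here from EdgeOS documentation)."""
    ike, esp = "vpn ipsec ike-group IKE-GROUP", "vpn ipsec esp-group ESP-GROUP"
    peer = f"vpn ipsec site-to-site peer {remote.public_ip}"
    return [
        "set vpn ipsec auto-firewall-nat-exclude enable",  # WAN firewall + NAT exemption
        f"set {ike} key-exchange ikev2",
        f"set {ike} proposal 1 encryption {PROPOSAL['encryption']}",
        f"set {ike} proposal 1 hash {PROPOSAL['hash']}",
        f"set {ike} proposal 1 dh-group {PROPOSAL['dh_group']}",
        f"set {ike} lifetime {PROPOSAL['lifetime']}",
        f"set {esp} proposal 1 encryption {PROPOSAL['encryption']}",
        f"set {esp} proposal 1 hash {PROPOSAL['hash']}",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret '{psk}'",
        f"set {peer} local-address {local.public_ip}",
        f"set {peer} ike-group IKE-GROUP",
        f"set {peer} tunnel 1 esp-group ESP-GROUP",
        f"set {peer} tunnel 1 local prefix {local.lan}",
        f"set {peer} tunnel 1 remote prefix {remote.lan}",
    ]

def selectors(cmds):
    """Pull (local prefix, remote prefix) back out of a generated command list."""
    found = {}
    for line in cmds:
        m = re.search(r"tunnel 1 (local|remote) prefix (\S+)$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found.get("local"), found.get("remote")

def mirrors_match(cmds_a, cmds_b):
    """True when A's local/remote prefixes appear swapped on B, as the mirror step requires."""
    la, ra = selectors(cmds_a)
    lb, rb = selectors(cmds_b)
    return la == rb and ra == lb
```

Run check_plan before pasting anything into configure; an empty list plus a True mirrors_match result rules out the three mismatches that account for most tunnels that never establish.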
Testing:
- Use ping, traceroute, or simple file transfers to confirm that traffic is flowing via the tunnel.
- Check the VPN status: you should see “IKE SA established” and “IPsec SA established” on both sides.
Troubleshooting quick starts:
- If the tunnel won’t establish: re-check PSK, IKE/ESP proposals, and ensure both sides use exact matching values.
- If you see “no route to host” or unreachable subnets: verify routing tables and ensure the VPN-tunnel remote subnets are added to the routing rules.
- If you have double NAT in play: suppress unnecessary NAT between the subnets by using a NAT exemption on both edges for traffic between the two VPN subnets.
NAT and overlapping subnets:
- If your internal networks on different sites collide (e.g., both sites use 192.168.1.0/24), you’ll need to adjust one side’s LAN subnet to a non-overlapping range (e.g., 192.168.10.0/24 or 172.16.0.0/24). This makes routing unambiguous and reduces the chance of misrouting across the tunnel.
- In some rare cases, you can handle overlaps by using route-based VPNs and specialized NAT rules, but this adds complexity. For a first pass, pick non-overlapping subnets.
Performance considerations and tips
- The ER-X is a budget device; expect solid performance for small to medium traffic. If you’re handling heavy inter-site traffic or many simultaneous tunnels, you may see CPU-bound limitations. Make sure you monitor CPU usage and adjust expectations accordingly.
- Use AES-256 for encryption and SHA-256 for integrity in your IKE and ESP proposals to balance security with performance.
- Keep firmware up to date. Ubiquiti regularly releases EdgeOS updates that include stability and security improvements for VPN features.
- For reliability, enable DPD (Dead Peer Detection) and periodic re-keying so you don’t stay stuck on a broken tunnel.
- When you’re ready to scale beyond two sites, plan a hub-and-spoke architecture or look at dedicated VPN appliances for larger, multi-site deployments.
Security hardening and best practices
- Use strong, unique PSKs for each tunnel; avoid reuse across sites.
- Consider certificate-based authentication if you’re comfortable with more complex management; it improves security and automation but adds complexity.
- Limit VPN access to required subnets only; avoid broad access and only allow traffic from the VPN to necessary internal resources.
- Regularly back up your EdgeRouter X configurations and document your VPN settings. A simple change log helps if you ever need to rebuild an environment.
- Disable unnecessary services on EdgeRouter X and keep the device updated to minimize attack surfaces.
Common pitfalls and how to avoid them
- Mismatched subnets between sites: triple-check both local and remote subnets on every peer.
- PSK mismatch: ensure you copy/paste the exact PSK without extra spaces or newline characters.
- Firewalls blocking VPN traffic: verify both the WAN-side and LAN-side firewall rules allow IKE (UDP 500, and UDP 4500 for NAT-T) and ESP (IP protocol 50) to pass.
- Dynamic IP headaches: if you must use dynamic IPs, DDNS is a lifesaver. Keep the “Remote Peer IP” dynamic, if the UI supports it, or re-check the tunnel after IP changes.
- NAT issues in tiny networks: in most cases with site-to-site, you don’t want to NAT between the two sites’ subnets. Use NAT exemptions to avoid double-NAT situations for VPN traffic.
Backup plan and maintenance
- Regularly export and save your VPN configuration from EdgeRouter X. If you need to rebuild or replace a device, you can restore quickly.
- Schedule periodic testing: once a month, verify tunnel health by restarting the tunnel, validating routing, and testing inter-site pings.
- Keep logs reasonable: enable VPN-related logging when troubleshooting, then revert to normal levels to keep logs manageable.
Comparison to alternatives
- OpenVPN on EdgeOS: If you need more customization or have devices that are difficult with IPsec, you can run OpenVPN on EdgeRouter X. It’s a solid alternative but may require more configuration and client management.
- Dedicated VPN appliances: For large setups with many sites or high throughput requirements, a dedicated VPN appliance or a more powerful router might offer better performance and easier management at scale.
- Cloud/VPN services: If you want to offload some of the VPN management, cloud SD-WAN or VPN services can provide centralized control with different performance characteristics. However, this introduces third-party dependencies.
Best practices for a clean, maintainable site-to-site VPN
- Document everything: keep a one-page network map with the public IPs, remote subnets, PSK references, and a short description of the tunnel’s purpose.
- Use consistent naming conventions in EdgeOS when you create IKE groups and ESP groups. It makes future changes and troubleshooting easier.
- Consider a small test environment if you can: clone your network in a lab and test changes before applying them in production.
- Avoid making too many changes at once; make a change, test, then proceed. It’s faster than trying to debug after a large config swap.
Frequently Asked Questions
Do I need a static IP at both sites to set up a site-to-site VPN with EdgeRouter X?
Not strictly. You can use dynamic IPs with Dynamic DNS (DDNS) on both sites, but you’ll want to configure DDNS so the peers can reliably locate each other. Static IPs simplify setup and reduce reconnection events.
Can I run more than one site-to-site VPN on EdgeRouter X?
Yes. You can establish multiple IPsec tunnels to different remote sites. Each tunnel will require its own local/remote subnet definitions and PSK or certificate settings. Ensure the device has enough CPU headroom to handle multiple tunnels, especially with encryption overhead.
What’s the easiest way to test a new site-to-site VPN tunnel?
Ping a host on the remote network from a host on the local network, then try a traceroute to verify traffic is routed through the VPN. Check the EdgeRouter X VPN status page to confirm IKE and IPsec SAs are established. Look for any packet loss and adjust firewall rules if needed.
Should I use IKEv1 or IKEv2 for site-to-site VPN on EdgeRouter X?
IKEv2 is generally preferred for reliability and faster reconnects, especially in environments with dynamic IPs. If your remote site doesn’t support IKEv2, you can fall back to IKEv1, but ensure you use strong ciphers and modern configurations to maintain security.
How do I handle dynamic IPs on a site-to-site VPN?
Use Dynamic DNS on both sides so the peers always know the current public IP. In EdgeRouter X, configure the remote peer as the DDNS hostname. The tunnel will renegotiate when the IP changes, typically within a short timeout.
What subnets work best for site-to-site VPNs?
Non-overlapping subnets are the simplest and most robust choice. For example:
- Site A: 192.168.1.0/24
- Site B: 192.168.2.0/24
If you have a business need for a private address range, 10.10.1.0/24 and 10.10.2.0/24 are common alternatives.
How do I troubleshoot a tunnel that won’t come up?
- Double-check the PSK on both sides.
- Confirm the IKE/ESP proposals match exactly on both sides (encryption, hash, DH group).
- Verify public IPs and ensure firewalls are not blocking IKE/ESP.
- Confirm subnets are correctly defined on both sides.
- Review logs on EdgeRouter X for clues about the failure.
Can I use NAT with a site-to-site VPN on EdgeRouter X?
Avoid NAT between the two VPN subnets. Use NAT exemptions to prevent traffic between the VPN subnets from being translated, which can break routing. NAT rules should only apply to traffic going to the internet, not across the tunnel.
How can I verify VPN performance and throughput?
- Monitor VPN throughput by running throughput tests between hosts on opposite subnets.
- Check CPU usage on the EdgeRouter X during peak VPN traffic; if CPU is maxed out, consider upgrading to a more capable router for higher traffic volumes.
- Use real-world traffic patterns to understand latency and jitter across the tunnel.
Is there a risk of leaking LAN traffic if the VPN drops?
If the VPN tunnel drops, you may see traffic attempt to route via the default gateway. To minimize this risk, enable DPD (Dead Peer Detection) and consider defining a failover strategy or route policy that prevents traffic from leaking if the tunnel is down.
Should I enable split tunneling for site-to-site VPNs?
Split tunneling is less common or necessary for site-to-site VPNs because you typically want all inter-site traffic to traverse the encrypted tunnel. If you’re concerned about corporate WAN usage or bandwidth, you can apply routing rules so that only specific inter-site subnets use the VPN while other traffic remains on the internet.
Can I configure site-to-site VPN to support multiple remote networks behind the same site?
Yes. You can create multiple tunnels with different remote subnets or a single tunnel configured to handle multiple remote subnets. Just keep each remote subnet’s routing distinct on the local site and ensure there’s no overlap with your primary LAN.
How do I back up and restore VPN configurations on EdgeRouter X?
In EdgeOS, go to System > Backup/Restore to export your current configuration, including VPN settings. To restore, use the same path to import the backup file. Regular backups reduce downtime if you replace hardware or need to recover from a misconfiguration.
Are there performance considerations when using EdgeRouter X for VPNs with many devices?
Yes. The ER-X is a budget device, so performance depends on traffic volume, encryption ciphers, and the number of concurrent VPN tunnels. For many devices or heavy inter-site traffic, you may want a more powerful router or a dedicated VPN appliance to maintain consistent performance.
Can I run OpenVPN alongside IPsec site-to-site on EdgeRouter X?
Yes, you can run OpenVPN on EdgeRouter X in addition to IPsec, but you’ll need to allocate resources carefully and manage separate tunnels and firewall rules. OpenVPN generally provides more granular client access control, but IPsec is typically easier for site-to-site connections.
What are the best resources to learn EdgeOS VPN settings?
- EdgeOS documentation help.ubiquiti.com
- Ubiquiti Community forums community.ui.com
- StrongSwan documentation for deeper IPsec concepts
- Technical blogs and YouTube channels focusing on small-business networking
Conclusion
- This guide provides a practical, step-by-step approach to setting up a site-to-site VPN on the Ubiquiti EdgeRouter X.
- It covers GUI and CLI methods, real-world topology considerations, and essential troubleshooting steps, all while keeping security and maintainability in focus.
- If you’re ready to explore additional protection or testing environments, the NordVPN offer linked above can be a handy resource for safeguarding endpoints or validating security configurations during development and testing.