How to set up a VPN server for iOS on UniFi USG
There are countless tutorials on how to do all sorts of funky things with the UniFi USG, many of which involve command line sorcery and an engineering degree. What I wasn’t able to find was a simple walkthrough of how to set up a VPN server that would allow me to connect remotely from my iPhone or iPad to my home network, providing an extra layer of security when using public wifi, and allowing me to access local resources while out and about.
After some reading and lots of experimenting, this is what worked for me:
Set up a RADIUS authentication server and user account
The RADIUS functionality basically centralizes remote access to your USG for a variety of things, For now, we just need it for VPN.
- In the UniFi Controller, navigate to Settings, Services
Select RADIUS from the horizontal menu across the top, then Server
Toggle Enable RADIUS Server ON
- Populate a strong password in the Secret field. Note: iOS really doesn’t like it when you get fancy here, so stick to lowercase letters and/or numbers, but you can use something fairly long. For clarity, we are going to refer to this as PASSWORD 1
- Leave the other fields as they are, and apply changes
Select Users from the horizontal menu at the top
Choose a user name
- Choose a strong password. iOS seems to be ok with more options, so go ahead and try some special characters here. We are going to refer to this as PASSWORD 2
Set up a VPN server
- In the UniFi Controller, navigate to Settings, Networks
Create New Network
Give your VPN a name
- Select ‘Remote User VPN’ as purpose
- Select L2TP as the VPN Type (iOS supports this natively, so it will be easy to set up)
- In ‘Pre-Shared Key’, paste the password you chose as the Secret for the RADIUS server above (aka PASSWORD 1)
- In Gateway/Subnet, specify the IP address range that will be provided to VPN clients. This should not conflict with your existing IPs, so – for example, if your existing internal IPs look like 192.168.1.114, you could choose something like 192.168.2.111 by populating 192.168.2.1/24. The ‘/24’ simply provides for up to 254 VPN IPs to be assigned.
- Leave the remaining fields at their defaults
You’ve now set up your VPN server. Next, you need to make sure you’ll be able to easily reach it from the Internet. You can use your WAN IP for this, but for most people, this will change frequently and it’s hard to keep track of. Instead, we’re going to set up a dynamic dns service so that we have a constant host address to connect to.
Dynamic DNS setup
There are countless dynamic DNS providers out there (DynDNS, No-IP…). You’re free to use whichever best suits your needs – note that the exact configuration may differ from service to service.
I’m going to use Duck DNS here, because basic service is free and it’s worked well for me so far.
- Go to Duck DNS and sign in using one of the supported authentication services
Select a subdomain, and click the ‘add domain’ button
In the UniFi Dashboard, navigate to services, and select Dynamic DNS from the horizontal menu at the top
Create new Dynamic DNS
- Select ‘dyndns’ as the service
- Enter the Duck DNS subdomain you chose as the hostname – only the subdomain you chose (e.g. ‘bob’)
- Enter ‘nouser’ as the username
- Enter the token shown on your Duck DNS page as your password
- Enter ‘www.duckdns.org’ as the server
Set up VPN connectivity on iPhone or iPad
Now that your server is up and running and has a fixed hostname for access, let’s set up an iPhone to connect to it.
- Go to Settings, VPN
Add VPN Configuration…
Change the Type to L2TP
- Give it a Description
- Server: Your Dynamic DNS hostname
- Account: The user name of the RADIUS account you set up above
- RSA SecurID: leave this off
- Password: The password for the RADIUS user account you set up above
- Secret: The password you used for both the RADIUS server and the VPN
- Toggle Send All Traffic on
- Tap ‘Done’ in the top right
That’s it – you’re all set.
In iPhone Settings, VPN, select your new VPN configuration and toggle the Status switch to connected. In a few moments, you should see the VPN icon appear in the menubar of your iPhone. Whenever you need an added layer of security or access to home network resources, just toggle the connection on from here.
Note that this will not connect from inside your home network. You have to be on cellular or connected to an outside network to connect to your home via VPN.
Set up VPN connectivity on Mac
You can benefit from the same security perks on your Mac.
- Open System Preferences (from the Apple Logo menu at the top left of the screen)
- Click the Network icon
Click the ‘+’ at the bottom left of the window
Select ‘VPN’ as the interface
- VPN Type should be ‘L2TP over IPsec’
- Give your VPN a recognizable name
Configuration can stay as ‘default’
- Server Address is your Duck DNS domain name set up earlier
- Account Name is your RADIUS user name set up earlier
Click ‘Authentication Settings’
Under ‘User Authentication’, select the Password option and fill in PASSWORD 2
- Under ‘Machine Authentication’, select the Shared Secret option and fill in PASSWORD 1
When you click ‘Connect’, your Mac should log you in to your VPN server.
Note: as with the iOS setup, this will not work from inside your home network.