
Edgerouter vpn site to site


Edgerouter vpn site to site: the complete guide to IPsec site-to-site VPN on EdgeRouter devices, setup, best practices, and troubleshooting

Yes, you can set up a site-to-site VPN between two EdgeRouters. This guide walks you through planning, configuration (both the CLI and the GUI), testing, and the ongoing maintenance you need to keep two sites securely connected, with step-by-step instructions, practical tips, and the common pitfalls to avoid. Whether you are linking a home lab to a small office or connecting two regional offices, a well-tuned EdgeRouter IPsec site-to-site VPN is straightforward and reliable with the right approach. One caveat about the consumer VPN offer this post links to (NordVPN): a consumer VPN client protects a single device's own Internet traffic. It adds nothing to the security of a site-to-site tunnel and is not a substitute for one. This post also includes a few handy resources you can refer to as you work.

Useful resources you’ll likely want to bookmark while you read:
– EdgeRouter IPsec site-to-site guide – https://help.ubnt.com/hc/en-us/articles/360012476078-EdgeRouter-IPsec-Site-to-Site-VPN
– EdgeRouter official help center – https://help.ubnt.com/hc/en-us
– Ubiquiti Community forums – https://community.ubnt.com
– RFC 4301: IP Security Architecture – https://tools.ietf.org/html/rfc4301
– NordVPN offer affiliate – http://get.affiliatescn.net/aff_c?offer_id=153&aff_id=132441&url_id=754&aff_sub=070326

Introduction: what you'll learn in this guide
– A clear plan for setting up an IPsec site-to-site VPN between two EdgeRouter devices (CLI and GUI paths)
– How to gather and prepare the key details you'll need (subnet design, PSK or certificates, peer addresses, firewall and NAT rules)
– Step-by-step walkthroughs with concrete example configurations you can adapt
– How to test and verify the tunnel is up, plus common issues and fixes
– Security considerations, performance expectations, and best practices for ongoing maintenance
– FAQ answers that address the most common questions remote admins have about EdgeRouter site-to-site VPNs

What is a site-to-site VPN and why EdgeRouter handles it well
– A site-to-site VPN creates a secure tunnel between two networks, letting hosts in one site reach devices in the other as if they were on the same local network.
– EdgeRouter devices from Ubiquiti are popular for small businesses and tech-minded home labs because of their flexible EdgeOS CLI, robust IPsec support, and solid routing capabilities.
– The standard approach for two sites is IPsec, which EdgeOS implements with the strongSwan IKE daemon (charon; its messages are what you see in show vpn log). Authentication is by pre-shared key (PSK) or certificates, depending on your security posture and scale.

Prerequisites and planning: what you should know before you start
– Identify the two sites and their subnets. They must not overlap with each other or with anything else routed at either site. For example:
– Site A: 192.168.10.0/24
– Site B: 192.168.20.0/24
– Determine public IPs: each EdgeRouter's WAN IP, or a dynamic DNS hostname if you don't have static addresses. Note whether either router sits behind another NAT device; if so, UDP 500 and 4500 must be forwarded to it, NAT traversal is required, and the peer's identity may need to be set explicitly because the address the far end sees is not the address the router has.
– Choose an authentication method: a pre-shared key (PSK) is simplest; certificates are better for larger deployments or where you rotate credentials frequently. Generate the PSK from a random source (for example 32 random bytes rendered as hex), not as a passphrase, and use a different one per peer.
– Decide on IKE and ESP parameters. A common, solid starting point is:
– IKE Phase 1: IKEv2 where both ends support it, AES-256, SHA-256, DH group 14 (2048-bit MODP)
– IPsec Phase 2: AES-256, SHA-256
– Perfect Forward Secrecy (PFS): enabled
– Lifetimes: the EdgeOS defaults are 28800 seconds for IKE and 3600 seconds for ESP. Shorter is fine, but set both ends the same so one side does not rekey while the other still expects the old SA.
– Plan firewall and NAT rules. The WAN-facing local ruleset (WAN_LOCAL) must accept UDP 500, UDP 4500 and ESP from the peer, and traffic between the two LANs must be excluded from the WAN masquerade rule, otherwise it is translated to the WAN address and never matches the tunnel's selectors. EdgeOS can add both for you (auto-firewall-nat-exclude); if you write them by hand, the NAT exclusion must be ordered before the masquerade rule. Restrict LAN-to-LAN traffic with rulesets on the LAN interfaces rather than leaving the tunnel wide open.

Two main routes: CLI (EdgeOS) and GUI setup
– EdgeRouter supports configuring IPsec VPNs via the EdgeOS CLI and via the GUI. The CLI is preferred for repeatable deployments and for anything the wizard does not expose, while the GUI is friendlier for a quick first tunnel. Both write the same configuration tree, so you can start in the GUI and refine in the CLI.

Step-by-step: EdgeRouter CLI (EdgeOS) setup for IPsec site-to-site
Note: Replace placeholders with your actual values. In EdgeOS a site-to-site peer is keyed by the remote router's public address, not by a number: the configuration node is vpn ipsec site-to-site peer REMOTE_PUBLIC_IP. The commands below are for Site A; Site B is the mirror image (swap the peer address, the local-address, and the local and remote prefixes). Enter configuration mode first with configure.

1 Define the IKE and ESP groups
– set vpn ipsec ike-group IKE-1 key-exchange ikev2
– set vpn ipsec ike-group IKE-1 lifetime 28800
– set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
– set vpn ipsec ike-group IKE-1 proposal 1 hash sha256
– set vpn ipsec ike-group IKE-1 proposal 1 dh-group 14
– set vpn ipsec esp-group ESP-1 lifetime 3600
– set vpn ipsec esp-group ESP-1 pfs enable
– set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
– set vpn ipsec esp-group ESP-1 proposal 1 hash sha256
– Note: key-exchange ikev2 requires firmware that offers the option and the same setting on the other end; omit it to fall back to IKEv1. Both sides must use identical proposals.

2 Enable IPsec on the WAN interface and handle firewall and NAT
– set vpn ipsec ipsec-interfaces interface eth0
– set vpn ipsec nat-traversal enable
– set vpn ipsec auto-firewall-nat-exclude enable
– Note: auto-firewall-nat-exclude makes EdgeOS add WAN_LOCAL accept rules for UDP 500/4500 and ESP plus a source-NAT exclusion for tunnel traffic. If you prefer to see those rules in your own config, write them explicitly instead and keep the NAT exclusion numbered below (i.e. ordered before) the masquerade rule:
– set firewall name WAN_LOCAL rule 30 action accept
– set firewall name WAN_LOCAL rule 30 description ipsec
– set firewall name WAN_LOCAL rule 30 protocol udp
– set firewall name WAN_LOCAL rule 30 destination port 500,4500
– set firewall name WAN_LOCAL rule 40 action accept
– set firewall name WAN_LOCAL rule 40 protocol esp
– set service nat rule 5000 description 'exclude VPN from NAT'
– set service nat rule 5000 exclude
– set service nat rule 5000 outbound-interface eth0
– set service nat rule 5000 source address 192.168.10.0/24
– set service nat rule 5000 destination address 192.168.20.0/24
– set service nat rule 5000 type masquerade

3 Configure the peer (remote site)
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP description 'Site A to Site B'
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP authentication mode pre-shared-secret
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP authentication pre-shared-secret YOUR_PRESHARED_KEY
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP ike-group IKE-1
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP local-address LOCAL_PUBLIC_IP
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 esp-group ESP-1
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 local prefix 192.168.10.0/24
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 remote prefix 192.168.20.0/24
– Note: the ike-group attaches to the peer, the esp-group to each tunnel. On Site B the same block uses Site A's address as the peer, Site B's WAN address as local-address, local prefix 192.168.20.0/24 and remote prefix 192.168.10.0/24. Swapping local and remote prefixes is the single most common reason a tunnel completes IKE but never builds a child SA.

4 Optional: add a second subnet pair
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 2 esp-group ESP-1
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 2 local prefix 192.168.11.0/24
– set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 2 remote prefix 192.168.20.0/24
– Note: each tunnel number is one pair of traffic selectors, and every pair must be unique and mirrored on the other end. Defining a second peer with the same selectors does not give you failover: a policy-based tunnel has no notion of a backup path, and the duplicate policy is simply shadowed. For redundancy across two WAN links or two remote routers, use route-based tunnels (a VTI interface bound to each peer) with static routes of different distances, or a dynamic routing protocol over the VTIs.

5 Clamp TCP MSS so tunnelled packets fit the WAN MTU
– set firewall options mss-clamp interface-type all
– set firewall options mss-clamp mss 1350
– Note: no static route is needed for a policy-based tunnel. The kernel's IPsec policy captures packets whose source and destination match the tunnel's selectors before normal forwarding applies, and a route for the remote subnet via your own LAN gateway would actually break it. Routes only matter in the VTI case.

6 Commit and save
– commit
– save
– exit

7 Verify and test
– Show the security associations: show vpn ipsec sa (show vpn ipsec status gives a one-line summary)
– Read the IKE daemon log: show vpn log
– Test the tunnel by pinging a host in the remote subnet from a host on the local subnet: ping 192.168.20.2. A ping issued on the router itself normally leaves from the WAN address, which does not match the selectors, so test from a LAN host (or source the ping from the router's LAN address).
– If the tunnel doesn't come up, check:
– Peer address, local-address and PSK match on both ends
– The IKE and ESP proposals (encryption, hash, DH group, PFS, IKE version) are identical on both sides
– local prefix on one end equals remote prefix on the other, for every tunnel number
– UDP 500/4500 and ESP reach the router through WAN_LOCAL, and LAN-to-LAN traffic is excluded from NAT
– Neither subnet overlaps anything else routed at either site
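The procedure above has one recurring failure point: the two routers must be exact mirror images of each other. The following script is an added example written for this guide (it is not Ubiquiti's code and did not come from the page's author). It takes both sites' parameters, refuses overlapping subnets, generates a random PSK, emits the set commands for each router in the syntax used above, and cross-checks that every selector pair on Site A appears swapped on Site B. The site names, addresses and subnets are constructed placeholders; the group names IKE-1/ESP-1 and the command keywords follow the EdgeOS syntax as Ubiquiti documents it, so verify them against your firmware before pasting.

```python
"""Mirror-generate EdgeOS IPsec site-to-site configs for two sites.

Added example for this guide (not Ubiquiti's code). Command keywords follow
the EdgeOS syntax documented by Ubiquiti; verify against your firmware.
"""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str                  # public address the other router dials
    lan_prefixes: tuple          # networks behind this router, CIDR strings
    wan_interface: str = "eth0"  # interface IPsec listens on (assumed)


def check_plan(a: Site, b: Site) -> None:
    """Refuse plans that cannot work: overlapping LANs or a shared WAN address."""
    ipaddress.ip_address(a.wan_ip)
    ipaddress.ip_address(b.wan_ip)
    if a.wan_ip == b.wan_ip:
        raise ValueError("both sites use the same WAN address")
    nets_a = [ipaddress.ip_network(p, strict=True) for p in a.lan_prefixes]
    nets_b = [ipaddress.ip_network(p, strict=True) for p in b.lan_prefixes]
    for na in nets_a:
        for nb in nets_b:
            if na.overlaps(nb):
                raise ValueError(f"{a.name} {na} overlaps {b.name} {nb}")


def new_psk(nbytes: int = 32) -> str:
    """256-bit random PSK as hex: no quoting issues in EdgeOS and nothing guessable."""
    return secrets.token_hex(nbytes)


def site_config(local: Site, remote: Site, psk: str, selectors, ikev2: bool = True) -> list:
    """Return the set commands for one router; the peer node is keyed by the remote WAN IP."""
    peer = f"vpn ipsec site-to-site peer {remote.wan_ip}"
    cmds = [
        f"set vpn ipsec ipsec-interfaces interface {local.wan_interface}",
        "set vpn ipsec nat-traversal enable",
        "set vpn ipsec auto-firewall-nat-exclude enable",
        f"set vpn ipsec ike-group IKE-1 key-exchange {'ikev2' if ikev2 else 'ikev1'}",
        "set vpn ipsec ike-group IKE-1 lifetime 28800",
        "set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256",
        "set vpn ipsec ike-group IKE-1 proposal 1 hash sha256",
        "set vpn ipsec ike-group IKE-1 proposal 1 dh-group 14",
        "set vpn ipsec esp-group ESP-1 lifetime 3600",
        "set vpn ipsec esp-group ESP-1 pfs enable",
        "set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256",
        "set vpn ipsec esp-group ESP-1 proposal 1 hash sha256",
        f"set {peer} description '{local.name}-to-{remote.name}'",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret {psk}",
        f"set {peer} ike-group IKE-1",
        f"set {peer} local-address {local.wan_ip}",
    ]
    # one tunnel per (local prefix, remote prefix) pair, same numbering on both ends
    for n, (lp, rp) in enumerate(selectors, start=1):
        cmds += [
            f"set {peer} tunnel {n} esp-group ESP-1",
            f"set {peer} tunnel {n} local prefix {lp}",
            f"set {peer} tunnel {n} remote prefix {rp}",
        ]
    return cmds


def mirrored_configs(a: Site, b: Site, psk: str = None) -> dict:
    """Validate the plan, then build both routers' configs from one shared PSK."""
    check_plan(a, b)
    psk = psk or new_psk()
    pairs = [(pa, pb) for pa in a.lan_prefixes for pb in b.lan_prefixes]
    return {
        a.name: site_config(a, b, psk, pairs),
        b.name: site_config(b, a, psk, [(pb, pa) for (pa, pb) in pairs]),
    }


def selectors_of(cmds) -> dict:
    """Parse the (local, remote) prefix of each tunnel number back out of a command list."""
    local, remote = {}, {}
    for c in cmds:
        p = c.split()
        if "tunnel" in p:
            i = p.index("tunnel")
            if p[i + 2] == "local":
                local[p[i + 1]] = p[-1]
            elif p[i + 2] == "remote":
                remote[p[i + 1]] = p[-1]
    return {n: (local[n], remote[n]) for n in local}


def is_mirror(cmds_a, cmds_b) -> bool:
    """True when tunnel n on A carries exactly the swapped selectors of tunnel n on B."""
    sa, sb = selectors_of(cmds_a), selectors_of(cmds_b)
    return sa.keys() == sb.keys() and all(sa[n] == (sb[n][1], sb[n][0]) for n in sa)


# Constructed example sites using RFC 5737 documentation addresses.
SITE_A = Site("siteA", "203.0.113.1", ("192.168.10.0/24",))
SITE_B = Site("siteB", "198.51.100.2", ("192.168.20.0/24",))

if __name__ == "__main__":
    for name, cmds in mirrored_configs(SITE_A, SITE_B).items():
        print(f"# ---- paste into configure on {name} ----")
        print("\n".join(cmds))
```

Run it, paste each block into configure on the matching router, then commit and save. The PSK is printed in clear as part of the commands, so treat the output as a secret and do not leave it in shell history or a ticket.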

Step-by-step: EdgeRouter GUI setup for IPsec site-to-site VPN
1 Log in to the EdgeRouter web UI, open the VPN tab and choose IPsec Site-to-Site (labels vary slightly by firmware version).
2 Add a new peer (Site A to Site B) and fill in:
– Peer: REMOTE_PUBLIC_IP
– Local IP: LOCAL_PUBLIC_IP (the WAN address of this router)
– Encryption AES-256, Hash SHA-256, DH Group 14, PFS enabled (these become the ike-group and esp-group settings)
– Pre-shared Secret: YOUR_PRESHARED_KEY
– Local subnet: 192.168.10.0/24, Remote subnet: 192.168.20.0/24
– Tick the option to automatically open the firewall and exclude the tunnel from NAT if your firmware shows it; otherwise add the WAN_LOCAL and NAT exclusion rules described in the CLI section by hand.
3 Apply and save changes. The GUI writes the same ike-group, esp-group and peer nodes the CLI section uses; you can inspect or adjust them under the Config Tree tab.
4 Repeat on Site B with the peer address, local IP and the two subnets swapped.
5 Restrict what crosses the tunnel with firewall rulesets on the LAN interfaces (Firewall/NAT tab) if the remote site should only reach specific hosts or ports.
6 Test the connection:
– Ping from a host in one subnet to a host in the other subnet
– Check the peer's status on the VPN tab, or run show vpn ipsec sa from the CLI
– Do not add a static route for the remote subnet: a policy-based tunnel does not need one, and a route via your own LAN gateway would bypass the tunnel

Testing and troubleshooting: how to confirm the tunnel is healthy
– Basic checks:
– show vpn ipsec sa should list the peer with an established IKE SA and an ESP SA for each tunnel, with byte and packet counters increasing in both directions; the GUI shows the peer as up.
– Pings across subnets should succeed (e.g., from 192.168.10.x to 192.168.20.x).
– Common issues and fixes:
– Mismatched PSK: re-enter the key on both ends and watch for trailing whitespace or shell quoting. With IKEv1 this often shows in show vpn log as a failed decryption of the peer's hash payload rather than an explicit "wrong key" message; with IKEv2 you see AUTHENTICATION_FAILED.
– Proposal mismatch: NO_PROPOSAL_CHOSEN in the log means one side rejected the other's IKE or ESP proposal; compare encryption, hash, DH group, PFS and IKE version line by line.
– Selector mismatch: IKE comes up but no ESP SA is built (TS_UNACCEPTABLE with IKEv2, INVALID_ID_INFORMATION with IKEv1). Check that local prefix on one end equals remote prefix on the other for the same tunnel number, and that neither subnet overlaps anything else routed at either site.
– NAT traversal: if one side is behind another NAT device, keep nat-traversal enabled, forward UDP 500 and 4500 to the router, and set the peer's identity explicitly (the authentication id and remote-id options, where your firmware offers them), since the address the far end sees is not the address the router has.
– NAT on the traffic: if the SAs are up but pings fail, LAN-to-LAN traffic is probably being masqueraded before it reaches the IPsec policy; make sure the NAT exclusion rule is ordered before the masquerade rule.
– Firewall: verify WAN_LOCAL accepts UDP 500/4500 and ESP, and that the LAN rulesets permit the inter-site traffic in both directions.
– MTU issues (small pings work but large transfers stall): clamp TCP MSS with set firewall options mss-clamp interface-type all and set firewall options mss-clamp mss 1350, then confirm with a don't-fragment ping of increasing size across the tunnel to find the largest payload that passes.
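Why 1350 is a safe clamp value is easier to see with the arithmetic. This added example (not from the original page or from Ubiquiti) computes the largest TCP MSS that still lets an ESP tunnel-mode packet fit the WAN MTU, using the header sizes from RFC 4303 and the IV and ICV lengths of the transforms used above. The transform table is constructed for this demo: AES-CBC with a 16-byte IV and HMAC-SHA-256 truncated to 128 bits, and AES-GCM with an 8-byte IV and a 16-byte tag. The NAT-T flag accounts for the extra UDP header that appears only when a NAT is detected between the peers.

```python
"""Largest TCP MSS that fits an ESP tunnel-mode packet into the path MTU.

Added example for this guide (not from the page). Overheads follow RFC 4303:
SPI + sequence number (8), the transform's IV, padding to the cipher block
size plus a 2-byte trailer (pad length, next header), then the ICV.
"""

# Constructed transform table: (iv_len, pad_alignment, icv_len) in bytes.
TRANSFORMS = {
    "aes256-cbc/sha256": (16, 16, 16),  # HMAC-SHA2-256-128: ICV truncated to 16 bytes
    "aes256-cbc/sha1":   (16, 16, 12),  # HMAC-SHA1-96
    "aes256-gcm":        (8, 4, 16),    # AEAD: 8-byte IV, 16-byte tag, 4-byte alignment
}

IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR, ESP_HDR, ESP_TRAILER = 20, 40, 8, 20, 8, 2


def max_inner_packet(mtu=1500, transform="aes256-cbc/sha256", nat_t=True, outer_ipv6=False):
    """Largest inner (pre-encryption) IP packet whose ESP encapsulation still fits mtu."""
    iv, align, icv = TRANSFORMS[transform]
    outer = (IPV6_HDR if outer_ipv6 else IPV4_HDR) + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv
    budget = mtu - outer                 # room for inner packet + padding + trailer
    padded = budget - budget % align     # encrypted region must be block aligned
    return padded - ESP_TRAILER


def max_tcp_mss(mtu=1500, transform="aes256-cbc/sha256", nat_t=True,
                outer_ipv6=False, inner_ipv6=False):
    """MSS excludes the inner IP and TCP headers, which ride inside the ESP payload."""
    inner = max_inner_packet(mtu, transform, nat_t, outer_ipv6)
    return inner - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def clamp_is_safe(clamp, **kw):
    """True if a given mss-clamp value never yields a packet larger than the path MTU."""
    return clamp <= max_tcp_mss(**kw)


if __name__ == "__main__":
    for t in TRANSFORMS:
        print(f"{t:20s} MTU 1500 with NAT-T -> max MSS {max_tcp_mss(transform=t)}")
    print("1350 safe on PPPoE (MTU 1492)?", clamp_is_safe(1350, mtu=1492))
```

With AES-256-CBC/SHA-256 behind NAT-T on a 1500-byte WAN the ceiling is 1382, and it stays 1382 on a 1492-byte PPPoE link because the CBC block alignment absorbs the difference; 1350 therefore leaves margin for either case, while a clamp of 1400 would silently fragment.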

Security best practices for EdgeRouter IPsec site-to-site
– Use strong authentication:
– Prefer certificates for larger deployments. A PSK is fine for two sites, but generate it from a CSPRNG, keep it in a password manager rather than a wiki page or config sheet, use a different PSK per peer, and rotate it on a schedule.
– Harden proposals:
– IKE: IKEv2, AES-256, SHA-256, DH group 14 or higher (the ECP groups 19 or 20 where both ends support them)
– ESP: AES-256 with SHA-256, or AES-GCM where the firmware and the peer offer it
– Enable PFS on the esp-group for every tunnel.
– Do not leave legacy options in a proposal list "for compatibility": 3DES, MD5, SHA-1 and DH groups 1, 2 and 5 should be absent, because a peer that offers them can be negotiated down to them.
– Limit tunnel access:
– Only allow traffic between the intended subnets, and use LAN-side firewall rulesets to permit just the needed ports if the remote site only needs a few services; avoid broad permissive rules.
– Regularly update EdgeRouter firmware to benefit from security fixes and improvements.
– Keep management (SSH and the web UI) reachable only from the LAN, never from the WAN or blindly across the tunnel; restrict it in WAN_LOCAL and use key-based SSH.
– Monitor tunnels and set up alerts for tunnel down/up events so you can respond quickly.

Performance considerations: what to expect
– Throughput depends on the EdgeRouter model and the encryption profile you're using.
– With IPsec enabled you will see less than the WAN rate because every packet is encrypted and authenticated. Cavium-based models (the ER-Lite and the ER-4/ER-6P/ER-8 class) ship an IPsec offload module, enabled with set system offload ipsec enable and visible in show ubnt offload; the MediaTek-based ER-X family has no IPsec offload and does everything in software, so expect much lower figures there. Use Ubiquiti's published numbers for your exact model rather than a generic range.
– Disable unnecessary features when testing a tunnel to maximize stability during initial setup, and re-enable them as you finalize the deployment.
– If you need higher throughput, pick a model with hardware-accelerated IPsec, prefer AES-GCM where both ends support it (one pass instead of separate encryption and HMAC), and make sure MSS clamping is in place: fragmentation costs far more throughput than the choice of cipher.

Real-world deployment scenarios you might encounter
– Small office to remote office: subnets 10.1.0.0/24 and 10.2.0.0/24, PSK-based IPsec with AES-256/SHA-256, a single tunnel, and room to add a second subnet pair later as a second tunnel number on the same peer.
– Home lab bridging to a coworker's office: non-overlapping test subnets like 192.168.50.0/24 and 192.168.60.0/24, regular PSK rotation, and frequent checks that the tunnel re-establishes after the dynamic IP on either side changes.
– Multi-site SMB: two EdgeRouters with a redundant tunnel across different ISPs, using IKEv2 with PFS, route-based VTI tunnels rather than policy-based ones, and static routes with different distances or a small dynamic routing setup so failover actually happens when one path dies.

Tips to keep your EdgeRouter VPN site-to-site running smoothly
– Document every tunnel: keep a quick-reference sheet with local/remote subnets, peer addresses, group names and IKE version so you don't get tripped up during maintenance. Keep the PSK itself in a password manager, not on the sheet.
– Automate key rotation if possible: rotate PSKs on a schedule, or move to certificate-based authentication when you scale beyond two sites.
– Monitor latency and jitter: VPN performance is sensitive to latency, so keep an eye on the path between the two WAN addresses to catch suboptimal routing early.
– Keep firmware current: EdgeOS updates can fix security issues and improve VPN stability.
– Test after any network change: firewall changes, new subnets, NAT rule reordering, or ISP changes can all affect the VPN.

Case studies and deployment tips
– Case study: A two-office setup with 192.168.10.0/24 and 192.168.20.0/24 worked well after aligning on a single PSK, ensuring both ends used AES-256/SHA-256, and entering the local and remote prefixes correctly. The common mistake is swapping the local and remote subnet or mistyping the remote IP, either of which prevents the tunnel from coming up.
– Case study: A home lab connected to a small business site. The user started with a single tunnel and later added a second subnet pair. They used the GUI for the second tunnel to simplify the process and wrote firewall rules that allowed VPN traffic to reach only the intended subnets.
– Case study: A multi-site deployment with dynamic IPs used a DDNS service for the remote edge. A PSK was chosen for simplicity, but certificates are recommended for larger deployments or where you want to avoid shared secrets.

Frequently Asked Questions

# Can EdgeRouter handle IPsec site-to-site VPNs between two offices?
Yes. EdgeRouter devices support IPsec site-to-site VPNs via EdgeOS, with both CLI and GUI options. You can connect two sites using PSK or certificates for authentication.

# Does EdgeRouter support OpenVPN for site-to-site VPNs?
Yes. Besides IPsec, EdgeOS can run OpenVPN in site-to-site mode (an openvpn interface with mode site-to-site, authenticated by a shared static key or certificates). It is handy when one side sits behind a NAT you do not control, because everything rides in a single UDP or TCP port, but it runs entirely in software and is slower than IPsec. IPsec remains the usual choice for EdgeRouter site-to-site links; OpenVPN is more often used for client-to-site access.

# Can I use a dynamic IP on one side?
Yes. Enable a dynamic DNS (DDNS) client on the EdgeRouter with the dynamic address so its hostname always resolves to the current WAN IP, and have that side initiate the tunnel. How the static side refers to a peer whose address changes depends on firmware: some versions accept a hostname as the peer, others need a wildcard peer matched on an explicit identity (the authentication id / remote-id options). Check the IPsec site-to-site section of the help center for your release, and expect the tunnel to renegotiate each time the dynamic address changes.

# What authentication should I use for IPsec?
PSK is the simplest approach and works well for small deployments. For larger deployments or higher security, consider certificate-based authentication. If you rotate keys often, certificates are easier to manage at scale.

# How do I know which subnet to configure on each end?
Plan your subnets so they don’t overlap with your local networks or with each other. The local-subnet on Site A should be the network behind EdgeRouter A, and remote-subnet should be the network behind EdgeRouter B and vice versa.

# What should I do if the tunnel won't come up?
Read show vpn log first; charon says why it gave up. Then double-check the PSK, the peer and local addresses, and the exact prefixes on both sides. Ensure WAN_LOCAL allows UDP 500/4500 and ESP, that LAN-to-LAN traffic is excluded from NAT, and that the IKE/ESP proposals (including IKE version and PFS) match on both ends. Check DNS and DDNS settings if you are relying on dynamic addresses.
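Here is a small triage helper, added for this guide rather than taken from the page or from Ubiquiti, that maps the usual charon (strongSwan) wording in show vpn log to a likely cause and the thing to check first. The patterns reflect common charon messages but are an assumption to verify against your own firmware's logs; the sample log lines are constructed for the demo.

```python
"""Triage show vpn log (charon / strongSwan) lines into likely causes.

Added example for this guide, not Ubiquiti's tooling. The regexes follow the
usual charon wording but are an assumption to verify against your own logs.
"""
import re

# (pattern, likely cause, what to check): constructed mapping, most specific first.
RULES = [
    (r"no IKE config found for",
     "no peer matches these addresses",
     "peer must be the remote WAN IP and local-address this router's WAN IP; behind NAT set explicit IDs"),
    (r"NO_PROPOSAL_CHOSEN|no matching proposal found",
     "IKE or ESP proposal mismatch",
     "compare encryption, hash, dh-group, pfs and key-exchange version on both ends"),
    (r"no shared key found|invalid HASH_V1 payload length|AUTHENTICATION_FAILED",
     "pre-shared key mismatch",
     "re-enter the PSK on both routers; check for trailing whitespace or quoting"),
    (r"TS_UNACCEPTABLE|INVALID_ID_INFORMATION",
     "traffic selector (subnet) mismatch",
     "local prefix on one end must equal remote prefix on the other for the same tunnel number"),
    (r"giving up after \d+ retransmits",
     "no reply from peer",
     "UDP 500/4500 or ESP blocked by a firewall or NAT, wrong peer address, or peer down"),
]

ESTABLISHED = re.compile(r"(IKE_SA|CHILD_SA) \S+ established")


def triage(lines):
    """Return sorted, de-duplicated (cause, check) pairs, first matching rule per line."""
    found = set()
    for line in lines:
        for pattern, cause, check in RULES:
            if re.search(pattern, line):
                found.add((cause, check))
                break
    return sorted(found)


def is_established(lines):
    """True if any line reports an IKE_SA or CHILD_SA coming up."""
    return any(ESTABLISHED.search(line) for line in lines)


def last_error(lines):
    """Most recent actionable line, useful when the log is long."""
    for line in reversed(lines):
        if triage([line]):
            return line
    return None


# Constructed sample: a proposal mismatch, then a retry that gets no answer at all.
SAMPLE_LOG = """\
Jan 10 09:12:01 er charon: 05[IKE] initiating IKE_SA peer-198.51.100.2-tunnel-1[3] to 198.51.100.2
Jan 10 09:12:01 er charon: 05[IKE] received NO_PROPOSAL_CHOSEN notify error
Jan 10 09:13:10 er charon: 07[IKE] initiating IKE_SA peer-198.51.100.2-tunnel-1[4] to 198.51.100.2
Jan 10 09:13:40 er charon: 07[IKE] retransmit 5 of request with message ID 0
Jan 10 09:13:40 er charon: 07[IKE] giving up after 5 retransmits
""".splitlines()

if __name__ == "__main__":
    print("tunnel reported up:", is_established(SAMPLE_LOG))
    for cause, check in triage(SAMPLE_LOG):
        print(f"{cause}: {check}")
    print("last actionable line:", last_error(SAMPLE_LOG))
```

Feed it the output of show vpn log (for example via SSH and a pipe) after a failed attempt; the absence of any established line together with a single cause is usually enough to know which side to fix.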

# How can I test the VPN tunnel quickly?
From a host inside Site A, ping a host inside Site B and vice versa; a ping from the router's own WAN address does not match the selectors and is not a valid test. Use show vpn ipsec sa to verify that both the IKE SA and the ESP SA exist and that the counters move. If the ping fails with the SAs up, check the LAN firewall rulesets and the NAT exclusion rule.

# Can I use two VPN tunnels for redundancy?
Yes, but not by defining a second peer with the same subnets: a policy-based tunnel has no notion of a backup path, and a duplicate policy is simply shadowed. For real failover, build route-based tunnels (a VTI interface bound to each peer) and let routing pick the path, either with static routes of different administrative distances or with a dynamic routing protocol over the VTIs. Multiple tunnel numbers on one peer are for additional subnet pairs, not redundancy.

# How do I secure EdgeRouter after setup?
Keep firmware updated, rotate PSKs or certificates as part of a security routine, enable firewall rules that limit traffic to only the necessary subnets, and monitor tunnel health with alerts. Disable unused services and ensure secure management access SSH/HTTPS with proper authentication and firewall rules.

# Should I use IKEv2 for better reliability?
IKEv2 offers a simpler exchange, built-in dead peer detection and cleaner rekeying, and behaves better behind NAT. If your EdgeRouter firmware supports it (set vpn ipsec ike-group IKE-1 key-exchange ikev2) and you can align both ends, it is the better choice. For new deployments, pair IKEv2 with AES-256/SHA-256, DH group 14 or higher, PFS, and certificates where practical.

If you're new to EdgeRouter site-to-site VPN, start with a simple two-site lab using a random PSK, AES-256 and SHA-256, then expand to a second subnet pair, dynamic IPs, or a VTI-based redundant setup as needed. Document every field you configure, keep the secrets out of the documentation, and test after each change. EdgeRouter's flexibility is a big advantage, so don't be afraid to adjust the topology as your network grows. The consumer VPN offer linked in the introduction only covers a single device's own Internet traffic; it is not a substitute for a proper site-to-site business VPN.
