Unifi policy based routing vpn This is accomplished by marking every packet of the forced clients with an iptables firewall mark (fwmark), adding the VPN routes to a custom routing table, and using a policy-based routing rule to direct May 21, 2025 · Static routes in UniFi Network allow you to manually configure how traffic should be routed through your gateway. The UDM supports destination or source for policy-based routing. The goal here is to have devices such as my Apple TV appear to be in a different country. xxx. Creating a Policy-Based Route In the UniFi Network App, navigate to Settings → Routing → Policy-Based Routes. Including how to connect clients and firewall rules Route-Based VPN (when using Manual settings) Note: When configuring a Site-to-Site VPN between two UniFi gateways, we recommend using the Auto settings. This guide will show you how to integrate Unifi with pfSense and Tailscale using OSPF. Click Create Entry. 60. Ubiquiti UniFi Routers - Traffic Management, Policy Based Routing (UDR/USG-Pro/UDM-Pro/UXG-Pro) Technically, you could tell the DHCP client to ignore the default gateway, add a static route for the IP of the VPN server via the default gateway you got, and then add a default route pointing at your VPN gateway. Why Configure Static Routes on a UniFi Controller? I want to set up policy based routing on my USG-3. What should I do if I am not able to communicate over the VPN? You need to set up an OpenVPN or WireGuard server to route traffic. I recently got my Unifi network set up in a very basic configuration. For me, I have a complicated setup that involves WireGuard & Tun2Socks (wiresocks), and a Socks client (v2ray) that allows me to use UDM policy based routing and tunnel it through a socks proxy for specific outbound properties I set up. Gateways/Tunnels Any policy can target either WAN or a VPN tunnel interface. 
UniFi and the USG models currently support Load Balancing or Failover when configuring a Dual WAN setup in UniFi; however, if you want to configure a more advan Oct 11, 2021 · My home is powered by Ubiquiti’s UniFi product line. ) We want site A to return traffic based on which interface it arrives on. Is there a way to create such an application based routing, or is this on some roadmap? Apr 14, 2019 · Gateway is a USG Pro 4. 0/24 and 172. 54 is out. The PC I am trying to use qbittorrent and nordvpn on is directly wired to the UDM-SE. I'm routing an entire network through an OpenVPN client connection on my UniFi router using Private Internet Access. Policy-based is like giving a specific person a ticket to enter a gate. 0. Have all outbound traffic on the docker host route over the VPN Good Reference Site: Policy-based routing over VPN with Ubiquiti EdgeRouter Has anyone ever established a site-to-site VPN tunnel and successfully routed all internet traffic through a singular primary gateway? With Netflix gearing up to "crack down" on password sharing, I'd like to get ahead of the issue and consolidate all of my internet traffic to a single public IP address. I moved to Unifi recently and set up 3 APs with a UDM SE. Making the “Interface” the VPN you set up earlier. They are using a UDM Pro and have set up a routing rule for all traffic to use the VPN interface that has been set up to work with NordVPN. This is a helper script for multiple VPN clients on Unifi routers that creates a split tunnel for the VPN connection, and forces configured clients through the VPN instead of the default WAN. Sep 6, 2024 · In the UniFi community we now have a few choices when it comes to establishing or using a VPN. However, you can do it with a custom script in SSH. Initially, I used OpenVPN from NordVPN; however, I wanted something with better throughput performance. 4. 
I can use a policy route to route all of my traffic from one VLAN over my WireGuard VPN; however, if the VPN is disabled all traffic goes over my primary WAN. This is a place to discuss all of Ubiquiti's products, such as the EdgeRouter, UniFi, AirFiber, etc. Is it possible to use the same firewall modify rules for local traffic so I can force certain source/destination addresses to always use certain routes/links? (for example the current modify rule is: set interfaces ethernet eth2 How can I configure UniFi to chill out about some specific P2P activity while continuing to protect my network from similar behavior from other devices? How can I configure UniFi to make my intentional use of P2P systems safer? All switches and Access points are Unifi. Go to the policy-based routing. Frequently Asked Questions 1. Go to Routing Traffic Routes > Create Entry What to Route = Specific Traffic Category = Domain or IP You can batch add IPs from a text file list too if you like. Configure Policy-Based Routing To send network traffic, a router usually examines the destination address in the packet and looks at the routing table to find the next-hop destination. UniFi Gateways support three types of VPNs: VPN Server, VPN Client, and Site-to-Site VPN. Find help and support for Ubiquiti products, view online documentation and get the latest downloads. Whether you need to connect from a remote network to your own network, connect multiple sites together, or want to use a privacy VPN like NordVPN. Internet Quality and Outage Reporting Policy-based WAN and VPN Routing Customizable DHCP Server Learn how to route specific devices or VLANs through a VPN in your UniFi network using Policy‑Based Routing (PBR). Is this even possible with Unifi? 
Currently, there is no GUI support for policy-based routing in UnifiOS, but it can be set up in SSH by using ip route to create a custom routing table, and ip rule to select which clients to route through the custom table. This works well but also all traffic is being routed. Upon further investigation, it seems that it's the Domain based routing on the UDM-Pro that's bugged. In this article, I'll try to explain the concept of static routes within the UniFi environment. The Route based VPN uses routes to decide where to send the traffic, and Security rules for, well, security decisions about what to allow and what not to. When the new traffic rules system was initially rolled out with Unifi OS the What is PBR (Policy Based Routing)? It's not a beer! If your router supports it, PBR allows you to send and receive traffic based on source, destination, protocol, and port, out of any interface UniFi Gateway - WireGuard VPN Server WireGuard is a high-performance VPN server found in your Network application's VPN section that allows you to connect to the UniFi network from a remote location. I’m pretty sure this is possible, but not certain where to start. I generated the file on the website and uploaded it to my Cloud Gateway Ultra. WireGuard VPN Client is found in the VPN section of your UniFi Network Application and allows you to connect the UniFi Gateway to a VPN provider and send internet traffic from devices over the VPN Site 2: Network: 192. add a VPN client via wireguard. I do find it a bit ludicrous, but UBNT do seem to be investing heavily in building out these features From my understanding, this will create the routing table 200, route all traffic coming from 10. 168. Are IPsec Site-to-Site VPNs secure? 2. Those cover a lot of the basics of VPNs and some advanced route-based or policy-based site-to-site setups. 
For a full Don’t have enough stuff to test, but I’d try: Main site, set up OpenVPN server Site 2, connect to site 1 using VPN client option Site 2, use traffic routes to direct traffic to Netflix to the VPN interface. Whether you're connecting remote Jun 27, 2025 · Learn how to set up a VPN on your UniFi router. Today, we are going to route one of my VLANs into the VPN, specifically, my IoT network. Static routing is a powerful tool for network admins to manage traffic properly. Yo, what's up! In this video, I walk you through setting up a secure site-to-site IPsec VPN using the UniFi Network application on a Unifi / Ubiquiti router. The “Policy-based Routes” (PBR) section can be found in Settings>Routing>Policy-Based Routes tab. While Jul 13, 2025 · Learn how to bypass Netflix household restrictions using UniFi policy-based routing and a VPN tunnel between two locations. L2TP tunnels Overview Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between two EdgeRouters. 30. This article gives some examples on policy based routing with the UniFi Security Gateway. 5 days ago · Connect a Ubiquiti UniFi Gateway to Cloudflare's network using Magic WAN. I’ve not been able to successfully implement Domain based traffic management rules. 188. Enter the traffic you want routed to the VPN. For example, you can route packets based on various criteria, such as the source address, packet metadata, and protocol. It is possible to use L3 routing with a UniFi Gateway or third-party gateway. With the VPN client paused I was unable to navigate to any web page or resolve any DNS requests. This will allow you to reach devices in your tailnet from your Unifi network and vice versa. Client Route Enforcement monitors the main routing table of the connected device and ensures that outbound network traffic goes to a VPN tunnel, according to network routes configured in the client VPN endpoint. 
Comparing Topologies Site Magic I just want to be able to route based on APP (just like I can add app-based security rules). These routes work perfectly when I'm at home but aren't working on my device when I connect to my network through the WireGuard VPN server. This tutorial walks you through configuring a UniFi VPN Client and On my UDM I currently run an OpenVPN client (Nord) that routes all traffic from one of my internal hosts over the VPN. At the time of writing, I’m at 6. Create an internet-out rule where the source is the VLAN that is connected to the VPN. We can also block out social media sites and put Aug 26, 2024 · If it doesn’t take you there go to the “Routing” then “Policy Based Routes” menu and click create entry. Nov 9, 2025 · Learn how to route specific domains like example. 1 NIC would be connected to the normal LAN and one NIC would be connected to the VLAN. 66. Jun 18, 2025 · When creating the VPN Tunnel, we will need to choose which VPN Method we want to use, Route-Based or Policy-Based. This allows us to block or accept certain traffic. Any pointers or recommendations would be great. Route-based is like opening a road and letting any approved vehicle drive based on GPS routing. Trying to figure out where I’m going wrong or why the domain based ones are not working. Shadow Mode (VRRP) Add a second UniFi Cloud Gateway in Shadow Mode for automatic failover and uninterrupted network uptime. Traffic & Policy Management in UniFi UniFi provides a unified Policy Engine for managing traffic shaping, routing, and security policies across your network. We will be trying to connect site A with site B (below. Interface? Only appears WAN1 or Secondary WAN2 It is important to understand the differences between policy-based and route-based VPNs and why one might be preferable to the other. 
In this video I am going to show you how to use your UniFi Network controller and Private Internet Access to hide your real IP address thus allowing you to access blocked websites or restricted Sep 6, 2024 · Configure a WireGuard, OpenVPN or L2TP VPN Server in your own UniFi Cloud Gateway. 103, 10. Setting up a Policy-Based VPN The 192. Source? Any combination (all, network or a single device). Best of luck. The most common use case for static routes is to connect multiple sites together or to force traffic Oct 24, 2025 · The main difference between Policy-Based VPN and Route-Based VPN lies in how traffic is selected and routed through the VPN tunnel. On a native EdgeRouter this could be Oct 6, 2022 · EdgeRouters feature built-in support for OpenVPN, IPsec, GRE, L2TP, and some other VPN and tunneling protocols. Requirements There are already several guides on the internet that show you how to do this, but they all use a Linux system to generate the file. To route all Internet traffic, and not just the remote subnet, through the site-to-site tunnel, you would need policy-based routing which isn't supported through the GUI on the UDMP. 75 Remote User VPN is working Site to site VPN is working Cloud key is hosting controller I've managed to get this far through help from a friend but I'm stuck at routing/firewall. The inverse is also true if you have Starlink on Aug 16, 2022 · UniFi UCG Max with Granular Control over VPN with Policy-Based Routing I have the superb UniFi UCG Max for my home router, and it offers plenty of VPN options, including the ability to route traffic through third-party VPNs. Aka route one (or more, just add additional ip rules for each device or network that you want to policy route) of your LAN devices out to Starlink on WAN2 of your UDMP instead of just using it for failover only. 
Every VPN choice in UniFi has a distinct […] UniFi Remote Access: VPN and Port Forwarding To securely access a web server, locally hosted application, or other internal service from outside your network, you need either a VPN or port forwarding. With a USG you could fumble around with a custom gateway config file. Why Configure Static Routes on a UniFi Controller? Hi All, Need some help / input Setup: UDM Pro / Spectrum 1G (usually pull 1. This tutorial walks you through configuring a UniFi VPN Client and setting up I believe what you are describing is called policy-based routing, which the Unifi interface doesn't expose. How Does it Work? MAC Address Table Size 1,000 Policy-based WAN and VPN Routing Customizable DHCP Server 10G Cloud Gateway with 200+ UniFi device / 2,000+ client support, 5 Gbps IPS routing, and redundant NVR storage. On my home network, I also have some policy-based routes setup, that route certain traffic through VPN clients. This would allow for example to easily change whether my TV uses a VPN or not for Netflix or other apps. I have an UDM-SE and was playing around with the routing through the VPN with no luck and it's weird it's not working. Something is overriding the system routing table and the way policy-based routing should work. For a script that makes it easy to set-up policy-based routing rules on UnifiOS, see the split-vpn project. These steps use the Cloud Gateway Max (UCG-Max) but work with other UniFi gateways supporting route-based IPsec VPNs, like the Dream Machine series. It works great unless the VPN drops then it defaults back to the general WAN connection. 2gig down / 45 up with overprovisioning and using the SPF+ WAN port connected to 2. If I have two sites (A and B) and each sites have subnets (X and Y). 113, 10. Apr 8, 2024 · Sorry but never mind. 
Mar 24, 2018 · With the Ubiquiti EdgeRouter, you can use policy-based routing to send specific devices’ traffic over a VPN. add a new one. xxx/32 set interfaces wireguard wg0 listen-port 51820 set interfaces wireguard wg0 route-allowed-ips false set interfaces wireguard wg0 Apr 16, 2022 · Currently, there is no GUI support for policy-based routing in UnifiOS, but it can be set up in SSH by using ip route to create a custom routing table, and ip rule to select which clients to route through the custom table. Device/Network - can select specific clients or the network entirely. It would be great if we could switch these rules on and off from HA. Dec 23, 2022 · The main difference is that Policy based VPN uses Security Rules to determine where to send the encrypted packet, and what traffic to encrypt. I’m not sure a commercial VPN service will work very long, however, as Netflix and streaming services tend to block them, so I have mine and my parents routing through my office. A UniFi Gateway or UniFi Cloud Gateway is required. Low Overhead: Static routing uses minimal resources compared to dynamic routing protocols like OSPF or BGP. I’d now like to try to route the traffic for some of my network clients through a VPN. Dec 18, 2023 · There are many possible options when it comes to routing traffic via the VPN; however, for this post I will be routing the entire traffic from a network via the VPN. For example, set up a WireGuard server on the UDR/UXG/etc where you want to route the traffic through, then configure the WireGuard client on the UDR/UXG where you are routing from. The client side of the VPN is where you want to access Netflix from without purchasing an additional "Home Location Feb 12, 2025 · Improved Security: Restrict network traffic to specific paths, reducing exposure to vulnerabilities. It's not supported via the GUI at all. Is this even possible? Thank you for the help. Policy Based Routing Help Needed! 
I have my network set up with a WAN and a VPN connection to the outside world. (You can set it up from the command line, see the split-vpn script instructions, but it's pretty hairy. I still need to "bind" my new routing table to the interface; to do this, I've tried: interfaces { ethernet { eth1 { firewall { in { modify VPN } } } } } and/or interfaces { ethernet { eth1 { firewall { out { Get your VPN working properly with a mostly stock configuration, then start stacking on the additional routing, first the static route to reach the VPN endpoint, then the default route for the traffic. 20 on the UDM Pro, you can now set up OpenVPN and with traffic management Site Magic SD-WAN simplifies the setup of Site-to-Site VPN tunnels between UniFi Gateways, enabling seamless resource and application sharing across multiple sites. In our last tutorial, we set up a privacy VPN in the VPN Clients section of our UniFi console. Dec 17, 2024 · These routes ensure traffic for each network is directed through the correct WireGuard VPN interface, allowing seamless but distinct access to home and work resources. 106 to 10. If I create a rule to force all traffic from a given client through the VPN then it works regardless of whether the client is configured to use pihole/unbound or hardcoded to another DNS resolver. I’m trying to figure out how to set up my UDM-Pro so that any domain I “allow” goes through the WAN and anything else goes through the VPN. EDIT: ended up changing the binding in qbittorrent settings to the normal ethernet instead of nordvpn; that was the only change I did. Perfect for families with multiple homes or remote users. Using the UDM Pro and a connected access point, is it possible for the traffic from only specific clients (wifi and wired) to be routed through such a tunnel where all the other Mar 22, 2025 · Step by step with illustrations on how to configure Ubiquiti Unifi Dream Machine to host services in the LAN over a VPN connection with port forwarding. 
Not sure what protocols it supports; I've seen proof of L2TP but assume others are supported too. ) As a workaround, if you set up a VLAN specifically for WireGuard clients, you can have a traffic rule route all traffic from devices on that VLAN out through WAN2. For a full overview of UniFi’s Traffic and Policy Management capabilities, see here. I’ve been using the kit for, oh, probably 3 or 4 years now, and it’s been fine (there’s much to be said for things that just work). Almost everyone has heard it by now, Netflix has changed their policy regarding sharing accounts. Controller hosted on AWS. com to the rule and having the rule redirect traffic through a VPN. Interface - select your PIA VPN interface. 7 Setup - Covering Windows, Mac, & Mobile + DuckDNS & Firewall 2024 May 13, 2021 · This is a task for 'policy based routing'. Policy based routing allows you to configure complex routing scenarios. Nov 17, 2023 · Unifi now supports policy based routing to send specified traffic via a VPN. For those of you using Starlink with a UDM Pro you can use the two lines below to create a policy route based on source IP address. I set up the new Site Magic SD-WAN (really site to site VPN). Sep 10, 2024 · In this article, I will show you how to create your own WireGuard configuration file to use NordVPN as the VPN provider for your UniFi network. At this point it should just work, so long as you figure out how to grab all the Netflix traffic. When Junos OS looks up a route to find the interface to use to send traffic to the I was able to add a kill switch using the firewall rules. Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters: Dec 12, 2024 · A first look at the new UniFi Zone-based Firewall. For example in Unraid you can create a VPN network and assign dockers to go through it. 
Oct 14, 2017 · After some period of time, all traffic from the tablet goes out over the VPN, totally ignoring the firewall rule and policy-based routing. Policy-Based VPN is best for a simple setup and Route-Based VPN is for complex topologies. Set the rule to drop and set applied to after. I used this Ubiquiti article. Configure a headless docker host with 2 NIC cards. So, with Route based VPN you have to create tunnels specifying all IPsec-related settings, add routes for Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a USG. This UniFi VPN setup guide covers L2TP, WireGuard & OpenVPN for UDM, Dream Router & more. We are going to use Windows instead, to make it a little bit easier. Situation: EdgeRouter is in switch mode, eth0 = uplink, client = eth4 with manual IP address 192. This includes modifying routing tables on a device if routes conflicting with the VPN tunnel are detected. Hi, can someone kindly explain the difference between Route based VPNs and Policy based VPNs (e.g. IPsec)? What I read is "Policy based VPN (no virtual tunnel interface) has a security policy that triggers the tunnel, whereas in Route based VPNs (virtual tunnel is present) traffic on the Virtual Tunnel interface triggers the VPN." My VPN provider prefers WireGuard. Yeah you can - you can route by domain name or IP or Region. ) on the service is available in the README. and it's working fine now. On or off I’m In some cases, you want to send traffic to a different path than the default route specified in the routing table. Custom routing allows the configured IP addresses or subnets to still go through the One-Click VPN tunnel when the client is set to the Intranet mode. 
This allows you to make networks accessible that are out of sight of your current router, or force traffic through a specific interface based on their destination IP address. I believe the UDM Pro can do outbound VPN connections to a commercial VPN provider. More information (requirements, full features list, etc. All traffic from Apple TV and Roku devices goes over my VPN. This tutorial walks you through configuring a UniFi VPN Client and setting up traffic