

Ubiquiti EdgeRouter Site-to-Site VPN Setup Guide: Secure Site-to-Site Connections and VPN Best Practices

The short version: a well-configured site-to-site VPN keeps two remote networks talking privately over the public internet, with security settings that prevent eavesdropping and tampering. Here's a practical, friendly guide that walks you through the steps, tips, and best practices for setting up a reliable VPN between two or more sites using Ubiquiti EdgeRouter gear.
- Quick start overview
- Step-by-step setup checklist
- Common pitfalls and how to avoid them
- Troubleshooting and validation
- Best practices for security and performance
Useful URLs and resources (text only)
https://ui.com/products/routeros/edge-router/
https://help.ui.com/hc/en-us/articles/204956584-EdgeRouter-Quick-Start-Guide
https://help.ui.com/hc/en-us/articles/204852924-EdgeRouter-VPN-Configuring-Auto-Discovery
https://help.ui.com/hc/en-us/articles/204852934-EdgeRouter-IPsec-VPN
https://wiki.openvpn.net/openvpn/howto/OpenVPN-Manual
https://en.wikipedia.org/wiki/Virtual_private_network
https://www.cloudflare.com/learning-security/
Why choose EdgeRouter for site-to-site VPN
- EdgeRouter devices are affordable, offer solid VPN features, and give you full control over routing and firewall rules.
- Site-to-site VPN lets two or more networks securely communicate as if they were on the same LAN.
- IPsec is the most common protocol for site-to-site VPNs on EdgeRouter, with strong encryption options such as AES-256 and modern IKE modes.
Key concepts you’ll encounter
- IPsec: the protocol suite that secures traffic between sites
- IKE (Internet Key Exchange): negotiates security associations
- ESP: encapsulates and encrypts the data
- Pre-shared key (PSK) or certificates: how peers authenticate
- Phase 1 (the IKEv1/IKEv2 SA) and Phase 2 (the IPsec SA)
- Transport vs tunnel mode: tunnel is typical for site-to-site
- NAT traversal: handling networks behind NAT devices
What you’ll need before you start
- Two EdgeRouter devices (one at each site) with firmware that supports IPsec
- Publicly reachable WAN IPs, or a dynamic DNS setup if you're behind carrier-grade NAT
- Shared authentication material (PSK or certificates)
- A rough network map: subnets at Site A and Site B (e.g., 192.168.10.0/24 and 192.168.20.0/24)
- Administrative access to both EdgeRouters
Topology and planning checklist (quick map)
- Identify which subnets will be reachable across the VPN (e.g., Site A: 192.168.10.0/24, Site B: 192.168.20.0/24)
- Decide on the authentication method (PSK is simplest; certificates are more scalable for large deployments)
- Choose encryption and hash algorithms (AES-256, SHA-256 or SHA-384) and perfect forward secrecy
- Confirm firewall rules allow VPN traffic (UDP 500, UDP 4500 for NAT-T, and ESP) if supported by your devices
- Plan DHCP/NAT considerations for remote sites (do you want to NAT VPN traffic, or route it through to the remote networks?)
Step-by-step: setting up IPsec site-to-site on EdgeRouter (Site A to Site B)
- Step 1: Access EdgeRouter administration
  - Log in to the EdgeRouter web UI, or use SSH for configuration.
  - Update to the latest stable firmware if you haven't recently, for security and bug fixes.
- Step 2: Define the networks
  - Site A LAN: 192.168.10.0/24
  - Site B LAN: 192.168.20.0/24
- Step 3: Create IPsec Phase 2 (ESP) proposals on both devices
  - Encryption: AES-256
  - Hash: SHA-256
  - DH group: 14 (2048-bit) or higher
  - Perfect Forward Secrecy (PFS): enabled
- Step 4: Create IKE Phase 1 proposals
  - Encryption: AES-256
  - Hash: SHA-256
  - DH group: 14
  - Authentication: pre-shared key or certificates
  - Lifetime: 28800 seconds (8 hours), or longer depending on policy
- Step 5: Configure the PSK or certificate
  - If using a PSK, pick a strong passphrase and share it securely between sites.
  - If using certificates, ensure the CA, certificates, and private keys are properly installed on both sides.
- Step 6: Define the VPN peer (remote gateway)
  - Remote WAN IP: the public IP of Site B
  - Local networks to be tunneled: 192.168.10.0/24
  - Remote networks allowed: 192.168.20.0/24
- Step 7: Set up the IPsec policy and tunnel
  - Create a tunnel (Phase 1 + Phase 2) with the chosen IKE and IPsec proposals
  - Bind it to the correct interface and ensure the tunnel uses the correct traffic selectors
- Step 8: Firewall and NAT rules
  - Allow IPsec ESP (and AH, if needed)
  - Allow UDP 500 (IKE) and UDP 4500 (NAT-T)
  - Add a rule to permit traffic between the Site A LAN and the Site B LAN through the VPN
- Step 9: Enable and test
  - Enable the VPN tunnel and monitor its status
  - Use ping or traceroute to confirm reachability between the remote subnets
- Step 10: Validate failover and failback
  - If you have multiple VPN tunnels or WAN links, test failover scenarios
  - Verify route tables and ensure traffic prefers the VPN path when available
Example configuration snippets (EdgeOS CLI form)
- IKE (Phase 1) group
  set vpn ipsec ike-group IKE1 proposal 1 encryption aes256
  set vpn ipsec ike-group IKE1 proposal 1 hash sha256
  set vpn ipsec ike-group IKE1 proposal 1 dh-group 14
  set vpn ipsec ike-group IKE1 lifetime 28800
- ESP (Phase 2) group
  set vpn ipsec esp-group ESP1 proposal 1 encryption aes256
  set vpn ipsec esp-group ESP1 proposal 1 hash sha256
  set vpn ipsec esp-group ESP1 pfs enable
  set vpn ipsec esp-group ESP1 lifetime 3600
- VPN peer on Site A (the peer is keyed by Site B's public IP or DDNS hostname)
  set vpn ipsec site-to-site peer site-b.example.com authentication mode pre-shared-secret
  set vpn ipsec site-to-site peer site-b.example.com authentication pre-shared-secret 'your-strong-psk'
  set vpn ipsec site-to-site peer site-b.example.com ike-group IKE1
  set vpn ipsec site-to-site peer site-b.example.com local-address <site-a-public-ip>
  set vpn ipsec site-to-site peer site-b.example.com tunnel 1 esp-group ESP1
  set vpn ipsec site-to-site peer site-b.example.com tunnel 1 local prefix 192.168.10.0/24
  set vpn ipsec site-to-site peer site-b.example.com tunnel 1 remote prefix 192.168.20.0/24
- VPN peer on Site B
  - mirror of the Site A config: peer keyed by Site A's address, local-address set to Site B's own public IP, local prefix 192.168.20.0/24, remote prefix 192.168.10.0/24
Note: Exact command syntax varies slightly by EdgeOS version. On the EdgeRouter X and the larger models the GUI layout is similar, but the commands differ if you configure over SSH, so always cross-check against the current UI or CLI reference.
Managing multiple sites and a hub (full mesh vs hub-and-spoke)
- Hub-and-spoke: one central site (the hub) connects to multiple remote sites. Each spoke has a separate IPsec tunnel to the hub, and spokes do not need direct VPNs to each other.
- Full mesh: Every site connects to every other site. This works but can get complex as you add sites.
- Best practice: Start with a hub-and-spoke design for simplicity, then expand if needed.
NAT considerations and double NAT
- If sites are behind NAT, use NAT-T (NAT Traversal) to keep IPsec functioning through NAT devices.
- Ensure NAT rules on each edge router don’t double-NAT internal VPN traffic; if possible, maintain direct routing between VPN endpoints.
Routing and firewall rules for VPN traffic
- Ensure routes exist so that traffic destined for the other site goes through the VPN tunnel.
- On EdgeRouter, you may need static routes or policy-based routing to guide traffic into the tunnel.
- Keep firewall rules strict by default and only allow traffic between the specified subnets.
Security best practices for IPsec VPNs
- Use strong authentication: PSK should be long and random; certificates are preferable for larger deployments.
- Use AES-256 encryption with SHA-256 or SHA-384 for integrity.
- Enable Perfect Forward Secrecy (PFS) for Phase 2 negotiations.
- Regularly rotate keys or PSKs and monitor VPN logs for unusual activity.
- Disable weak ciphers and ensure the device firmware is up to date.
- Consider enabling dead peer detection (DPD) to quickly detect failed tunnels.
Performance considerations and optimization
- VPN overhead reduces raw throughput. Expect a drop of roughly 10–40% depending on the hardware and cipher suite.
- Enable hardware acceleration where available on EdgeRouter models that support it.
- If latency matters, prefer shorter path routes and minimize the number of hops between sites.
- For high-throughput sites, consider splitting traffic or using multiple tunnels for load balancing.
Common issues and quick fixes
- Tunnel won't come up: double-check IP addresses and the PSK, and make sure both ends use the same IKE version (IKEv1 vs IKEv2) and matching proposals.
- Traffic not routing through VPN: verify route tables and firewall policy; ensure that the destination subnets are allowed.
- MTU issues and fragmentation: reduce MTU on tunnel interfaces if you see connectivity problems with large packets.
- NAT problems: confirm NAT-T is enabled and correct for both ends.
Quick troubleshooting checklist
- Validate tunnel status on both EdgeRouters
- Ping across sites from each LAN to verify connectivity
- Check IPsec logs for negotiation errors
- Confirm firewall rules permit VPN traffic
- Verify DNS resolution across sites if needed
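Reading the negotiation errors in the IPsec log is the quickest way to tell which item on this checklist is actually wrong. As an added example (not from this guide), the script below sorts log lines into those items. It assumes that EdgeOS's IPsec daemon is strongSwan's charon, which the guide does not state, and its sample lines are constructed after charon's message wording; check your own /var/log/messages for the exact text before relying on the patterns.

```python
"""Sort IPsec negotiation log lines into the troubleshooting checklist (added example).

EdgeOS runs strongSwan's charon daemon for IPsec (an assumption this guide does not
state), so the constructed sample lines below are worded after charon's messages as
they appear in /var/log/messages; compare with your own log for the exact phrasing.
Each pattern maps to the checklist item to look at first.
"""
import re
from collections import Counter

# (regex, checklist key) in the order they are tried; the first hit wins, so the
# "no IKE config found ... sending NO_PROPOSAL_CHOSEN" line is not misfiled as a proposal error.
PATTERNS = [
    (r"no IKE config found", "unknown-peer"),
    (r"NO_PROPOSAL_CHOSEN", "proposal-mismatch"),
    (r"MAC mismatched|AUTHENTICATION_FAILED", "auth-mismatch"),
    (r"traffic selectors .* unacceptable|no matching CHILD_SA config", "selector-mismatch"),
    (r"giving up after \d+ retransmits|retransmit \d+ of request", "unreachable"),
    (r"DPD|peer not responding", "dpd-timeout"),
]
ADVICE = {
    "unknown-peer": "peer address: the sender matches no configured peer; check peer and local-address on both ends",
    "proposal-mismatch": "IKE/ESP proposals: compare encryption, hash, DH group and IKE version on both ends",
    "auth-mismatch": "authentication: the PSK (or certificate) differs between the ends",
    "selector-mismatch": "traffic selectors: the local/remote subnets are not mirrored",
    "unreachable": "reachability: UDP 500/4500 blocked by a firewall or NAT, or the peer is down",
    "dpd-timeout": "dead peer detection fired: WAN flap or remote router restart",
}


def classify(line):
    """Checklist key for one log line, or None if it is not a known failure message."""
    for pattern, key in PATTERNS:
        if re.search(pattern, line):
            return key
    return None


def triage(lines):
    """Count failure categories over a log excerpt; lines that match nothing are not counted."""
    return Counter(k for k in map(classify, lines) if k)


SAMPLE_LOG = [  # constructed; addresses are from the documentation ranges
    "Mar  3 09:12:01 erx charon: 05[IKE] initiating IKE_SA peer-198.51.100.5-tunnel-1[3] to 198.51.100.5",
    "Mar  3 09:12:01 erx charon: 05[IKE] received NO_PROPOSAL_CHOSEN notify error",
    "Mar  3 09:15:44 erx charon: 07[IKE] tried 1 shared key for '203.0.113.1' - '198.51.100.5', but MAC mismatched",
    "Mar  3 09:20:10 erx charon: 09[IKE] traffic selectors 10.1.0.0/24 === 192.168.1.0/24 unacceptable",
    "Mar  3 09:25:30 erx charon: 11[IKE] retransmit 5 of request with message ID 0",
    "Mar  3 09:25:50 erx charon: 11[IKE] giving up after 5 retransmits",
    "Mar  3 09:26:00 erx charon: 12[IKE] no IKE config found for 203.0.113.1...192.0.2.77, sending NO_PROPOSAL_CHOSEN",
]

if __name__ == "__main__":
    for key, n in triage(SAMPLE_LOG).most_common():
        print(f"{n}x {key}: {ADVICE[key]}")
```

The categories deliberately follow the checklist rather than the daemon's own error codes: a retransmit storm, for instance, is a firewall or reachability problem regardless of which message ID timed out, and an `unknown-peer` hit from an address you do not recognise is worth a look on its own, since it means something other than your peer is trying to negotiate with the router.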
Encryption and privacy considerations in practice
- Your IPsec tunnel encrypts traffic between sites, but remember that endpoints still see each other’s public IPs and internal subnets.
- If you’re concerned about metadata, you may layer additional protections such as TLS-based applications or additional network segmentation.
Real-world tips from field experiences
- Keep a documented change log when you modify VPN settings; it helps during audits or when you troubleshoot.
- If you have dynamic IPs on either site, set up a DDNS service and keep IP updates aligned on both devices.
- Use a dedicated management VLAN for your EdgeRouters to isolate management traffic from VPN data traffic.
Advanced topics (optional)
- Certificate-based authentication: using a public or private CA to issue certs for IPsec peers
- Dual VPN paths: implementing two tunnels with different uplinks for redundancy
- IPv6 IPsec: if you’re running IPv6 in either site, ensure the IPsec setup supports IPv6 subnets
- IPv4-IPv6 translation needs: plan for mixed environments if one site uses IPv6 and the other doesn’t
Quick-start recap checklist (printable)
- Identify subnets at Site A and Site B
- Decide on the authentication method (PSK or certificates)
- Choose encryption, hashing, and DH groups
- Enable NAT-T if NAT is involved
- Create IPsec Phase 1 and Phase 2 proposals
- Define VPN peers and local/remote subnets
- Configure firewall rules to allow VPN traffic
- Test tunnel up and reachability across sites
- Validate routing and NAT behavior
- Implement monitoring and logging alerts
Best practices for long-term maintenance
- Schedule regular firmware updates to EdgeRouter devices
- Review VPN configurations after any network topology change
- Maintain a secure backup of VPN configurations
- Document the PSK or certificate lifecycles and rotation schedules
- Periodically test failover and recovery procedures
Related topics you might search for next
- EdgeRouter firewall rules and NAT
- IPsec with a certificate authority
- Hybrid WAN and VPN load balancing
- Site-to-site VPN with OpenVPN as an alternative
Frequently Asked Questions
What is a site-to-site VPN on Ubiquiti EdgeRouter?
A site-to-site VPN creates a secure, encrypted tunnel between two networks, allowing devices on each network to communicate as if they were on the same LAN, often using IPsec to protect traffic between sites.
Which EdgeRouter models support IPsec VPN natively?
Most EdgeRouter models support IPsec VPN, including popular models like EdgeRouter X, EdgeRouter 4, and EdgeRouter 6P. Check your firmware notes for IPsec feature support and any hardware limitations.
Do I need a static IP for VPNs?
Static IPs simplify setup because peers always know the remote endpoint. If you have a dynamic IP, you can use DDNS to keep the remote router updated with the current public IP.
Should I use PSK or certificates for authentication?
PSK is simpler for small setups but less scalable and harder to rotate securely. Certificates are more scalable for larger deployments and easier to automate.
How do I test a site-to-site IPsec VPN?
After configuring both sides, verify the tunnel status, ping devices on the opposite LAN, and check routes to ensure traffic routes through the VPN.
What should I do if the tunnel keeps failing to establish?
Check the IKE/IPsec phase negotiation parameters on both ends, confirm the PSK or certificates match, verify that remote subnets are correct, and ensure the firewall allows VPN traffic.
How can I ensure VPN traffic is routed correctly?
Add static routes or use policy-based routing to ensure traffic destined for the remote subnet goes through the VPN tunnel, and disable conflicting routes that cause leaks.
What are the common firewall rules needed for IPsec on EdgeRouter?
Allow:
- UDP 500 (IKE)
- UDP 4500 (NAT-T)
- ESP (IP protocol 50)
- AH (IP protocol 51) if needed, though ESP is typically enough
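To verify those rules against a real ruleset rather than by eye, here is an added example (not from this guide): a Python checker that reads the `set firewall ...` and `set interfaces ...` lines EdgeOS prints with `show configuration commands` (an assumed input format), evaluates the WAN_LOCAL chain first-match in rule order the way the firewall does, and reports which of the required flows would be dropped. The WAN_LOCAL name, the sample rules and the eth0 binding are constructed; AH is left out of REQUIRED because, as the answer says, ESP is usually enough.

```python
"""Check that an EdgeRouter WAN_LOCAL ruleset admits inbound IPsec (added example).

The flows are the ones listed above: UDP 500 (IKE), UDP 4500 (NAT-T) and ESP (IP
protocol 50); add AH (51) to REQUIRED if you use it. Input is the `set firewall ...`
and `set interfaces ...` form that `show configuration commands` prints on EdgeOS
(assumed). Rules are evaluated first-match in numeric order and then the ruleset's
default-action, as the firewall does; address restrictions inside rules are not
modelled. The ruleset name, the sample rules and the eth0 binding are constructed.
"""
import shlex

REQUIRED = {"udp/500 (IKE)": ("udp", 500), "udp/4500 (NAT-T)": ("udp", 4500), "esp (50)": ("esp", None)}


def parse_ruleset(lines, ruleset):
    """(default_action, {rule_number: {attribute: value}}) for one named ruleset."""
    default, rules = "drop", {}
    for raw in lines:
        parts = shlex.split(raw)
        if parts[:4] != ["set", "firewall", "name", ruleset] or len(parts) < 6:
            continue
        if parts[4] == "default-action":
            default = parts[5]
        elif parts[4] == "rule" and len(parts) >= 7:  # valueless leaves such as `rule 30 disable` get None
            attr, value = (" ".join(parts[6:-1]), parts[-1]) if len(parts) > 7 else (parts[6], None)
            rules.setdefault(int(parts[5]), {})[attr] = value
    return default, rules


def port_matches(spec, port):
    """EdgeOS port syntax: a number, a comma list, or ranges ("500,4500", "500-4500")."""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, proto, port):
    """Would this rule match a NEW inbound packet with the given protocol and port?"""
    if "disable" in rule:
        return False
    states = {k.split()[1] for k, v in rule.items() if k.startswith("state ") and v == "enable"}
    if states and "new" not in states:  # established/related-only rules never see the first IKE packet
        return False
    rproto = rule.get("protocol", "all")
    if rproto not in ("all", proto) and not (proto in ("tcp", "udp") and rproto == "tcp_udp"):
        return False
    spec = rule.get("destination port")
    return port is None or spec is None or port_matches(spec, port)


def missing_vpn_rules(lines, ruleset="WAN_LOCAL"):
    """Required flows the ruleset would not accept (an empty list means all are open)."""
    default, rules = parse_ruleset(lines, ruleset)
    missing = []
    for label, (proto, port) in REQUIRED.items():
        verdict = next((r.get("action", default) for _, r in sorted(rules.items()) if rule_matches(r, proto, port)), default)
        if verdict != "accept":
            missing.append(label)
    return missing


def local_ruleset_interface(lines, ruleset="WAN_LOCAL"):
    """Interface whose `firewall local` hook uses the ruleset, or None if it is not attached."""
    for raw in lines:
        parts = shlex.split(raw)
        if parts[:2] == ["set", "interfaces"] and parts[-4:] == ["firewall", "local", "name", ruleset]:
            return parts[3]
    return None


SAMPLE = [  # constructed: a typical WAN_LOCAL chain with the IPsec rules added
    "set firewall name WAN_LOCAL default-action drop",
    "set firewall name WAN_LOCAL rule 10 action accept",
    "set firewall name WAN_LOCAL rule 10 state established enable",
    "set firewall name WAN_LOCAL rule 10 state related enable",
    "set firewall name WAN_LOCAL rule 20 action drop",
    "set firewall name WAN_LOCAL rule 20 state invalid enable",
    "set firewall name WAN_LOCAL rule 30 action accept",
    "set firewall name WAN_LOCAL rule 30 description 'IKE and NAT-T'",
    "set firewall name WAN_LOCAL rule 30 protocol udp",
    "set firewall name WAN_LOCAL rule 30 destination port 500,4500",
    "set firewall name WAN_LOCAL rule 40 action accept",
    "set firewall name WAN_LOCAL rule 40 protocol esp",
    "set interfaces ethernet eth0 firewall local name WAN_LOCAL",
]
# The same chain with only port 500 opened and no ESP rule: a common half-finished setup.
INCOMPLETE = [l.replace("500,4500", "500") for l in SAMPLE if "rule 40" not in l]

if __name__ == "__main__":
    print("attached to:", local_ruleset_interface(SAMPLE))
    print("complete chain missing:", missing_vpn_rules(SAMPLE))
    print("incomplete chain missing:", missing_vpn_rules(INCOMPLETE))
```

Two details matter in practice and are what the checker models: the accept rule for established/related traffic that every WAN_LOCAL chain starts with does not admit the first IKE packet, so it must not be counted as opening UDP 500, and a drop rule with a lower number shadows a later accept, which the first-match evaluation catches. The rules govern the router's own `local` chain; traffic between the LANs flows through the tunnel's policies, not through WAN_LOCAL.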
How can I optimize VPN performance on EdgeRouter?
Use AES-256 with SHA-256, enable PFS, select strong DH groups, enable hardware acceleration if available, and keep firmware up to date. Minimize the number of tunnels to reduce overhead and ensure the WAN links have adequate bandwidth.
Can I run IPv6 over IPsec on EdgeRouter?
Yes, IPsec can carry IPv6 traffic if both sites support IPv6 routing and IPsec configurations include IPv6 properties. Ensure alignment of IPv6 subnets and firewall rules.
A Ubiquiti EdgeRouter site-to-site VPN lets you securely connect two or more sites over the internet using IPsec. In this guide, I'll walk you through what a site-to-site VPN is on Ubiquiti's EdgeRouter, why it's a smart move for growing networks, and how to set it up step by step. You'll also find practical tips, troubleshooting steps, and real-world considerations so your remote offices can communicate as if they're on the same LAN.
Introduction: what you’ll learn
- A quick understanding of how EdgeRouter site-to-site VPN works and when to use it
- A practical, step-by-step configuration workflow for two sites
- How to plan network subnets, choose encryption, and handle dynamic vs. static IPs
- Firewall and NAT considerations to keep the tunnel stable
- Common gotchas, troubleshooting tips, and performance expectations
- A thorough FAQ to cover typical questions beginners and pros alike ask
- Useful resources and references to deepen your setup
What is a site-to-site VPN on a Ubiquiti EdgeRouter?
A site-to-site VPN creates a secure, encrypted tunnel between two or more remote networks so devices at one site can reach resources at another as if they were on the same local network. EdgeRouter devices use IPsec (IKE to negotiate the tunnel and manage its keys, ESP to protect the data) to carry that traffic across the public internet. This is different from a client-to-site VPN, where a single user connects to a network; a site-to-site VPN is designed for continuous, automatic connectivity between entire networks.
Why use a site-to-site VPN between EdgeRouters?
- Secure inter-site connectivity: All traffic between sites is encrypted, protecting sensitive data as it traverses the internet.
- Centralized resource access: Remote sites can access file servers, printers, application servers, and other resources without exposing them to the wider internet.
- Network segmentation and security: You can segment traffic with firewall rules so only specific subnets communicate across the tunnel.
- Scalability: Add more sites by configuring additional IPsec peers, without reworking the entire network design.
- Reduced exposure: By keeping the traffic within a controlled tunnel, you reduce the risk of direct exposure to the public internet.
Prerequisites: what you’ll need before you begin
- Two EdgeRouter devices (or more, for multiple sites) running EdgeOS with IPsec support
- Public IP addresses for the WAN interfaces on both sides (static, or dynamic with a DDNS fallback)
- Known internal subnets for each site (the LAN ranges you want to route across the tunnel)
- Basic familiarity with the EdgeOS CLI or the Web UI
- A shared pre-shared key (PSK) or, if you're using certificates, a plan for certificate management
- Firewall rules that allow IPsec (ESP, AH, IKE) through the WAN and into the VPN interface
- A rough understanding of how you want to split traffic: full-tunnel (all site traffic through the VPN) or split-tunnel (only specific subnets)
Step-by-step: configure IPsec site-to-site VPN on EdgeRouter
Note: The exact UI labels can vary slightly by firmware version, but the underlying concepts and commands remain the same. I’ll show a practical CLI example that you can adapt to your environment.
Step 1 – Plan your network and gather details
- Document each site's LAN subnet (e.g., Site A: 192.168.1.0/24, Site B: 10.1.0.0/24)
- Record each site's public IP, or its dynamic hostname with a DDNS service
- Decide on the tunnel direction and routing: should Site A's 192.168.1.0/24 reach Site B's 10.1.0.0/24? Should Site A also reach other networks behind Site B?
- Choose your IPsec parameters: IKE group (DH group), encryption (AES-256), integrity (SHA-256), and the tunnel lifetime
- Decide on PSK or certificate-based authentication
Step 2 – Configure IPsec on Router A (left side)
Below is a representative example you can adapt. In EdgeOS the peer is keyed by the remote gateway's public IP (or DDNS hostname), so replace the addresses with your real ones, the group names with your own, and the PSK with something strong.
# Define the IKE (Phase 1) and ESP (Phase 2) groups
set vpn ipsec ike-group IKE-GROUP1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-GROUP1 lifetime 3600
set vpn ipsec esp-group ESP-GROUP1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP1 proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP1 pfs enable
set vpn ipsec esp-group ESP-GROUP1 lifetime 3600
# Configure the remote peer (Router B); the peer name is its public IP
set vpn ipsec site-to-site peer 198.51.100.5 description 'Router B'
set vpn ipsec site-to-site peer 198.51.100.5 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.5 authentication pre-shared-secret 'YOUR_STRONG_PSK'
set vpn ipsec site-to-site peer 198.51.100.5 ike-group IKE-GROUP1
set vpn ipsec site-to-site peer 198.51.100.5 local-address 203.0.113.1
set vpn ipsec site-to-site peer 198.51.100.5 tunnel 1 esp-group ESP-GROUP1
set vpn ipsec site-to-site peer 198.51.100.5 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 198.51.100.5 tunnel 1 remote prefix 10.1.0.0/24
# WAN interface: tell IPsec which interface terminates the tunnel and keep tunnel traffic out of the WAN NAT rule
set interfaces ethernet eth0 description 'WAN'
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
Commit and save:
commit
save
Step 3 – Configure IPsec on Router B (right side)
Use the mirror configuration from Router A: the same IKE and ESP groups, the peer keyed by Router A's public IP, local-address set to Router B's own WAN IP, and the tunnel's local and remote prefixes swapped (the local prefix is now Site B's LAN and the remote prefix is Site A's LAN).
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'YOUR_STRONG_PSK'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-GROUP1
set vpn ipsec site-to-site peer 203.0.113.1 local-address 198.51.100.5
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group ESP-GROUP1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 192.168.1.0/24
Step 4 – Ensure NAT and firewall rules permit VPN traffic
- Allow IPsec (IKE/ISAKMP and ESP) through the WAN on both sides
- Exclude VPN traffic from NAT where appropriate, or create a dedicated VPN firewall rule
Example firewall concept:
- Allow: ESP, IKE (udp/500) and NAT-T (udp/4500) on the WAN's local chain
- Keep a rule that drops all other inbound WAN-to-LAN traffic that is not part of the VPN
Step 5 – Verify the tunnel status and functionality
- On both routers, verify the tunnel state and IPsec SA status
- Check that the tunnel's routes are present (or the dynamic routes, if you're using a routing protocol)
- Test connectivity: ping from Site A to Site B and vice versa
- Validate that traffic bound for the remote subnet flows through the tunnel full-tunnel or only specific subnets if you implemented split-tunnel
Common verification commands (conceptual)
- show vpn ipsec sa
- show vpn ike sa
- show interfaces
- show firewall all
Step 6 – Fine-tuning and maintenance
- If you have dynamic IPs, add a Dynamic DNS (DDNS) entry on each site and configure the VPN to reference the updated IP when needed
- Consider enabling Dead Peer Detection (DPD) to quickly recover from a temporarily broken tunnel
- Schedule regular PSK rotation or, if you’re using certificates, manage certificate lifecycles
- Document changes so your team can troubleshoot quickly in the future
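To catch the mistakes that Steps 2 and 3 above, and the Phase 1/Phase 2 checklist earlier on this page, warn about (proposals that do not match, prefixes that are not mirrored, a PSK that differs or is too short, PFS or DPD left off, weak algorithms), here is an added example that is not part of this guide or of EdgeOS: a small Python audit that reads the `set vpn ipsec ...` lines of both routers (the form `show configuration commands` prints; an assumption about the input) and reports the inconsistencies. The two sample configurations are constructed, with a deliberate sha1 mismatch on Site B, and the group names IKE1 and ESP1 are mine.

```python
"""Audit two EdgeRouter IPsec site-to-site configs against each other (added example).

Checks what the steps above call for: identical IKE/ESP proposals and IKE version on
both sites, mirrored addresses and local/remote prefixes, one shared PSK of 20+
characters, PFS and DPD on, and no weak algorithms. Input is the `set vpn ipsec ...`
form that `show configuration commands` prints on EdgeOS (assumed; other lines are
ignored). The two sample configurations are constructed for this example.
"""
import shlex

WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"},
        "dh-group": {"1", "2", "5"}, "pfs": {"dh-group1", "dh-group2", "dh-group5"}}

def parse(lines):
    """{path_tuple: value} for each `set vpn ipsec` line, with quotes stripped."""
    cfg = {}
    for raw in lines:
        parts = shlex.split(raw)
        if parts[:3] == ["set", "vpn", "ipsec"] and len(parts) >= 5:
            cfg[tuple(parts[3:-1])] = parts[-1]
    return cfg

def subtree(cfg, prefix):
    """Entries below `prefix`, keyed by the remaining path."""
    n = len(prefix)
    return {p[n:]: v for p, v in cfg.items() if p[:n] == tuple(prefix)}

def proposals(group):
    """A group's proposals as a comparable set of (encryption, hash, dh-group)."""
    props = {}
    for path, v in group.items():
        if path[0] == "proposal":
            props.setdefault(path[1], {})[path[2]] = v
    return {(p.get("encryption"), p.get("hash"), p.get("dh-group")) for p in props.values()}

def weak_settings(site, cfg):
    """Flag algorithms and options that the best-practice list rejects."""
    out = [f"{site}: {' '.join(p)} {v} is weak" for p, v in cfg.items() if v in WEAK.get(p[-1], ())]
    out += [f"{site}: {' '.join(p[:-1])} has PFS disabled" for p, v in cfg.items() if p[-1:] == ("pfs",) and v == "disable"]
    for name in sorted({p[1] for p in cfg if p[0] == "ike-group"}):
        if ("ike-group", name, "dead-peer-detection", "action") not in cfg:
            out.append(f"{site}: ike-group {name} has no dead-peer-detection")
    return out

def peer(cfg):
    """(remote address, settings) of the first site-to-site peer in cfg."""
    addr = sorted({p[2] for p in cfg if p[:2] == ("site-to-site", "peer")})[0]
    return addr, subtree(cfg, ("site-to-site", "peer", addr))

def audit(lines_a, lines_b):
    """Findings for the pair; an empty list means the sites agree and use strong settings."""
    a, b = parse(lines_a), parse(lines_b)
    out = weak_settings("A", a) + weak_settings("B", b)
    (addr_a, pa), (addr_b, pb) = peer(a), peer(b)
    sel = lambda p, side: p.get(("tunnel", "1", side, "prefix"))  # tunnel 1 traffic selector
    if pa.get(("local-address",)) != addr_b or pb.get(("local-address",)) != addr_a:
        out.append("peer address and local-address are not mirrored")
    if sel(pa, "local") != sel(pb, "remote") or sel(pa, "remote") != sel(pb, "local"):
        out.append("tunnel 1 local/remote prefixes are not mirrored")
    psk = pa.get(("authentication", "pre-shared-secret"))
    if psk != pb.get(("authentication", "pre-shared-secret")):
        out.append("pre-shared secrets differ")
    elif psk is not None and len(psk) < 20:
        out.append("pre-shared secret is shorter than 20 characters")
    ike_a, ike_b = [subtree(c, ("ike-group", p.get(("ike-group",)))) for c, p in ((a, pa), (b, pb))]
    if proposals(ike_a) != proposals(ike_b) or ike_a.get(("key-exchange",)) != ike_b.get(("key-exchange",)):
        out.append("IKE proposals or key-exchange version differ between sites")
    esp_a, esp_b = [subtree(c, ("esp-group", p.get(("tunnel", "1", "esp-group")))) for c, p in ((a, pa), (b, pb))]
    if proposals(esp_a) != proposals(esp_b) or esp_a.get(("pfs",)) != esp_b.get(("pfs",)):
        out.append("ESP proposals or PFS setting differ between sites")
    return out

def site_config(local_ip, remote_ip, local_net, remote_net, esp_hash):
    """Constructed sample in EdgeOS command form (documentation addresses, hypothetical group names)."""
    p = f"set vpn ipsec site-to-site peer {remote_ip}"
    return [
        "set vpn ipsec ike-group IKE1 key-exchange ikev2",
        "set vpn ipsec ike-group IKE1 proposal 1 encryption aes256",
        "set vpn ipsec ike-group IKE1 proposal 1 hash sha256",
        "set vpn ipsec ike-group IKE1 proposal 1 dh-group 14",
        "set vpn ipsec ike-group IKE1 dead-peer-detection action restart",
        "set vpn ipsec esp-group ESP1 pfs dh-group14",
        "set vpn ipsec esp-group ESP1 proposal 1 encryption aes256",
        f"set vpn ipsec esp-group ESP1 proposal 1 hash {esp_hash}",
        f"{p} authentication mode pre-shared-secret",
        f"{p} authentication pre-shared-secret 'example-only-change-me-0123456789'",
        f"{p} ike-group IKE1",
        f"{p} local-address {local_ip}",
        f"{p} tunnel 1 esp-group ESP1",
        f"{p} tunnel 1 local prefix {local_net}",
        f"{p} tunnel 1 remote prefix {remote_net}",
    ]

SITE_A = site_config("203.0.113.1", "198.51.100.5", "192.168.1.0/24", "10.1.0.0/24", "sha256")
SITE_B = site_config("198.51.100.5", "203.0.113.1", "10.1.0.0/24", "192.168.1.0/24", "sha1")  # deliberate mismatch

if __name__ == "__main__":
    print(*(audit(SITE_A, SITE_B) or ["no findings"]), sep="\n")
```

Feed it the lines each router prints for `show configuration commands` and it reports both the cross-site disagreements (the classic "tunnel never comes up" causes) and the per-site weaknesses; the PSK comparison happens in memory only, so keep the captured command output out of tickets and chat, since it contains the secret in clear.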
Alternative approaches and considerations
- OpenVPN and WireGuard: EdgeRouter devices run IPsec natively, and it is the most widely used option for site-to-site VPNs. OpenVPN can be used as an alternative, but IPsec tends to be more robust for site-to-site, with better integration into routing. WireGuard is popular for remote-access VPNs and newer hardware; however, EdgeRouter support for WireGuard is not as universal as IPsec, so verify firmware capabilities if you're considering it for a new site-to-site deployment.
- Certificates vs. PSK: For stronger security and easier key management across multiple sites, consider certificate-based authentication instead of pre-shared keys. This involves setting up a PKI (Public Key Infrastructure) and issuing certificates to each EdgeRouter.
- Dynamic IPs: If your WAN IP can change, DDNS is your friend. You’ll configure a hostname on each side and reference it in the VPN peer settings so the tunnel can re-establish even if the public IP shifts.
- Redundancy: For mission-critical sites, add a secondary VPN peer or leverage a failover WAN link to keep traffic flowing if one WAN path goes down.
Performance considerations and real-world expectations
- Hardware matters: EdgeRouter models range from small, budget-friendly devices to more capable units. Performance for IPsec is closely tied to CPU power and memory. Higher-end models (for example, the ER-4 and above in some lineups) typically deliver better IPsec throughput and smoother tunnel handling than entry-level models.
- Encryption choice: AES-256 is strong and widely supported, but you’ll want to test your specific devices. In practice, AES-256 with SHA-256 tends to provide a good balance of security and performance. If latency is a concern, consider testing AES-128 as a baseline for performance comparisons, though you should maintain a strong security posture.
- Network design: If you’re routing all traffic between sites through the VPN, expect higher CPU usage on both routers. Consider optimizing routing or using dedicated links for heavy inter-site traffic if you see bottlenecks.
- Monitoring: Set up basic monitoring for tunnel uptime, MTU issues, and path stability. Small hiccups in WAN connectivity can cause VPN flaps. DPD and keep-alive settings can help mitigate this.
Security best practices
- Use a strong pre-shared key (minimum 20+ characters) or, better, authentication via certificates
- Enforce strong IKE and ESP proposals (AES-256, SHA-256, modern DH groups)
- Regularly rotate credentials and keep firmware up to date
- Limit remote access and enforce strict firewall rules to minimize exposure
- Log and monitor VPN activity to detect anomalies early
- Consider network segmentation so only necessary subnets cross the VPN
Common issues and quick fixes
- VPN tunnel not establishing: double-check the PSK, ensure the remote subnet is correct, confirm that both sides’ local-subnet and remote-subnet definitions align, and verify that the public IPs are reachable.
- Tunnel drops after a few minutes: verify WAN stability, enable DPD, and consider increasing the IKE/ESP lifetimes if the WAN path is flaky but the peer itself is reliable.
- Traffic not flowing to the remote subnet: confirm routing tables on both sides and ensure firewall rules are not inadvertently blocking traffic between the subnets.
- NAT traversal issues: ensure NAT-T is enabled in NAT-heavy environments, and check MTU settings to prevent fragmentation.
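The MTU and fragmentation advice above comes from arithmetic you can do yourself. As an added example (not from this guide), the following works out the ESP tunnel-mode overhead for the AES-256-CBC/SHA-256 proposals used throughout this page, the largest inner packet that still fits a 1500-byte WAN MTU, and the TCP MSS to clamp so that full-size segments never need fragmentation; the constants are the header sizes from the ESP and HMAC-SHA-256-128 specifications, and the extra UDP header that NAT-T adds is handled as an option.

```python
"""ESP tunnel-mode overhead and the TCP MSS to clamp on the LAN side (added example).

Figures are for the AES-256-CBC / HMAC-SHA-256 combination this guide recommends,
ESP in tunnel mode over IPv4; NAT-T wraps the ESP packet in an extra UDP header.
AES-GCM or IPv6 transport would change the constants, not the method.
"""
OUTER_IP = 20     # new IPv4 header added by tunnel mode
UDP_HDR = 8       # only with NAT-T (UDP 4500 encapsulation)
ESP_HDR = 8       # SPI + sequence number
AES_BLOCK = 16    # CBC IV length and padding granularity
ESP_TRAILER = 2   # pad-length + next-header bytes, inside the padded region
ICV = 16          # HMAC-SHA-256-128: the 128-bit truncated integrity check value


def esp_packet_size(inner_len, nat_t=False):
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after ESP encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK  # round up to the cipher block
    return OUTER_IP + (UDP_HDR if nat_t else 0) + ESP_HDR + AES_BLOCK + padded + ICV


def max_inner_packet(wan_mtu=1500, nat_t=False):
    """Largest inner packet whose encapsulation still fits the WAN MTU without fragmentation."""
    inner = wan_mtu
    while esp_packet_size(inner, nat_t) > wan_mtu:
        inner -= 1
    return inner


def tcp_mss(wan_mtu=1500, nat_t=False):
    """TCP MSS to clamp: the largest inner packet minus the IPv4 and TCP headers (40 bytes)."""
    return max_inner_packet(wan_mtu, nat_t) - 40


def overhead_percent(inner_len, nat_t=False):
    """Extra bytes on the wire relative to the inner packet, for throughput estimates."""
    return 100 * (esp_packet_size(inner_len, nat_t) - inner_len) / inner_len


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: max inner packet {max_inner_packet(nat_t=nat_t)} bytes, "
              f"clamp MSS to {tcp_mss(nat_t=nat_t)}, overhead {overhead_percent(1400, nat_t):.1f}% "
              f"at 1400 B and {overhead_percent(64, nat_t):.0f}% at 64 B")
```

With the defaults this gives an MSS of 1398 for a plain ESP tunnel and 1382 behind NAT-T, which is why clamps in the 1350–1400 range are the usual recommendation and why a clamp is safer than trusting path MTU discovery through ISPs that drop ICMP. On EdgeOS the knob is the `firewall options mss-clamp` setting (check the completions on your firmware for the exact interface-type and mss values). The small-packet figure also explains why a VoIP- or DNS-heavy link loses far more of its raw bandwidth than the 10–40% the performance section quotes for bulk transfers.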
Real-world deployment examples
- Small branch office to main office: two EdgeRouter devices with a single IPsec tunnel, monitoring via simple pings and a LAN-to-LAN route. This is common for SMBs needing quick, secure inter-site connectivity.
- Multi-site organization: hub-and-spoke topology. You can extend the IPsec tunnels to multiple branch sites, with central monitoring and consistent security policies across all links.
- Data center interconnect: use IPsec to extend a protected subnet across campuses, with firewall rules tightly controlling what traffic traverses the tunnel.
What to know about EdgeRouter models and IPsec capabilities
- EdgeRouter devices are popular for their balance of price and performance in small to medium networks.
- IPsec is a core feature, with built-in support for site-to-site connections. The exact throughput you get depends on your model, firmware version, and how heavily you’re NAT-ing or inspecting traffic.
- If you’re planning multiple tunnels or advanced routing, confirm your chosen model’s CPU performance and memory. For enterprises or high-traffic sites, you may look at higher-end EdgeRouter variants or consider a dedicated firewall appliance.
Useful tips to maximize your VPN setup
- Always test with a pilot site before rolling out to multiple sites
- Document every change; when you've got 3 or 4 sites, a quick reference sheet saves headaches later
- Maintain a rollback plan in case you need to revert configurations quickly
- Use monitoring to detect failing tunnels early, not after users start complaining
- Schedule periodic reviews of encryption settings to keep pace with security standards
URLs and resources (text only)
- Ubiquiti EdgeRouter official documentation
- Ubiquiti community forums for EdgeRouter IPsec setup
- IPsec and VPN best practices from major security guides
Frequently Asked Questions
What is a site-to-site VPN in simple terms?
A site-to-site VPN is a secure tunnel that links two networks so devices on one network can talk to devices on the other as if they were on the same LAN, with traffic encrypted as it travels over the internet.
Do I need static or dynamic IPs for site-to-site VPNs?
Static IPs are the simplest to configure for site-to-site VPNs, but you can use dynamic IPs with DDNS services. The key is having reliable IP address updates on both sides so the peers can locate each other.
Can I use certificates instead of a pre-shared key?
Yes. Certificates provide stronger authentication and easier key management when you're dealing with multiple sites. This requires setting up a PKI and issuing certificates to each EdgeRouter.
Is IPsec the only option for EdgeRouter site-to-site VPNs?
IPsec is the most common and widely supported option for site-to-site VPNs on EdgeRouter devices. OpenVPN and, in some environments, WireGuard can be considered, but IPsec remains the standard for site-to-site interconnects.
How do I know if my VPN is up and healthy?
Check the VPN status on both routers (IKE SAs and IPsec SAs), test connectivity with pings across the tunnels, and verify that traffic routes through the tunnel as intended.
What are split-tunneling and full-tunneling in a site-to-site VPN?
Split-tunneling sends only specific traffic across the VPN (e.g., certain subnets), while full-tunneling routes all traffic aimed at the remote site across the VPN. Your choice affects performance and security.
How do I handle dynamic WAN IPs?
Use DDNS on each site so the VPN peers can resolve updated IPs automatically. Update your VPN peer configuration to reference the DDNS hostname rather than a static IP.
What encryption should I choose for IPsec?
AES-256 with SHA-256 is a strong default choice. Depending on hardware and performance needs, you can test AES-128 for speed, but prioritize security with SHA-256 and a solid DH group.
How can I improve VPN reliability?
Enable DPD (Dead Peer Detection), use stable WAN links, and consider failover or backup tunnels. Regular maintenance and firmware updates also boost reliability.
What should I monitor after deployment?
Tunnel uptime, latency between sites, packet loss, MTU fragmentation, firewall hits, and the health of all routing paths. Set up alerts for any tunnel down events.
Can I have more than two sites in a single IPsec tunnel?
You can interconnect multiple sites by creating separate IPsec peers for each site. In some architectures, you might use a hub-and-spoke model with centralized routing.
How often should I rotate my authentication credentials?
Rotate PSKs periodically or refresh certificates before they expire. Establish a schedule (e.g., every 6–12 months for PSKs), as recommended by your security policy.
What are common mistakes to avoid with EdgeRouter IPsec?
Mismatched remote-subnet definitions, wrong PSK, firewall rules that inadvertently block VPN traffic, and inconsistent IKE/ESP parameters across peers. Double-check subnet scopes and peer addresses.
By following this guide, you'll be well on your way to a reliable, secure site-to-site VPN between Ubiquiti EdgeRouter devices. Whether you're linking a small office to your central site or expanding to multiple branches, the combination of IPsec customization, careful planning, and smart firewall rules will help you maintain fast, private intersite communication.