Ubiquiti Dream Machine Pro VPN

I use a Ubiquiti Dream Machine Pro (UDM) as the firewall/router on my home LAN. It’s a very powerful machine[1], with a very good web-based UI[2] and an active support community[3].

One of the challenges I ran into setting up the UDM, though, was that I like to be able to access my home LAN remotely. That involves not only accessing the LAN but being able to send wake-on-LAN packets to the machines I want to interact with, since they tend to be asleep when I’m not at home :). I’d previously done that via a VPN provided by OpenVPN…but the UDM doesn’t support OpenVPN[4]. It does, however, make it pretty easy to configure a VPN within the Ubiquiti software.

This is a summary of the steps needed to get remote access through a UDM.

  • Set up a VPN on the UDM. There are instructions online on how to do this.
    • Choose L2TP as the VPN protocol. Others may work, but I haven’t tried them…because getting all the pieces of a VPN to play nicely with each other is a PITA.
    • You’ll want to put the VPN on a different subnet than the one the UDM uses. For example, my LAN is on the 192.168.1.0/24 subnet, so I put my VPN on 192.168.5.0/24 and made its gateway (the IP address visible to the remote clients after they authenticate into the VPN) 192.168.5.1.
    • Note the username, password and pre-shared key you define so you can enter them when you configure the VPN on the client side. Make the pre-shared key long and random: it secures the IPsec layer that everything else in this setup rides on, and anyone who learns it can attempt to authenticate against your UDM from anywhere on the internet.
  • Configure an always-on machine on the home LAN. This is necessary if you want to be able to wake machines on the LAN while you’re not at home, because broadcast packets (e.g., packets sent to 255.255.255.255 or 192.168.1.255) are not forwarded across subnet boundaries, so a VPN client sitting on 192.168.5.x cannot broadcast a wake-on-LAN packet onto 192.168.1.x. Or so reliable sources on the internet tell me :).
    • I use an old Raspberry Pi 3B+ for this because it uses very little power.
    • Install your favorite wake-on-LAN software package. I use WakeOnLAN.
    • Make sure you have sshd installed on this machine so you can ssh into it over the VPN and execute the wake-on-LAN commands. For a box that is always on, key-based authentication rather than passwords is the sensible default.
  • Configure each client machine you want remote access from with the VPN server address and the proper credentials. This is reasonably straightforward under iOS and Windows 10/11.
    • Use L2TP as the VPN protocol.
    • The server address in this context is the external (WAN) IP address of the UDM, not its LAN address.
    • If, like me, that external IP address is subject to change (e.g., fiber, cable) you’ll need a dynamic DNS service like www.no-ip.com to map a hostname of your choosing to your current external IP address. Note that to keep that mapping up to date you’ll have to install a dynamic DNS update client on your “always on” machine which periodically informs the service what the external IP address is. Or you could just keep it updated manually, as in my experience those dynamic IP addresses don’t change very often.
    • The credentials will involve a username, password, and pre-shared key, all of which were defined when you set up the VPN in the UDM.
    • For Windows you need to make an important tweak to the default VPN configuration which can only be made through Network & Internet Settings -> Advanced Network Settings -> More Network Adapter Settings.
    • Right click the VPN you defined and select Properties -> Security. Make sure Allow these protocols and Microsoft CHAP Version 2 (MS-CHAP v2) are selected. Click OK to store the change and back out. If you don’t do this Windows won’t be able to authenticate against the UDM’s VPN. MS-CHAP v2 is a weak authentication protocol on its own; it is tolerable here only because the L2TP session, and with it the MS-CHAP v2 exchange, is wrapped in IPsec protected by the pre-shared key.
  • Every time you log into the VPN under Windows you’ll need to set up a route to your home LAN, because the VPN gives your client an address on 192.168.5.0/24 and Windows has no way of knowing that 192.168.1.0/24 sits behind the tunnel.
    • The manual way to do this is by entering the following at an elevated command prompt (PowerShell works fine, too). For my setup I use

      route add 192.168.1.0 mask 255.255.255.0 192.168.5.1

      The general pattern is

      route add <your home LAN address starting point> mask <your subnet mask> <the VPN gateway>

    • A better way is to configure the VPN connection so it automatically adds the necessary route when it comes up (thanks to chris-itg over on reddit for this). You apparently can’t do this through the UI but you can do it through PowerShell:

      Add-VpnConnectionRoute -ConnectionName "<VPN connection name>" -DestinationPrefix "192.168.1.0/24"

      The VPN connection name is the one you assigned when you created the VPN (it is what Get-VpnConnection lists under Name). The route only matters when the connection uses split tunneling (Get-VpnConnection shows SplitTunneling : True); with split tunneling off, Windows sends all traffic through the tunnel anyway and no extra route is needed.
  • On iOS you don’t need to do anything special regarding routing because, by default, iOS VPN connections send all traffic over the VPN once it’s running.
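The Windows side of the procedure above, collected into one script that can be run from an elevated PowerShell prompt. This is an added example, not code from the original post or from Ubiquiti: the connection name, the dynamic DNS hostname, the address of the always-on Raspberry Pi, its user name and the MAC address to wake are all assumed placeholders, while the 192.168.1.0/24 LAN, the 192.168.5.1 VPN gateway, L2TP, pre-shared key and MS-CHAP v2 come from the post.

```powershell
# Added example (not from the original post). One-shot client setup for the UDM's
# L2TP/IPsec VPN on Windows 10/11; run from an elevated PowerShell prompt.
$ConnectionName = 'HomeUDM'             # assumed: any name, but it must match the later cmdlets
$ServerAddress  = 'example.ddns.net'    # assumed: dynamic DNS hostname pointing at the UDM's WAN address
$HomeLan        = '192.168.1.0/24'      # the post's home LAN behind the UDM
$PiAddress      = '192.168.1.10'        # assumed: LAN address of the always-on Raspberry Pi
$PiUser         = 'pi'                  # assumed: account on the Pi with the wake-on-LAN tool installed
$WakeMac        = '00:11:22:33:44:55'   # assumed: MAC address of the machine to wake

# The pre-shared key is prompted for rather than hard-coded in the script.
$PskSecure = Read-Host -Prompt 'IPsec pre-shared key (as defined on the UDM)' -AsSecureString
$Psk       = [System.Net.NetworkCredential]::new('', $PskSecure).Password

# Same settings the post reaches by hand in the adapter Properties dialog:
# L2TP tunnel, pre-shared key, MS-CHAP v2, encryption required. -SplitTunneling is
# what makes the route below necessary (and effective): without it Windows routes
# all traffic through the tunnel and no per-LAN route is needed.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerAddress `
                  -TunnelType L2tp `
                  -L2tpPsk $Psk `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -RememberCredential `
                  -Force

# Persistent replacement for "route add 192.168.1.0 mask 255.255.255.0 192.168.5.1":
# Windows re-installs this route every time the connection comes up.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $HomeLan

# Sanity check the stored configuration before the first connection attempt.
$vpn = Get-VpnConnection -Name $ConnectionName
if ($vpn.TunnelType -ne 'L2tp' -or -not $vpn.SplitTunneling) {
    throw "Unexpected VPN settings: TunnelType=$($vpn.TunnelType) SplitTunneling=$($vpn.SplitTunneling)"
}
$vpn.Routes | Format-Table DestinationPrefix, RouteMetric

# Connect with the VPN user defined on the UDM (rasdial syntax: entry user password).
$VpnUser = Read-Host -Prompt 'VPN username'
$VpnPass = Read-Host -Prompt 'VPN password' -AsSecureString
rasdial $ConnectionName $VpnUser ([System.Net.NetworkCredential]::new('', $VpnPass).Password)

# Verify the home LAN is now reached through the tunnel, not the local default gateway,
# and that the always-on Pi answers on its ssh port across it.
Get-NetRoute -DestinationPrefix $HomeLan -ErrorAction Stop |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias
Test-NetConnection -ComputerName $PiAddress -Port 22

# Wake a LAN machine from the Pi. The VPN client itself sits on 192.168.5.0/24, so a
# magic packet broadcast from here would never reach 192.168.1.255; the Pi, being on
# the LAN, can broadcast it. Assumes Windows' bundled OpenSSH client and the Debian
# 'wakeonlan' package on the Pi (substitute whatever wake-on-LAN tool you installed).
ssh "$PiUser@$PiAddress" "wakeonlan $WakeMac"
```

If Get-VpnConnection reports SplitTunneling : False on a connection created through the Settings UI, `Set-VpnConnection -Name <name> -SplitTunneling $true` switches it over before adding the route; with split tunneling off the route is simply never consulted.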

  1. frankly, overkill for the home environment…but that’s what being a geek is all about. 

  2. although it does change frequently 

  3. which compensates for the relatively poor/missing documentation 

  4. at least not easily 
