Which Unifi VPN should I be using here?

thecomputerguy

A client who isn't on MSP reached out to me to audit their VPN configuration. At the moment, they have a crappy ASUS Bestbuy special with the required ports opened up and the VPN Server is running on their Synology NAS using OpenVPN.

I know that punching a hole through their network and opening up the NAS to the world isn't a great idea, especially since (as far as I know) the NAS doesn't support MFA with OpenVPN.

So ... they are open to dropping the ASUS for a Ubiquiti UDM and setting up the VPN at a network level. I would REALLY, REALLY like to stay in the Ubiquiti Ecosystem because I'm familiar and comfortable with it. This company is VERY small ... 3-5 users. They need a VPN because their NAS stores something like 20 TB of data, so chopping up that data and using Sharepoint isn't really an option.

It looks like UB allows for the following VPN options: OpenVPN, Teleport (Mobile Only), WireGuard, and L2TP.

I'm feeling like the best option here is WireGuard but I'm not sure it supports 2FA through a Unifi Gateway ...

Am I on the right track here?

@YeOldeStonecat
@Sky-Knight
 
I pretty much stopped doing VPNs for the past several years...(thanks to 365)....but if I recall, with Unifi, the only VPN they have that supports MFA is their newer UID product. I have not played with it yet.
 

But punching a hole through the network into the NAS hosted VPN server is typically a no no right?

And when you were doing VPNs, what protocols were you typically using ... with or without Unifi?
 
Agreed, I would not port forward to a NAS, nor...anything internal these days. I just don't like port forwarding in today's crazy climate.

For clients large enough to have more servers and exposed services years ago, like RD Gateway, Exchange, etc...I'd usually have Untangle at the edge, I wanted a full UTM. And back then, Unifi gateways weren't really matured yet. With Untangle I did OpenVPN at first (which...they do have it supporting MFA), and then Wireguard when they released it...because it was lightweight and fast.

With Unifi gateways...didn't really do VPN...used them at simpler clients. I have site to site VPNs going for clients with multiple locations, but...mobile client to HQ, I maybe set up one or two, with OpenVPN ..back then...they're not using VPN anymore.

I'd be curious to see what this new UID service is.
 
You should use the WireGuard Option - it's set up with a Public/Private key pair so it's very secure.

WireGuard is pretty new, and the best, next comes OpenVPN, then in third place is L2TP. OpenVPN is generally fine to use, but avoid L2TP.


UID implements a full 2FA key system across not only the networking/Wifi/physical access portion of things, but also for VPN. A good option to use.
 