Creating an SSID that is VPN-Connected

VPN
1

For work I sometimes need to VPN to another region to access geo-blocked assets or hit services from a local region.

Is it possible to setup an additional SSID on my Unifi setup, something like NETWORK-UK, which is connected to a UK-based VPN endpoint while my other SSID’s are still directly connected to the internet with no VPN? Is there a good guide on how to do this?

2

Yes, and its easy to do, first make a VLAN (it makes an additional network) then setup your VPN client to the VPN server you will connect to. Next make a routing rule for all traffic the VLAN to use the interface for the VPN. This will route the network over the VPN. Next make a new wireless network for your VLAN and bam you’re done👍

3

Couple questions:

  1. This would only work for layer 3 traffic right? Layer 2 (multicast/broadcast) wouldn’t flow over the VPN?

  2. Would you disable DHCP on the client side?

4

I’ll add my questions too as I pondered this also.

Could one AP run both VLAN SSID?

5

Okay, I figured it would be something like that. Any chance you know of a good guide somewhere on this, specifically the routing rules? I couldn’t find one - perhaps I need to write one.

6

Correct on point 1, it’s routed not bridged.

The VPN is a routed network, you will get a local IP and then that traffic is routed across the VPN so you cannot disable DHCP server on the local lan unless you intend to serve an address from a remote DHCP server which, unless you have a very specific reason to do so, just complicates matters. (Or unless you intend to go entirely manual IP assignment which would be weird but, OK!)

7

Yes most of Unifi’s APs can operate more than you’d likely use as a standard home user. As an example here are my WLAN networks:

  1. Standard home users (my wife and I)
  2. PhillyNet a VLAN with all WAN traffic routed over VPN to a network I manage in Philly for TV and other media Streaming
  3. UKNet same as Philly but to UK
  4. IoTLAN (2.4Ghz only) IoT device VLAN with WAN block, and only allowed connectivity to my HA server which is on its own VLAN
  5. Unifi Cameras VLAN
  6. Guest VLAN isolated except for communication to/from HA server

Now, I can run all that on a single AP, but it’s not necessary and I have multiple APs. Example my bedroom in wall AP only has the standard, Philly, and UK WLANs in it as nothing else is needed there.

8

I wish I had the time I’d make a guide for you, but sorry I’m not able to fit that in.

9

Excellent thanks for the info

I was wondering if I could have VPN VLAN/SSID earlier this month when watching the EURO2024.
I was thinking of adding up an IoT VLAN too. Just was waiting for the cloud gateway ultra to be delivered.

Now I just need to find some time between family and work to play around with that side!

I’m also dipping my toe in to HA

10

I waited for HA to mature a bit and have followed it for a while. This year felt like a good time and dude have I been right. They’ve had some great advancements in standard features in the last year. I think in the next two years it’ll finally have about everything I want. Also, a switch maker will be releasing new switches this fall/winter that I can hardly wait for. Inovelli if you’re interested. I plan on having most of what I can on Z-Wave.