So recently we have started using Ubiquiti Unifi routers and access points. We have been using the Ubiquiti Unifi Security Gateway as our router of choice. While these are a great product there are some limitations with the GUI. For instance when you are trying to create a site to site VPN between USG’s if one is behind another router (NAT) then the VPN will not work. A simple box on the VPN page that allows you to enter your external IP address would solve the issue, but there isn’t one. So below i will detail how to set this up. It is actually not that hard.

Leave the quotes of all commands. Leave out the <> tags in commands.

  1. Create your VPN’s as normal, as if you were not behind a NAT. Do this through the Unifi Controller portal for each site. Use a manual IP Sec VPN.

    Site 1:
    Peer IP – The Public IP of site 2
    Local WAN IP – The Public IP of site 1 (This site)

    Site 2:
    Peer IP – The Public IP of site 1
    Local WAN IP – The Public IP of site 2 (This site)

  2. Log into the USG that you have behind a NAT, do this using Putty.
  3. Enter the IP address of the USG. For the credentials enter your ssh credentials from your cloud key. You make those during setup. You can also change them in the Controller software settings.
  4. Once in, enter the command “configure
  5. Then enter the following command “set vpn ipsec site-to-site peer <Remote USG Public IP> authentication id <Public IP (This site’s public IP)>
  6. Enter the command “commit;save;exit
  7. The VPN should start working after a few minutes. This change is temporary and will only work until the USG is provisioned again.
  8. To make this permanent, you need to upload the config to the controller.

Uploading the config file to the CloudKey

Install Filezilla and use the following settings to FTP into your CloudKey.

Host: IP of the cloud key

Username: ubnt

Password: SSH password of the site

Port: 22

  1. In The Tree structure find your site folder – /usr/lib/unifi/data/sites/site_ID (You can find the site ID by looking in the address bar of the controller when on that site EG.
  2. Download my Config File and edit to match your setup. 
  3. Change <Remote USG External IP> to the IP of your remote USG (the one not behind NAT)
  4. Then change <External IP Behind NAT(This site’s external IP)> to the external IP address of the site behind the NAT.
  5. When editing the file remove the <> but keep the “”.
  6. Drag the .JSON file into that folder
  7. All going well, re-provision your USG and everything should be working.

If you decide to use the code below and save the file yourself, you MUST name it config.gateway.json

Example config file

	"vpn": {
		"ipsec": {
			"site-to-site": {
				"peer": {
					"<Remote USG Public IP>": {
						"authentication": {
							"id": "<Public IP of NAT Site(This site's external IP)>"

Link to Config File