Connect Unifi USG to Azure using a Site-to-Site VPN

ajawzero
7 min read · Jun 22, 2021


So there are a few people who have documented this process, but I had to take bits and pieces from multiple articles to get it done. So I decided to write down the steps for how I did it (mostly so I can refer to them later), and hopefully they might help someone else reading this.

Configure Prerequisites

The Azure VPN Gateway takes the longest to provision, so it should be started early in the process. However, you’ll need a few prerequisites if this is a fresh Azure instance (as it is for me). If you already have a Resource Group and a Virtual Network, you can skip to the Azure VPN Gateway. These can also be created while provisioning the Azure VPN Gateway, because the wizard won’t let you finish without them, but let’s walk through them first to make it easier.

First, you need a Resource Group. Search for “Resource Group” in the search bar and select it.

Click “+Create.” Pick the Subscription to associate it with, enter a name for the resource group, and pick the region it will be in. Click “Review and Create.” If everything looks good, click “Create.”

Next, you’ll need a Virtual Network if you don’t have one. Search for “Virtual Network” and select it.

Click “+Create.” Select the Subscription, the Resource Group (the one you just created), and name the network. I’m using a generic name here to serve as my main network in Azure. Click “Next: IP Address” to configure the subnets and IP addresses.

Configure your main address space and a subnet. You’ll get another subnet later from the VPN Gateway (the GatewaySubnet), but if you’re going to use any VMs, you’ll need a subnet here for them to use. I skipped the Security tab options due to cost. Click “Review and Create” and then “Create.”

Configure an Azure VPN Gateway

Search for “virtual network gateway” and select it.

Click “+Create.” Select the Subscription and name the gateway. Select the region (same as your Resource Group and Virtual Network). You can leave the Gateway type as VPN and VPN type as Route-based.

If this is a lab or small business environment (like mine), make sure you select “Basic” for the SKU. This is the cheapest option, and you won’t need the higher-end SKUs.

Select the Virtual Network (the one created previously). It will pre-populate a Gateway subnet. You can modify it or keep the pre-populated one.

If you have a Public IP already, you can use it or create a new one. Pick a name for your Public IP and keep the other default options. Click “Review + Create” then “Create.”

Note: I ended up creating the connection in a different tenant which is why the Resource Group names might not match up. However, the steps are the same.

Create a Local Network Gateway

Search for “Local Network Gateway” and select it.

Click “+Create.” Enter a name for the local network gateway, your external IP address, and the address space for the on-prem resources. Make sure you select the resource group you created previously or where everything else is located. Finish the config and click “Create.”

Create an Azure VPN Connection

This requires your gateway, so check to make sure it has been deployed before going on. Search for “Connections” and select it.

Click “Create” and select the resource group, a “Site-to-site (IPsec)” connection, and name the connection. Hit “Next: Settings” to go to the next page.

Select the Virtual network gateway and the local network gateway that you created previously. Enter a complex PSK (pre-shared key). Do not follow my example in the screenshot! Uncheck “BGP”; you can leave the rest as default. Click “Review + create” and then “Create” to complete the deployment.
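The whole Azure side of the procedure above (resource group, virtual network with a VM subnet and a GatewaySubnet, public IP, Basic route-based VPN gateway, local network gateway, and the site-to-site connection) can also be built with the Azure CLI instead of portal clicks. The script below is an added example, not code from the original post; every name, the region, the on-prem public IP (203.0.113.10) and the on-prem LAN (192.168.1.0/24) are placeholders, while the Azure address space 10.11.0.0/16 is the one the post uses. It also generates a random pre-shared key rather than a typed one, so there is no weak PSK to copy from a screenshot.

```shell
#!/bin/sh
# Added example (not from the original post): the Azure objects the post
# creates in the portal, built with the Azure CLI. All names and on-prem
# values are placeholders; 10.11.0.0/16 is the VNet space used in the post.
set -eu

LOCATION="eastus"                 # placeholder region; use the same one for every resource
RG="rg-lab-vpn"                   # placeholder resource group name
VNET="vnet-lab"                   # placeholder virtual network name
GW="vgw-lab"                      # placeholder virtual network gateway name
PIP="pip-vgw-lab"                 # placeholder public IP name for the gateway
LNG="lng-home"                    # placeholder local network gateway name
CONN="s2s-home-to-azure"          # placeholder connection name
AZURE_SPACE="10.11.0.0/16"        # VNet address space (value from the post)
VM_SUBNET="10.11.1.0/24"          # subnet for VMs (constructed)
GW_SUBNET="10.11.255.0/27"        # GatewaySubnet; a /27 is the usual minimum (constructed)
ONPREM_PUBLIC_IP="203.0.113.10"   # placeholder: the USG's WAN (Local WAN IP) address
ONPREM_SPACE="192.168.1.0/24"     # placeholder: the LAN behind the USG

# Generate a 128-bit random PSK as 32 hex characters. Letters and digits only,
# so the same string is accepted unchanged by Azure and by the USG UI.
gen_psk() {
  od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

provision_azure_s2s() {
  psk=$(gen_psk)
  az group create --name "$RG" --location "$LOCATION"
  az network vnet create --resource-group "$RG" --name "$VNET" --location "$LOCATION" \
    --address-prefixes "$AZURE_SPACE" --subnet-name default --subnet-prefixes "$VM_SUBNET"
  # The gateway subnet must be named exactly "GatewaySubnet".
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name GatewaySubnet --address-prefixes "$GW_SUBNET"
  # The Basic gateway SKU needs a Basic, dynamically allocated public IP.
  az network public-ip create --resource-group "$RG" --name "$PIP" \
    --sku Basic --allocation-method Dynamic
  # Route-based VPN gateway, Basic SKU (cheapest). This is the slow step.
  az network vnet-gateway create --resource-group "$RG" --name "$GW" --location "$LOCATION" \
    --public-ip-address "$PIP" --vnet "$VNET" \
    --gateway-type Vpn --vpn-type RouteBased --sku Basic --no-wait
  az network vnet-gateway wait --resource-group "$RG" --name "$GW" --created
  # Local network gateway = the on-prem side: USG WAN IP and the LAN behind it.
  az network local-gateway create --resource-group "$RG" --name "$LNG" \
    --gateway-ip-address "$ONPREM_PUBLIC_IP" --local-address-prefixes "$ONPREM_SPACE"
  # Site-to-site IPsec connection with BGP off (the default) and the generated PSK.
  az network vpn-connection create --resource-group "$RG" --name "$CONN" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$psk"
  echo "Gateway public IP (enter as Peer IP on the USG):"
  az network public-ip show --resource-group "$RG" --name "$PIP" --query ipAddress -o tsv
  echo "PSK to enter on the USG: $psk"
  echo "Connection status (Unknown/NotConnected until the USG side is configured):"
  az network vpn-connection show --resource-group "$RG" --name "$CONN" \
    --query connectionStatus -o tsv
}

# Nothing is created unless the script is explicitly run with --apply.
if [ "${1:-}" = "--apply" ]; then
  provision_azure_s2s
fi
```

Run it as `sh azure-s2s.sh --apply` after `az login`. The public IP is only assigned once the gateway exists (dynamic allocation), which is why it is printed after the `wait`; the PSK is printed once so it can be typed into the USG and is otherwise stored only in the Azure connection object.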

Create and Configure Unifi USG Site-to-Site VPN

OK, so we’ve completed the Azure configuration, and now you need to log into your Unifi admin console. This part took me some trial and error the first time too, so hopefully this will help you here. If I didn’t list a setting, you can leave the default.

Go to Settings → Networks and click “+Create New Network.”

Name: Pick a name for your new network

Purpose: Site-to-Site VPN

Enabled: Enable this Site-to-Site VPN (this should be checked)

Remote Subnet: I used the entire subnet of the Azure Virtual Network (/16). In this case, it was 10.11.0.0/16. I tried using the subnet of the gateway but that didn’t work for me.

Peer IP: This is the public IP you created for your Azure Gateway.

Local WAN IP: This is your office/home public IP address.

Pre-Shared Key: This is the PSK you entered in for the Azure VPN connection.

IPsec Profile: Select Azure dynamic routing

Advanced Options:

Key Exchange: Select IKEv2

Hash: SHA1

IKE DH Group: 2

Under Advanced options, make sure you uncheck Perfect Forward Secrecy and Dynamic Routing. There’s a bug in the UI where these re-check themselves every time you open this config, so uncheck them, hit Save, and don’t go back.
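Two of the settings above are where address plans go wrong: the USG Remote Subnet has to cover the subnet your Azure VMs actually live in (which is why the /27 gateway subnet did not work as a remote subnet), and the on-prem LAN must not overlap the Azure address space. The following added example, written for this post rather than taken from it or from Ubiquiti, checks both in plain shell before you save the network. The /16 is the post’s value; the VM subnet and the on-prem LAN are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): a pure-shell sanity check of
# the address plan before the USG site-to-site network is saved.
set -eu

ip2int() {              # "10.11.1.0" -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_contains() {       # cidr_contains OUTER INNER: success if INNER lies inside OUTER
  outer_bits=${1#*/}; inner_bits=${2#*/}
  [ "$inner_bits" -ge "$outer_bits" ] || return 1
  if [ "$outer_bits" -eq 0 ]; then return 0; fi
  mask=$(( (4294967295 << (32 - outer_bits)) & 4294967295 ))
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

cidr_overlaps() {       # success if the two prefixes share any address
  cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}

check_plan() {          # check_plan REMOTE_SUBNET AZURE_VNET VM_SUBNET ONPREM_LAN
  # 1. The USG "Remote Subnet" must cover the subnet the Azure VMs live in,
  #    otherwise traffic to them is never selected for the tunnel.
  cidr_contains "$1" "$3" || { echo "remote subnet $1 does not cover VM subnet $3"; return 1; }
  # 2. The on-prem LAN and the Azure VNet must not overlap, or routing is ambiguous.
  ! cidr_overlaps "$4" "$2" || { echo "on-prem LAN $4 overlaps Azure VNet $2"; return 1; }
  echo "address plan OK: remote=$1 vnet=$2 vms=$3 lan=$4"
}

# Sample runs with the post's VNet (10.11.0.0/16) and constructed values.
check_plan 10.11.0.0/16   10.11.0.0/16 10.11.1.0/24 192.168.1.0/24            # whole VNet: OK
check_plan 10.11.255.0/27 10.11.0.0/16 10.11.1.0/24 192.168.1.0/24 || true    # gateway subnet as remote: fails
check_plan 10.11.0.0/16   10.11.0.0/16 10.11.1.0/24 10.11.3.0/24   || true    # LAN inside the VNet: fails
```

The second sample is the mistake the post describes: a remote subnet equal to the GatewaySubnet is a /27 that does not contain the /24 the VMs use, so the check fails before anything is typed into the USG.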

And that’s it. Check to make sure your connection is working by going to your Resource Group → Virtual Network Gateway → Connections.

Troubleshooting

So ironically, after publishing this article and following the steps in my own article, my site-to-site VPN failed to connect. So I’m going to add a troubleshooting section in here for people who might have the same issues. TL;DR: After hours of troubleshooting, the connection mysteriously connected using my original settings as I wrote in the article. I’m going to chalk it up to Unifi being buggy and quirky.

So the first troubleshooting step is to re-create the site-to-site VPN connection on the Unifi side. Make sure your Azure Public IP address and your ISP IP address are correct. Make sure Perfect Forward Secrecy and Dynamic Routing under Advanced Settings are unchecked.

If that doesn’t work, you can reset the “Connection” in Azure. It can be found in your “Resource Group.”

If that doesn’t help, you can use the VPN troubleshooting option. You’ll need a storage account and container which you can provision on-the-fly when you select it. You can use the same storage account and container on subsequent troubleshooting requests.

If that doesn’t give you information to help, you can reset the “Virtual Network Gateway.” This takes a while so go grab a cup of coffee while you wait.
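The same status check, VPN troubleshooting run (with its storage account and container) and gateway reset can be driven from the Azure CLI, which is handy when you are repeating them. The script below is an added example, not from the original post; the resource names are placeholders assumed to match what was provisioned earlier, and the storage account name must be globally unique. The connection reset itself is done in the portal as described above.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalents of the post's
# status check, VPN troubleshooting run and gateway reset. Names are placeholders.
set -eu

RG="rg-lab-vpn"; GW="vgw-lab"; CONN="s2s-home-to-azure"   # placeholders
SA="stlabvpndiag01"      # placeholder storage account (3-24 lowercase letters/digits, globally unique)
CONTAINER="vpndiag"      # placeholder container for the troubleshooting output

# Map Azure's connectionStatus values to an exit code a script can branch on.
connection_healthy() {   # connection_healthy STATUS
  case "$1" in
    Connected) return 0 ;;
    *) return 1 ;;       # Connecting, NotConnected, Unknown
  esac
}

show_status() {
  az network vpn-connection show --resource-group "$RG" --name "$CONN" \
    --query connectionStatus -o tsv
}

run_troubleshooting() {
  # Storage for the diagnostic output; created once and reused on later runs.
  az storage account create --resource-group "$RG" --name "$SA" --sku Standard_LRS
  az storage container create --account-name "$SA" --name "$CONTAINER"
  conn_id=$(az network vpn-connection show --resource-group "$RG" --name "$CONN" \
    --query id -o tsv)
  az network watcher troubleshooting start --resource-group "$RG" \
    --resource "$conn_id" --resource-type vpnConnection \
    --storage-account "$SA" --storage-path "https://$SA.blob.core.windows.net/$CONTAINER"
  # The result summary; the detailed logs land in the container.
  az network watcher troubleshooting show --resource-group "$RG" \
    --resource "$conn_id" --resource-type vpnConnection
}

reset_gateway() {        # slow: the gateway reboots, so expect several minutes of downtime
  az network vnet-gateway reset --resource-group "$RG" --name "$GW"
}

case "${1:-}" in
  status)        status=$(show_status); echo "$status"; connection_healthy "$status" ;;
  troubleshoot)  run_troubleshooting ;;
  reset-gateway) reset_gateway ;;
  *)             echo "usage: $0 status|troubleshoot|reset-gateway" ;;
esac
```

`sh vpn-diag.sh status` exits non-zero unless Azure reports `Connected`, so it can be polled after each change on the USG side instead of refreshing the portal blade.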

Finally, you can completely tear everything down by deleting everything in the “Resource Group” and re-provisioning everything by following the steps from the beginning. This was part of my troubleshooting but even after re-provisioning, it did not work. I reset the connections and did the troubleshooting. On my final troubleshooting request, it said “Successful” and I checked the connection to verify that the connection was good.

I also provisioned a VM and RDP’d to it using the internal IP address and was able to access it without issues.

Hopefully these troubleshooting steps help if you run into issues.
