UniFi VPN Proxy Service configuration

A VPN proxy is a monthly service that allows you to establish a secure VPN tunnel connection from your devices out to some servers in a data center somewhere. This VPN tunnel does a number of things – first, it protects your data from anyone who may be snooping on the network – for example, if you’re connected to the public WiFi at a coffee shop, hotel, or airport, using a VPN proxy service basically puts up a wall around your web surfing so that no one is able to take a look at your traffic. When used at home, a VPN proxy service helps protect your privacy from your ISP who may be interested in selling your data and surfing habits to advertisers.

A VPN proxy service also allows you to supposedly bypass geographic network restrictions in order to view content on the web that may not be available to your own geographic location. For example streaming services such as Netflix have different content for different countries, and if you appear to be coming from a different country, you can get some different content. Though – to be quite honest, I have found that most of these streaming services block content from blocks of IP’s that are known to be owned by popular VPN proxy services.

HULU blocking traffic from a VPN proxy service.

*** NOTE: Private Internet Access does have special ‘US East/West Streaming Optimized’ servers that supposedly give you full access to all of the most popular streaming services, though I have not tested these myself.

My favorite VPN proxy service is Private Internet Access. I have been using them for well over 5 years. They’re super easy to set up and use, surfing through their VPN servers is almost unnoticeable when compared to surfing without the VPN enabled, and most importantly, Private Internet Access has a proven 100% no-usage-logs policy that has been tested in court numerous times. Whenever I’m connected to the Internet at a location that is NOT my home Internet, I have Private Internet Access enabled.

Check out Private Internet Access here for as low as $2.03/mo:

Using Private Internet Access is super simple from your devices, but what if you wanted a smart light bulb to use it? Or your Roomba? Or you just want a secure WiFi network available without having to think about connecting to the VPN proxy service? That’s where we can use the VPN Client functionality in UniFi to do some fancy configurations with Private Internet Access or any other VPN proxy service that allows you to connect with OpenVPN. Let’s get started!

Private Internet Access Setup

Once you have logged into the Private Internet Access dashboard by surfing to PrivateInternetAccess.com and logging in, click on ‘Downloads’ and then scroll all the way to the bottom of the page.

Click on Downloads and scroll to the bottom.

Here we’re going to want to create an OpenVPN configuration file to use in UniFi, so click on the OpenVPN Generator:

In the OpenVPN Generator, click on ‘Linux,’ and then scroll down and select the geographic location you want to connect to. Some of the servers are directly tied to a specific country or city, and some of the servers appear to be more generally load balanced in a certain region – such as the US East and US West server options. For this tutorial, I’m going to choose ‘US West.’

You can leave the port selection default, and then click ‘Generate.’

This will prompt your browser to download a file with a .ovpn extension (OpenVPN configuration file). Save that file in a secure location – you’re going to need it for the UniFi configuration. You’ll also need to make note of your PIA username and password.
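Before uploading the profile, it is worth checking what it actually asks OpenVPN to do. The following is an added example, not code from this post, from PIA or from Ubiquiti: it parses a .ovpn file and flags settings a defender would want to review (missing CA, no server-certificate check, weak data cipher or HMAC, missing auth-user-pass). The embedded sample profile is constructed for illustration and is not a real PIA file.

```python
import re

# Constructed sample profile (not a real PIA file); host and CA are placeholders.
SAMPLE_OVPN = """\
client
remote us-west.example.invalid 1198
cipher aes-128-cbc
auth sha1
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

WEAK_CIPHERS = {"bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "none"}
WEAK_AUTH = {"md5", "none"}

def parse_ovpn(text):
    """Split a profile into directives {name: [args, ...]} and inline <tag> blocks."""
    directives, blocks, tag, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if tag:                                  # inside <tag> ... </tag>
            if line == f"</{tag}>":
                blocks[tag], tag = "\n".join(body), None
            else:
                body.append(line)
        elif m := re.fullmatch(r"<([a-z0-9-]+)>", line):
            tag, body = m.group(1), []
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def lint_ovpn(text):
    """Return findings worth reviewing before upload; an empty list means none."""
    d, b = parse_ovpn(text)
    findings = []
    if "ca" not in b and "ca" not in d:
        findings.append("no CA certificate: the server's identity cannot be verified")
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("no remote-cert-tls: any cert the CA issued passes as a server")
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: the username/password entered in UniFi is unused")
    ciphers = [c for a in d.get("cipher", []) + d.get("data-ciphers", [])
               for c in ":".join(a).lower().split(":")]
    findings += [f"weak data cipher: {c}" for c in ciphers if c in WEAK_CIPHERS]
    findings += [f"weak HMAC auth: {a[0]}" for a in d.get("auth", []) if a and a[0].lower() in WEAK_AUTH]
    return findings
```

Run `lint_ovpn(open("your-file.ovpn").read())` on the downloaded profile; anything it returns is a question for the provider, not a reason to edit the file by hand.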

UniFi VPN Client configuration

The next step is to set up our Private Internet Access account as a VPN Client in UniFi – if you’d like a refresher on the 5 types of VPN in UniFi, be sure to check out my recent video where I go over each different type, and where they should be used:

*** NOTE: In this tutorial, I’m using UniFi Network version 7.5.176 running on a UniFi Dream Router (UDR) with UniFi OS version 3.1.16. If you’re viewing this tutorial on a different version, things may be *slightly* different than what I show here.

To get to the VPN Client settings, log into UniFi Network, click on ‘Settings’ and then click on Teleport & VPN.

Settings –> Teleport & VPN

There are 4 different VPN tabs across the top of the Teleport & VPN page – click on the 3rd tab ‘VPN Client.’

VPN Client tab

Here’s where we input all of our Private Internet Access info:

Name: Can be whatever – just describe the connection
Username: Your PIA username (usually in the format pXXXXXXX)
Password: Your PIA password

Then click ‘Upload’ and upload the PIA .ovpn configuration file that we downloaded in the previous step.

Once you have everything in place, click ‘Test & Save’ at the bottom. This may take a while (sometimes a minute or two). If the ‘Test & Save’ button seems to stall out…after about 2 minutes, you can click onto a different menu item, and then click back onto Teleport & VPN –> VPN Client tab, and you should see that the VPN Client connection out to Private Internet Access has been enabled:

Success!

What now?

OK – so, we have our VPN Client connection out to Private Internet Access up and running – what now? Well – that depends on how you want to use the VPN connection. I wouldn’t recommend simply using it for ALL traffic out of your network since the connection, while relatively solid, isn’t 100% solid. There are times where it will get disconnected and will have to be reconnected to work again – that’s just the nature of this kind of VPN connection.

So I’m going to show you 3 different ways you can use this:

  1. Device specific – send all traffic from a specific device (such as your smart phone) through the VPN Client connection
  2. URL specific – send all traffic to specific domains through the VPN Client connection
  3. Network specific – create a ‘secure’ network that allows any device connected to surf through the VPN Client connection

Let’s get started with a device specific connection!

Device Specific VPN Client Connection

Let’s say you want your smart phone, or a smart TV, or your IoT robot vacuum to always use the secure VPN Client connection out to the Internet. This can be done by creating a Traffic Route. Before we go too far though, let’s set a baseline for our testing – using a smart phone as the example here, connect to your WiFi and navigate to https://whatismyip.com. You should see the WAN IP address that your ISP gives you – whether this is a static or dynamic IP.

https://whatismyip.com results

If you further surf to PIA’s VPN test page at https://privateinternetaccess.com/what-is-my-ip, you should see that you are UNPROTECTED. Notice that this page also shows you your ISP, general location, browser, OS, and screen resolution – you give away a LOT of information when just surfing around the web!

Now we have our baseline…let’s tell UniFi that our phone should ALWAYS use the PIA VPN Client connection. To do that in UniFi Network, navigate to Settings –> Routing.

Settings –> Routing

In this case, we’ll want to use the following settings:

What to Route? All Traffic
On: (Select your device from the list) – note that you can select multiple devices here – you don’t need to create a separate rule for each device.
Interface: VPN (the name of the VPN Client we set up in the last step)
Description: Whatever you want

Click ‘Add Entry’ at the bottom when done. It may take a few seconds for the routing to take effect. But – after a few seconds, if we go back to https://whatismyip.com we should see some new info:

Now protected with PIA!

If we also go back to PIA’s test page, we should see that not only has our IP address changed to something other than our actual WAN IP, we are now protected by PIA!

Success!

Why does this matter?

No doubt the first question someone may ask is why does this matter? Well – here’s the thing…when you surf around the web unprotected, your ISP has a way of connecting your home or business IP address (they know who they gave each IP address to) to the websites that you’re surfing to. This is valuable information to sell to advertisers in order to target you with more effective advertising so that you buy more stuff. There are other reasons to protect your devices as well, but when surfing from home, I’m not nearly as concerned about people spying on my network traffic since I control the network.

When you’re surfing through a secure VPN proxy connection, your ISP has no way of linking where you’re surfing with who you are, and therefore they get no useful information, and your privacy is increased.

URL Specific VPN Client Connection

Instead of creating Traffic Routes for specific devices that are connecting out to the web, let’s now set up a rule that protects any traffic destined for specific domains. For example, if you were using the PIA ‘Streaming Optimized’ servers and wanted all of your Netflix traffic to use the PIA connection, you would set up a Traffic Route so that netflix.com uses the PIA VPN Client connection – let’s set it up!

In UniFi Network, navigate to Settings –> Routing and use the following settings:

What to Route? Specific Traffic
Category: Domain Name
Domain Name: Add some domains – I’m going to add netflix.com and privateinternetaccess.com – note that you can also specify ports here
On: All Devices
Interface: VPN (the name of the VPN Client we set up in the last step)
Description: Whatever you want

Click ‘Add Entry’ at the bottom to apply this rule – it may take a few moments to start working.

Let’s test! If I surf to https://whatismyip.com I should see the WAN IP address that my ISP gave me (if you’re surfing with the same device from the previous rule we set up, you may have to delete that rule to see this).

Whatismyip.com is NOT routed through the PIA VPN Client because I didn’t add that domain to the list!

You should be seeing your actual WAN IP because https://whatismyip.com is NOT one of the domains that we added to our domain traffic routing rule. So far so good – let’s try surfing to the https://privateinternetaccess.com/what-is-my-ip test page:

Success! This domain is using the PIA VPN Client connection because it’s on the domain list!

And there we go – we get a different WAN IP here and PIA is telling us that we’re protected because we have added privateinternetaccess.com to the list of domains that we’re routing through the VPN Client connection.

Network Specific VPN protection

OK – one more example. Let’s say that most of the time you just want to surf normally through your ISP’s connection, but *sometimes* you want to connect to a wired or wireless network that routes ALL traffic through the VPN client tunnel. Or you want to create a network where any wired or wireless device connected will be routed through VPN – to do that, we need to set up a separate network VLAN and WiFi SSID.

In my UDR, I have 2 networks set up with 2 separate wireless SSID’s – Dreamy and Dreamy Guests. Dreamy is my standard WiFi network for my default LAN, and Dreamy Guests is for – you guessed it – guests.

First, we’re going to start by creating a new VLAN – a totally separate network that is specifically going to be used for our PIA VPN Client connectivity. We’ll call this network Dreamy Secure. In UniFi Network, navigate to Settings –> Networks, and then click ‘New Virtual Network.’

Give the network a name, and then UNCHECK ‘Auto-Scale Network.’ You could technically leave this set to Auto-Scale, but I prefer to have full control over my IP addressing and VLAN ID settings, so we’re going to set those manually for the purposes of this tutorial.

For the host address, I’m going to change the network subnet to 192.168.53.1/24 – again this is just personal preference. The 3rd octet (the 53 in 192.168.53.1) is going to match the VLAN ID. (53 as in the first two letters of SEcure – the SE is 53 – helps me remember).

Now let’s switch ‘Advanced’ from Auto to Manual so that we open up some more settings.

I’m going to set the VLAN ID to 53 (again – personal preference here – you can set it to whatever you want as long as it doesn’t overlap with any other existing VLAN ID’s).

I’m also going to set the DHCP server Range to Start: 192.168.53.10 and Stop: 192.168.53.254. This means that most of the IP addresses in this network are available to DHCP devices (automatically assigned), but I am also leaving 2-10 available to set onto devices statically if I want. Click ‘Add’ when done.
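A quick way to sanity-check the VLAN and DHCP choices above before clicking ‘Add.’ This is an added example, not code from this post or from Ubiquiti: it confirms the new VLAN ID is unused, the subnet does not overlap an existing network, the gateway sits outside the DHCP range, and it lists the addresses left for static assignment. The post names the Dreamy and Dreamy Guests networks but not their subnets or VLAN IDs, so those two entries are assumed values.

```python
import ipaddress

# Constructed inventory: the post names Dreamy (LAN) and Dreamy Guests but not their
# subnets or VLAN IDs, so these two entries are assumed values for illustration.
EXISTING = {"Dreamy": (1, "192.168.1.1/24"), "Dreamy Guests": (2, "192.168.2.1/24")}
# The new secure network exactly as the post configures it.
NEW = {"name": "Dreamy Secure", "vlan": 53, "gateway": "192.168.53.1/24",
       "dhcp_start": "192.168.53.10", "dhcp_stop": "192.168.53.254"}

def _parts(new):
    """Gateway interface plus the DHCP start/stop addresses as ipaddress objects."""
    gw = ipaddress.ip_interface(new["gateway"])
    return gw, ipaddress.ip_address(new["dhcp_start"]), ipaddress.ip_address(new["dhcp_stop"])

def check_vlan_plan(existing, new):
    """Return a list of problems with the planned network; an empty list means consistent."""
    problems = []
    gw, start, stop = _parts(new)
    net = gw.network
    if not 1 <= new["vlan"] <= 4094:
        problems.append(f"VLAN ID {new['vlan']} is outside 1-4094")
    for name, (vid, cidr) in existing.items():
        if vid == new["vlan"]:
            problems.append(f"VLAN ID {vid} is already used by {name}")
        if net.overlaps(ipaddress.ip_interface(cidr).network):
            problems.append(f"subnet {net} overlaps {name} ({cidr})")
    if start not in net or stop not in net:
        problems.append("DHCP range is not inside the subnet")
    elif start > stop:
        problems.append("DHCP start is after DHCP stop")
    elif start <= gw.ip <= stop:
        problems.append("gateway address falls inside the DHCP range")
    elif stop == net.broadcast_address:
        problems.append("DHCP range includes the broadcast address")
    return problems

def static_pool(new):
    """Usable addresses left outside the DHCP range for static assignment."""
    gw, start, stop = _parts(new)
    return [str(h) for h in gw.network.hosts() if h != gw.ip and not start <= h <= stop]
```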

OK – so now we have our new secure network created as VLAN ID 53. Let’s add a wireless SSID on top. Navigate to Settings –> WiFi. Click ‘Create New’ to add a new WiFi SSID.

The name of the network is the SSID that will be broadcast to your devices, so choose that carefully – I’m calling mine ‘Dreamy Secure.’ You’ll also want to set a nice strong WiFi password.

For the network, you’ll want to select the VLAN that we just created – in my case, it’s called ‘Dreamy Secure.’ Everything else can be left default. Click ‘Add WiFi Network’ when done.

OK – so we now have our secure network VLAN and WiFi network – but it is not yet associated with the PIA VPN Client functionality. Click on Settings –> Routing. For the purposes of this tutorial, I’m going to delete my previous routing rule for routing specific domains through PIA. That means we can now start fresh with the Traffic Routes. Use these settings to route all Dreamy Secure network traffic through the PIA VPN Client:

What to Route? All Traffic
On: Dreamy Secure (our secure VLAN)
Interface: VPN (the PIA VPN Client we created)
Description: Whatever you want.

Should look like this when finished:

Click ‘Add Entry’ and we’re all set! Now, any device that connects to the Dreamy Secure network will go through our PIA VPN Client – let’s test!

Connect a device such as your smart phone to the Dreamy Secure WiFi. Then open up https://whatismyip.com. You should see a WAN IP that is different than the one your ISP handed out to your firewall.

Let’s also test by going to https://privateinternetaccess.com/what-is-my-ip:

Once again, you should see PIA’s notification that you’re protected, and the IP address should be PIA’s, not your own ISP’s WAN IP.

So excellent! Now wireless devices can use our PIA connection. But what about wired devices? What if you wanted to hard wire your Roku or smart TV to use this connection? For that, we’ll need to visit the Port Manager. Click on Devices and then any of your switches (in my case, I’m just using the 4-port switch on the UDR, but this should also work fine for any connected UniFi switch). Then click on Port Manager from the right-hand slide-out tray.

In the Port manager, select one or more of your switch ports (I’m going to select Port 4). You can change the name of the port if you want (optional), but you’ll want to set the ‘Primary Network’ to ‘Dreamy Secure (53)’ (or whatever VLAN you created as your secure network).

Click ‘Apply Changes’ and you’re all set – now anything that is plugged into Port 4 on the back of my UDR will automatically be given an IP address in my secure network VLAN that uses the PIA VPN Client.

*** NOTE: This final step assumes that you’re plugging in wired devices that are not capable of understanding VLANs – such as your smart TV. If you do have a device such as a VoIP phone, computer, or another switch that does understand VLANs, you can leave the port settings default, but set the VLAN ID at the device level instead.

If you do set up a separate ‘secure’ VLAN and wireless network, you’ll also want to be sure to set up firewall rules. The UniFi firewall is wide open by default (all VLANs have access to all other VLANs) – but you can fix this with just a few simple rules. I cover those simple rules in my UniFi Network VPNs video above – give it a watch and make sure you secure your networks!

And of course if you ever need some help with any of your networking, wireless, security, VPN, firewall or other technical needs – Rogue Support is here to help! Just click the banner below.

Comments 9

  1. Great video and tutorial. Thank you very much Chris. I faced just one problem – DNS leak. Did you check this point? Any suggestions will be appreciated.

  2. Hi there,

    Have you been able to set up multiple active tunnels to the VPN provider?
    So one tunnel to a server in New York and another tunnel to, let’s say, London, and have both connected at the same time? I can configure multiple tunnels but can only get 1 connected. I have to pause it and connect another profile.

    Cheers
    Onno

  3. Hello! I am on UniFi OS v3.1.16 and Network 8.0.7 and I’m not seeing “Teleport and VPN” as an option under settings, just “VPN”. Also under the VPN setting there’s only “VPN Server” & “Site-to-Site VPN” options. What is going on here?

    Cheers

  4. Hi there,

    Today I bought and installed PIA VPN for my UniFi network (UGX-lite, UniFi switches and a Cloud Key Gen2 Plus). PIA VPN does connect without any problem. But when I try to route domains or specific devices, I cannot connect outside my own network. For example I routed the domain privateinternetaccess.com via the PIA VPN connection. After I did that, I could not reach the PIA website anymore. When I delete the routed domain, I can reach the domain without problems. I would like to know what I am doing wrong.

    1. Update! After updating the firmware of my UXG-Lite to 3.1.16 all works fine. Ubiquiti fixed an issue where traffic is not routed through the VPN interface if a Traffic Route is configured.

  5. Great video. I set this up to test on specific computers. I then removed the rule. Have you seen that even after you remove the rule, those specific computers are still utilizing the IP versus the normal ISP IP?
