Edgerouter vpn site to site setup guide for EdgeRouter devices: IPsec tunnels, VPN site-to-site between networks, configuration, security, and troubleshooting
An EdgeRouter site-to-site VPN connects two separate networks securely over the internet through an IPsec tunnel terminated on an EdgeRouter at each end. This guide gives a practical approach to planning, configuring, testing and maintaining such a tunnel on EdgeOS. It is written for small businesses, IT admins and home labs who want solid, repeatable steps without getting lost in jargon.
Useful resources (plain text, not clickable):
– EdgeRouter Official Documentation – edgeos documentation
– Ubiquiti Community Forums – ubnt forums edgeos
– IPsec VPN overview – en.wikipedia.org/wiki/IPsec
– VPN topology guides for small networks – small business IT blogs
– EdgeRouter hardware lineup – ubiquiti.com
– General firewall and NAT concepts – sysadmin reference guides
– Networking basics for VPNs – networking textbooks and online courses
Introduction: what this guide covers at a glance
– Site-to-site IPsec between EdgeRouter devices is a supported and reliable setup
– You’ll learn the core concepts (IPsec, IKE, ESP, tunnel prefixes) and see two mirrored configuration examples, Site A and Site B
– Step-by-step, hands-on commands you can copy-paste or adapt to your IPs and subnets
– How to test, monitor, and troubleshoot the tunnel, plus common pitfalls and fixes
– Practical tips for routing, firewall rules, NAT, MTU, and performance optimization
– A comparison of how EdgeRouter’s site-to-site VPN stacks up against other options
– A Q&A section with at least 10 detailed questions to cover common scenarios
Understanding site-to-site VPN basics on EdgeRouter
A site-to-site VPN creates an encrypted tunnel between two distinct networks across the internet so devices on either side can reach each other as if the two LANs were directly routed together. On EdgeRouter devices this is done with IPsec, which provides confidentiality, integrity and peer authentication. The two ends of the tunnel are called peers; each has a public IP address, a local network (LAN) on its side, and a remote network that it reaches through the tunnel.
Key concepts you’ll encounter
– IPsec: The suite of protocols delivering secure, authenticated data exchange over an untrusted network.
– IKE (Internet Key Exchange): The handshake that authenticates the peers and negotiates keys and security parameters. An EdgeOS ike-group can run IKEv1 or IKEv2 (the key-exchange setting); prefer IKEv2 unless the far end cannot do it.
– ESP (Encapsulating Security Payload): The protocol (IP protocol 50) that actually encrypts and authenticates the data packets.
– Local prefix and remote prefix: The LAN subnets on each side that will be reachable through the VPN; together they form the traffic selectors, and only packets matching them enter the tunnel.
– Tunnel: In EdgeOS each peer carries numbered tunnels (tunnel 1, tunnel 2, ...), one per local/remote prefix pair; each negotiated pair becomes a set of IPsec Security Associations (SAs).
– NAT traversal (NAT-T): If either side sits behind NAT, NAT-T wraps ESP in UDP port 4500 so it survives the translation.
– PSK vs certificate-based auth: A pre-shared key (PSK) is common for small sites; certificates (x509 mode in EdgeOS) add scale and automation for larger deployments.
In practice, you’ll end up defining:
– A peer: the remote site’s public IP address
– An IKE group: the phase 1 encryption, hash, Diffie-Hellman group and lifetime
– An ESP group: the phase 2 encryption, hash, lifetime and whether PFS is used
– Local and remote prefixes: the LANs that will be exchanged across the tunnel
– A PSK or a certificate for authentication
Why EdgeRouter is a good fit for site-to-site VPNs
– Robust CLI and GUI options, enabling precise control
– Works well for small-to-medium networks with modest throughput needs
– Active community and solid official docs
– Flexible firewall rules and NAT — you can tailor traffic between VPN networks and the internet
– Widely used in labs, home offices, and small businesses, so finding help is easy
Data and reality check
– IPsec remains the default choice for site-to-site links because it is mature, interoperable across vendors and built into every router OS, EdgeOS included. EdgeRouter hardware is inexpensive, but the feature set (policy-based IPsec, IKEv2, dead peer detection, IPsec offload on some models) is the same as on larger gear, so the quality of the result depends on careful configuration rather than on the price of the box.
Prerequisites and planning
Before you wire up anything, map out:
– Public IPs or dynamic DNS names for both sites
– LAN subnets on each side (e.g., 192.168.1.0/24 on Site A and 10.0.0.0/24 on Site B); they must not overlap
– The IPsec parameters (IKE group, ESP group, DH group, lifetimes), identical on both sides
– How traffic will be steered across the VPN: with the policy-based IPsec used in this guide the tunnel selectors do it and no static route is needed; route-based (VTI) tunnels need routes instead
– Whether NAT will touch traffic crossing the VPN (normally it must not; inter-site traffic has to leave with its real private source address)
A quick planning checklist
– Confirm both EdgeRouter devices run a supported EdgeOS version with IPsec support
– Decide between a PSK and certificate-based authentication (PSK is simplest to start)
– Ensure the firewall on both sides permits IPsec traffic to the router itself: UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP)
– Decide whether any NAT may apply to traffic travelling over the VPN (normally not for LAN-to-LAN traffic)
– Prepare a test plan: verify reachability, ping tests across VPN, and traceroute to confirm traffic path
Step-by-step: configure Site A (local EdgeRouter)
Below is a representative configuration for Site A, entered in configure mode. Replace the placeholders with your real addresses and subnets. This example uses a pre-shared key with AES-256/SHA-256 and DH group 14. The public IPs (203.0.113.1 for Site A, 203.0.113.2 for Site B) are documentation placeholders; yours will differ.
Code block: Site A EdgeRouter CLI
```
set vpn ipsec ipsec-interfaces interface eth0
# NAT traversal (UDP 4500) is only used when a NAT sits in front of either router; harmless otherwise
set vpn ipsec nat-traversal enable
# Let EdgeOS add the firewall accept rules and the NAT exclusion for the tunnel prefixes
set vpn ipsec auto-firewall-nat-exclude enable
# IKE (phase 1) settings: every value here must match Site B
set vpn ipsec ike-group IKE-GROUP-1 key-exchange ikev2
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-GROUP-1 lifetime 3600
set vpn ipsec ike-group IKE-GROUP-1 dead-peer-detection action restart
set vpn ipsec ike-group IKE-GROUP-1 dead-peer-detection interval 30
set vpn ipsec ike-group IKE-GROUP-1 dead-peer-detection timeout 120
# ESP (phase 2) settings
set vpn ipsec esp-group ESP-GROUP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP-1 proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP-1 lifetime 3600
set vpn ipsec esp-group ESP-GROUP-1 pfs enable
# IPsec site-to-site peer (Site B's public IP)
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'YourPskHere'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-GROUP-1
# Local address (the address on eth0) and the two LAN prefixes; note "local prefix", not "local-prefix"
set vpn ipsec site-to-site peer 203.0.113.2 local-address 203.0.113.1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP-GROUP-1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 10.0.0.0/24
# Optional: send logs to a syslog server so negotiation errors survive a reboot
set system syslog host 192.0.2.1 facility all level info
commit
save
```
Notes for Site A
– Replace 203.0.113.2 with Site B’s public IP
– Replace 203.0.113.1 with the address configured on Site A’s WAN interface (if Site A sits behind a NAT, that is the private WAN address, not the public one)
– Replace 192.168.1.0/24 with Site A’s LAN and 10.0.0.0/24 with Site B’s LAN
– Use a long random PSK and store it securely; EdgeOS keeps it in clear text in config.boot, so configuration backups are secrets too
Step-by-step: configure Site B (remote EdgeRouter)
Now mirror the settings on Site B with the local/remote values swapped: the peer is Site A’s public IP, the local address is Site B’s, and the two LAN prefixes trade places. The group names may differ per router; the values inside them must not.
Code block: Site B EdgeRouter CLI
```
# Use the interface connected to the internet
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable
# IKE (phase 1): identical values to Site A
set vpn ipsec ike-group IKE-GROUP-2 key-exchange ikev2
set vpn ipsec ike-group IKE-GROUP-2 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP-2 proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP-2 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-GROUP-2 lifetime 3600
set vpn ipsec ike-group IKE-GROUP-2 dead-peer-detection action restart
set vpn ipsec ike-group IKE-GROUP-2 dead-peer-detection interval 30
set vpn ipsec ike-group IKE-GROUP-2 dead-peer-detection timeout 120
# ESP (phase 2): identical values to Site A
set vpn ipsec esp-group ESP-GROUP-2 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP-2 proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP-2 lifetime 3600
set vpn ipsec esp-group ESP-GROUP-2 pfs enable
# Peer is Site A's public IP; the same PSK as Site A
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'YourPskHere'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-GROUP-2
set vpn ipsec site-to-site peer 203.0.113.1 local-address 203.0.113.2
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group ESP-GROUP-2
# Prefixes swapped relative to Site A
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 192.168.1.0/24
set system syslog host 192.0.2.2 facility all level info
commit
save
```
Notes for Site B
– Swap IPs in the same way you did for Site A
– Ensure the local-prefix 10.0.0.0/24 matches Site B’s LAN
– Ensure the remote-prefix 192.168.1.0/24 matches Site A’s LAN
– Keep the PSK identical on both sides
After committing and saving on both routers, the IKE negotiation starts automatically; verify it as described next.
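The two blocks above are mirror images, and every tunnel that refuses to come up in practice tends to be a typo in that mirroring (prefixes not swapped, a proposal value that differs, a PSK pasted with a trailing space). The following Python script is an added example, not EdgeOS or Ubiquiti code: it generates both sides’ `set` lines from a single spec so the mirroring cannot go wrong, and `cross_check` can be pointed at two hand-written configs as well. The site names, interfaces and addresses are assumed placeholders; the emitted syntax is EdgeOS 1.x, and the group name `S2S` is an arbitrary local label.

```python
"""Generate mirrored EdgeOS site-to-site IPsec configs from one spec.

Added example, not EdgeRouter/EdgeOS code. Emits EdgeOS 1.x `set` syntax;
site names, interfaces and addresses are assumed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    wan_if: str     # interface that holds the address used for IKE
    public_ip: str  # address the other site will use as its peer
    lan: str        # LAN prefix that must reach the other site


# Values that must be identical on both routers. Group names are local to
# each router and may differ; these values may not.
CRYPTO = {"key_exchange": "ikev2", "encryption": "aes256", "hash": "sha256",
          "dh_group": "14", "ike_lifetime": "3600", "esp_lifetime": "3600"}


def spec_errors(a: Site, b: Site, psk: str) -> list:
    """Problems that would make the tunnel impossible, or empty if none."""
    errors = []
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    if lan_a.overlaps(lan_b):
        errors.append(f"LAN prefixes overlap: {lan_a} and {lan_b}")
    if ipaddress.ip_address(a.public_ip) == ipaddress.ip_address(b.public_ip):
        errors.append("both sites use the same peer address")
    if len(psk) < 20 or "'" in psk or psk != psk.strip():
        errors.append("PSK must be >= 20 chars, no quotes, no surrounding whitespace")
    return errors


def render(local: Site, remote: Site, psk: str, group: str = "S2S") -> list:
    """EdgeOS `set` lines for `local`, peering with `remote`."""
    ike = f"vpn ipsec ike-group {group}"
    esp = f"vpn ipsec esp-group {group}"
    peer = f"vpn ipsec site-to-site peer {remote.public_ip}"
    return [
        f"set vpn ipsec ipsec-interfaces interface {local.wan_if}",
        "set vpn ipsec nat-traversal enable",
        "set vpn ipsec auto-firewall-nat-exclude enable",  # firewall accept + NAT exclusion for the prefixes
        f"set {ike} key-exchange {CRYPTO['key_exchange']}",
        f"set {ike} lifetime {CRYPTO['ike_lifetime']}",
        f"set {ike} proposal 1 dh-group {CRYPTO['dh_group']}",
        f"set {ike} proposal 1 encryption {CRYPTO['encryption']}",
        f"set {ike} proposal 1 hash {CRYPTO['hash']}",
        f"set {ike} dead-peer-detection action restart",
        f"set {ike} dead-peer-detection interval 30",
        f"set {ike} dead-peer-detection timeout 120",
        f"set {esp} lifetime {CRYPTO['esp_lifetime']}",
        f"set {esp} pfs enable",
        f"set {esp} proposal 1 encryption {CRYPTO['encryption']}",
        f"set {esp} proposal 1 hash {CRYPTO['hash']}",
        f"set {peer} description to-{remote.name}",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret '{psk}'",
        f"set {peer} ike-group {group}",
        f"set {peer} local-address {local.public_ip}",
        f"set {peer} tunnel 1 esp-group {group}",
        f"set {peer} tunnel 1 local prefix {local.lan}",    # swapped on the other side
        f"set {peer} tunnel 1 remote prefix {remote.lan}",
    ]


def mirrored(a: Site, b: Site, psk: str) -> dict:
    """Both configs from one spec, so local/remote can never be swapped wrong."""
    problems = spec_errors(a, b, psk)
    if problems:
        raise ValueError("; ".join(problems))
    return {a.name: render(a, b, psk), b.name: render(b, a, psk)}


def cross_check(cfg_a: list, cfg_b: list) -> bool:
    """Independent check on two configs (generated or hand-typed): A's local
    prefix must be B's remote prefix and vice versa, and the PSKs must match."""
    def field(cfg, key):
        return next(line.split(key + " ")[1] for line in cfg if key + " " in line)
    return (field(cfg_a, "local prefix") == field(cfg_b, "remote prefix")
            and field(cfg_b, "local prefix") == field(cfg_a, "remote prefix")
            and field(cfg_a, "pre-shared-secret") == field(cfg_b, "pre-shared-secret"))


# Constructed placeholder sites using documentation address ranges.
SITE_A = Site("siteA", "eth0", "203.0.113.1", "192.168.1.0/24")
SITE_B = Site("siteB", "eth0", "198.51.100.1", "10.0.0.0/24")

if __name__ == "__main__":
    for name, lines in mirrored(SITE_A, SITE_B, "replace-with-a-long-random-psk").items():
        print(f"# --- paste into configure mode on {name} ---")
        print("\n".join(lines))
```

Paste each rendered block into configure mode on the matching router and follow with `commit` and `save`. Keep the real PSK out of the script file; read it from a secrets store or prompt for it, since whatever you pass in lands in clear text in config.boot anyway.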
How to verify the VPN tunnel
Verification is key. You want to confirm the tunnel is up, traffic can pass, and routes are correct.
Quick checks
– Show the IKE and IPsec state on either EdgeRouter (operational mode, not configure mode):
– show vpn ike sa
– show vpn ipsec sa
– show vpn ipsec status
– A healthy tunnel shows one IKE SA for the peer and an IPsec SA whose selectors are exactly your two prefixes (192.168.1.0/24 and 10.0.0.0/24)
– Ping across sites:
– From a host on Site A (192.168.1.x), ping a host on Site B (for example 10.0.0.5). Test from a LAN host rather than from the router: a ping sourced from the router’s WAN address is outside the tunnel selectors and will not use the VPN
– If pings fail, traceroute from the LAN host; the first hop should be the local EdgeRouter and the next something inside the remote LAN. If the path heads out to the ISP instead, the traffic is not matching the tunnel selectors
– Check routing:
– With the policy-based configuration above no static route is needed; the IPsec policy captures packets that match the local/remote prefixes. Check instead that no more-specific route or policy-based-routing rule steers the remote prefix elsewhere
– Review logs:
– tail -f /var/log/messages (or show log) on either router while the tunnel negotiates
– Look for the IKE daemon (strongSwan) establishing the IKE SA and the CHILD_SA, or for notify errors such as NO_PROPOSAL_CHOSEN and AUTHENTICATION_FAILED
Common issues and fixes
– PSK mismatch: the secret must be identical on both sides; the log reports this as an authentication failure, not as a PSK error
– IKE/ESP parameter mismatch: group names may differ per router, but encryption, hash, DH group, key-exchange (IKEv1 or IKEv2) and PFS must match; a NO_PROPOSAL_CHOSEN notify in the log is the tell
– Prefix mismatch: Site A’s local prefix must be exactly Site B’s remote prefix and vice versa; a tunnel whose IKE SA comes up but that never carries traffic usually has a typo here
– NAT-T problems: if either side sits behind a NAT, enable nat-traversal on both routers and make sure the upstream NAT forwards UDP 500 and 4500 to the EdgeRouter; the local-address on the NATed side is its private WAN address
– Firewall blocks: the WAN-facing local ruleset must accept UDP 500, UDP 4500 and IP protocol 50 (ESP); protocol 51 (AH) is only needed if you configure AH, which this setup does not
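Each of the failure modes listed above leaves a distinct trace in the IKE daemon’s log, and reading it is faster than re-checking every parameter by hand. The script below is an added example, not part of EdgeOS: it maps log lines to a likely cause and a concrete check, and confirms that an established tunnel carries exactly the planned prefixes. The message texts are modelled on strongSwan charon output; the sample lines are constructed for the example, not a real capture, and the hostname `er4` and the peer name are placeholders.

```python
"""Triage IPsec log lines from an EdgeRouter into likely causes.

Added example, not EdgeOS tooling. Patterns are modelled on strongSwan
(charon) messages; SAMPLE_LOG is constructed, not a real capture.
"""
import re

# Ordered: the first matching rule wins. (regex, diagnosis, suggested check)
RULES = [
    (r"NO_PROPOSAL_CHOSEN", "proposal-mismatch",
     "IKE/ESP encryption, hash, DH group or key-exchange differ between sites"),
    (r"AUTHENTICATION_FAILED|invalid HASH_V1 payload length", "auth-failed",
     "pre-shared secret differs, or the peer identities do not match"),
    (r"TS_UNACCEPTABLE|INVALID_ID_INFORMATION", "selector-mismatch",
     "local/remote prefixes are not mirrored between the two sites"),
    (r"retransmit \d+ of request", "peer-unreachable",
     "UDP 500/4500 or ESP blocked by a firewall or NAT, or wrong peer address"),
    (r"(remote|local) host is behind NAT", "nat-detected",
     "informational: keep nat-traversal enabled on both routers"),
    (r"CHILD_SA .* established", "tunnel-up", "no action"),
]
_TS = re.compile(r"TS (\S+) === (\S+)")  # selectors printed on the established line


def triage(lines) -> list:
    """One finding per line that matches a rule; unrelated lines are skipped."""
    findings = []
    for line in lines:
        for pattern, diagnosis, check in RULES:
            if re.search(pattern, line):
                finding = {"diagnosis": diagnosis, "check": check, "line": line}
                m = _TS.search(line)
                if m:
                    finding["selectors"] = (m.group(1), m.group(2))
                findings.append(finding)
                break
    return findings


def expected_selectors_ok(findings, local_prefix: str, remote_prefix: str) -> bool:
    """True if some established CHILD_SA carries exactly the planned prefixes."""
    return any(f.get("selectors") == (local_prefix, remote_prefix)
               for f in findings if f["diagnosis"] == "tunnel-up")


# Constructed sample lines in the shape of charon messages (not a real capture).
SAMPLE_LOG = [
    "Jan 10 12:00:00 er4 charon: 05[CFG] loaded IKE shared key with id 'peer-203.0.113.2'",
    "Jan 10 12:00:01 er4 charon: 08[IKE] <peer-203.0.113.2-tunnel-1|1> received NO_PROPOSAL_CHOSEN notify error",
    "Jan 10 12:00:05 er4 charon: 09[IKE] <peer-203.0.113.2-tunnel-1|2> received AUTHENTICATION_FAILED notify error",
    "Jan 10 12:00:09 er4 charon: 10[IKE] <peer-203.0.113.2-tunnel-1|3> retransmit 3 of request with message ID 0",
    "Jan 10 12:00:12 er4 charon: 11[IKE] <peer-203.0.113.2-tunnel-1|4> remote host is behind NAT",
    "Jan 10 12:00:15 er4 charon: 12[IKE] <peer-203.0.113.2-tunnel-1|4> CHILD_SA peer-203.0.113.2-tunnel-1{1} "
    "established with SPIs c1a2b3d4_i e5f60718_o and TS 192.168.1.0/24 === 10.0.0.0/24",
    "Jan 10 12:00:20 er4 charon: 13[IKE] <peer-203.0.113.2-tunnel-1|5> invalid HASH_V1 payload length, decryption failed?",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['diagnosis']:18} {f['check']}")
    print("planned selectors present:",
          expected_selectors_ok(triage(SAMPLE_LOG), "192.168.1.0/24", "10.0.0.0/24"))
```

On a live router, feed it the output of `show log` or the tail of /var/log/messages. The selector check matters because an IKE SA can come up cleanly while the CHILD_SA negotiates a narrower or different prefix pair than you intended, which looks like "tunnel up, no traffic".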
Firewall and NAT considerations
EdgeOS applies firewall rulesets per interface and direction (in, out, local). Three things must line up:
– Traffic addressed to the router itself (the local ruleset on the WAN interface) must accept IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) from the peer
– Decrypted traffic arriving from the tunnel passes the WAN in ruleset, so it needs a rule that matches IPsec-decapsulated packets (the ipsec match-ipsec option on a rule) rather than a blanket accept from the internet
– The masquerade NAT rule used for internet access must not translate packets destined for the remote LAN; if it does, they leave with the WAN address as source, fall outside the tunnel selectors and are sent in the clear towards the ISP, where they are dropped
The auto-firewall-nat-exclude option used in the configuration above takes care of the first and third points for the configured prefixes. If you manage NAT by hand, put an exclusion rule for the remote prefix ahead of the masquerade rule. Keep NAT out of inter-site traffic altogether unless the two LANs overlap; translating between two private subnets across a VPN makes both the selectors and the troubleshooting confusing. Remote-site hosts reach the internet through their own router; routing all of their traffic through the other site would require 0.0.0.0/0 as a remote prefix and is a different design.
Troubleshooting tips and best practices
– Keep a consistent naming convention for your IKE groups and ESP groups; it makes debugging and replication easier.
– Back up the configuration before making changes; a misstep can take the tunnel down, and with it your remote access to the far router.
– Use a staging environment if you can replicate the network in a lab and test changes there.
– Monitor tunnel uptime and latency to catch intermittent issues early.
– If your tunnel won’t come up, verify:
– The PSK is identical on both sides
– local-address is the address on the local EdgeRouter’s WAN interface (the private one if it sits behind a NAT), and the peer on the other side is this router’s public address
– The local and remote prefixes don’t overlap each other or other networks reachable from either LAN
– Use the GUI as a sanity check if you’re comfortable with it; seeing the configuration rendered in the Web UI sometimes exposes a misconfiguration quickly.
Performance and reliability tips
– Keep the EdgeRouter firmware updated to ensure IPsec improvements, bug fixes, and better hardware support.
– For higher throughput, enable IPsec hardware offload on models that support it (the system offload ipsec option in EdgeOS); check the release notes for your model and firmware.
– Adjust MTU and MSS if you see fragmentation or stalled large transfers: ESP headers, IV, padding and ICV (plus the UDP header under NAT-T) take roughly 60 to 80 bytes off the WAN MTU, so clamp TCP MSS on tunnel traffic to fit; the MSS clamp lives under firewall options in EdgeOS.
– Use strong, modern algorithms (AES-256, SHA-256, DH group 14 or higher) for the ESP/IKE groups; avoid 3DES, MD5, SHA-1 and DH groups 1, 2 and 5.
– Plan for redundancy if uptime is critical: consider a second WAN link and a failover strategy, or a second EdgeRouter in a failover pair.
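"Slightly lower than your LAN MTU" is vague, and the exact number depends on the cipher suite and on whether NAT-T is in play. The calculation below is an added example (not EdgeOS code) for the AES-256-CBC / HMAC-SHA-256 tunnel configured on this page: it computes the on-the-wire size of an ESP packet including CBC padding, the largest inner packet that still fits the WAN MTU, and the MSS value to clamp to. It assumes an IPv4 outer header without options, tunnel mode, a 16-byte IV and the standard 128-bit truncated SHA-256 ICV; AES-GCM or IPv6 would change the constants.

```python
"""ESP overhead and MSS clamp for AES-256-CBC / HMAC-SHA-256 tunnel mode.

Added example, not EdgeOS code. Assumes IPv4 outer header, tunnel mode,
16-byte CBC IV and the 128-bit truncated SHA-256 ICV used by IPsec.
"""
IPV4_HDR = 20      # outer IPv4 header, no options
UDP_HDR = 8        # NAT-T encapsulation (UDP 4500), only when behind NAT
ESP_HDR = 8        # SPI + sequence number
AES_BLOCK = 16     # CBC IV length and padding alignment
ESP_TRAILER = 2    # pad length + next header, inside the encrypted area
SHA256_ICV = 16    # HMAC-SHA-256-128 integrity check value
TCP_IP_HDRS = 40   # inner IPv4 + TCP headers without options


def _fixed_overhead(nat_t: bool) -> int:
    """Bytes outside the encrypted, padded area."""
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + AES_BLOCK + SHA256_ICV


def esp_packet_size(inner_len: int, nat_t: bool) -> int:
    """Bytes on the wire for an inner IP packet of `inner_len` bytes.
    The inner packet plus the 2-byte trailer is padded up to the AES block."""
    encrypted = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return _fixed_overhead(nat_t) + encrypted


def max_inner_mtu(wan_mtu: int, nat_t: bool) -> int:
    """Largest inner packet that leaves the WAN without fragmentation.
    The encrypted area must be a whole number of AES blocks, so the usable
    space is rounded down to the block size before removing the trailer."""
    encrypted = (wan_mtu - _fixed_overhead(nat_t)) // AES_BLOCK * AES_BLOCK
    return encrypted - ESP_TRAILER


def mss_clamp(wan_mtu: int, nat_t: bool) -> int:
    """TCP MSS to clamp on tunnel traffic so full segments never fragment."""
    return max_inner_mtu(wan_mtu, nat_t) - TCP_IP_HDRS


if __name__ == "__main__":
    for wan_mtu in (1500, 1492):          # Ethernet and PPPoE WAN links
        for nat_t in (False, True):
            print(f"WAN MTU {wan_mtu} NAT-T={nat_t!s:5} inner MTU "
                  f"{max_inner_mtu(wan_mtu, nat_t)} MSS {mss_clamp(wan_mtu, nat_t)}")
```

For a 1500-byte Ethernet WAN this gives an inner MTU of 1438 without NAT-T and 1422 with it, so an MSS of 1382 covers both; the round 1350 or 1360 that many guides suggest is simply that value with a margin for PPPoE.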
EdgeRouter vs other VPN options
– IPsec site-to-site on EdgeRouter is a solid, proven choice for inter-site connectivity, especially for small businesses with fixed subnets.
– OpenVPN is built into EdgeOS and widely supported across platforms, but it is TLS over a single UDP or TCP socket handled in user space, so it is slower on EdgeRouter CPUs and has more knobs to tune than IPsec.
– WireGuard is lightweight and fast, but it is not part of EdgeOS; it needs a community-built package installed on the router, which you have to reinstall and re-check after each firmware upgrade.
– For dynamic DNS or changing IPs, consider a dynamic DNS service to keep peers in sync, and plan for reconfiguration if public IPs change.
Security best practices for EdgeRouter site-to-site VPN
– Use strong PSKs or move toward certificate-based authentication if you scale beyond a few sites.
– Minimize exposed services on the EdgeRouter to reduce attack surface.
– Regularly audit firewall rules to ensure only the necessary traffic crosses the VPN.
– Keep logs and monitor for unusual activity. IPsec events can reveal negotiation problems that could precede a larger issue.
– Consider segmenting traffic: a tunnel between two LANs is not an excuse for an any-to-any policy. Use firewall rules on the decrypted traffic to permit only the services the other site actually needs (file shares, a management host, a printer) and deny the rest, so a compromise at one site does not get free lateral movement into the other.
Real-world tips and considerations
– If either site has a dynamic IP address, the peer statement (which is keyed by address in this configuration) no longer fits. The usual EdgeOS pattern is to give the side with the fixed address a wildcard peer (0.0.0.0) matched on the IKE identity, and let the dynamic side initiate; see the EdgeOS documentation for that variant. Dynamic DNS alone does not re-establish a tunnel whose configured peer address has changed.
– When planning remote access testing, you can route specific test subnets across the VPN (as additional tunnels with their own prefix pairs) to avoid impacting your entire network.
– Documentation matters. Keep a simple, shareable doc with the IPsec parameters and the LAN prefixes so you can reproduce or modify the setup later, but keep the PSK itself in a password manager or secrets store, not in that document. EdgeOS stores the PSK in clear text in config.boot, so treat configuration backups as secrets too.
Frequently Asked Questions
# 1 What is Edgerouter vpn site to site?
Edgerouter vpn site to site is a setup where two EdgeRouter devices create a secure IPsec tunnel over the internet to connect two separate LANs as if they were on the same network.
# 2 Do I need a static IP on both sites?
Static IPs simplify configuration and reliability. If one side has a dynamic IP, the side with the fixed address can accept a wildcard peer matched on IKE identity and the dynamic side initiates; if both are dynamic, a site-to-site IPsec tunnel becomes impractical and a hub with a fixed address, or a different VPN technology, is the better design.
# 3 Can I use a pre-shared key PSK for authentication?
Yes. PSK is the simplest method for small deployments. For larger networks, consider a certificate-based approach for automation and scalability.
# 4 Which encryption should I choose for IPsec on EdgeRouter?
AES-256 is a strong default; pair it with SHA-256 for integrity and DH group 14 or higher for the key exchange. AES-128 is still considered secure and lightens the load on models without IPsec offload, but AES-256 is a good balance of security and performance for most setups. Avoid 3DES, MD5, SHA-1 and DH groups 1, 2 and 5.
# 5 How do I test the VPN after setup?
After committing the configuration, verify the tunnel status with the show vpn ike sa and show vpn ipsec sa operational commands, ping between hosts on the two LANs (not from the routers’ WAN addresses), and confirm that no route or policy-based-routing rule diverts the remote prefix. Watch the logs during negotiation to see where it stops.
# 6 What if the tunnel never comes up?
Double-check the PSK, IKE/ESP group settings, and local/remote prefixes. Ensure NAT-T is enabled if behind NAT, and verify firewall rules allow IPsec traffic. Review the logs for negotiation errors.
# 7 How do I route traffic between the two sites?
With the policy-based IPsec configuration in this guide you do not add static routes: the IPsec policy installed for the local/remote prefix pair captures matching packets before normal routing. Static routes are only needed for route-based (VTI) tunnels, where you point the remote LAN at the vti interface instead of defining prefixes.
# 8 Do I need to disable NAT for VPN traffic?
For traffic between the two LANs, yes: the masquerade rule used for internet access must exclude packets destined for the remote prefix, otherwise they are translated to the WAN address, no longer match the tunnel selectors and leave in the clear. The auto-firewall-nat-exclude option does this for you; if you manage NAT by hand, place an exclusion rule for the remote prefix before the masquerade rule. NAT is for traffic going to the internet, not for inter-site VPN traffic.
# 9 How scalable is Edgerouter site-to-site VPN?
IPsec site-to-site VPN scales well for a few sites and small networks. For multiple sites with dynamic changes, consider automation and certificate-based authentication, and plan for a centralized management approach.
# 10 Can I use internet-exposed domains or services across the VPN?
Yes, you can route internal services across the VPN, but keep security in mind. Access should be restricted to the VPN-connected networks, and public-facing services should remain on protected public endpoints.
# 11 How do I upgrade EdgeRouter firmware without breaking the VPN?
Back up the configuration before upgrading, review the release notes for IPsec-related changes, and test in a lab environment if possible. After upgrade, verify tunnel functionality and reapply any specific CLI commands if required.
# 12 Is VPN performance dependent on hardware?
Yes. EdgeRouter performance depends on CPU, memory, and NIC capabilities. For 1 Gbps or higher throughput, ensure you’re using a model and firmware that supports your target speeds and that you take advantage of hardware acceleration where available.
If you’re looking to expand VPN capabilities beyond two sites, or you want a smoother remote access scenario, you can explore additional VPN options and integration strategies with EdgeRouter, but for many small deployments, a solid IPsec site-to-site VPN remains the most reliable fit. Remember to keep the configuration clean, document changes, and test thoroughly to maintain a stable network bridge between sites.