EdgeRouter X site-to-site VPN: comprehensive guide to configuring a site-to-site VPN on EdgeRouter X for secure inter-network connectivity
This is a practical guide to setting up a site-to-site VPN on EdgeRouter X to securely link two networks over the internet.
In this guide, you’ll learn how to plan, configure, and troubleshoot a site-to-site VPN between two EdgeRouter X devices. We’ll cover GUI and CLI methods, security best practices, performance considerations, and real-world tips so you can get reliable connectivity between branch offices, home labs, or remote networks.
Useful URLs and Resources:
– EdgeRouter X official documentation – ubnt.com
– IPsec site-to-site VPN overview – en.wikipedia.org/wiki/IPsec
– OpenVPN vs IPsec comparison – openvpn.net/blog
– Networking with EdgeRouter articles – digitalocean.com/community/tutorials
– Small business VPN considerations – cisco.com
What is Edgerouter x site to site vpn?
A site-to-site VPN on EdgeRouter X creates an encrypted tunnel between two or more separate networks, usually across the internet. Each side has a public IP address and a private local network, and traffic destined for the other side travels through an IPsec tunnel. The result is seamless, encrypted inter-network communication that behaves like a single extended network, without exposing private subnets to the open internet.
Key takeaways:
– Uses IPsec for encryption and authentication.
– Typically operates between two gateways (EdgeRouter X devices) at different sites.
– Allows access to remote subnets as if they were locally connected.
Why this matters:
– You can protect sensitive data between offices, home offices, or data centers.
– You gain centralized control over traffic routing between sites.
– It scales well for small to medium branch networks without a full-blown MPLS setup.
Why use a site-to-site VPN on EdgeRouter X?
– Low-cost, simple, and flexible: EdgeRouter X is a compact, affordable router with solid IPsec support.
– Security by default: IPsec provides strong encryption and integrity protection (AES, SHA) over mutually authenticated tunnels.
– Clear routing: You can push specific remote subnets into the tunnel, keeping other traffic on your regular internet path.
– Stable for small deployments: It’s well-suited for home labs, small offices, and multi-branch setups.
Common scenarios:
– A branch office needs access to central services in the main office, with traffic restricted to private subnets.
– A home office and a coworker’s at-home lab want to share resources securely.
– A managed service provider wants to connect multiple customer networks to a central hub.
Security note:
– Use a strong pre-shared key (PSK) or, if you’re comfortable with certificates, configure certificate-based authentication for even stronger security. Rotate keys on a regular basis and restrict access to known peers.
Prerequisites
Before you begin, gather these essentials:
– Two EdgeRouter X devices with EdgeOS firmware up to date.
– Public IP addresses on both sides or dynamic DNS setup if you don’t have a fixed IP.
– Defined private subnets on both sides (for example, 10.0.0.0/24 on Site A and 192.168.1.0/24 on Site B).
– A strong pre-shared key (PSK) for IPsec, or a certificate setup if you’re comfortable with PKI.
– Firewall rules that allow IPsec traffic (UDP 500, UDP 4500 for NAT-T, and ESP, IP protocol 50) and traffic to the remote subnets.
Optional, but helpful:
– A planning sheet to map subnets, IP addresses, and routing.
– A way to monitor tunnel status (EdgeOS has built-in tools); you might also use SNMP or syslog depending on your setup.
EdgeRouter X hardware details you might care about:
– Small form factor with multiple gigabit ports.
– Adequate for most small-site site-to-site VPNs, but performance depends on encryption settings and traffic load.
– Real-world tip: if you run multiple VPNs or heavy encryption, you may encounter throughput limits; plan accordingly.
Step-by-step GUI configuration (EdgeOS)
This is the friendliest path for many users. Here’s a practical, copy-and-paste-friendly flow you can follow.
1 Log in to EdgeRouter X’s UI
– Open your browser and navigate to the router’s IP (usually http://192.168.1.1).
– Enter admin credentials.
2 Create a VPN tunnel IPsec on Site A
– Go to VPN -> IPsec -> Tunnels -> Add.
– Local address: enter Site A’s public IP or dynamic DNS hostname as appropriate.
– Remote address: Site B’s public IP.
– Local subnet: Site A’s private network, e.g., 10.0.0.0/24.
– Remote subnet: Site B’s private network, e.g., 192.168.1.0/24.
– Authentication: pre-shared secret, then enter a strong PSK (this must match exactly on Site B).
– IKE Phase 1 settings: choose a secure DH group (e.g., DH Group 14) with AES-256 and SHA-256.
– P1 key exchange: Main (IKEv1 main mode).
– ESP Phase 2 settings: AES-256 with SHA-256. PFS: Group 14 (2048-bit) for added protection.
3 Create a tunnel on Site B (mirror of Site A)
– Repeat the same steps, but swap Local/Subnet values to Site B’s numbers and use Site A’s public IP as Remote.
4 Enable NAT-T if needed
– In most setups, NAT-T is on by default. If not, ensure UDP 4500 is allowed and that IPsec NAT-T is enabled in the tunnel settings.
5 Add a static route for remote subnets (only needed for route-based/VTI tunnels; a policy-based tunnel configured with local/remote subnets, as in step 2, installs its own IPsec policy and needs no route)
– On Site A: route to Site B’s subnet via the tunnel interface (tunnel1, or the named tunnel you created).
– On Site B: route to Site A’s subnet via the tunnel interface.
6 Firewall considerations
– Ensure there are firewall rules permitting traffic between the two private subnets through the IPsec interface.
– For basic setups, you can assign the tunnel as a trusted path and permit related/established traffic.
7 Test the connection
– From a host on Site A, ping a host on Site B (for example, 192.168.1.10) and vice versa.
– Use traceroute/ping to verify that traffic flows through the VPN tunnel rather than the public internet.
8 Save and monitor
– Save the configuration.
– Check the VPN status in EdgeOS to verify the tunnel is up and the SA (Security Association) parameters are established.
Tips:
– If you see “phase 1 negotiation failed” or “PSK mismatch,” re-check the PSK on both sides.
– Ensure both sides use the same IKE and ESP proposals (encryption, hash, and DH group).
– If NAT is involved at one site, ensure NAT-traversal rules are enabled on that side.
Step-by-step CLI configuration (EdgeOS)
If you’re comfortable with the command line, here’s a representative, copy-paste config snippet to get you moving. Adjust IPs and subnets to fit your topology.
– Enable IPsec on the WAN-facing interface (eth0 here; substitute your WAN interface)
set vpn ipsec ipsec-interfaces interface eth0
– Optional but convenient: exempt tunnel traffic from source NAT and add the matching firewall exceptions automatically
set vpn ipsec auto-firewall-nat-exclude enable
– Define the IKE (phase 1) group (placeholder name IKE-2048); IKEv1 main mode matches the GUI settings above
set vpn ipsec ike-group IKE-2048 key-exchange ikev1
set vpn ipsec ike-group IKE-2048 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-2048 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-2048 proposal 1 hash sha256
– Define the ESP (phase 2) group (placeholder name ESP-256) with PFS on DH group 14
set vpn ipsec esp-group ESP-256 pfs dh-group14
set vpn ipsec esp-group ESP-256 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-256 proposal 1 hash sha256
– Site A (public IP 203.0.113.1, LAN 10.0.0.0/24), peering with Site B
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret YourPSKHere
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-2048
set vpn ipsec site-to-site peer 203.0.113.2 local-address 203.0.113.1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP-256
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 192.168.1.0/24
– Site B (public IP 203.0.113.2, LAN 192.168.1.0/24), peering with Site A; define the same IKE/ESP groups on this router first
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret YourPSKHere
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-2048
set vpn ipsec site-to-site peer 203.0.113.1 local-address 203.0.113.2
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group ESP-256
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 10.0.0.0/24
– Apply the changes (run on each router after entering its own lines)
commit
save
– Verify the tunnel: the output should list the peer with its phase 1 (IKE) and phase 2 (ESP) SAs in the up state
show vpn ipsec sa
– Static routes are not needed for this policy-based tunnel: EdgeOS installs the IPsec policy for the local/remote prefixes itself. Only a route-based (VTI) tunnel needs a route for the remote subnet over the VTI interface, for example:
set protocols static interface-route 192.168.1.0/24 next-hop-interface vti0
Note: The exact interface names (eth0, vti0), group names, and IPs will vary by your environment; the 203.0.113.x addresses are documentation examples. Replace them with your actual values, and use the same PSK and proposal values on both sides.
Common issues and troubleshooting
– Phase 1 not negotiating
  – Check that the PSK matches on both sides.
  – Ensure both sides use the same IKE group and encryption settings.
  – Verify that the public IPs are reachable and not blocked by a firewall.
– Phase 2 not negotiating or SA not established
  – Confirm the ESP proposals (AES, SHA) match on both sides.
  – Verify the tunnel endpoints and local/remote subnets are correct.
  – Ensure that the remote subnet does not overlap with a local network.
– NAT traversal problems
  – If one side is behind NAT, enable NAT-T (UDP 4500) on both sides.
  – Check firewall rules to allow UDP 500 and UDP 4500.
– Traffic not routing through the VPN
  – Ensure static routes point to the VPN tunnel interface.
  – Confirm firewall rules permit traffic between the two subnets through the IPsec interface.
– VPN drops or flaps
  – Check for dynamic IP changes; consider dynamic DNS if you don’t have static IPs.
  – Ensure keepalive/DPD settings are aligned; some devices aggressively reload tunnels.
– Performance issues
  – IPsec adds overhead, and EdgeRouter X has limited CPU power for high-throughput VPN with strong crypto.
  – If you see degraded performance, reduce the encryption strength (e.g., AES-128), adjust tunnel configurations, or upgrade to a more capable device for heavy traffic.
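Most of the failures above come down to the two routers’ configurations not mirroring each other. As an added example (not from the original guide and not an EdgeOS tool), the Python checker below parses the set vpn ipsec lines from both sites and reports PSK, proposal, peer-address, prefix-mirroring and subnet-overlap mismatches; the configurations are constructed samples using the documentation addresses and placeholder PSK from this guide, and the parser assumes the EdgeOS tunnel 1 local prefix / remote prefix syntax.

```python
import ipaddress

def site_cfg(peer, local, lan, remote_lan, psk, esp_hash="sha256"):
    """Constructed EdgeOS-style 'set' lines for one side (sample input, not a real device dump)."""
    p = f"site-to-site peer {peer}"
    items = ["ike-group IKE proposal 1 dh-group 14", "ike-group IKE proposal 1 encryption aes256",
             "ike-group IKE proposal 1 hash sha256", "esp-group ESP proposal 1 encryption aes256",
             f"esp-group ESP proposal 1 hash {esp_hash}", f"{p} authentication pre-shared-secret {psk}",
             f"{p} ike-group IKE", f"{p} local-address {local}", f"{p} tunnel 1 esp-group ESP",
             f"{p} tunnel 1 local prefix {lan}", f"{p} tunnel 1 remote prefix {remote_lan}"]
    return "\n".join("set vpn ipsec " + i for i in items)

def peer_view(cfg):
    """Parse one side's 'set vpn ipsec ...' lines and resolve the IKE/ESP proposals its peer references."""
    c = {}
    for parts in (line.split() for line in cfg.strip().splitlines()):
        if parts[:3] == ["set", "vpn", "ipsec"] and len(parts) > 4:
            c[" ".join(parts[3:-1])] = parts[-1]  # flatten "path value" into a dict
    peer = next(k.split()[2] for k in c if k.startswith("site-to-site peer "))
    p = f"site-to-site peer {peer}"
    props = {}  # e.g. {"ike proposal 1 dh-group": "14", "esp proposal 1 hash": "sha256"}
    for grp, name in (("ike", c[f"{p} ike-group"]), ("esp", c[f"{p} tunnel 1 esp-group"])):
        for k, v in c.items():
            if k.startswith(f"{grp}-group {name} proposal "):
                props[grp + k[len(f"{grp}-group {name}"):]] = v
    return {"peer": peer, "props": props, "local": c[f"{p} local-address"],
            "psk": c[f"{p} authentication pre-shared-secret"],
            "lan": c[f"{p} tunnel 1 local prefix"], "remote_lan": c[f"{p} tunnel 1 remote prefix"]}

def check_pair(cfg_a, cfg_b):
    """List the mismatches the troubleshooting section warns about; an empty list means consistent."""
    a, b = peer_view(cfg_a), peer_view(cfg_b)
    issues = []
    if (a["peer"], b["peer"]) != (b["local"], a["local"]):
        issues.append("peer address and local-address do not cross-match")
    if a["psk"] != b["psk"]:
        issues.append("PSK mismatch (phase 1 fails)")
    for k in sorted(set(a["props"]) | set(b["props"])):  # every IKE/ESP proposal attribute
        if a["props"].get(k) != b["props"].get(k):
            issues.append(f"proposal mismatch on {k}: {a['props'].get(k)} vs {b['props'].get(k)}")
    if (a["lan"], a["remote_lan"]) != (b["remote_lan"], b["lan"]):
        issues.append("local/remote prefixes are not mirrored (phase 2 SA will not form)")
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(a["remote_lan"])):
        issues.append("local and remote subnets overlap")
    return issues

# Constructed Site A / Site B configs using the documentation addresses and placeholder PSK from the guide
GOOD_A = site_cfg("203.0.113.2", "203.0.113.1", "10.0.0.0/24", "192.168.1.0/24", "YourPSKHere")
GOOD_B = site_cfg("203.0.113.1", "203.0.113.2", "192.168.1.0/24", "10.0.0.0/24", "YourPSKHere")
```

To use it on real routers, paste the output of show configuration commands | grep "vpn ipsec" from each side in place of the constructed samples; check_pair returns an empty list when the two sides mirror correctly.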
Security best practices
– Use strong authentication
  – Prefer certificate-based authentication if you can manage PKI; otherwise pick a long, random PSK and rotate it periodically.
– Choose strong cryptography
  – AES-256 for ESP, SHA-256 for integrity, and DH group 14 or higher for IKE.
– Limit access
  – Only allow VPN traffic between the necessary subnets; avoid broad access to your LANs.
– Regularly update firmware
  – Keep EdgeRouter X firmware up to date to mitigate known vulnerabilities and improve IPsec reliability.
– Monitor and log
  – Enable logging for VPN events and monitor tunnel uptime, SA details, and traffic patterns.
– Backups and redundancy
  – Maintain backup configurations for both sites; consider a secondary path or a redundant VPN hub if uptime is critical.
Performance considerations
– EdgeRouter X hardware is solid for light to moderate VPN workloads, but actual throughput depends on:
  – Encryption settings (AES-256 vs AES-128)
  – Number of concurrent tunnels
  – Subnet sizes and traffic mix (LAN-to-LAN, LAN-to-WAN, etc.)
  – Firmware optimization and CPU load from other services
– Practical expectations:
  – For typical home lab or small office use with AES-256 and standard ESP, you might see dependable VPN bandwidth in the low hundreds of Mbps, but this can vary.
  – If you need sustained multi-gigabit VPN performance, you’ll likely want a more capable edge device or a dedicated VPN concentrator.
Real-world use cases
– Small office to main office with 10.0.0.0/24 and 192.168.1.0/24 networks
– Remote employees needing site-to-site compatibility as part of a broader mesh VPN design
– Temporary office setups where you need quick, secure channeling between sites without MPLS
Other VPN options and considerations
– IPsec is widely supported and tends to be robust on EdgeRouter X; it’s a good default for routers and gateways.
– OpenVPN can be run on EdgeRouter X via packages, but it may involve more setup work and performance trade-offs.
– WireGuard is praised for speed and simplicity, but its native support on EdgeRouter X depends on firmware features; check your firmware notes for WireGuard availability and instructions.
– For clients that require secure remote access rather than site-to-site connectivity, consider a client VPN setup (often OpenVPN or WireGuard) on a separate gateway.
Real-world tips and best practices
– Plan your subnets to avoid conflicts: ensure the nets on both sides don’t overlap.
– Document every parameter: PSK, IKE group, ESP settings, and tunnel IPs. Good notes save time later.
– Keep a change log: when you modify VPN settings, note the date and the reason.
– Test changes during a maintenance window if possible to avoid surprises during production hours.
– Consider a small test environment: spin up a lab setup to verify changes before applying to production networks.
Frequently Asked Questions
# What is EdgeRouter X?
EdgeRouter X is a small, affordable router from Ubiquiti designed for home offices and small businesses. It runs EdgeOS, supports VLANs, firewall rules, and IPsec VPNs, making it a solid option for site-to-site VPNs and other network projects.
# What is a site-to-site VPN?
A site-to-site VPN connects two or more private networks over the public internet, creating a secure, encrypted tunnel so devices on one network can communicate with devices on the other as if they were on the same LAN.
# Can I use IPsec on EdgeRouter X without a cloud service?
Yes. IPsec is a built-in feature in EdgeOS. You configure the tunnels, authentication, and routing directly on the EdgeRouter X without needing a cloud-based VPN service.
# Should I use a pre-shared key or certificates?
Both work. A strong PSK is easier to manage for small setups, but certificate-based authentication is more scalable and secure, especially for larger deployments.
# What encryption should I use for IPsec?
AES-256 with SHA-256 is a common, strong choice. You can adjust to AES-128 if you need more performance, but this reduces the cryptographic strength slightly.
# How do I test if the VPN tunnel is up?
Ping a device on the remote network from a host on the local network, check the VPN status in the EdgeOS UI, and review the IPsec SA table using the CLI or GUI.
# How do I troubleshoot a VPN tunnel that won’t come up?
Check PSK alignment, IKE/ESP proposals, NAT-T settings, firewall rules, and route configurations. Ensure public IPs are reachable and that there’s no IP conflict between subnets.
# Can I run multiple VPN tunnels on a single EdgeRouter X?
Yes, you can configure multiple IPsec tunnels to different remote sites. Just ensure you have unique tunnel IDs and properly defined local/remote subnets for each tunnel.
# How do I add a dynamic DNS to handle changing public IPs?
Use a dynamic DNS service on both sides and configure EdgeRouter X to keep the DNS records updated. Then reference the dynamic DNS hostname instead of a fixed IP in your tunnel settings.
# How do I secure the VPN with best practices?
Rotate PSKs regularly, use strong encryption (AES-256, SHA-256), and prefer certificate-based authentication when possible. Keep firmware updated and restrict access to known peers.
# What about performance? Will EdgeRouter X handle high traffic?
EdgeRouter X is capable of handling VPN traffic for small-to-moderate networks, but performance depends on encryption strength and overall traffic. For heavy, enterprise-grade loads, consider a higher-end gateway or a dedicated VPN appliance.
# Do I need to configure NAT rules for site-to-site VPN?
NAT is generally not required between the two private networks for a pure site-to-site VPN. You may need to adjust NAT on the edge to prevent double NAT or conflicts, especially if you’re also providing outbound internet access from each site.
# What’s the difference between IKEv1 and IKEv2 for IPsec on EdgeRouter X?
IKEv2 is newer and typically faster and more robust, particularly in roaming scenarios or with dynamic IPs. If your devices support IKEv2, it’s usually worth using. If you’re sticking with IKEv1 for compatibility, ensure the proposals on both sides match.
# How do I monitor VPN tunnels over time?
Use EdgeOS’ built-in VPN status screens, check IPsec SA tables, monitor packet counters, and keep an eye on log files for tunnel events. Consider setting up SNMP or a centralized log collector for long-term monitoring.
# Can I use a VPN with dynamic IPs at both sites?
Yes, but you’ll want either dynamic DNS on both sides or a fallback plan. Ensure your tunnel configuration references the dynamic DNS hostname rather than a fixed IP, and set up proper rekey intervals and keepalives.
# What if I need to connect more than two sites?
You can add additional IPsec tunnels to connect to more sites. Each site should have its own tunnel configuration, and you’ll route the appropriate subnets across each tunnel. Plan routing to avoid subnet conflicts and ensure performance remains manageable.
If you’re ready to dive deeper, this EdgeRouter X site-to-site VPN guide gives you the foundations you need to connect two networks securely. Remember, always test changes in a controlled environment, document every parameter, and keep security best practices in mind as you scale your network.