Edgerouter vpn site to site: a comprehensive guide to site-to-site VPNs, EdgeRouter configuration, security, and troubleshooting
EdgeRouter site-to-site VPN is a method of securely connecting two or more networks over the internet using IPsec VPN tunnels on EdgeRouter devices. In this guide, you’ll get a practical, step-by-step approach to planning, configuring, testing, and maintaining EdgeRouter-based site-to-site VPNs. We’ll cover everything from the basics to advanced tips, plus real-world troubleshooting. Whether you’re after privacy or just trying to link two office networks, this guide has you covered.
What you’ll get in this guide (quick overview)
– A clear definition of site-to-site VPNs and why EdgeRouter is a solid choice for SMBs and home labs
– A practical planning checklist: subnets, WAN interfaces, firewall zones, and traffic you want to protect
– A concrete, copy-paste-ready configuration example for edge devices on both sides of the tunnel
– How to verify the tunnel, test connectivity, and diagnose common problems
– Security considerations: IPSec proposals, IKE versions, NAT, and certificate vs PSK options
– Performance tips: how to maximize throughput and minimize latency on EdgeRouter
– Troubleshooting steps and common gotchas with real-world examples
– A robust FAQ so you can quickly find the answers you need
Useful resources you’ll want to keep handy (plain-text links)
– Official EdgeRouter documentation – help.ui.com/hc/en-us/categories/200086657-EdgeRouter
– EdgeRouter configuration examples and community tips – community.ui.com
– IPsec overview and security architecture – en.wikipedia.org/wiki/IPsec
– NAT traversal (NAT-T) concepts – en.wikipedia.org/wiki/NAT-T
– IKEv1 vs IKEv2 basics – en.wikipedia.org/wiki/Internet_Key_Exchange
– NIST security guidelines for VPNs – csrc.nist.gov/publications
– General VPN testing and troubleshooting guides – search engine results for IPsec VPN troubleshooting
– EdgeRouter official forums and user threads – community.ui.com
What is Edgerouter site-to-site VPN
A site-to-site VPN creates an encrypted tunnel between two networks, typically over the public internet, so devices on one LAN can reach devices on the other LAN as if they were on the same private network. On EdgeRouter devices, the site-to-site VPN is implemented using IPsec. You’ll define a tunnel peer on each EdgeRouter, specify the local and remote subnets, and then create security associations (SAs) and policies that govern how traffic traverses the tunnel.
Key concepts you’ll encounter
– IPsec: the encryption and authentication framework that protects data in transit between sites.
– IKE (Internet Key Exchange): the protocol that negotiates security associations. IKEv2 is preferred for stability and faster rekeying. IKEv1 is older and still supported in many setups.
– Phase 1 (IKE) and Phase 2 (IPsec): the two negotiation stages that establish the tunnel and then protect actual user data.
– Local-subnet and remote-subnet: the networks on each side that will be reachable through the tunnel.
– NAT traversal (NAT-T): how IPsec tunnels work when either side is behind NAT.
EdgeRouter’s approach is straightforward once you understand the core pieces: you set a peer (the other side’s public IP), decide on authentication (pre-shared key or certificates), pick your IKE/IPsec proposals, and then define which networks should be reachable across the tunnel.
Prerequisites and planning
Before you touch the CLI or the UI, get your plan straight. A well-planned VPN saves you a lot of headaches later.
– Map your networks
  – Site A LAN: 192.168.1.0/24
  – Site B LAN: 10.0.0.0/24
  – Optional: management networks and VPN management VLANs
– Gather the necessary information
  – Public IPs: Site A public IP and Site B public IP (or dynamic DNS names if you don’t have static IPs)
  – Subnets to expose across the tunnel
  – Authentication method: pre-shared key (PSK) or certificates (PKI). PSK is simplest for small setups; certificates are more scalable for larger deployments.
– Plan the tunnel with redundancy in mind
  – If you need failover, you’ll typically configure two tunnels (primary and secondary) or two different peers. EdgeRouter supports multiple site-to-site peers.
– Firewall and NAT planning
  – Decide which traffic is allowed through the VPN tunnel
  – Plan NAT exemptions so VPN traffic isn’t double-NAT’d or translated unnecessarily
– Performance expectations
  – EdgeRouter models differ in throughput and VPN acceleration. If you’re running several tunnels or high-speed links, pick a model that can keep up.
– Documentation and change management
  – Keep a written plan of the exact VPN parameters (peers, PSK, subnets, proposals) so you can reproduce or revert changes easily.
Step-by-step setup: EdgeRouter site-to-site VPN (CLI-focused)
Below is a practical, copy-ready sequence you can adapt to your two-site setup. The example uses AES-256, SHA-256, DH-group 14, and IKEv2, which are common modern choices. Adjust to your needs.
Note: The commands assume eth0 is your WAN interface and eth1 is your LAN on Site A. On Site B, swap in the appropriate interfaces and subnets.
Site A EdgeRouter (to Site B)
– Enter configuration mode
  – configure
– Attach VPN to the WAN interface and enable NAT traversal (harmless when neither side is behind NAT)
  – set vpn ipsec ipsec-interfaces interface eth0
  – set vpn ipsec nat-traversal enable
– Define IKE and IPsec proposals (the key-exchange line is what actually selects IKEv2; without it EdgeOS falls back to IKEv1)
  – set vpn ipsec ike-group IKE-1 key-exchange ikev2
  – set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
  – set vpn ipsec ike-group IKE-1 proposal 1 hash sha256
  – set vpn ipsec ike-group IKE-1 proposal 1 dh-group 14
  – set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
  – set vpn ipsec esp-group ESP-1 proposal 1 hash sha256
– Create the tunnel peer (Site B public IP); local-address is Site A’s own WAN address and EdgeOS requires it
  – set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
  – set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret "YourPresharedKey"
  – set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-1
  – set vpn ipsec site-to-site peer 203.0.113.2 default-esp-group ESP-1
  – set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.4
– Define the tunnel local and remote subnets
  – set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local-subnet 192.168.1.0/24
  – set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote-subnet 10.0.0.0/24
– Optional: keepalive via dead peer detection, so a dead tunnel is torn down and re-established instead of hanging
  – set vpn ipsec ike-group IKE-1 dead-peer-detection action restart
  – set vpn ipsec ike-group IKE-1 dead-peer-detection interval 30
  – set vpn ipsec ike-group IKE-1 dead-peer-detection timeout 120
– Commit and save
  – commit
  – save
– Exit configuration mode
  – exit
Site B EdgeRouter (to Site A)
– Repeat the ipsec-interfaces, nat-traversal, IKE-1 and ESP-1 commands from Site A (substituting Site B’s WAN interface) so both sides use matching proposals
– Create the tunnel peer (Site A public IP) with the subnets mirrored
  – set vpn ipsec site-to-site peer 198.51.100.4 authentication mode pre-shared-secret
  – set vpn ipsec site-to-site peer 198.51.100.4 authentication pre-shared-secret "YourPresharedKey"
  – set vpn ipsec site-to-site peer 198.51.100.4 ike-group IKE-1
  – set vpn ipsec site-to-site peer 198.51.100.4 default-esp-group ESP-1
  – set vpn ipsec site-to-site peer 198.51.100.4 local-address 203.0.113.2
  – set vpn ipsec site-to-site peer 198.51.100.4 tunnel 1 local-subnet 10.0.0.0/24
  – set vpn ipsec site-to-site peer 198.51.100.4 tunnel 1 remote-subnet 192.168.1.0/24
Important notes about the config
– Authentication: PSK is simpler, but certificates are better for larger deployments or if you frequently re-key. If you go with certificates, you’ll need a PKI setup and trust anchors on both sides.
– Proposals: AES256 + SHA256 with DH group 14 are strong defaults. You can adjust to AES128 if you need compatibility or performance improvements, but be mindful of security trade-offs.
– Local vs remote subnets: ensure there are no overlapping subnets across sites; otherwise, traffic might be routed incorrectly or dropped.
– NAT rules: you’ll generally want to exclude VPN subnets from NAT. If you’re running a typical home/office setup with NAT at the edge, add NAT exemptions for traffic destined to the remote subnet so that VPN traffic isn’t translated.
NAT exemption example (Site A)
– EdgeOS NAT rules live under service nat. An exclude rule numbered lower than your masquerade rule keeps tunnel traffic untranslated:
  – set service nat rule 501 description "Exclude VPN traffic from NAT"
  – set service nat rule 501 exclude
  – set service nat rule 501 outbound-interface eth0
  – set service nat rule 501 type masquerade
  – set service nat rule 501 source address 192.168.1.0/24
  – set service nat rule 501 destination address 10.0.0.0/24
– Alternatively, set vpn ipsec auto-firewall-nat-exclude enable has EdgeOS add the NAT exclusion and firewall exceptions for every site-to-site tunnel automatically.
Firewall implications
– EdgeRouter devices usually have a default firewall policy that might block traffic across a VPN tunnel. Create or adjust firewall rules to allow traffic from the local LAN to the remote LAN and vice versa.
– A simple policy-based approach:
  – Allow input on the LAN to the VPN tunnel
  – Allow forward traffic between the local LAN and remote LAN across the VPN
  – Deny unnecessary inbound traffic from the VPN, unless you have a compelling reason to allow it
Verification and testing
Once you’ve applied the config, you’ll want to verify that the tunnel is up and traffic can flow.
– Check tunnel status
  – show vpn ipsec sa
  – show vpn ipsec status
  – show vpn ipsec tunnel
– Basic connectivity tests
  – From Site A, ping a host on Site B: ping 10.0.0.5
  – From Site B, ping a host on Site A: ping 192.168.1.20
  – If pings fail, check the tunnel status, phase 1 and phase 2 negotiation, and firewall rules.
– Traceroute to diagnose routing
  – A traceroute to a host in the remote LAN (for example, traceroute 192.168.1.20 from Site B) can reveal where the path breaks
  – Ensure the correct route to the remote subnet is installed in the EdgeRouter
– Logs and diagnostics
  – tail -f /var/log/messages while you attempt to establish the tunnel
  – Look for common issues: bad PSK, mismatched IKE proposals, NAT issues, or firewall drops
Common issues and fixes
– Mismatched pre-shared key
  – Ensure the PSK on Site A matches Site B exactly, including case and spaces.
– Different IKE/IPsec proposals
  – Make sure both sides use the same IKE group, encryption, hash, and DH group settings.
– Subnet overlap
  – If the same range (for example 192.168.1.0/24) is in use at both sites, or one site’s range contains the other’s, traffic won’t route properly. Change a subnet or adjust addressing.
– NAT problems
  – Ensure VPN traffic isn’t NAT’d on either side, or that appropriate NAT exemptions are in place.
– Dynamic IP challenges
  – If one side uses a dynamic IP, you’ll need a dynamic DNS update mechanism or a VPN solution that supports dynamic IP updates.
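Most of the fixes above come down to “both routers must agree”. The following script is an added example (not EdgeOS or Ubiquiti code) that cross-checks the set vpn ipsec commands from both routers for exactly those points: differing proposals, a PSK that differs in case, subnets that are not mirrored, and subnets that overlap. The two configs below are constructed from the guide’s Site A / Site B example, with two mistakes planted on Site B.

```python
import ipaddress
import shlex

# Constructed sample: the guide's Site A commands, and a Site B copy with two
# deliberate mistakes (ESP hash sha1, PSK in a different case) to be caught.
SITE_A = """
set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1 proposal 1 hash sha256
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret "YourPresharedKey"
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local-subnet 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote-subnet 10.0.0.0/24
"""
SITE_B = """
set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1 proposal 1 hash sha1
set vpn ipsec site-to-site peer 198.51.100.4 authentication pre-shared-secret "YourPresharedkey"
set vpn ipsec site-to-site peer 198.51.100.4 tunnel 1 local-subnet 10.0.0.0/24
set vpn ipsec site-to-site peer 198.51.100.4 tunnel 1 remote-subnet 192.168.1.0/24
"""

def parse(config_text):
    """Map each 'set vpn ipsec ...' path to its value; the peer IP becomes '<peer>'."""
    entries = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)          # handles the quoted PSK
        if tokens[:3] != ["set", "vpn", "ipsec"] or len(tokens) < 5:
            continue
        path = tokens[3:-1]
        if "peer" in path:
            path[path.index("peer") + 1] = "<peer>"
        entries[tuple(path)] = tokens[-1]
    return entries

def check(site_a_text, site_b_text):
    """Return mismatch descriptions; an empty list means the sides agree."""
    a, b = parse(site_a_text), parse(site_b_text)
    findings = []
    # 1. Every IKE/ESP proposal parameter must be identical on both sides.
    for key in sorted(set(a) | set(b)):
        if key[0] in ("ike-group", "esp-group") and a.get(key) != b.get(key):
            findings.append(f"proposal mismatch {' '.join(key)}: {a.get(key)} vs {b.get(key)}")
    # 2. The PSK must match exactly, including case and whitespace.
    psk = ("site-to-site", "peer", "<peer>", "authentication", "pre-shared-secret")
    if a.get(psk) != b.get(psk):
        findings.append("pre-shared-secret differs between the two sites")
    # 3. A's local subnet must be B's remote subnet (and vice versa) per tunnel;
    #    A's own local and remote subnets must not overlap.
    for key, value in a.items():
        if key[-1] not in ("local-subnet", "remote-subnet"):
            continue
        other = "remote-subnet" if key[-1] == "local-subnet" else "local-subnet"
        if b.get(key[:-1] + (other,)) != value:
            findings.append(f"{' '.join(key)} {value} is not mirrored as Site B {other}")
        remote = a.get(key[:-1] + ("remote-subnet",))
        if key[-1] == "local-subnet" and remote and \
                ipaddress.ip_network(value).overlaps(ipaddress.ip_network(remote)):
            findings.append(f"tunnel {key[-2]}: {value} overlaps {remote}")
    return findings
```

Paste the output of show configuration commands | grep "vpn ipsec" from each router into the two strings and run check() before you start reading IKE logs.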
Advanced tips and best practices
– Prefer IKEv2 when possible
  – IKEv2 handles roaming and rekeying more smoothly, which is great for sites with variable connectivity or mobile clients.
– Use strong authentication and consider certificates for large deployments
  – If you’re operating multiple tunnels or want to scale, PKI-based authentication reduces the risk of PSK leakage and makes automated rotation easier.
– Consider two-tunnel redundancy
  – In a critical setup, configure two separate site-to-site tunnels with different remote peers. This improves resilience if one path or peer goes down.
– Separate management traffic
  – Keep management traffic on separate networks or VLANs and limit management access across the VPN as appropriate.
– Performance considerations
  – EdgeRouter devices have varying VPN throughput. If you’re pushing high-speed traffic, ensure your model has the CPU headroom for IPsec encryption. Using AES-GCM and hardware acceleration, if available on your model, can help with throughput.
– Dynamic DNS and remote access for changing IPs
  – If you’re using dynamic IPs on one or both ends, set up a reliable Dynamic DNS service and update the VPN peer configuration when IPs change, or use a router that supports dynamic IP updates automatically.
– Security hardening
  – Always keep firmware up to date.
  – Use the minimum required access across the tunnel. Lock down services and applications that can be accessed across the VPN.
  – Consider monitoring and alerting for VPN tunnel state changes.
Performance and data points to consider
– Encryption overhead: IPsec adds CPU overhead. On smaller EdgeRouter models, it’s common to see a slight decline in raw throughput when encryption is enabled. If high throughput is a requirement, factor in hardware capabilities and consider pivoting to a higher-end EdgeRouter model.
– Latency: VPN tunnels introduce some additional latency due to encryption, decryption, and routing. For most SMBs and labs, this isn’t noticeable, but for latency-sensitive applications, design with that in mind.
– Reliability: Strong ISPs and redundant WAN connections can improve VPN uptime. If you rely on a site-to-site VPN for business continuity, plan for failover and test it regularly.
Troubleshooting quick-start checklist
– Confirm tunnel status on both sides with show vpn ipsec sa/status.
– Ensure both sides use the exact same IKE and IPsec proposals, including encryption and hashing algorithms.
– Verify the PSK or certificate configuration matches on both sides.
– Check for overlapping subnets and resolve any conflicts.
– Confirm firewall rules allow traffic across the VPN tunnel in both directions.
– Validate NAT exemptions so VPN traffic isn’t translated.
– Test with direct pings first, then expand to other protocols (SSH, SMB, RDP, etc.).
– Review system logs for hints about negotiation failures or dropped packets.
– If using dynamic IPs, confirm that updates propagate to the peer or switch to a fixed IP if feasible.
Related topics you might explore
– Hybrid VPN setups: combining IPSec with GRE for dynamic routing over VPN tunnels
– VPN failover strategies: automatic re-routing and monitoring
– Site-to-site vs client VPNs: when you’d use one or the other
– How to monitor VPN health: SNMP, syslog, and alerting rules
FAQ: Frequently Asked Questions
# What is a site-to-site VPN on EdgeRouter?
A site-to-site VPN on EdgeRouter creates an encrypted IPsec tunnel between two private networks over the public internet, enabling devices on one site to reach devices on the other as if they were on the same network.
# Do I need certificates or can I use a pre-shared key PSK?
For small setups, PSK is simplest and fast to deploy. For larger networks or when you want scalable automation and rotation, certificates are more secure and manageable.
# How many VPN tunnels can EdgeRouter handle?
This depends on the model. Most EdgeRouter devices support multiple site-to-site tunnels. Check your specific model’s hardware capabilities and performance specs.
# Should I use IKEv1 or IKEv2?
IKEv2 is generally preferred for stability, faster rekeying, and better mobility support. IKEv1 is older but still widely supported. Ensure both sides match on the chosen version.
# How do I test if the tunnel is up?
Use commands like show vpn ipsec sa and show vpn ipsec status to verify tunnel status, then run pings across the remote subnet to confirm data flow.
# How can I prevent VPN traffic from being NAT’d?
Configure NAT exemptions for the VPN traffic, typically by adding a rule that prevents NAT for traffic between the local and remote subnets across the VPN.
# Can I have multiple tunnels to the same remote site?
Yes. You can configure multiple site-to-site tunnels for redundancy or to use different ISPs. Each tunnel will have its own peer and tunnel settings.
# How do I handle dynamic IPs on one side?
Use Dynamic DNS and ensure the peer is updated with the new IP address when it changes. Some EdgeRouter firmware versions support dynamic updates automatically.
# What are common pitfalls to avoid?
Overlapping subnets, mismatched PSK or proposals, failing to update firewall rules, and not excluding VPN traffic from NAT are common issues. Also, make sure you’ve documented the exact tunnel parameters so future changes don’t break connectivity.
# How can I improve performance on a busy EdgeRouter VPN?
Choose strong but efficient encryption (AES-256 with SHA-256), enable hardware acceleration if your model supports it, and ensure the router has sufficient CPU resources. Reducing unnecessary traffic across the tunnel can also help.
# Is it safe to rely on a single EdgeRouter for a critical site-to-site VPN?
For production-critical links, consider redundancy: multiple tunnels, redundant WAN links, and monitoring with automated failover. Regular backups of your VPN configuration are a good practice.
# Can I mix IPv4 and IPv6 traffic over the same VPN?
Yes, many EdgeRouter configurations support IPv4 and IPv6 traffic over the same IPsec tunnel, but you’ll need to configure subnets and firewall rules accordingly and test both protocols.
# How often should I rotate my pre-shared key PSK?
If you’re using PSK, rotate it on a schedule aligned with your security policy. Short rotations increase operational overhead, so balance security with manageability.
# What should I document when I set up a site-to-site VPN?
Document the following: peer public IPs, PSK or certificate details, IKE/IPsec proposals, local and remote subnets, NAT exemptions, firewall rules, and any DNS/DHCP considerations. Keep a change log for future audits or troubleshooting.
# How do I monitor VPN health over time?
Set up logging for VPN negotiation events, monitor tunnel uptime, and keep an eye on latency and packet loss across the VPN. Centralized logging or a simple alerting rule can help you catch issues early.
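As an added example of the monitoring suggested here and under “Security hardening” above (not EdgeOS code), the script below parses the tabular output of show vpn ipsec sa (a peer line with the remote and local IP, followed by indented tunnel rows whose second column is the state) and reports expected tunnels that are missing or not up, so a cron job can alert on state changes. The sample output is constructed to match that layout; the vyatta-op-cmd-wrapper path in the comment is the assumed way to run op-mode commands from a script.

```python
import re

# Constructed sample in the layout of 'show vpn ipsec sa': tunnel 1 is up,
# tunnel 2 is down, and a tunnel 3 we expect has no SA at all.
SAMPLE_SA = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.2                             198.51.100.4

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     1.2M/3.4M      aes256   sha256  no     1234    3600    all
    2       down   0.0/0.0        n/a      n/a     no     0       0       all
"""

# An unindented line holding exactly two IPv4 addresses starts a peer section.
PEER_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_sa(output):
    """Return {(peer_ip, tunnel_no): state} from 'show vpn ipsec sa' text."""
    states, peer = {}, None
    for line in output.splitlines():
        m = PEER_LINE.match(line)
        if m:
            peer = m.group(1)           # remote peer is the first column
            continue
        cols = line.split()
        if peer and line.startswith(" ") and cols and cols[0].isdigit():
            states[(peer, int(cols[0]))] = cols[1].lower()
    return states

def tunnel_problems(output, expected):
    """expected: iterable of (peer_ip, tunnel_no) that must be up.
    Returns a list of problem descriptions; empty means every tunnel is up."""
    states = parse_sa(output)
    problems = []
    for peer, tunnel in expected:
        state = states.get((peer, tunnel))
        if state is None:
            problems.append(f"peer {peer} tunnel {tunnel}: no SA (phase 1/2 never completed?)")
        elif state != "up":
            problems.append(f"peer {peer} tunnel {tunnel}: state {state}")
    return problems

if __name__ == "__main__":
    # On the router you would feed live output instead, e.g. from
    #   /opt/vyatta/bin/vyatta-op-cmd-wrapper show vpn ipsec sa   (assumed path)
    expected = [("203.0.113.2", 1), ("203.0.113.2", 2), ("203.0.113.2", 3)]
    for problem in tunnel_problems(SAMPLE_SA, expected):
        print("ALERT:", problem)
```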
# How do I upgrade EdgeRouter firmware without breaking VPNs?
Back up your config before upgrading. After upgrading, re-check your VPN tunnels carefully, as firmware changes can affect default behaviors and available features. If issues arise, revert to the previous firmware while you diagnose.
If you want more hands-on examples, I’ll be happy to tailor the exact commands to your specific network layout and EdgeRouter model. This guide is designed to be a practical, no-fluff reference you can return to whenever you’re setting up or debugging a site-to-site VPN with EdgeRouter.