Ubiquiti Teleport and site to site VPN

Question

Hi, hope to get some advice here. We recently bought a Ubiquiti Dream Machine Pro (DMP) with the latest Unifi OS 4.0.6 and Network 8.3.32. I managed to set up a site to site VPN between DMP and one of our VPCs with dual tunnels. We're able to access the instances in the VPC from our office network. The VPN tunnels are stable.

Here's the problem. We use the Ubiquiti Teleport for remote access to the office. The Teleport users are unable to access the AWS VPC via the existing site to site VPN. The static route I set up on DMP is: Destination network: CIDR (/24) of our AWS VPC, Next hop: inside ip of AWS vgw of that VPN. I've added the Teleport traffic to the VPC route tables. Also allowed inbound traffic from Teleport in the security groups.

TraceRoute results:
Scenario 1: From office local network -> office network gateway ip (10.0.1.1) -> ip in our AWS VPC (Successful)
Scenario 2: From home Teleport to office -> office WAN public ip -> inside ip of AWS vgw (looping) (Failed to access VPC)

What else can I do to make it work for the Teleport users?

Thanks,
PH

randy · Accepted Answer

That looks like the issue. The "Local IPv4 network CIDR" needs to contain all subnets allowed from the client-side of the VPN

randy · Answer

You do Not need to create another customer (2nd) gateway as long as the traffic is coming from the existing DMP.

Since you wrote:  inside ip of AWS vgw (looping) 
This makes me think it's a problem with route table config in your AWS VPC. I suggest you ensure you're routing traffic destined for the VPN clients back to the VGW (and not out towards a NAT or Internet Gateway)

Can you share more info about the Ubiquiti architecture? a rough diagram would be super helpful!

Here are 3 components needed to make this work without hairpin nat:
1) Security Association - both sides of the VPN need to allow the subnets that are allowed to send traffic over the VPN - sounds like this must be correct or the tunnel(s) wouldn't come up
2) Routing
    a) Route traffic destined for the VPC to the  inside IP of the VPG
    b) Return route - in AWS you need to ensure you're routing traffic destined for the VPN clients back to the VGW (and not out towards a NAT or Internet Gateway)
3) Security Groups

Can you enable VPC Flow Logging?

randy · Answer

Hello, It sounds like what you need is to enable "hairpin nat" on the Ubiquiti Dream Machine Pro (DMP). [Here's an article on how to do that for the Ubiquiti EdgeRouter.](https://help.ui.com/hc/en-us/articles/204952134-EdgeRouter-Hairpin-NAT#2)

Here's how I'd think about it: you don't want to allow the Public IP address of the VPN client access, you want to hide/NAT the client behind a private (RFC1918 address) that's within your network.

I'd also ensure the Security Group is allowing traffic from the Clients' IP address as assigned by Ubiquiti Teleport. What's important here is to allow the Private addresses assigned to the VPN clients to be allowed to connect to the resources in the AWS VPC.

blacktulip12 · Answer

Also, can I add two 'Local IPv4 network CIDR' to the s2s vpn connection?
![Enter image description here](/media/postImages/original/IMloJQvvMqSh291J8e65XrQQ)

blacktulip12 · Answer

Hi Randy, attached the routes in the route table that the site to site VPN connects to. For 2.b), where do I set the route to direct the traffic destined 192.168.2.0/24 to the vgw? Is it the one in the screenshot attached?
![Enter image description here](/media/postImages/original/IMqgwgqwlgR7ivB2LBIrhbfg)

I can enable the VPC flow log. Shall I log all the traffic or just 'REJECT' traffic? Thanks.

blacktulip12 · Answer

Hi,

I finally figured out how to make it work after seeing this post [https://repost.aws/questions/QUVxhGEH-iSiy1UvGpzs5Ijw/aws-site-to-site-vpn-configure-multiple-cidr-ranges](). Basically, need to set Local IPv4 network CIDR to 0.0.0.0/0 in the vpn connection configuration. And then tighten the security control in the VPC security group.

Ubiquiti Teleport and site to site VPN

Add your answer

Relevant content