Set Up UID VPN

Requirements

Notes

If you have already set up UniFi Identity OpenVPN, it must be deleted before WireGuard VPN can be set up.

VPN Type	Device Requirements	Application Requirements
OpenVPN	Dream Machine (UDM) Dream Machine Pro (UDM Pro) Dream Machine Special Edition (UDM SE)	N/A
WireGuard VPN	Dream Machine (UDM) Dream Machine Pro (UDM Pro) Dream Machine Special Edition (UDM SE) Cloud Key Gen2 Plus (CKP) UniFi Dream Wall (UDW) (EA)	UniFi Identity Agent: v1.51.1 or later Identity mobile app for Android: v0.55.2 or later Identity mobile app for iOS: v0.55.4 or later Identity desktop app for macOS: 0.55.1 or later Identity desktop app for Windows: 0.55.1 or later

VPN Type

Device Requirements

Application Requirements

OpenVPN

Dream Machine (UDM)
Dream Machine Pro (UDM Pro)
Dream Machine Special Edition (UDM SE)

N/A

WireGuard VPN

Dream Machine (UDM)
Dream Machine Pro (UDM Pro)
Dream Machine Special Edition (UDM SE)
Cloud Key Gen2 Plus (CKP)
UniFi Dream Wall (UDW) (EA)

UniFi Identity Agent: v1.51.1 or later
Identity mobile app for Android: v0.55.2 or later
Identity mobile app for iOS: v0.55.4 or later
Identity desktop app for macOS: 0.55.1 or later
Identity desktop app for Windows: 0.55.1 or later

Set Up One-Click VPN

Select a site from the drop-down menu in the top left corner.

Go to the dashboard.

Click One-Click VPN.

Click Set Up on the following page.

Configure the VPN settings as needed (see the table below for more information).

Setting	Action
Name	Enter the network name.
Assign to all users of the current site	Enable to automatically assign this VPN to all users of the selected site.
Deploy on	Select the UniFi Host that will host the VPN.
Type	UniFi Identity currently supports OpenVPN and WireGuard VPN.
VPN Server	Sync with the Public IP of UniFi Host: When enabled, the VPN server will auto sync with the public IP address of UniFi OS Host. It's suggested to enable this option if you are using dynamic IPs. Option1: Enable Sync with the Public IP of UniFi Host. Option2: Disable Sync with the Public IP of UniFi Host, and enter the public IP address of UniFi Host.
Protocol	Select the network's protocol.

Setting

Action

Name

Enter the network name.

Assign to all users of the current site

Enable to automatically assign this VPN to all users of the selected site.

Deploy on

Select the UniFi Host that will host the VPN.

Type

UniFi Identity currently supports OpenVPN and WireGuard VPN.

VPN Server

Sync with the Public IP of UniFi Host: When enabled, the VPN server will auto sync with the public IP address of UniFi OS Host. It's suggested to enable this option if you are using dynamic IPs.

Option1: Enable Sync with the Public IP of UniFi Host.
Option2: Disable Sync with the Public IP of UniFi Host, and enter the public IP address of UniFi Host.

Protocol

Select the network's protocol.

Notes:

You cannot modify an outer VPN port if your UniFi Host's public IP is the same as the WAN IP.
If your public IP and the WAN IP are different, you will need to create a port forwarding rule. For more details, see Network Deployment.

8. Click Show Advanced Settings to configure the following settings (Optional).

Setting	Action
Gateway IP/Subnet	Enter an IP address.
DNS Server 1	Enter an IP address for the primary DNS server.
DNS Server 2	Enter an IP address for the secondary DNS server.
Default DNS Suffix	Enter the DNS Suffix. Default DNS Suffix allows administrators to set a DNS suffix that is automatically filled following the hostname element. This means that Windows clients only need to enter the hostname element to access resources through their FQDNs.
Custom Routing	Specify which IP address or subnet will be routed through the One-Click VPN tunnel when VPN Proxy is set to the Intranet mode. Custom routing allows the configured IP addresses or subnets to still go through the One-Click VPN tunnel when the client is set to the Intranet mode. Without the need to route all traffic through the One-Click VPN tunnel, employees working remotely can use One-Click VPN to simply access the resources that are accessible only from the company network. The Intranet mode can significantly reduce the bandwidth usage coming from the One-Click VPN-connected clients, and in turn increase the internet speed of One-Click VPN. Note: This function only applies to clients using the Intranet VPN Proxy mode, the Global mode will still route all traffic through the VPN tunnel.
Maximum Connection Time	Specify the VPN session duration.

Setting

Action

Gateway IP/Subnet

Enter an IP address.

DNS Server 1

Enter an IP address for the primary DNS server.

DNS Server 2

Enter an IP address for the secondary DNS server.

Default DNS Suffix

Enter the DNS Suffix.
Default DNS Suffix allows administrators to set a DNS suffix that is automatically filled following the hostname element. This means that Windows clients only need to enter the hostname element to access resources through their FQDNs.

Custom Routing

Specify which IP address or subnet will be routed through the One-Click VPN tunnel when VPN Proxy is set to the Intranet mode.
Custom routing allows the configured IP addresses or subnets to still go through the One-Click VPN tunnel when the client is set to the Intranet mode. Without the need to route all traffic through the One-Click VPN tunnel, employees working remotely can use One-Click VPN to simply access the resources that are accessible only from the company network. The Intranet mode can significantly reduce the bandwidth usage coming from the One-Click VPN-connected clients, and in turn increase the internet speed of One-Click VPN.
Note: This function only applies to clients using the Intranet VPN Proxy mode, the Global mode will still route all traffic through the VPN tunnel.

Maximum Connection Time

Specify the VPN session duration.

Click Continue. A setup confirmation message will appear.

Click OK.

Set Up One-Click VPN

Requirements

Set Up One-Click VPN

What's Next