Troubleshoot UID VPN Issues
  • 15 Mar 2023
  • 4 Minutes to read

Common One-Click VPN Issues

  • One-Click VPN is frequently disconnected.
  • The status shows VPN Connected but you still cannot connect to the internet.

If you encounter either of these issues, check the following and then try connecting to the VPN again:

  1. Make sure One-Click VPN is set up correctly.
  2. Make sure port 10118 is enabled.
    • If a public IP address is assigned to your UniFi OS Console, port forwarding does not need to be configured manually.
    • If no public IP address is assigned to your UniFi OS Console, port forwarding needs to be configured on the router to which the UniFi OS Console is connected.
    • Make sure that port 10118 is not already used by any other custom port forwarding rule, which would conflict with the VPN.
  3. Make sure the One-Click VPN status is Active.
    1. Go to your UID Manager Portal and select a site.
    2. Click VPN on the left sidebar.
    3. Click a VPN and make sure the status is Active.
  4. Make sure a public IP address is configured.
  5. Make sure your UID Agent is online.
Notes

VPN Connection Issues or Frequent VPN Disconnections/Timeouts

  • For users: If you are unable to connect to One-Click VPN, please contact your UniFi Identity administrator and then submit your feedback on your Identity mobile app.

  • For administrators: Go to your UID Manager Portal > One-Click VPN > VPN to modify a VPN.

Important
  • Do not modify a One-Click VPN on the UniFi Network application.

If you've followed the steps above but are still experiencing connection issues, refer to the resolutions below.

1. Check if a public IP is configured

If your UniFi OS Console does not have a public IP address, you need to configure port forwarding on the router in front of it. If more than one router sits between the console and the public IP address, each of those routers needs a forwarding rule for port 10118 (multi-level port forwarding). Use either of the following methods to check the console's public IP settings:

  • Method 1: Check in the UniFi OS Portal.
    1. Go to Settings > General.
    2. Check if the WAN IP is a public IP.
  • Method 2: Check via SSH.
    1. Enter the following traceroute command:

      ssh root@UDM_IP
      traceroute google.com
      
    2. Check whether the first hop is a public IP address. A private first hop (10.x.x.x, 172.16.x.x to 172.31.x.x, or 192.168.x.x) means the console sits behind NAT and port forwarding is required.
      (screenshot: troubleshoot-VPN-trace)

    3. Enter these commands to check the VPN operating environment:

      ssh root@UDM_IP
      unifi-os shell
      uid health vpn
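
The decision the two methods above lead to (public address, so no forwarding; private address, so forward port 10118 on every router in between) can be automated. The following is an added example written for this article, not Ubiquiti code: it classifies the WAN address, parses traceroute output to count the routers between the console and the public Internet, and also flags carrier-grade NAT (100.64.0.0/10), where the public address belongs to the ISP and forwarding on your own router cannot reach the console. The traceroute text and the WAN addresses are constructed for the demo; on a console you would paste in the output of `traceroute -n google.com` and the WAN IP from Settings > General.

```python
"""Decide whether One-Click VPN needs port forwarding, from the WAN address and traceroute.

Added example for this article (not Ubiquiti code). Feed it the WAN IP from
Settings > General and the output of `traceroute -n google.com` run on the
console; the traceroute text below is constructed for the demo.
"""
import ipaddress
import re

VPN_PORT = 10118

# Ranges that mean "this interface does not hold a public address". Listed explicitly
# rather than via ipaddress.is_private/is_global, whose handling of 100.64.0.0/10
# differs between Python versions. Documentation ranges such as 203.0.113.0/24 are
# not listed, so the demo can use them as stand-ins for public addresses.
NON_PUBLIC = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat": ("100.64.0.0/10",),  # RFC 6598 shared space: NAT inside the ISP
    "special": ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"),
}
NON_PUBLIC = {k: [ipaddress.ip_network(n) for n in v] for k, v in NON_PUBLIC.items()}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(addr: str) -> str:
    """'public', 'rfc1918', 'cgnat' or 'special' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    for kind, nets in NON_PUBLIC.items():
        if any(ip in net for net in nets):
            return kind
    return "public"


def hops(traceroute_text: str) -> list:
    """(hop number, IPv4) pairs from traceroute output; '* * *' hops carry no address and are skipped."""
    found = []
    for line in traceroute_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue                      # header line or other noise
        ip = IPV4.search(m.group(2))
        if ip:
            found.append((int(m.group(1)), ip.group(1)))
    return found


def nat_layers(traceroute_text: str) -> int:
    """Consecutive non-public hops before the first public one.

    Each is a router between the console and the Internet that has to forward
    VPN_PORT one level down (the article's multi-level port forwarding). A private
    hop inside the ISP's own network would inflate the count, so verify it against
    the routers you actually control.
    """
    count = 0
    for _, ip in hops(traceroute_text):
        if classify(ip) == "public":
            break
        count += 1
    return count


def assess(wan_ip: str, traceroute_text: str) -> tuple:
    """Return (verdict, number of routers that need a forwarding rule).

    'public' -> no forwarding needed, the VPN listens on the console itself
    'cgnat'  -> the ISP holds the public address; forwarding on your router cannot help
    'nat'    -> forward VPN_PORT (TCP or UDP, matching the VPN protocol) on each router
    """
    kind = classify(wan_ip)
    if kind == "public":
        return ("public", 0)
    if kind == "cgnat":
        return ("cgnat", 0)
    return ("nat", max(1, nat_layers(traceroute_text)))


# Constructed traceroute output: console behind two private routers, then the Internet.
TRACE_NAT = """\
traceroute to google.com (142.250.80.46), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.380 ms  0.360 ms
 2  10.20.0.1  1.902 ms  1.850 ms  1.811 ms
 3  203.0.113.1  8.120 ms  8.004 ms  7.990 ms
 4  * * *
"""
# Constructed output for a console that holds a public address: the first hop is public.
TRACE_PUBLIC = """\
traceroute to google.com (142.250.80.46), 30 hops max, 60 byte packets
 1  203.0.113.1  1.010 ms  0.990 ms  0.985 ms
 2  198.51.100.9  5.300 ms  5.210 ms  5.180 ms
"""

if __name__ == "__main__":
    for wan, trace in (("192.168.1.50", TRACE_NAT), ("203.0.113.77", TRACE_PUBLIC), ("100.64.3.7", TRACE_NAT)):
        print(wan, classify(wan), assess(wan, trace))
```

With the constructed data, a WAN address of 192.168.1.50 behind the first trace yields `("nat", 2)`: two routers each need a rule for port 10118. A WAN address in 100.64.0.0/10 yields `("cgnat", 0)`, which is the case to rule out early, because no amount of port forwarding on your own equipment fixes it.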
      

2. Check the One-Click VPN configuration

  1. Sign in to your UID Manager Portal (https://[your workspace domain].ui.com/cloud).
  2. Select a site from the drop-down menu in the top-left corner.
  3. Go to the Dashboard.
  4. Click One-Click VPN.
  5. Select a VPN network.
  6. Click View VPN Settings to open the network properties page.
  7. Make sure the VPN settings are correct, especially the VPN port and IP address settings.

3. Enter the telnet command to check the VPN port connectivity

Notes
  • This check only works when the VPN uses the TCP protocol, because telnet opens a TCP connection; a UDP listener cannot be probed this way. Use the IP address and port shown in the VPN settings.
  • If the port accepts the connection, telnet shows a Connected to status.
    (screenshot: troubleshoot-VPN-telnet)

  • If the port cannot be reached, telnet shows an Unable to connect status. A connection that is refused immediately means a host answered but nothing is listening on that port; one that times out means the packets are being dropped, typically by a firewall or a missing port forward.
    (screenshot: troubleshoot-VPN-no-route)
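
The same probe without telnet, which is often missing from client machines, as an added example written for this article (not Ubiquiti code). It performs the TCP handshake the telnet step relies on and separates the three outcomes a practitioner needs to tell apart: open, refused (a host answered, nothing listens) and timeout (packets dropped). The loopback demo at the end builds its own listener so the block runs offline; the console address in the final comment is an assumption.

```python
"""Check whether the One-Click VPN TCP port answers, without needing telnet.

Added example (not Ubiquiti code). It does what the article's telnet step does,
with the three outcomes a practitioner has to tell apart. Only meaningful for a
VPN configured with the TCP protocol; a UDP listener cannot be probed this way.
"""
import socket

VPN_PORT = 10118


def check_tcp_port(host: str, port: int = VPN_PORT, timeout: float = 3.0) -> str:
    """Try a TCP handshake with host:port and return one of:

    'open'        handshake completed: the port is forwarded and something listens
    'refused'     a host answered with RST: reachable, but nothing listens on that port
                  (VPN not Active, or the forward points at the wrong internal host)
    'timeout'     no answer at all: a firewall drops the SYN, or the forward is missing
    'unreachable' no route, name resolution failure or another socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def loopback_demo() -> tuple:
    """Show 'open' against a local listener and 'refused' once it is closed.

    A listening socket that never calls accept() still completes the handshake
    (the connection waits in the backlog), which is exactly what a telnet
    'Connected to' tells you: the port is reachable, nothing more.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = check_tcp_port("127.0.0.1", port, timeout=1.0)
    return (while_open, after_close)


if __name__ == "__main__":
    print(loopback_demo())
    # Against a real console, run from outside its LAN (assumed address):
    # print(check_tcp_port("203.0.113.77", VPN_PORT))
```

Run the probe from outside the console's network; from inside the LAN a NAT router may not apply its own forwarding rules, so a 'refused' or 'timeout' there proves nothing about the external path.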

4. Sign in to the UniFi OS Console via SSH and capture traffic on the VPN port

Notes
  • Do not close the SSH terminal because you will need to return to it later.
  1. Enter the following command:
    ssh root@UDM_IP
    tcpdump -i eth8 dst port 10118
    
Notes
  • eth8 in the command represents the console's WAN port with an Ethernet connection. The interface name is eth(n-1), where n is the port number printed on the console.

  • Example: eth8 on a UDM Pro is port 9 (eth(9-1) = eth8). On a UDM the WAN port is port 5, so the interface is eth(5-1) = eth4.

  2. Launch your Identity desktop app or mobile app.
  3. Click One-Click VPN.
  4. Check whether the client's packets show up in the tcpdump output. The filter dst port 10118 shows only traffic arriving at the VPN port, so an empty capture means the packets never reach the console's WAN interface.
Notes
  • If no packets arrive, or they arrive but the connection still fails, check the port forwarding and firewall rules on the upstream router and on the console.

One-Click VPN supports multiple public IP addresses on a single WAN only when the VPN uses the TCP protocol; with TCP, all of the console's public IPs can accept VPN connections.

If you set up One-Click VPN with the UDP protocol, only the primary IP can be used for VPN connections. UDP is connectionless: the server keeps no per-client state, so by the time a client's packets have passed through the server's network layer it no longer retains which of its addresses the client sent to. When it replies, the primary IP is chosen as the source address. A client that sent to a secondary IP therefore receives a reply from an address it never contacted and discards it, which is why multiple public IPs cannot be used over UDP.


One-Click VPN does not support multi-WAN configurations over UDP for the same reason: the server does not retain which WAN address the client's packets arrived on, so its replies leave from the primary address. As an alternative, do either of the following:

  • Switch the protocol from UDP to TCP:
    1. Log in to your UID Manager Portal and select a site.
    2. Click Dashboard on the left sidebar, click One-Click VPN, and click VPN on the left sidebar.
    3. Select a VPN and go to Settings > General > Protocol, then change UDP to TCP.
  • If the second WAN is not needed, leave that WAN port unplugged so that the console runs with a single WAN.
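
The behaviour described in the UDP paragraphs above can be reproduced with plain sockets. The following is an added example written for this article, not Ubiquiti code or the One-Click VPN implementation: a UDP server bound to all addresses (0.0.0.0) answers a client that addressed a secondary IP from the primary IP, a client that insists on replies from the address it dialed (as a VPN client does) times out, a server bound to the secondary address replies correctly, and a TCP listener has no such problem because the accepted connection is bound to the dialed address. It assumes Linux, where the loopback interface carries all of 127.0.0.0/8: 127.0.0.1 stands in for the primary WAN address, 127.0.0.2 for a secondary public IP and 127.0.0.3 for the client.

```python
"""Why a UDP One-Click VPN can only use the primary WAN address.

Added example (not Ubiquiti code), using plain sockets as a stand-in for the
VPN server. On Linux the loopback interface carries all of 127.0.0.0/8, so
127.0.0.2 plays a secondary public IP on the WAN, 127.0.0.1 the primary one and
127.0.0.3 the VPN client. Other systems may not have the extra loopback
addresses configured.
"""
import socket

PRIMARY = "127.0.0.1"    # stands in for the console's primary WAN address
SECONDARY = "127.0.0.2"  # stands in for an additional public IP on the same WAN
CLIENT = "127.0.0.3"     # stands in for the VPN client's address


def udp_exchange(server_bind: str, strict_client: bool) -> str:
    """Client sends one datagram to SECONDARY; return the source address of the reply.

    server_bind="0.0.0.0" is the wildcard listener: when it answers, the kernel
    picks the source address by routing (the primary IP) because a UDP socket
    keeps no record of which destination address the client used.
    server_bind=SECONDARY is one socket per address: the reply carries that address.
    strict_client=True connects the client socket to SECONDARY, as a real VPN
    client does, so the kernel discards replies from any other address and the
    client sees a timeout instead of an answer.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind((server_bind, 0))
        port = srv.getsockname()[1]
        cli.bind((CLIENT, 0))
        cli.settimeout(1.0)
        if strict_client:
            cli.connect((SECONDARY, port))
            cli.send(b"hello")
        else:
            cli.sendto(b"hello", (SECONDARY, port))
        data, peer = srv.recvfrom(64)     # the server learns only the client's address
        srv.sendto(b"ack:" + data, peer)  # the source address is chosen by the kernel
        try:
            _, (src, _) = cli.recvfrom(64)
            return src
        except socket.timeout:
            return "timeout"
    finally:
        srv.close()
        cli.close()


def tcp_local_address() -> str:
    """Same setup over TCP: the accepted connection is bound to the address the
    client dialed, so every reply leaves from SECONDARY even with a wildcard listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("0.0.0.0", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.create_connection((SECONDARY, port), source_address=(CLIENT, 0))
    conn, _ = srv.accept()
    local = conn.getsockname()[0]
    conn.close()
    cli.close()
    srv.close()
    return local


if __name__ == "__main__":
    print("UDP wildcard, relaxed client :", udp_exchange("0.0.0.0", False))  # primary IP
    print("UDP wildcard, strict client  :", udp_exchange("0.0.0.0", True))   # timeout
    print("UDP bound to SECONDARY       :", udp_exchange(SECONDARY, True))   # 127.0.0.2
    print("TCP wildcard listener        :", tcp_local_address())             # 127.0.0.2
```

The strict-client case is the one that matches the symptom in this article: the client's packets reach the server and are answered, but the answers come from the wrong address and never count as a reply, so the tunnel appears to connect and then stalls or times out. Switching the VPN to TCP removes the problem at the transport layer, which is why the article recommends it.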
