Remote access with a Ubiquiti USG-Pro

HCHTech

Since our shop is standardized on Sonicwall, I have a ton of clients where I've set up remote access for workers using their NetExtender SSL VPN, and RDP shortcuts to the individual desktops. All good and working on every client we've configured like this. I get one or two calls per week; usually they just forgot their VPN password, which is instantly resettable from the firewall interface.

Now, I'm trying to make a similar setup for my single USG Pro that I have in the field @ my church. Is anyone doing this that might share tips? It looks like UniFi doesn't have their own VPN client, and only offers L2TP, which is IPsec. I long ago stopped using IPsec VPN with our Sonicwall clients, as SSL VPN is more secure. Lastly, setting up split tunnel seems like a process that I don't want to support.

This is a pro-bono client, so I'm not keen to set up something that is going to require a ton of support.

Is anyone doing this? It almost seems simpler to just donate some LogMeIn licenses!
 
In my book, IPsec is fine for small organizations that don't have any major statutory requirements like HIPAA, etc. VPN setup in UniFi is much simpler than in EdgeMAX. One thing I've had problems with is the IP scope on the VPN client. In the past when I set up VPNs I'd have the client scope one octet off of the LAN scope, e.g. LAN is 192.168.200.x, VPN client 192.168.201.x. For some reason I've always had to go to another private scope, e.g. LAN is 192.168.200.x, client VPN 172.26.5.x.

You can use the built-in VPN clients in the OS.

I've also found that macOS clients can't hit the remote LAN unless all traffic is routed over the connection.

How much and how many users? Remember that Hamachi has 5 endpoints for free. I have two customers I've had to move to that from UniFi VPN because of certain undocumented features. It does have a little undocumented maintenance such as rebooting machines and deleting then creating new clients.
 
For remote access we just set up Splashtop Business...resell those.
Nice and easy peasy for end users to use, and multi-factor auth.

As much as I love Ubiquiti hardware, we only use their USGs for simple setups that don't need much, else Untangle is our "go-to". The USG has, as you noted, L2TP VPN built in, easy to set up clients, authenticate against RADIUS server in the USG. However, it's another step for clients to get confused over.

There are guides to install the OpenVPN server into UniFi gateways; I believe the roadmap will have it in the GUI down the road.

So even in our setups with Untangle....which has OpenVPN built in and that's easy to use, I still prefer doing Splashtop for clients...only 1x step for clients instead of 2x steps.
 