Ubiquiti EdgeRouter X VPN site to site: a comprehensive guide to configuring an IPsec site-to-site VPN between two EdgeRouter X sites

Yes, you can set up a site-to-site VPN on a Ubiquiti EdgeRouter X. In this guide, I’ll walk you through why you’d want a site-to-site VPN with EdgeRouter X, what you need before you start, how to configure it using both the web UI and the CLI, and how to test and troubleshoot so traffic between two offices stays private and reliable. This post covers practical steps, common caveats, and best practices so you can get a solid, production-ready tunnel without surprises. If you also need to protect remote workers or individual devices that sit outside the tunnel, a client VPN such as NordVPN can complement site-to-site security with endpoint protection.


Useful resources unlinked for easy copying:

  • EdgeRouter X official docs – ubnt.com
  • Ubiquiti Community forums – community.ubnt.com
  • IPsec site-to-site concepts – en.wikipedia.org/wiki/IPsec
  • VPN throughput basics – articles and whitepapers from major networking vendors
  • Dynamic DNS basics – dyndns.org or ddns.net help pages

Introduction (short guide)

  • Yes, you can set up a site-to-site VPN on a Ubiquiti EdgeRouter X.
  • In this step-by-step guide, you’ll learn how to plan networks, configure IPsec in both the UI and CLI, and verify the tunnel with real traffic.
  • You’ll see practical examples for two sites with different LAN subnets, plus tips for NAT, firewall rules, and routing so traffic flows correctly.
  • We’ll cover common mistakes, troubleshooting steps, performance expectations, and security best practices to keep your tunnel robust.

Why a site-to-site VPN with EdgeRouter X

  • EdgeRouter X is a low-cost, compact device that can run full EdgeOS with IPsec support, making it a solid option for small-to-medium branch sites.
  • A site-to-site VPN lets two or more separate networks share resources and talk securely as if they were on the same local network.
  • Encryption choices (AES-128/256 for encryption, SHA-1/256 for integrity) give you flexibility to balance security and performance; SHA-1 is deprecated for new deployments, so prefer SHA-256 where both ends support it.
  • With the right settings, you can achieve reliable, site-wide routing of internal services, printers, file servers, and VoIP between locations.

Prerequisites and planning

  • Hardware and firmware: an EdgeRouter X at Site A and Site B, both running the latest EdgeOS release you can reasonably run on the device (the 2.x series). EdgeRouter X can handle VPN workloads, but performance varies with the cipher and the traffic mix; expect VPN throughput in the range of a few dozen to a few hundred Mbps in typical setups.
  • Network topology: two offices with public IP addresses (static, or dynamic with DDNS). If either side sits behind NAT, you’ll enable NAT traversal (NAT-T) for IPsec.
  • LAN subnets: plan non-overlapping subnets for each site, for example Site A 192.168.1.0/24 and Site B 192.168.2.0/24. If you’re using VLANs or a more complex topology, map it out before configuring the tunnel.
  • Shared secret: create a strong pre-shared key (PSK) for the IPsec tunnel. For production, rotate keys periodically and avoid simple phrases.
  • DNS and reachability: ensure both sites’ EdgeRouters can resolve each other if you use dynamic DNS, and verify basic reachability over the public IPs before starting the VPN setup.

Option 1: Site-to-site VPN using the EdgeRouter X web UI (UI method)
Step-by-step outline

  1. Access the EdgeRouter UI
  • Open a browser and log in to the EdgeRouter’s web UI over https://.
  • Do the same at the other site for the remote end of the connection.
  2. Prepare VPN details
  • Local subnet: Site A LAN (e.g., 192.168.1.0/24)
  • Remote subnet: Site B LAN (e.g., 192.168.2.0/24)
  • Remote public IP: Site B’s router public IP, or its DDNS hostname if you’re using dynamic IPs
  • PSK: a strong shared secret you’ll use on both sides
  3. Create the IKE group and the IPsec peer
  • Navigate to VPN > IPsec.
  • Create an IKE group (IKEv1 is widely supported; IKEv2 can be used on newer firmware).
    • Name: IKE-GROUP-SITE-TO-SITE
    • Encryption: AES256
    • Hash: SHA256
    • DH Group: 2 (MODP 1024) or 14 (MODP 2048) depending on your security requirements; group 14 is the safer choice, since 1024-bit groups are no longer considered adequate
    • PFS: enable for Phase 2
    • Key lifetime: 28800 seconds (8 hours), or as your security policy requires
  • Set up a new IPsec peer (the remote site)
    • Remote IP: Site B public IP
    • Authentication: Pre-Shared Secret
    • Shared secret: the PSK you prepared in step 2
    • Local subnet: Site A LAN
    • Remote subnet: Site B LAN
    • IKE group: IKE-GROUP-SITE-TO-SITE
    • NAT-T: enable if either side is behind NAT
  4. Create the IPsec tunnel
  • Add a tunnel (often Tunnel 1 by default)
    • Local subnet: 192.168.1.0/24
    • Remote subnet: 192.168.2.0/24
    • Encapsulation: ESP with AES256 and SHA256
    • Perfect Forward Secrecy (PFS): enabled
  • Save and apply the changes
  5. NAT and firewall considerations
  • Ensure VPN traffic is exempt from NAT on both sides, so packets between the two subnets aren’t NATed before they enter the tunnel.
  • Create firewall rules to permit traffic between the Site A LAN and the Site B LAN through the VPN tunnel. A typical rule allows icmp, tcp, and udp between the two subnets.
  6. Routing and VPN status
  • Verify the tunnel status under VPN > IPsec in the UI, or in the status summary for the tunnel.
  • Add static routes or enable policy-based routing so traffic to the remote subnet uses the VPN. With policy-based IPsec (the EdgeOS default for site-to-site), the tunnel’s local/remote subnet definitions already steer matching traffic, so extra static routes are often unnecessary. If you’re using dynamic routing, ensure routes point to the tunnel interface.
  • Test: from a host in Site A, ping 192.168.2.10 or another server in Site B, then check traceroute to confirm the traffic goes through the tunnel.
  7. Troubleshooting tips
  • If the tunnel doesn’t come up, double-check the PSK, remote IP, and LAN subnets on both sides.
  • Ensure both peers have matching IKE group settings and lifetime parameters.
  • Review firewall rules on both sides to confirm VPN traffic isn’t blocked.
  • Confirm NAT-T is enabled if one side is behind a NAT device.
  8. Security and maintenance
  • Use a strong PSK and rotate it regularly.
  • Enable DPD (Dead Peer Detection) and keep-alive features, if available, to keep tunnels healthy.
  • Log IPsec events and monitor for unusual retry patterns or frequent re-negotiations.
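The troubleshooting step "ensure both peers have matching IKE group settings" is easiest to do mechanically: dump `show configuration commands` on each router and compare the groups each side's peer actually references. The script below is an added example (not Ubiquiti's code) that parses the `set vpn ipsec ...` lines from both sides, checks the referenced IKE and ESP groups parameter by parameter, confirms that local/remote prefixes are mirrored, and flags a PSK mismatch without printing the secret. The two configuration dumps are constructed samples using documentation addresses (192.0.2.1, 203.0.113.1) and placeholder group names; Site B deliberately disagrees on the DH group and the ESP hash.

```python
"""Compare the IPsec site-to-site settings of two EdgeOS routers.

Added example, not part of the original guide or of EdgeOS. Input is the
text of 'show configuration commands' (the 'set ...' form) from each side.
"""
import re
from typing import Dict, List

GROUP_RE = re.compile(r"^set vpn ipsec (ike-group|esp-group) (\S+) (.+) (\S+)$")
PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.+) (\S+)$")

# Constructed sample: Site A (correct) and Site B (two deliberate mismatches).
SITE_A = """
set vpn ipsec ike-group IKE-SITE-TO-SITE key-exchange ikev1
set vpn ipsec ike-group IKE-SITE-TO-SITE lifetime 28800
set vpn ipsec ike-group IKE-SITE-TO-SITE proposal 1 dh-group 14
set vpn ipsec ike-group IKE-SITE-TO-SITE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SITE-TO-SITE proposal 1 hash sha256
set vpn ipsec esp-group ESP-SITE-TO-SITE lifetime 3600
set vpn ipsec esp-group ESP-SITE-TO-SITE pfs enable
set vpn ipsec esp-group ESP-SITE-TO-SITE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SITE-TO-SITE proposal 1 hash sha256
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret EXAMPLE-PSK
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-SITE-TO-SITE
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group ESP-SITE-TO-SITE
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 192.168.2.0/24
"""

SITE_B_BAD = """
set vpn ipsec ike-group IKE-HQ key-exchange ikev1
set vpn ipsec ike-group IKE-HQ lifetime 28800
set vpn ipsec ike-group IKE-HQ proposal 1 dh-group 2
set vpn ipsec ike-group IKE-HQ proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HQ proposal 1 hash sha256
set vpn ipsec esp-group ESP-HQ lifetime 3600
set vpn ipsec esp-group ESP-HQ pfs enable
set vpn ipsec esp-group ESP-HQ proposal 1 encryption aes256
set vpn ipsec esp-group ESP-HQ proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret EXAMPLE-PSK
set vpn ipsec site-to-site peer 192.0.2.1 ike-group IKE-HQ
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group ESP-HQ
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 192.168.1.0/24
"""


def parse_vpn_config(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Index 'set vpn ipsec' lines by group name / peer address, then by key."""
    cfg: Dict[str, Dict[str, Dict[str, str]]] = {"ike-group": {}, "esp-group": {}, "peer": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            kind, name, key, value = m.groups()
            cfg[kind].setdefault(name, {})[key] = value
            continue
        m = PEER_RE.match(line)
        if m:
            peer, key, value = m.groups()
            cfg["peer"].setdefault(peer, {})[key] = value
    return cfg


def _diff(label: str, a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Report every key whose value differs (or is missing) between the sides."""
    return [f"{label} {k}: A={a.get(k)} B={b.get(k)}"
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


def compare_peers(a_text: str, b_text: str) -> List[str]:
    """Return a list of mismatches; an empty list means the two sides agree."""
    a, b = parse_vpn_config(a_text), parse_vpn_config(b_text)
    if len(a["peer"]) != 1 or len(b["peer"]) != 1:
        raise ValueError("expected exactly one site-to-site peer per side")
    pa, pb = next(iter(a["peer"].values())), next(iter(b["peer"].values()))
    problems = _diff("ike-group", a["ike-group"].get(pa.get("ike-group"), {}),
                     b["ike-group"].get(pb.get("ike-group"), {}))
    if pa.get("authentication pre-shared-secret") != pb.get("authentication pre-shared-secret"):
        problems.append("pre-shared-secret differs between sides (values not shown)")
    tunnels = sorted({k.split()[1] for k in list(pa) + list(pb) if k.startswith("tunnel ")})
    for t in tunnels:
        problems += _diff(f"tunnel {t} esp-group",
                          a["esp-group"].get(pa.get(f"tunnel {t} esp-group"), {}),
                          b["esp-group"].get(pb.get(f"tunnel {t} esp-group"), {}))
        # Prefixes must be mirrored: A's local is B's remote and vice versa.
        if pa.get(f"tunnel {t} local prefix") != pb.get(f"tunnel {t} remote prefix"):
            problems.append(f"tunnel {t}: A local prefix != B remote prefix")
        if pa.get(f"tunnel {t} remote prefix") != pb.get(f"tunnel {t} local prefix"):
            problems.append(f"tunnel {t}: A remote prefix != B local prefix")
    return problems


def fixed_site_b() -> str:
    """Site B with the two deliberate mismatches corrected."""
    return SITE_B_BAD.replace("dh-group 2", "dh-group 14").replace("hash sha1", "hash sha256")


if __name__ == "__main__":
    for p in compare_peers(SITE_A, SITE_B_BAD):
        print("MISMATCH:", p)
    print("after fix:", compare_peers(SITE_A, fixed_site_b()) or "no mismatches")
```

Group names are allowed to differ between the two routers; only the parameters of the group each peer references are compared, which is what the IKE negotiation actually sees.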

Option 2: Site-to-site VPN using the CLI (CLI method)
If you prefer to configure via the command line or need automation, here’s a generic CLI approach you can adapt. Adjust IPs, subnets, and keys to your environment.

Example (adjust values accordingly)

configure
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interfaces interface <WAN_INTERFACE>
set vpn ipsec nat-traversal enable
set vpn ipsec ike-group IKE-SITE-TO-SITE key-exchange ikev1
set vpn ipsec ike-group IKE-SITE-TO-SITE lifetime 3600
set vpn ipsec ike-group IKE-SITE-TO-SITE proposal 1 dh-group 14
set vpn ipsec ike-group IKE-SITE-TO-SITE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SITE-TO-SITE proposal 1 hash sha256
set vpn ipsec esp-group ESP-SITE-TO-SITE lifetime 3600
set vpn ipsec esp-group ESP-SITE-TO-SITE pfs enable
set vpn ipsec esp-group ESP-SITE-TO-SITE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SITE-TO-SITE proposal 1 hash sha256
set vpn ipsec site-to-site peer <REMOTE_PUBLIC_IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <REMOTE_PUBLIC_IP> authentication pre-shared-secret '<YOUR_PSK>'
set vpn ipsec site-to-site peer <REMOTE_PUBLIC_IP> ike-group IKE-SITE-TO-SITE
set vpn ipsec site-to-site peer <REMOTE_PUBLIC_IP> local-address <LOCAL_PUBLIC_IP>
set vpn ipsec site-to-site peer <REMOTE_PUBLIC_IP> tunnel 1 esp-group ESP-SITE-TO-SITE
set vpn ipsec site-to-site peer <REMOTE_PUBLIC_IP> tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer <REMOTE_PUBLIC_IP> tunnel 1 remote prefix 192.168.2.0/24
commit
save

DH group 14 is MODP 2048; choose a group your EdgeOS version supports and that the remote peer also offers. The ESP group must be defined and attached to the tunnel, and the IPsec process must be bound to the WAN interface, or the peer will never negotiate.

Note: The exact syntax can vary slightly by firmware version. If you’re unsure, use the EdgeRouter UI for the initial setup and then refine via CLI as needed.
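Because the two routers need mirrored settings (the same groups and PSK, with local and remote prefixes swapped), generating both snippets from one description avoids the most common copy-and-paste mistakes. The script below is an added example, not EdgeOS or Ubiquiti code: it validates the planning rules from the prerequisites (non-overlapping LANs, well-formed public addresses), generates a random PSK, and emits the `set vpn ipsec ...` lines for each side in the CLI form used in this section. Site names, the WAN interface, the group names and the documentation addresses 192.0.2.1 and 203.0.113.1 are constructed placeholders.

```python
"""Generate mirrored EdgeOS site-to-site IPsec CLI snippets for two sites.

Added example, not Ubiquiti's code. Addresses, interface and group names
are constructed placeholders; adjust them to your environment.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Site:
    name: str
    wan_if: str       # interface facing the Internet, e.g. eth0 (placeholder)
    public_ip: str    # static public IP; DDNS peers need a different peer form
    lan: str          # LAN prefix, e.g. 192.168.1.0/24


def lans_overlap(a_lan: str, b_lan: str) -> bool:
    """True if the two LAN prefixes share any address (a planning error)."""
    return ipaddress.ip_network(a_lan, strict=True).overlaps(
        ipaddress.ip_network(b_lan, strict=True))


def validate_pair(a: Site, b: Site) -> None:
    """Enforce the planning rules: distinct LANs and parseable public IPs."""
    if lans_overlap(a.lan, b.lan):
        raise ValueError(f"LAN subnets overlap: {a.lan} and {b.lan}")
    for s in (a, b):
        ipaddress.ip_address(s.public_ip)  # raises ValueError on a bad address


def generate_psk(nbytes: int = 32) -> str:
    """A random URL-safe PSK; 32 bytes gives a 43-character string."""
    return secrets.token_urlsafe(nbytes)


def site_config(local: Site, remote: Site, psk: str,
                ike: str = "IKE-SITE-TO-SITE", esp: str = "ESP-SITE-TO-SITE") -> List[str]:
    """CLI lines for one router, pointing at the other site as the peer."""
    peer = remote.public_ip
    return [
        "set vpn ipsec auto-firewall-nat-exclude enable",
        f"set vpn ipsec ipsec-interfaces interface {local.wan_if}",
        "set vpn ipsec nat-traversal enable",
        f"set vpn ipsec ike-group {ike} key-exchange ikev1",
        f"set vpn ipsec ike-group {ike} lifetime 28800",
        f"set vpn ipsec ike-group {ike} proposal 1 dh-group 14",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption aes256",
        f"set vpn ipsec ike-group {ike} proposal 1 hash sha256",
        f"set vpn ipsec esp-group {esp} lifetime 3600",
        f"set vpn ipsec esp-group {esp} pfs enable",
        f"set vpn ipsec esp-group {esp} proposal 1 encryption aes256",
        f"set vpn ipsec esp-group {esp} proposal 1 hash sha256",
        f"set vpn ipsec site-to-site peer {peer} authentication mode pre-shared-secret",
        f"set vpn ipsec site-to-site peer {peer} authentication pre-shared-secret {psk}",
        f"set vpn ipsec site-to-site peer {peer} ike-group {ike}",
        f"set vpn ipsec site-to-site peer {peer} local-address {local.public_ip}",
        f"set vpn ipsec site-to-site peer {peer} tunnel 1 esp-group {esp}",
        f"set vpn ipsec site-to-site peer {peer} tunnel 1 local prefix {local.lan}",
        f"set vpn ipsec site-to-site peer {peer} tunnel 1 remote prefix {remote.lan}",
    ]


def generate_pair(a: Site, b: Site, psk: Optional[str] = None) -> Dict[str, List[str]]:
    """Validate the plan and return {site name: CLI lines} for both routers."""
    validate_pair(a, b)
    psk = psk or generate_psk()
    return {a.name: site_config(a, b, psk), b.name: site_config(b, a, psk)}


if __name__ == "__main__":
    site_a = Site("SiteA", "eth0", "192.0.2.1", "192.168.1.0/24")
    site_b = Site("SiteB", "eth0", "203.0.113.1", "192.168.2.0/24")
    for name, lines in generate_pair(site_a, site_b).items():
        print(f"# --- {name} ---\nconfigure")
        print("\n".join(lines))
        print("commit\nsave\n")
```

Paste each generated block into `configure` mode on the matching router. The PSK is emitted unquoted; if yours contains characters the EdgeOS shell treats specially, wrap it in single quotes as the manual snippet does.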

Firewall, NAT, and routing (key concepts)
- NAT exemption: VPN traffic between Site A and Site B should bypass the router’s outbound (masquerade) NAT, so that packets between the two subnets are not NATed before they enter the tunnel. This is separate from NAT-T, which only handles peers that sit behind a NAT device.
- LAN-to-LAN firewall rules: allow traffic from 192.168.1.0/24 to 192.168.2.0/24, and the reverse, across the VPN.
- DNS considerations: if you rely on internal hostnames, make sure DNS resolution works across sites, either through an internal DNS server reachable over the tunnel or through per-site conditional forwarding.
- Routing: if you’re using static routes, point the remote subnet toward the VPN tunnel. If you’re using dynamic routing, enable a suitable protocol and exchange routes over the tunnel.
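The NAT exemption and the firewall openings are the two places a working tunnel most often gets broken by an unrelated change. The example below is added here (not Ubiquiti's code) and shows the explicit EdgeOS rules: a masquerade `exclude` rule for LAN-to-remote-LAN traffic, `WAN_LOCAL` rules that let IKE (UDP 500), NAT-T (UDP 4500) and ESP reach the router, and a `WAN_IN` rule that accepts decrypted traffic from the remote LAN using `ipsec match-ipsec`. It also includes the check a practitioner wants: EdgeOS evaluates NAT rules in ascending rule-number order, so the exclusion only works if its number sorts before the real masquerade rule. Interface names, rule numbers and ruleset names are constructed placeholders; `auto-firewall-nat-exclude enable` produces equivalent rules automatically, and this is the manual form.

```python
"""Explicit NAT exclusion and firewall rules for an EdgeOS site-to-site tunnel.

Added example, not Ubiquiti's code. Rule numbers, interface and ruleset
names are placeholders to adapt to your own configuration.
"""
from typing import Dict, List


def nat_exclude_rules(rule_no: int, wan_if: str, local_lan: str, remote_lan: str) -> List[str]:
    """Masquerade 'exclude' rule so LAN-to-remote-LAN traffic is not NATed."""
    r = f"set service nat rule {rule_no}"
    return [
        f"{r} description 'Exclude site-to-site VPN traffic from NAT'",
        f"{r} exclude",
        f"{r} outbound-interface {wan_if}",
        f"{r} source address {local_lan}",
        f"{r} destination address {remote_lan}",
        f"{r} type masquerade",
    ]


def wan_local_ipsec_rules(fw_name: str = "WAN_LOCAL", first_rule: int = 30) -> List[str]:
    """Permit IKE (UDP 500), NAT-T (UDP 4500) and ESP addressed to the router itself."""
    ike, esp = first_rule, first_rule + 10
    return [
        f"set firewall name {fw_name} rule {ike} action accept",
        f"set firewall name {fw_name} rule {ike} description 'Allow IKE and NAT-T'",
        f"set firewall name {fw_name} rule {ike} protocol udp",
        f"set firewall name {fw_name} rule {ike} destination port 500,4500",
        f"set firewall name {fw_name} rule {esp} action accept",
        f"set firewall name {fw_name} rule {esp} description 'Allow ESP'",
        f"set firewall name {fw_name} rule {esp} protocol esp",
    ]


def wan_in_ipsec_rules(remote_lan: str, fw_name: str = "WAN_IN", rule_no: int = 20) -> List[str]:
    """Accept decrypted tunnel traffic from the remote LAN, and nothing else from the WAN."""
    r = f"set firewall name {fw_name} rule {rule_no}"
    return [
        f"{r} action accept",
        f"{r} description 'Allow remote site LAN over IPsec'",
        f"{r} ipsec match-ipsec",
        f"{r} source address {remote_lan}",
    ]


def exclude_takes_precedence(exclude_rule: int, existing_nat: Dict[int, bool]) -> bool:
    """existing_nat maps rule number -> True when that rule is itself an exclude rule.

    NAT rules are evaluated in ascending numeric order with first match winning,
    so the exclusion is effective only if it sorts before every real masquerade rule.
    """
    masquerade_rules = [n for n, is_exclude in existing_nat.items() if not is_exclude]
    return all(exclude_rule < n for n in masquerade_rules)


if __name__ == "__main__":
    # Constructed sample: the wizard-style masquerade rule lives at 5010.
    existing = {5010: False}
    print("exclude rule 5000 effective:", exclude_takes_precedence(5000, existing))
    print("exclude rule 5020 effective:", exclude_takes_precedence(5020, existing))
    for line in (nat_exclude_rules(5000, "eth0", "192.168.1.0/24", "192.168.2.0/24")
                 + wan_local_ipsec_rules() + wan_in_ipsec_rules("192.168.2.0/24")):
        print(line)
```

Run `show service nat` on the router to see the existing rule numbers before picking one for the exclusion; on Site B the source and destination prefixes are swapped.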

Performance considerations and data
- EdgeRouter X hardware summary: a compact device designed for small offices or branches. Typical VPN throughput depends on the chosen cipher, the number of concurrent VPN tunnels, and the overall load on the router. Expect VPN throughput in the low hundreds of Mbps at best under ideal circumstances; real-world results depend heavily on traffic patterns and encryption settings.
- Encryption choices: AES-256 and SHA-256 provide strong security but may slightly reduce throughput compared to lighter configurations such as AES-128/SHA-1. If you need higher throughput and the security level remains acceptable, you can test AES-128 with SHA-256 first and move to stronger options if needed. Keep in mind that SHA-1 is deprecated for new deployments, so the throughput gain from it is rarely worth the downgrade.
- IKEv1 vs IKEv2: IKEv1 is widely supported across EdgeRouter firmware releases. If your devices support IKEv2, it can offer faster rekeying and can be more efficient in some scenarios. Check your firmware release notes to confirm which IKE versions you can use.

Security best practices
- Use a long, random pre-shared secret and rotate it periodically.
- Keep EdgeRouter X firmware up to date to benefit from security and stability fixes.
- Enable logging for VPN events to help with troubleshooting and auditing.
- Consider an additional layer of protection, such as endpoint VPN clients for remote workers, a strong password policy, and device-level protections (antivirus, an up-to-date OS).

Question-focused guide (quick take)
- Should I use IPsec or OpenVPN for EdgeRouter X? IPsec is the native option on EdgeRouter X and is well-suited for site-to-site tunnels with routers. OpenVPN can be implemented via other devices or software, but IPsec is simpler for a straight two-site setup.
- Can two sites behind NAT establish a VPN tunnel? Yes, with NAT-T enabled on both ends, EdgeRouter X can negotiate IPsec tunnels even when the peers are behind NAT.
- Can I run multiple site-to-site tunnels on EdgeRouter X? Yes, you can configure more tunnels if you have more remote sites; make sure the device has enough resources to handle the combined load.
- How do I verify the tunnel is up? Check the VPN > IPsec status in the UI, review the tunnel state, and ping hosts in the remote LAN from a host on the local LAN to confirm traffic is flowing.

Frequently Asked Questions
- What is a site-to-site VPN in simple words?
- How does IPsec secure traffic between two sites?
- What are the minimum requirements to set up a site-to-site VPN on EdgeRouter X?
- How do I pick IPsec encryption and hashing algorithms?
- What if my remote site has a dynamic IP? Can we still connect?
- How can I confirm traffic is using the VPN tunnel and not the regular WAN path?
- What should I do if the tunnel keeps dropping every few hours?
- How do I add a second remote site to the same EdgeRouter X?
- Are there any performance tweaks I should consider to maximize VPN throughput?
- How can I automate VPN configuration for multiple EdgeRouter X devices?
- Is it possible to use IKEv2 on EdgeRouter X, and if so, how?

Wrapping up
With these steps you’re equipped to configure a solid site-to-site VPN between two EdgeRouter X devices. Start with the UI guide to get a working tunnel quickly, then refine with the CLI for automation and deeper customization. Remember to secure the tunnel with a strong PSK, keep firmware updated, and test traffic regularly to ensure everything stays private and reliable.
