Unifi and surfshark vpn will not work

Hi!

I’m having trouble getting my VPN client to work with the UniFi gear I just got.

This is my second try to get something going with unifi - the first time I had to reboot the switches again and again… to have a working network…

Now, some four years later, I got myself a UDM-Pro and the USW-Pro-HD. After having a look at YouTube and some questions to Mr. Google I thought that using a VPN for a VLAN isn’t that difficult to do (until now OPNsense and TP-Link did it, but I wanted to have one controller…). I configured the VLAN, imported the WireGuard configuration and added the route to have all traffic of the ‘88-vlan’ going through the Surfshark tunnel (connection was up and marked running). The kill switch was activated.

For testing I used a notebook that got its IP from the 88-vlan → ok

ping for 8.8.8.8 and google.com worked → ok

Visiting ‘what is my ip address’ was the bad thing: I still have my ISP IP. The Surfshark tools also showed that I wasn’t using Surfshark. Besides this, why isn’t the kill switch preventing me from reaching the internet through anything other than the configured gateway/tunnel?

And now, the question of questions… What else do I have to do to use the Surfshark tunnel? All I see from the documentation at Ubiquiti is that I did all I have to do!?

As I have some 10G stuff, I have different ‘routers’ configured for the UniFi networks, so that all 10G network traffic is handled by the USW-Pro-HD. Can this be a problem?

Every help is deeply appreciated.

Kind regards,

Tom

Assuming the WG VPN is configured to work then you should be able to simply use the policy engine to choose the devices or network to route those through that VPN. Is that what you are doing?

The VPN-tunnels are up and running:

This is the rule:

[screenshot: rule]

It’s always the same

  • creating the vpn-tunnel and using the wizard
  • creating the vpn-tunnel and creating the route later

I changed the router-setting for every network to be the UDM:

but that, having different Routers, wasn’t the source of my little problem…

Are you using the policy manager to create that rule?

This last one I created with this new object-oriented manager

So the Surfshark tunnel is up, the policy route is set with a kill switch, but the device still shows your ISP as the address when going to a site such as https://ifconfig.co/ or https://ip.wtf/ ?

yes!! exactly…

As I thought I did something wrong, I did a reset of every unifi device and started all over again.

But no change:

#1 The notebook gets a correct IP from the vlan that should use the vpn-tunnel
but then:
#2a ping isn’t good:

ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) Bytes an Daten.
64 Bytes von 9.9.9.9: icmp_seq=1 ttl=54 Zeit=17.7 ms
64 Bytes von 9.9.9.9: icmp_seq=3 ttl=54 Zeit=15.2 ms
64 Bytes von 9.9.9.9: icmp_seq=4 ttl=54 Zeit=16.3 ms
64 Bytes von 9.9.9.9: icmp_seq=5 ttl=54 Zeit=15.3 ms
64 Bytes von 9.9.9.9: icmp_seq=7 ttl=54 Zeit=14.4 ms
64 Bytes von 9.9.9.9: icmp_seq=8 ttl=54 Zeit=16.8 ms
64 Bytes von 9.9.9.9: icmp_seq=9 ttl=54 Zeit=16.2 ms
64 Bytes von 9.9.9.9: icmp_seq=10 ttl=54 Zeit=16.0 ms
64 Bytes von 9.9.9.9: icmp_seq=11 ttl=54 Zeit=17.2 ms
64 Bytes von 9.9.9.9: icmp_seq=12 ttl=54 Zeit=15.5 ms
64 Bytes von 9.9.9.9: icmp_seq=13 ttl=54 Zeit=15.6 ms
64 Bytes von 9.9.9.9: icmp_seq=15 ttl=54 Zeit=16.5 ms
64 Bytes von 9.9.9.9: icmp_seq=17 ttl=54 Zeit=15.0 ms
64 Bytes von 9.9.9.9: icmp_seq=18 ttl=54 Zeit=16.4 ms
64 Bytes von 9.9.9.9: icmp_seq=19 ttl=54 Zeit=15.8 ms

#2b

ping google.com
PING google.com (92.249.39.147) 56(84) Bytes an Daten.
64 Bytes von 92.249.39.147: icmp_seq=1 ttl=53 Zeit=15.1 ms
64 Bytes von 92.249.39.147: icmp_seq=2 ttl=53 Zeit=15.9 ms
64 Bytes von 92.249.39.147: icmp_seq=4 ttl=53 Zeit=15.5 ms
64 Bytes von 92.249.39.147: icmp_seq=5 ttl=53 Zeit=17.0 ms
64 Bytes von 92.249.39.147: icmp_seq=6 ttl=53 Zeit=16.1 ms
64 Bytes von 92.249.39.147: icmp_seq=7 ttl=53 Zeit=16.6 ms
64 Bytes von 92.249.39.147: icmp_seq=8 ttl=53 Zeit=16.1 ms
64 Bytes von 92.249.39.147: icmp_seq=9 ttl=53 Zeit=17.1 ms
64 Bytes von 92.249.39.147: icmp_seq=10 ttl=53 Zeit=15.9 ms
64 Bytes von 92.249.39.147: icmp_seq=11 ttl=53 Zeit=16.4 ms
64 Bytes von 92.249.39.147: icmp_seq=13 ttl=53 Zeit=16.4 ms
64 Bytes von 92.249.39.147: icmp_seq=14 ttl=53 Zeit=16.6 ms

#3 I cannot get to ‘whatismyipaddress’ - it just times out…

I will try to set up the vpn-tunnel manually.

I have the manually created vpn-tunnel up and running:

[screenshot: surf-vpn]

there is a policy created during vpn setup (not done manually - used the network-wizard)

[screenshot: route_2]

ping looks better; at least there is no packet loss:

ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) Bytes an Daten.
64 Bytes von 9.9.9.9: icmp_seq=1 ttl=54 Zeit=24.2 ms
64 Bytes von 9.9.9.9: icmp_seq=2 ttl=54 Zeit=22.9 ms
64 Bytes von 9.9.9.9: icmp_seq=3 ttl=54 Zeit=22.4 ms
64 Bytes von 9.9.9.9: icmp_seq=4 ttl=54 Zeit=24.9 ms
64 Bytes von 9.9.9.9: icmp_seq=5 ttl=54 Zeit=23.2 ms
64 Bytes von 9.9.9.9: icmp_seq=6 ttl=54 Zeit=22.2 ms
64 Bytes von 9.9.9.9: icmp_seq=7 ttl=54 Zeit=22.0 ms
64 Bytes von 9.9.9.9: icmp_seq=8 ttl=54 Zeit=23.6 ms
64 Bytes von 9.9.9.9: icmp_seq=9 ttl=54 Zeit=21.8 ms
64 Bytes von 9.9.9.9: icmp_seq=10 ttl=54 Zeit=21.8 ms
64 Bytes von 9.9.9.9: icmp_seq=11 ttl=54 Zeit=24.2 ms
64 Bytes von 9.9.9.9: icmp_seq=12 ttl=54 Zeit=22.3 ms
64 Bytes von 9.9.9.9: icmp_seq=13 ttl=54 Zeit=21.9 ms
64 Bytes von 9.9.9.9: icmp_seq=14 ttl=54 Zeit=23.2 ms
64 Bytes von 9.9.9.9: icmp_seq=15 ttl=54 Zeit=24.9 ms
64 Bytes von 9.9.9.9: icmp_seq=16 ttl=54 Zeit=23.4 ms
64 Bytes von 9.9.9.9: icmp_seq=17 ttl=54 Zeit=22.9 ms

but DNS isn’t working

ping google.com
^C

I changed the dns-settings:

DNS server from ‘auto’ to the two DNS servers shown in the Surfshark config file

gateway from ‘auto’ to the host address of the VLAN.

ping is ok

dns seems to work

surfshark tools showing a surfshark-connection

BUT

it is sooooooooo ssslllllllloooooooooooooooooowwwwwwww → not usable….

Tested surfshark with openVPN and that is much better - not what I want…

How do I get the wireguard-connection fixed…??
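The three ping transcripts in the post above show the difference between a tunnel that drops every few probes and one that answers every sequence number. As an added example (not code from the thread or from Ubiquiti/Surfshark), here is a small parser that reads such a transcript, lists the missing icmp_seq numbers, and computes loss and RTT statistics. It matches only the locale-independent tokens, so the German "Bytes von … Zeit=" output works unchanged; the embedded transcripts are copied from the post (the second one shortened to its first ten replies).

```python
import re
import statistics
from dataclasses import dataclass
from typing import List

# One echo-reply line of ping(8). Only locale-independent tokens are matched
# ("icmp_seq=N", "ttl=N", trailing "<number> ms"); the localized labels
# ("time=" vs "Zeit=", "bytes from" vs "Bytes von") are deliberately skipped.
REPLY_RE = re.compile(r"icmp_seq=(\d+)\s+ttl=(\d+)\s+\S+?=([\d.]+)\s*ms\s*$")


@dataclass
class PingSummary:
    replies: int
    last_seq: int        # highest sequence number that was answered
    missing: List[int]   # sequence numbers up to last_seq with no reply
    loss_pct: float      # len(missing) / last_seq * 100, a lower bound
    rtt_min: float
    rtt_avg: float
    rtt_max: float
    rtt_mdev: float      # population std-dev, the figure ping itself calls mdev


def summarize_ping(transcript: str) -> PingSummary:
    """Parse the reply lines of a ping transcript; raise if there are none."""
    seqs: List[int] = []
    rtts: List[float] = []
    for line in transcript.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue  # PING header, ^C, summary lines etc.
        seqs.append(int(m.group(1)))
        rtts.append(float(m.group(3)))
    if not seqs:
        raise ValueError("no echo replies found in transcript")
    last_seq = max(seqs)
    # Probes sent after the last reply are invisible without ping's own
    # "packets transmitted" summary line, so the loss figure is a lower bound.
    missing = sorted(set(range(1, last_seq + 1)) - set(seqs))
    return PingSummary(
        replies=len(seqs),
        last_seq=last_seq,
        missing=missing,
        loss_pct=round(100.0 * len(missing) / last_seq, 2),
        rtt_min=min(rtts),
        rtt_avg=round(statistics.fmean(rtts), 2),
        rtt_max=max(rtts),
        rtt_mdev=round(statistics.pstdev(rtts), 2),
    )


def verdict(s: PingSummary) -> str:
    """'loss' if any sequence number went unanswered, otherwise 'clean'."""
    return "loss" if s.missing else "clean"


# Transcript #2a from the post (wizard-created tunnel): seq 2, 6, 14 and 16 never came back.
TRANSCRIPT_WITH_GAPS = """\
PING 9.9.9.9 (9.9.9.9) 56(84) Bytes an Daten.
64 Bytes von 9.9.9.9: icmp_seq=1 ttl=54 Zeit=17.7 ms
64 Bytes von 9.9.9.9: icmp_seq=3 ttl=54 Zeit=15.2 ms
64 Bytes von 9.9.9.9: icmp_seq=4 ttl=54 Zeit=16.3 ms
64 Bytes von 9.9.9.9: icmp_seq=5 ttl=54 Zeit=15.3 ms
64 Bytes von 9.9.9.9: icmp_seq=7 ttl=54 Zeit=14.4 ms
64 Bytes von 9.9.9.9: icmp_seq=8 ttl=54 Zeit=16.8 ms
64 Bytes von 9.9.9.9: icmp_seq=9 ttl=54 Zeit=16.2 ms
64 Bytes von 9.9.9.9: icmp_seq=10 ttl=54 Zeit=16.0 ms
64 Bytes von 9.9.9.9: icmp_seq=11 ttl=54 Zeit=17.2 ms
64 Bytes von 9.9.9.9: icmp_seq=12 ttl=54 Zeit=15.5 ms
64 Bytes von 9.9.9.9: icmp_seq=13 ttl=54 Zeit=15.6 ms
64 Bytes von 9.9.9.9: icmp_seq=15 ttl=54 Zeit=16.5 ms
64 Bytes von 9.9.9.9: icmp_seq=17 ttl=54 Zeit=15.0 ms
64 Bytes von 9.9.9.9: icmp_seq=18 ttl=54 Zeit=16.4 ms
64 Bytes von 9.9.9.9: icmp_seq=19 ttl=54 Zeit=15.8 ms
"""

# First ten replies of the later transcript (manually created tunnel): no gaps.
TRANSCRIPT_CLEAN = """\
64 Bytes von 9.9.9.9: icmp_seq=1 ttl=54 Zeit=24.2 ms
64 Bytes von 9.9.9.9: icmp_seq=2 ttl=54 Zeit=22.9 ms
64 Bytes von 9.9.9.9: icmp_seq=3 ttl=54 Zeit=22.4 ms
64 Bytes von 9.9.9.9: icmp_seq=4 ttl=54 Zeit=24.9 ms
64 Bytes von 9.9.9.9: icmp_seq=5 ttl=54 Zeit=23.2 ms
64 Bytes von 9.9.9.9: icmp_seq=6 ttl=54 Zeit=22.2 ms
64 Bytes von 9.9.9.9: icmp_seq=7 ttl=54 Zeit=22.0 ms
64 Bytes von 9.9.9.9: icmp_seq=8 ttl=54 Zeit=23.6 ms
64 Bytes von 9.9.9.9: icmp_seq=9 ttl=54 Zeit=21.8 ms
64 Bytes von 9.9.9.9: icmp_seq=10 ttl=54 Zeit=21.8 ms
"""

if __name__ == "__main__":
    for name, text in (("wizard", TRANSCRIPT_WITH_GAPS), ("manual", TRANSCRIPT_CLEAN)):
        s = summarize_ping(text)
        print(f"{name}: {verdict(s)} missing={s.missing} loss>={s.loss_pct}% "
              f"rtt min/avg/max/mdev={s.rtt_min}/{s.rtt_avg}/{s.rtt_max}/{s.rtt_mdev}")
```

Running it on the wizard transcript reports four missing sequence numbers (a loss of at least 21%) against zero for the manual tunnel, which is a more useful thing to paste into a support thread than the raw output. Feeding it the `ping google.com` / `^C` transcript from the same post raises a `ValueError`, because that run produced no replies at all.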

No idea, I am using it with ProtonVPN & WireGuard and it’s working fine on several systems. I also have PIA; they only support OpenVPN, but it works fine with that too.

@LTS_Tom Thank you for your support! Knowing that you are reading and reacting to my problem helped me a lot.

I will have to find a way to get a deeper look into the logs of WireGuard. If you have a hint where to look, let me know :innocent:

Best wishes from Germany (the new hell of electricity-bills)!

Tom

Hmm…

I think I know what it is…

If I select a router for a network that is not the UDM, I get this behavior: the traffic of the VLAN is not routed through the VPN tunnel!

And what is most important in my eyes, the kill switch, is doing nothing in this situation… the traffic reaches the WAN and goes through the non-VPN connection. Don’t know what to say…