Trying to create a site-to-site VPN between a UDM Pro and a UDR7 with no luck. I do not have any public IP available, so I am using No-IP to handle this part. But I have also tried the WAN IP as well.
I can not get a connection at all.
The UDM is on a Comcast modem with ports 500 and 4500 forwarded to the UDM.
I can’t even get OpenVPN to connect to it from a PC. I tried this by setting up the VPN server on the UDM, taking the file and importing it into the PC. Still no connection. So I am lost on where my problem might be here. Any thoughts??
When you say no public IP available do you mean no static IP? Or do you mean all you have is a CGNAT IP?
When I try to use Site Magic it shows the devices, but I can not check them off and the message says no public IP.
If you don’t have a public IP on both sides then you won’t be able to use site magic.
Best way to approach this then?
There are quite a few ways. It depends on what you are trying to accomplish. If you are simply trying to connect to a server or services on either side, you can set up something like netbird on a VPS as an example. We would need to know more about what you are trying to do to give a more granular answer.
I need to pass a local pc to another office so they can all be on the same subnet. The remote office will be using wired android devices so we need to pass this through router to router.
In that case what I would do is still use the VPS option as your middle man.
- Set up a WireGuard server with this kind of config on your VPS. (Might need to omit the `MASQUERADE` unless you have a specific NAT need for it.)
```ini
[Interface]
PrivateKey = <YOUR_SERVER_PRIVATE_KEY> # This is the server's private key
Address = 192.168.4.1/24 # Assign a static IP to the WireGuard interface
ListenPort = 51822 # The port WireGuard will listen on
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
```
- Create a WireGuard Tunnel: In the UDM Pro’s interface, you’ll create a new WireGuard tunnel.
- Peer Information:
  - Private Key: The public key from the WireGuard server.
  - Allowed IPs: The subnet you configured on the WireGuard server (e.g., 192.168.4.0/24).
- Routing: Configure a static route on the UDM Pro to route traffic destined for the other network through the WireGuard tunnel.
OK, I will look at that, thank you.
Here is the more detailed outline:
| Node | Role | Internal WireGuard IP | LAN Subnet |
|---|---|---|---|
| VPS | Server | 10.0.0.1/24 | n/a (just a relay) |
| Site A | Client | 10.0.0.2/32 | 192.168.10.0/24 |
| Site B | Client | 10.0.0.3/32 | 192.168.20.0/24 |
1. VPS (WireGuard Server)
```ini
[Interface]
Address = 10.0.0.1/24
PrivateKey = <VPS_PRIVATE_KEY>
ListenPort = 51820
# PostUp/PostDown must sit in the [Interface] section; wg-quick rejects them under a [Peer]
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT

# Site A
[Peer]
PublicKey = <SITE_A_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32, 192.168.10.0/24

# Site B
[Peer]
PublicKey = <SITE_B_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32, 192.168.20.0/24
```
Make sure forwarding is enabled and add `net.ipv4.ip_forward=1` to /etc/sysctl.conf
2. Site A Config
```ini
[Interface]
Address = 10.0.0.2/32
PrivateKey = <SITE_A_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = your.vps.ip.address:51820
AllowedIPs = 10.0.0.0/24, 192.168.20.0/24
PersistentKeepalive = 25
```
Make sure to create static routes to 192.168.20.0/24 via 10.0.0.1
Ensure your LAN firewall on Site A allows forwarding between 192.168.10.0/24 <-> wg0
3. Site B Config
```ini
[Interface]
Address = 10.0.0.3/32
PrivateKey = <SITE_B_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = your.vps.ip.address:51820
AllowedIPs = 10.0.0.0/24, 192.168.10.0/24
PersistentKeepalive = 25
```
Make sure to create static routes to 192.168.10.0/24 via 10.0.0.1
Ensure your LAN firewall on Site B allows forwarding between 192.168.20.0/24 <-> wg0
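Added example (not from the thread or any of its posters): a small Python check that parses the three configs in the layout above and verifies the hub-and-spoke routing is consistent, i.e. the VPS lists each site's tunnel IP and LAN under the same peer, no prefix is claimed by two peers (WireGuard routes each destination to exactly one peer), and each site's AllowedIPs covers the other site's LAN. Keys, endpoint and subnets in the embedded samples are constructed placeholders mirroring the table above.

```python
import ipaddress

def parse_wg(text):
    """Minimal wg-quick config parser -> {'Interface': {...}, 'Peer': [{...}, ...]}."""
    cfg, cur = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if line == "[Interface]":
            cur = cfg["Interface"]
        elif line == "[Peer]":
            cfg["Peer"].append(cur := {})
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return cfg

def nets(csv):
    return [ipaddress.ip_network(p.strip()) for p in csv.split(",")]

def check_hub(server_conf, sites):
    """sites = {name: (config_text, lan_cidr)}; returns [] when routing is consistent."""
    problems, owner = [], {}
    for peer in parse_wg(server_conf)["Peer"]:
        for net in nets(peer["AllowedIPs"]):
            if net in owner:                          # cryptokey routing: one prefix, one peer
                problems.append(f"server: {net} claimed by two peers")
            owner[net] = peer["PublicKey"]
    for name, (text, lan) in sites.items():
        site = parse_wg(text)
        tun = ipaddress.ip_interface(site["Interface"]["Address"]).network
        if tun not in owner or owner[tun] != owner.get(ipaddress.ip_network(lan)):
            problems.append(f"{name}: server peer for {tun} must also list {lan}")
        allowed = nets(site["Peer"][0]["AllowedIPs"])
        for other, (_, other_lan) in sites.items():
            if other != name and not any(ipaddress.ip_network(other_lan).subnet_of(a) for a in allowed):
                problems.append(f"{name}: AllowedIPs do not cover {other_lan}")
    return problems

# Constructed samples mirroring the thread's layout (keys and endpoint are placeholders, not real).
PEER = "[Peer]\nPublicKey = <{k}_PUBLIC_KEY>\nAllowedIPs = {ips}\n"
SERVER = ("[Interface]\nAddress = 10.0.0.1/24\nListenPort = 51820\n"
          + PEER.format(k="SITE_A", ips="10.0.0.2/32, 192.168.10.0/24")
          + PEER.format(k="SITE_B", ips="10.0.0.3/32, 192.168.20.0/24"))
SITE = ("[Interface]\nAddress = {tun}/32\n[Peer]\nPublicKey = <VPS_PUBLIC_KEY>\n"
        "Endpoint = your.vps.ip.address:51820\nAllowedIPs = {allowed}\nPersistentKeepalive = 25\n")
SITES = {
    "Site A": (SITE.format(tun="10.0.0.2", allowed="10.0.0.0/24, 192.168.20.0/24"), "192.168.10.0/24"),
    "Site B": (SITE.format(tun="10.0.0.3", allowed="10.0.0.0/24, 192.168.10.0/24"), "192.168.20.0/24"),
}
```

Run `check_hub(SERVER, SITES)` on your own three files; an empty list means the VPS will forward each site's LAN to the right tunnel, while a forgotten LAN prefix or a prefix listed under two peers is reported by name.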
@LTS_Tom how does this work with UniFi??
It doesn’t, you install these on a host(s) behind the UniFi firewall.
Do you need the remote devices on the same subnet or just access to the subnet at the home location?
Rather than site to site, would Teleport work for those Android devices? WiFiman app connected back to your UniFi gateway. This will work without being on a public IP.
Finally got it. After begging with them, in the Oregon office we moved the UDM to another location where I can put a modem in bridge mode. Then poof, it gets done and working in just a short time. Told them it would be easier if we had just done it that way in the first place lol
Thanks Everyone