
EdgeRouter VPN site to site

EdgeRouter VPN site to site: complete step-by-step EdgeRouter site-to-site VPN configuration with IPsec, NAT, verification, and troubleshooting

Yes, an EdgeRouter site-to-site VPN is possible. This guide walks you through a practical, end-to-end approach to getting a reliable EdgeRouter site-to-site VPN up and running, from planning and prerequisites to testing, troubleshooting, and maintenance. You’ll learn how to configure IPsec on EdgeRouter devices (EdgeOS), set up strong phase-1 and phase-2 proposals, handle NAT, and verify that both the tunnel and the traffic through it are working correctly. If you’re looking for extra protection while you test or browse the wider internet, NordVPN often offers deals you can take advantage of here: NordVPN 77% OFF + 3 Months Free

Introduction: what you’ll get in this post
– A clear, practical plan for building a site-to-site VPN between two EdgeRouter devices or between an EdgeRouter and another vendor’s device
– Step-by-step CLI commands and GUI cues, plus sample configurations you can copy and adapt
– Important security considerations: strong IKE/ESP proposals, PSK handling, and firewall rules
– Common pitfalls and troubleshooting checklists to save you hours
– Real-world testing tips: how to verify tunnels, subnets, and connectivity
– Optional optimization tips to maximize throughput and reliability on EdgeRouter hardware

Whether you’re connecting a branch office to a main site or linking a data center to a remote location, this guide covers the essentials and beyond. If you prefer a quick-start, you’ll find a concise checklist right after the prerequisites.

A quick-start checklist
– Confirm both sites have static public IPs, or reliably reachable dynamic IPs with a dynamic DNS fallback
– Decide the local and remote subnets for each edge (e.g., 192.168.1.0/24 on Site A, 10.1.0.0/24 on Site B)
– Pick an IKE group and an ESP group with strong encryption (e.g., AES-256 with SHA-256)
– Generate strong pre-shared keys and keep them secret
– Ensure firewall rules allow VPN traffic: ESP (and AH if used), UDP 500 for IKE, and UDP 4500 for NAT-T
– Prepare test devices or hosts on each side to verify routing
– Review and raise log verbosity during the initial tests
– If you’re testing over the public internet, consider using NordVPN in a controlled way to shield endpoints during setup (see the affiliate note above)

Understanding the Edgerouter VPN site-to-site approach
EdgeRouter devices run EdgeOS, a Vyatta-derived operating system, and they support IPsec site-to-site VPNs that interoperate with most vendors’ implementations (Cisco, Juniper, Fortinet, etc.). The core components you’ll configure are:
– IKE Phase 1 settings: how the peers authenticate each other and establish the secure channel
– IPsec Phase 2 settings: the encryption and integrity algorithms actually applied to traffic
– Site-to-site peers: the two endpoints that establish the tunnel
– Local and remote subnets: which networks are reachable over the VPN
– NAT traversal and firewall rules: ensuring traffic flows through the tunnel and is protected

Why EdgeRouter for site-to-site VPN? It gives you a balance of hands-on control and performance, with a robust CLI for fine-grained tuning, GUI options for those who prefer clicking, and solid documentation. For many setups, a single EdgeRouter in each site handles multiple tunnels, making it cost-effective for branch-to-main site connections.

Key concepts you’ll see repeated
– IKE group: defines the Phase 1 encryption, hash, and DH parameters (named by you, e.g., IKE-1)
– ESP group: defines the encryption and integrity used for data transfer
– Local-subnet and remote-subnet: which networks each side will originate and accept through the tunnel
– Pre-shared key (PSK): the shared secret used for authentication
– NAT-T: NAT traversal support, which handles devices behind NAT on either side

Prerequisites and hardware considerations
– EdgeRouter models: EdgeRouter X, EdgeRouter 4/6/8/12, or higher based on throughput needs
– Firmware: latest EdgeOS version to ensure IPsec features and security patches
– Public IP addresses: static is ideal; dynamic addresses can work with dynamic DNS but require additional update logic
– Subnet planning: ensure there are no overlapping subnets across sites
– Internet connectivity: reliable link with at least a few Mbps of spare headroom to handle VPN overhead
– Optional: a monitoring plan to keep an eye on tunnel uptime and latency
– Security baseline: disable unused services, use strong PSKs, and keep devices up to date

Network planning and subnet design
Plan your networks so that:
– Site A local subnet: 192.168.1.0/24
– Site B local subnet (the remote subnet as seen from Site A): 10.1.0.0/24
– You can scale to multiple remote sites by adding more site-to-site peers on each EdgeRouter, but keep an organized naming convention for peers and subnets
– Reserve a dedicated interface for VPN when possible (e.g., eth2 or eth3 for VPN traffic) to simplify firewall rules

Security-minded tip: avoid very broad subnets on VPNs, such as 0.0.0.0/0, unless you are intentionally creating a full-tunnel VPN. Narrow subnets help with routing stability and performance.

Step-by-step configuration (EdgeRouter CLI, two sites)
Below are representative commands you can adapt. These examples assume:
– Site A: local subnet 192.168.1.0/24, public IP 203.0.113.10
– Site B: local subnet 10.1.0.0/24 (the remote subnet from Site A’s point of view), public IP 198.51.100.20
– IKE group: IKE-1 with AES-256 and SHA-256
– ESP group: ESP-1 with AES-256 and SHA-256
– PSK: MySecretPSK123 (a placeholder; generate a long random secret for real use)

Site A EdgeRouter CLI (local-address is this router’s own WAN IP; the subnets are set as local and remote prefixes under tunnel 1)
```
configure
set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-1 lifetime 28800
set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1 proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 198.51.100.20 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.20 authentication pre-shared-secret 'MySecretPSK123'
set vpn ipsec site-to-site peer 198.51.100.20 local-address 203.0.113.10
set vpn ipsec site-to-site peer 198.51.100.20 ike-group IKE-1
set vpn ipsec site-to-site peer 198.51.100.20 default-esp-group ESP-1
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 remote prefix 10.1.0.0/24
commit
save
```

Site B EdgeRouter CLI (enter the same IKE-1 and ESP-1 group definitions and the ipsec-interfaces line as on Site A first; only the peer block differs)
```
configure
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret 'MySecretPSK123'
set vpn ipsec site-to-site peer 203.0.113.10 local-address 198.51.100.20
set vpn ipsec site-to-site peer 203.0.113.10 ike-group IKE-1
set vpn ipsec site-to-site peer 203.0.113.10 default-esp-group ESP-1
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix 10.1.0.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix 192.168.1.0/24
commit
save
```

Notes:
– Replace the IPs with your real public addresses
– If either side is behind NAT, ensure NAT-T is enabled and UDP 4500 is allowed through your firewall
– You can do the same in the GUI if you prefer a click-based approach: look for VPN > IPsec > Site-to-Site in the EdgeOS GUI and mirror these settings

Firewall rules and NAT considerations
You’ll typically need to:
– Allow ESP (IP protocol 50) and IKE (UDP 500) through the firewall on both edges
– Allow NAT-T (UDP 4500) if either side is behind NAT
– Create firewall rules that permit traffic from the local subnet to the remote subnet over the VPN tunnel
– Make sure you don’t inadvertently drop return traffic; enable “established/related” rules where applicable

Example firewall-into-VPN rules (conceptual; adapt to your zone names)
– On Site A: allow 192.168.1.0/24 to 10.1.0.0/24 via VPN
– On Site B: allow 10.1.0.0/24 to 192.168.1.0/24 via VPN
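The subnet planning, the two-site CLI configuration and the firewall rules above all have to agree between the routers, and most failed tunnels come from one side drifting. The script below is an added example written for this page, not code from the original post or from Ubiquiti: it takes one description of both sites, runs the planning checks the guide lists (overlapping subnets, weak or badly quoted PSK) and emits the EdgeOS set statements used in this guide for each router, plus the WAN-side accept rules for IKE, NAT-T and ESP. It assumes the WAN firewall ruleset is named WAN_LOCAL with rule numbers 30 and 40 unused (the naming the EdgeOS setup wizard produces), eth0 as the WAN interface, and the site labels, DPD timers and random PSK are its own choices.

```python
"""Generate matching EdgeOS site-to-site IPsec configuration for two sites.

Added example, not code from the original post or from Ubiquiti. One shared
description of both sites becomes the EdgeOS `set` statements used in this
guide, so IKE/ESP proposals, PSK and subnets cannot drift apart between the
two routers. Assumptions: WAN firewall ruleset WAN_LOCAL with rules 30/40
free (the EdgeOS wizard's naming), eth0 as WAN, illustrative site labels.
"""
import ipaddress
import secrets
from dataclasses import dataclass

IKE_GROUP = "IKE-1"
ESP_GROUP = "ESP-1"


@dataclass(frozen=True)
class Site:
    name: str              # label, used only in output and error messages
    public_ip: str         # WAN address the other router dials
    subnet: str            # LAN behind this router, CIDR notation
    wan_if: str = "eth0"   # interface that carries the IPsec traffic


def new_psk(nbytes: int = 32) -> str:
    """Random URL-safe PSK: long, and free of the quotes/spaces that break the CLI."""
    return secrets.token_urlsafe(nbytes)


def check_plan(a: Site, b: Site, psk: str) -> list:
    """Planning mistakes the guide warns about; an empty list means the plan is sound."""
    try:
        net_a = ipaddress.ip_network(a.subnet)   # strict by default: rejects host bits set
        net_b = ipaddress.ip_network(b.subnet)
    except ValueError as exc:
        return [f"bad subnet: {exc}"]
    errors = []
    if net_a.overlaps(net_b):
        errors.append(f"subnets overlap: {a.subnet} and {b.subnet}")
    if a.public_ip == b.public_ip:
        errors.append("both sites use the same public IP")
    if len(psk) < 20:
        errors.append("PSK shorter than 20 characters")
    if any(ch in psk for ch in "'\" "):
        errors.append("PSK contains quotes or spaces")
    return errors


def site_config(local: Site, remote: Site, psk: str) -> list:
    """EdgeOS commands for one router; call again with the sites swapped for the other."""
    ike = f"vpn ipsec ike-group {IKE_GROUP}"
    esp = f"vpn ipsec esp-group {ESP_GROUP}"
    peer = f"vpn ipsec site-to-site peer {remote.public_ip}"
    return [
        f"set {ike} proposal 1 encryption aes256",
        f"set {ike} proposal 1 hash sha256",
        f"set {ike} proposal 1 dh-group 14",
        f"set {ike} lifetime 28800",
        # dead-peer detection: restart the tunnel when the peer stops answering
        f"set {ike} dead-peer-detection action restart",
        f"set {ike} dead-peer-detection interval 30",
        f"set {ike} dead-peer-detection timeout 120",
        f"set {esp} proposal 1 encryption aes256",
        f"set {esp} proposal 1 hash sha256",
        f"set vpn ipsec ipsec-interfaces interface {local.wan_if}",
        "set vpn ipsec nat-traversal enable",   # UDP 4500 if either side is behind NAT
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret '{psk}'",
        f"set {peer} local-address {local.public_ip}",
        f"set {peer} ike-group {IKE_GROUP}",
        f"set {peer} default-esp-group {ESP_GROUP}",
        f"set {peer} tunnel 1 local prefix {local.subnet}",
        f"set {peer} tunnel 1 remote prefix {remote.subnet}",
    ]


def wan_local_rules(ruleset: str = "WAN_LOCAL", base: int = 30) -> list:
    """Accept IKE (UDP 500), NAT-T (UDP 4500) and ESP on the router's WAN-to-router ruleset."""
    r1 = f"firewall name {ruleset} rule {base}"
    r2 = f"firewall name {ruleset} rule {base + 10}"
    return [
        f"set {r1} action accept", f"set {r1} description 'IKE and NAT-T'",
        f"set {r1} protocol udp", f"set {r1} destination port 500,4500",
        f"set {r2} action accept", f"set {r2} description ESP", f"set {r2} protocol esp",
    ]


def render_both(a: Site, b: Site, psk: str) -> dict:
    """Complete configure/commit/save script per site, keyed by site name."""
    errors = check_plan(a, b, psk)
    if errors:
        raise ValueError("; ".join(errors))
    scripts = {}
    for local, remote in ((a, b), (b, a)):
        lines = ["configure", *site_config(local, remote, psk), *wan_local_rules(), "commit", "save"]
        scripts[local.name] = "\n".join(lines)
    return scripts
```

Usage: render_both(Site("A", "203.0.113.10", "192.168.1.0/24"), Site("B", "198.51.100.20", "10.1.0.0/24"), new_psk()) returns one paste-ready script per site; a plan that fails the checks raises instead of producing half-matching configs. If you would rather let EdgeOS add the accept rules itself and also exclude tunnel traffic from NAT masquerade, set vpn ipsec auto-firewall-nat-exclude enable replaces the WAN_LOCAL rules.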

Testing and verification steps
– Check tunnel status in EdgeOS: in the CLI run show vpn ipsec sa; in the GUI open the VPN > IPsec status page
– Ping from a Site A host to a host in Site B (e.g., 192.168.1.100 -> 10.1.0.20)
– Verify that UDP 500/4500 and ESP traffic is seen in the logs
– Confirm that the VPN tunnel re-establishes automatically after a reboot or a brief internet outage
– If a tunnel won’t come up, verify that:
  – the PSK matches on both sides
  – the local/remote subnets do not overlap
  – the Phase-1 and Phase-2 proposals are identical on both sides
  – the firewall rules permit the traffic
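The checks above are easier to repeat (and to reuse from the uptime-monitoring scripts mentioned under the advanced tips) if the output of show vpn ipsec sa is parsed rather than eyeballed. The script below is an added example, not from the original post or from Ubiquiti: it parses that output into IKE and child (ESP) SAs and reports the specific failure modes the guide lists, including a tunnel that is up but only passes traffic one way. EdgeOS 2.x prints this command in strongSwan’s swanctl --list-sas layout; the SAMPLE embedded in the script is constructed in that layout with made-up SPIs and counters, and the exact format is an assumption to check against your firmware.

```python
"""Parse EdgeOS `show vpn ipsec sa` output and report why a tunnel is unhealthy.

Added example, not code from the original post or from Ubiquiti. EdgeOS 2.x
prints this command in strongSwan's `swanctl --list-sas` layout; SAMPLE is
constructed in that layout (made-up SPIs and counters) and the exact format is
an assumption, so adjust the regexes if your firmware prints differently.
"""
import re
from dataclasses import dataclass, field

# Constructed sample output for the Site A router of this guide (not captured from a device).
SAMPLE = """\
peer-198.51.100.20-tunnel-1: #3, ESTABLISHED, IKEv1, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 912s ago, rekeying in 26740s
  peer-198.51.100.20-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 912s ago, rekeying in 2310s, expires in 2688s
    in  c9a1f002,   48210 bytes,   402 packets,     2s ago
    out c61e4d7b,  101330 bytes,   517 packets,     1s ago
    local  192.168.1.0/24
    remote 10.1.0.0/24
"""


@dataclass
class ChildSa:
    state: str             # INSTALLED when phase 2 is up
    esp: str               # negotiated ESP cipher/integrity
    local: str = ""        # traffic selectors (the local/remote prefixes)
    remote: str = ""
    bytes_in: int = 0
    bytes_out: int = 0


@dataclass
class IkeSa:
    name: str              # peer-<ip>-tunnel-N
    state: str             # ESTABLISHED when phase 1 is up
    version: str
    proposal: str = ""     # negotiated IKE cipher/integrity/PRF/DH
    children: list = field(default_factory=list)


IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), (IKEv[12])")
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), \w+, ESP:(\S+)")
ALG_RE = re.compile(r"^\s+([A-Z0-9_]+-\d+/[A-Z0-9_/-]+)$")
CNT_RE = re.compile(r"^\s+(in|out)\s+\w+,\s+(\d+) bytes,\s+(\d+) packets")
NET_RE = re.compile(r"^\s+(local|remote)\s+(\d+\.\d+\.\d+\.\d+/\d+)$")


def parse_sas(text: str) -> list:
    """Turn the command output into IkeSa objects, each carrying its child (ESP) SAs."""
    sas = []
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            sas.append(IkeSa(m[1], m[2], m[3]))
        elif not sas:
            continue                                   # text before the first SA header
        elif m := CHILD_RE.match(line):
            sas[-1].children.append(ChildSa(m[2], m[3]))
        elif m := ALG_RE.match(line):
            sas[-1].proposal = m[1]
        elif sas[-1].children and (m := CNT_RE.match(line)):
            setattr(sas[-1].children[-1], f"bytes_{m[1]}", int(m[2]))
        elif sas[-1].children and (m := NET_RE.match(line)):
            setattr(sas[-1].children[-1], m[1], m[2])
    return sas


EXPECTED_ESP = "AES_CBC-256/HMAC_SHA2_256_128"   # aes256 + sha256 as configured in this guide


def tunnel_problems(sa: IkeSa, local: str, remote: str, expected_esp: str = EXPECTED_ESP) -> list:
    """Human-readable findings for one IKE SA; empty list means healthy."""
    problems = []
    if sa.state != "ESTABLISHED":
        problems.append(f"IKE SA is {sa.state}, not ESTABLISHED (check PSK and phase-1 proposal)")
    if not sa.children:
        problems.append("no child SA: phase 2 never completed (compare ESP proposals and subnets)")
    for child in sa.children:
        if child.state != "INSTALLED":
            problems.append(f"child SA is {child.state}, not INSTALLED")
        if child.esp != expected_esp:
            problems.append(f"ESP negotiated {child.esp}, expected {expected_esp}")
        if (child.local, child.remote) != (local, remote):
            problems.append(f"selectors {child.local} -> {child.remote} do not match the plan")
        if child.bytes_out and not child.bytes_in:
            problems.append("traffic leaves but nothing returns: far-side firewall, routing, or NAT of tunnel traffic")
    return problems


def tunnel_status(text: str, peer_ip: str, local: str, remote: str) -> list:
    """Problems for the tunnel to peer_ip; a missing SA is itself a finding."""
    for sa in parse_sas(text):
        if peer_ip in sa.name:
            return tunnel_problems(sa, local, remote)
    return [f"no IKE SA for peer {peer_ip}: IKE never negotiated (UDP 500/4500 reachable? PSK?)"]
```

Usage: tunnel_status(SAMPLE, "198.51.100.20", "192.168.1.0/24", "10.1.0.0/24") returns an empty list for the healthy sample; feed it the live command output instead of SAMPLE and alert whenever the list is non-empty. The one-way-traffic check is the one worth keeping even if you simplify the rest, since a tunnel that shows ESTABLISHED with outbound bytes climbing and inbound stuck at zero is the usual signature of a far-side firewall or NAT rule, not of a crypto mismatch.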

Common issues and how to fix them
– Mismatched IKE proposals: ensure both sides use AES-256, SHA-256, and the same DH group
– PSK mismatch: double-check the secret on both ends and consider rotating PSKs if suspicion arises
– Overlapping subnets: adjust the subnets so there is no overlap and reconfigure as needed
– NAT issues: ensure NAT-T is enabled and that NAT rules aren’t translating VPN traffic unexpectedly
– Traffic not routing through VPN: ensure the VPN tunnel is up, and that the firewall allows traffic to pass between local and remote subnets

Advanced tips and optimization
– Use strong encryption: AES-256 with SHA-256 for both IKE and ESP
– Enable dead-peer detection (DPD) to keep tunnels healthy under fluctuating internet conditions
– Consider multiple tunnels for redundancy if your environment demands higher reliability
– For larger deployments, plan a routing table strategy to avoid suboptimal path selection
– Monitor tunnel uptime with simple scripts or SNMP traps to catch dropouts early
– If you need IPv6 support, you can extend the IPsec configuration to include IPv6 subnets; plan the subnet design to avoid conflicts

Security and best practices
– Never reuse PSKs across multiple peering partners
– Rotate PSKs periodically and after any suspected exposure
– Limit tunnel traffic to only what’s needed (principle of least privilege)
– Regularly back up EdgeRouter configurations and keep a documented change log
– Maintain up-to-date firmware on all EdgeRouter devices

Migration and maintenance notes
– If you add a new site, replicate the peer configuration and ensure unique local/remote subnets
– Periodically review firewall rules to prune unused or overly permissive entries
– For changes in subnets, coordinate updates on both sides and test in maintenance windows
– When upgrading EdgeOS, test VPN functionality before rolling the change into production

GUI vs CLI: which approach to use?
– CLI (recommended for precision): the commands shown above are precise, repeatable, and work well for automated provisioning. It’s a favorite of network engineers who want full control.
– GUI: great for quick setup or when you’re less comfortable with command lines. The GUI mirrors many of the same settings (IKE group, ESP group, local/remote subnets, and PSK). If you’re new, start with the GUI to get a feel for the fields, then switch to the CLI for automation.

Real-world testing scenarios to consider
– Single branch to headquarters: a typical two-site tunnel with one PSK
– Multi-branch to HQ: multiple site-to-site tunnels into the same core network; ensure distinct peer definitions and subnets
– Failover testing: simulate a WAN outage and ensure traffic fails over to a backup tunnel, if one is configured, and returns to the primary afterwards
– Cloud integration: sometimes you’ll connect an EdgeRouter to a cloud VPN gateway; ensure the cloud-side settings align with your EdgeRouter configuration

Security considerations for long-term reliability
– Use unique pre-shared keys per connection and rotate them on a schedule
– Keep your EdgeRouter firmware updated; security fixes can also affect VPN stability
– Audit firewall rules periodically to avoid creeping permissiveness
– Use logging to detect unusual VPN activity and respond quickly

Troubleshooting quick-reference
– Tunnel never comes up: verify PSK, local/remote subnets, and IKE/ESP proposals
– Traffic goes nowhere: confirm routing tables, and ensure the remote subnet is reachable via the VPN interface
– Intermittent connectivity: check link stability and MTU/MSS issues, and enable DPD
– VPN works from some hosts but not others: check host firewall settings and host-specific routing

Performance considerations
– EdgeRouter models vary in throughput; plan for the expected VPN load plus encapsulation overhead
– AES-256 and SHA-256 add CPU overhead; if you’re hitting a ceiling, consider upgrading to a faster EdgeRouter model or offloading to a device with higher crypto throughput
– For sites with heavy traffic, consider a dedicated VPN appliance or additional tunnels to balance load

Best practices recap
– Plan subnets carefully and avoid overlap
– Use strong IKE/ESP proposals and rotate PSKs
– Enable NAT-T when behind NAT; verify that firewall rules allow VPN traffic
– Test thoroughly before moving to production
– Maintain documentation and version control for configs

Frequently Asked Questions
# What is EdgeRouter?
EdgeRouter is a family of routing devices from Ubiquiti, running EdgeOS, that provide advanced networking features including IPsec VPN, firewall, NAT, and more. They’re popular for small to medium-sized networks due to their balance of price and capability.

# Can EdgeRouter do site-to-site VPN?
Yes. EdgeRouter devices support IPsec site-to-site VPNs, allowing you to connect two remote networks securely over the internet.

# Which EdgeRouter models support IPsec site-to-site VPN?
Most EdgeRouter models released in the last several years support IPsec site-to-site VPNs, including EdgeRouter X, EdgeRouter 4/6/8/12, and higher. Always check the current EdgeOS release notes for any model-specific caveats.

# What should I plan before configuring?
Plan your subnets, decide on a static IP or dynamic DNS setup for both sites, choose strong IKE/ESP proposals, and have PSKs ready. Prepare firewall exceptions and ensure you can test connectivity across the tunnel.

# How do I configure IPsec on EdgeRouter via CLI?
Use the EdgeOS CLI to set the IKE group and ESP group parameters, define the site-to-site peer, set the local and remote subnets, and apply the PSK. Then commit and save. The exact commands are shown in the step-by-step configuration section above.

# How can I verify a tunnel is up?
Run show vpn ipsec sa in the EdgeRouter CLI or check the IPsec status page in the GUI. You should see a tunnel state like “ESTABLISHED” and active SA entries.

# How do I troubleshoot common IPsec problems?
Confirm PSK matches, verify that IKE/ESP proposals align on both sides, ensure no subnet overlap, and check firewall rules. Look at logs for authentication or negotiation failures and adjust as needed.

# Can I have more than one site-to-site VPN tunnel on a single EdgeRouter?
Yes. You can configure multiple site-to-site peers on the same EdgeRouter, each with its own local/remote subnets and unique PSK.

# How do I secure the VPN connection against exposure?
Use a strong PSK, rotate keys regularly, enable DPD, limit traffic to necessary subnets, and keep firmware up to date. Avoid exposing anything unnecessary to the VPN tunnel.

# Do I need a static IP on both sides?
Static IPs simplify configuration and reliability. If you use dynamic IPs, you’ll need dynamic DNS on both ends and a method to update the peer addresses when IPs change.

# How do multi-site VPNs affect routing?
Routing becomes more complex with multiple tunnels. Use careful subnet planning and, if needed, a dynamic routing protocol or static routes filtered per tunnel to avoid routing loops and ensure predictable paths.

# What about IPv6 traffic over IPsec?
IPv6 can be supported, but it requires careful subnet planning and appropriate VPN policies on both ends. Review EdgeRouter IPv6 capabilities and ensure compatibility with your remote site’s IPv6 design.

# Can I use third-party VPN services with EdgeRouter?
You can connect EdgeRouter to other VPN gateways like a cloud VPN or another vendor’s device using IPsec site-to-site, but ensure the configurations on both sides match in IKE/ESP settings and that routing is properly configured.

# How often should I review VPN health?
Regularly, quarterly at minimum. Check tunnel uptime, review logs for anomalies, verify that firewall rules still reflect your security posture, and test recovery after simulated outages.

# Is NordVPN suitable for site-to-site VPN on EdgeRouter?
NordVPN is primarily designed for end-user VPN protection (remote access). For site-to-site connections between two fixed sites, IPsec site-to-site on EdgeRouter is what is typically used. NordVPN’s services can still complement remote-access testing or lab environments if needed. If you’re testing security and want an extra layer during setup, consider using the NordVPN deal linked earlier in this post for personal protective testing during learning phases.
