
Edgerouter vpn site to site setup guide: how to configure IPsec tunnels between EdgeRouter devices for secure site-to-site VPN connections

Edgerouter vpn site to site is a configuration that creates a secure IPsec tunnel between two EdgeRouter gateways to connect different networks over the Internet. In this guide, you’ll get a practical, step-by-step approach to planning, configuring, testing, and maintaining a site-to-site VPN with EdgeRouter devices. You’ll also find real-world tips, common pitfalls, and troubleshooting notes to help you get things working smoothly. Plus, I’ll show you how to verify the tunnel, keep things secure, and handle changes as your network grows. If you want a consumer VPN for remote workers or extra protection on the edge, I’ve included a quick promo in the intro so you can explore your options.

Useful resources (we unpack these later if you want to dive deeper):

  • EdgeRouter documentation – ubnt.com
  • EdgeOS CLI reference – help edges router
  • IPsec concepts explained – en.wikipedia.org/wiki/IPsec
  • VPN best practices for small offices – example open-source guides
  • Network topology planning resources – network planning basics

Introduction: what you’ll learn and why it matters

  • Edgerouter vpn site to site is a reliable way to connect two or more networks across the Internet using IPsec.
  • In this guide you’ll see: (a) how to design a simple two-site VPN topology, (b) which settings to choose for IKE and IPsec, (c) how to create tunnels and guard the traffic with basic firewall rules, (d) how to route traffic between subnets, (e) how to test and troubleshoot, (f) how to scale to more sites, and (g) common pitfalls and how to fix them.
  • We’ll cover EdgeRouter X, EdgeRouter 4, and higher-end EdgeRouter models, with practical caveats for each.
  • You’ll also get concrete, copy-paste-ready command blocks with placeholders so you can adapt quickly to your real IPs and subnets.
  • If you’re curious about a broader VPN approach for devices that aren’t site-to-site on your LAN, I’ll point to consumer VPN options and how they differ from a true site-to-site tunnel.

What “site-to-site VPN” means for EdgeRouter

  • A site-to-site VPN connects two distinct networks so devices on one side can reach devices on the other side as if they were on the same LAN.
  • IPsec is the protocol suite that encrypts and authenticates traffic as it traverses untrusted networks like the Internet.
  • EdgeRouter devices rely on EdgeOS (Vyatta-based) to configure IKE (the key exchange) and the IPsec tunnels, plus the firewall rules needed to let that traffic through.

Prerequisites and planning

  • Two EdgeRouter devices with reliable Internet connections, one at each site.
  • A public IP address on each edge. A static address is ideal; dynamic IPs are workable with dynamic DNS if you can’t get a static address.
  • Subnet planning: ensure the LAN subnets don’t overlap. For example, Site A might be 192.168.10.0/24 and Site B 192.168.20.0/24.
  • A strong pre-shared key (PSK) for authentication, or certificate-based authentication if your EdgeRouter setup supports it. PSK is simpler for small setups.
  • Firewall awareness: you’ll need to allow IPsec-related traffic to the router itself (ESP, and UDP 500 and UDP 4500 for IKE and NAT-T) and permit the LAN-to-LAN traffic that crosses the tunnel.
  • Optional: plan for dynamic DNS if IPs aren’t static, and plan for multiple sites if you decide to scale later.

Step-by-step configuration: two-site example
Note: Replace placeholders with your real IPs, subnets, and secrets:

  • SITE A: LAN 192.168.10.0/24, public IP A: a.b.c.d
  • SITE B: LAN 192.168.20.0/24, public IP B: w.x.y.z
  • PSK: yourStrongPsk123

EdgeRouter A (Site A)

  • Step 1: Bind IPsec to the WAN interface (replace eth0 with the interface that holds public IP A; without this line EdgeOS will not listen for IKE) and prepare the IKE and IPsec groups
configure
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes128
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha1
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 2
set vpn ipsec ike-group IKE-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes128
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha1
set vpn ipsec esp-group ESP-GROUP lifetime 3600

- Step 2: Define the site-to-site peer and PSK
set vpn ipsec site-to-site peer w.x.y.z authentication mode pre-shared-secret
set vpn ipsec site-to-site peer w.x.y.z authentication pre-shared-secret 'yourStrongPsk123'
set vpn ipsec site-to-site peer w.x.y.z ike-group IKE-GROUP
set vpn ipsec site-to-site peer w.x.y.z default-esp-group ESP-GROUP
set vpn ipsec site-to-site peer w.x.y.z local-address a.b.c.d

- Step 3: Tunnel specifics (local/remote subnets)
set vpn ipsec site-to-site peer w.x.y.z tunnel 1 local-subnet 192.168.10.0/24
set vpn ipsec site-to-site peer w.x.y.z tunnel 1 remote-subnet 192.168.20.0/24

- Step 4: Commit and save
commit
save

EdgeRouter B (Site B)
- Step 1: Mirror the same IKE/ESP groups and PSK from Site A (including the ipsec-interfaces line, pointed at Site B’s WAN interface)

- Step 2: Define the peer (public IP A) and PSK, then the tunnel subnets (swapped relative to Site A), and commit
configure
set vpn ipsec site-to-site peer a.b.c.d authentication mode pre-shared-secret
set vpn ipsec site-to-site peer a.b.c.d authentication pre-shared-secret 'yourStrongPsk123'
set vpn ipsec site-to-site peer a.b.c.d ike-group IKE-GROUP
set vpn ipsec site-to-site peer a.b.c.d default-esp-group ESP-GROUP
set vpn ipsec site-to-site peer a.b.c.d local-address w.x.y.z

set vpn ipsec site-to-site peer a.b.c.d tunnel 1 local-subnet 192.168.20.0/24
set vpn ipsec site-to-site peer a.b.c.d tunnel 1 remote-subnet 192.168.10.0/24
commit
save


Notes on topology and IP addressing
- If you have more than two sites, you can extend the same approach by creating additional peers: each peer needs its own local-subnet and remote-subnet mapping.
- Do not overlap LAN subnets across sites; otherwise, routing becomes ambiguous.
- For dynamic IPs, set up a dynamic DNS hostname on the edge whose address changes and use that hostname in the peer configuration where your EdgeOS version supports it; otherwise, update the peer address and re-establish the tunnel when the IP changes.

Firewall and NAT considerations
- Allow IPsec traffic to the router on both ends. In practice, you’ll want to permit ESP (IP protocol 50) and UDP ports 500 and 4500 (ISAKMP/IKE and NAT-T) on the WAN-to-router ruleset.
- Create a firewall policy that allows traffic between the VPN subnets, and keep that traffic out of NAT.
- Disable NAT for traffic between the two private subnets; you don’t want to masquerade the traffic as it travels between the sites, or the remote side will see your WAN address instead of the LAN host.
- A common approach is to add a firewall rule that permits traffic from the local LAN to the remote LAN via the VPN tunnel, and vice versa.

Testing and verification
- Basic checks:
  - Ensure the tunnel is up: look for an IPsec SA (security association) on both sides.
  - Ping across subnets: from a host on Site A to a host on Site B (e.g., 192.168.10.50 -> 192.168.20.50).
  - Check routing tables to confirm the path is via the VPN tunnel and not a direct LAN route.
- Useful EdgeRouter commands (operational mode):
  - show vpn ipsec sa
  - show vpn ike sa
  - show vpn ipsec status
  - show interfaces
  - show vpn log
- Troubleshooting common issues:
  - PSK mismatch: re-check the pre-shared secret on both sides.
  - Subnet overlap: verify local-subnet and remote-subnet do not overlap.
  - Firewall blocks: confirm ESP and NAT-T ports aren’t blocked by intermediate devices.
  - Dynamic IP changes: if a site’s public IP changes, update the peer configuration on the other side and reset the peer so the tunnel renegotiates.

Monitoring and maintenance
- Regularly check tunnel status, uptime, and rekey intervals.
- Consider setting up alerts for tunnel down events if your environment supports it.
- For larger deployments, track multiple tunnels in a centralized dashboard or a monitoring tool, and ensure logs are stored for audit and debugging.

Security best practices
- Use strong, unique pre-shared keys or certificates if you can. Avoid default or easily guessable values.
- Keep EdgeRouter firmware updated to benefit from security fixes and stability improvements.
- Limit VPN access to the minimum necessary subnets and services.
- Periodically review firewall rules to remove any stale or unnecessary allowances.
- If you scale to more sites, consider centralized management or automation for consistency and fewer manual mistakes.

Advanced tips for EdgeRouter configurations
- If you run into intermittent tunnel drops or large transfers stalling, check MTU and MSS clamping settings; IPsec adds per-packet overhead, and packets that no longer fit the path MTU cause tunnel instability.
- For multiple remote sites, use right-sized subnets and consider route-based VPNs or policy-based VPNs depending on your EdgeOS version and support.
- If you require IPv6 site-to-site VPN, verify IPv6 addressing, firewall rules, and IPsec configurations explicitly support IPv6 on both sides.

Common pitfalls and how to avoid them
- Subnet conflicts: always double-check your LAN subnets before starting the VPN setup.
- Over-restrictive firewall rules: you can lock yourself out from the VPN if you deny VPN traffic. Start with permissive rules and tighten gradually.
- Not testing after each step: test after you set up the tunnels and again after adding routes to ensure traffic actually flows through the VPN.

Scaling beyond two sites
- When adding more sites, replicate the peer and tunnel setup for each site, keeping individual PSKs or certificate identities distinct.
- Plan a consistent naming scheme for peers and subnets to avoid confusion as you scale.
- Consider a hub-and-spoke design if you have many sites requiring inter-site communication, which can simplify routing tables and reduce complexity.

IPv6 considerations
- If you need IPv6 site-to-site VPN, ensure your EdgeRouter supports it and that the IPv6 subnets are distinct on each side.
- Update firewall rules to handle ESP/UDP 500/4500 for IPv6, as some devices treat IPv6 traffic a bit differently than IPv4.

FAQ: Frequently asked questions
# What is Edgerouter vpn site to site?
Edgerouter vpn site to site is a configuration that creates a secure IPsec tunnel between two EdgeRouter gateways to connect different networks over the Internet, enabling devices on one site to reach devices on the other as if they were on the same LAN.

# Do I need two EdgeRouter devices to make a site-to-site VPN work?
Yes. A site-to-site VPN requires two gateways at the very least, one at each site, to establish a tunnel that encrypts traffic between the two networks.

# Should I use IKEv1 or IKEv2 for EdgeRouter site-to-site VPN?
IKEv2 is generally preferred for modern networks because it re-establishes quickly after outages, is more secure with fewer configuration quirks, and tends to work better with NAT traversal. If you’re maintaining an older EdgeRouter setup, IKEv1 is still possible, but consider upgrading where feasible.

# How do I choose local and remote subnets?
Pick non-overlapping private subnets for each site. For example, Site A can be 192.168.10.0/24 and Site B 192.168.20.0/24. The key is that routers know which side owns which subnet so traffic can route correctly.

# What if my public IPs aren’t static?
You can use dynamic DNS (DDNS) to keep a hostname updated with your current IP. On EdgeRouter setups that support it, you can point the peer to the hostname rather than a fixed IP and refresh the tunnel automatically when the IP changes.

# How do I test a site-to-site VPN after configuring it?
- Verify the tunnel status (look for an active IPsec SA).
- Ping hosts across subnets (Site A to Site B).
- Check routing to ensure traffic takes the VPN path.
- Use traceroute to confirm the path and identify where it breaks if it doesn’t work.

# What firewall rules are essential for IPsec VPNs?
Allow IPsec-related traffic to the router: ESP (IP protocol 50), UDP 500 (ISAKMP/IKE), and UDP 4500 (NAT-T). Then ensure there are rules permitting traffic between VPN subnets across the tunnel and blocking unsolicited inbound traffic as appropriate.

# Can I have multiple site-to-site VPNs on the same EdgeRouter?
Yes, you can configure multiple IPsec peers, but you’ll need separate tunnel definitions for each peer and corresponding firewall and routing entries. Keep things organized with clear naming.

# How do I handle overlapping subnets if I expand later?
Plan subnets now with future growth in mind. Use non-overlapping ranges for each new site and document every change. If a conflict arises, you’ll need to readdress the affected LANs and adjust VPN tunnel configurations accordingly.

# What are some common EdgeRouter pitfalls to avoid?
- PSK mismatch between sites
- Subnet overlaps
- Blocking ESP or NAT-T in firewalls
- Not updating firewall rules after adding a new VPN tunnel
- Forgetting to add static routes for remote subnets

# Is there a recommended sequence for updating firmware during VPN deployments?
Yes. Start with a stable firmware version on both EdgeRouters, then incrementally update, testing VPN connectivity after each upgrade. Always back up configurations before updating.

# Can I use a consumer VPN service for site-to-site purposes?
Consumer VPN services like NordVPN are designed for endpoint-to-endpoint privacy and not for inter-site corporate-style site-to-site VPNs. They don’t replace the need for IPsec tunnels between sites. They can complement secure remote access for individual devices, but the core site-to-site connection should be IPsec between your edge devices.

Conclusion
This guide gives you a solid blueprint to set up Edgerouter site-to-site VPNs with EdgeRouter devices. From planning and topology to concrete EdgeOS commands and practical troubleshooting tips, you’ve got a ready-to-use framework. If you want to explore more VPN options for personal use or remote workers, check out the NordVPN promo in the introduction and decide whether a consumer VPN can complement your setup for non-site-to-site needs. Remember, the most important part is careful planning and incremental testing—build your tunnels, verify them, then expand with confidence.
