How-to: Ubiquiti UniFi Security Gateway (USG) / Cloud Key VPN without a RADIUS server (local users)
I wanted to use VPN without having to install a RADIUS server. This is possible with a Ubiquiti USG if you follow the instructions below exactly:
Read the official Ubiquiti instructions before you continue with mine. It is very important that you understand them and follow each step in order. I strongly advise creating a ticket with Ubiquiti support (https://help.ubnt.com/hc/en-us/requests/new), because no system, network or set of circumstances is the same, and the instructions change quickly with each update. If you don't know what to do, ask for help. The controller version when I installed the VPN was 5.3.8; when I wrote this document it was 5.4.11.
1. Create config.gateway.json file
First, create a text file named 'config.gateway.json'. Make sure it has no other extension (e.g. .txt); it has to end in .json.
Content of this text file:
Save this as config.gateway.json. In this example two users are created: user1 with password password1 and user2 with password password2. Change these to something of your own.
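As an added example, not the author's file, the following Python script builds a config.gateway.json for the two users named above, checks the filename and the placeholder passwords before anything is copied to the controller, and reads the written file back to verify it. The key layout under vpn > l2tp > remote-access > authentication > local-users is the EdgeOS configuration tree this example assumes the USG expects for local VPN users; compare it with the Ubiquiti article linked at the top of the page before provisioning. The minimum password length is a policy chosen for this example.

```python
import json
import os
import tempfile

# Directory named in the post where the controller picks up the file.
SITE_DIR = "/srv/unifi/data/sites/default"
# The controller only reads a file with exactly this name.
FILENAME = "config.gateway.json"
# Placeholder passwords from the post; they must never reach a live gateway.
PLACEHOLDER_PASSWORDS = {"password1", "password2"}
MIN_PASSWORD_LEN = 12  # assumed policy for this example, not from the post


def build_vpn_config(users):
    """Return the config.gateway.json structure for local L2TP VPN users.

    The key layout (vpn > l2tp > remote-access > authentication) is the
    EdgeOS configuration tree assumed by this example; compare it with
    Ubiquiti's own article before provisioning.
    """
    return {
        "vpn": {
            "l2tp": {
                "remote-access": {
                    "authentication": {
                        "mode": "local",
                        "local-users": {
                            "username": {
                                name: {"password": pw} for name, pw in users.items()
                            }
                        },
                    }
                }
            }
        }
    }


def check_config(users, filename=FILENAME):
    """Return a list of problems to fix before the file is copied to the Cloud Key."""
    problems = []
    if filename != FILENAME:
        problems.append(f"file must be named exactly {FILENAME!r}, got {filename!r}")
    for name, pw in users.items():
        if pw in PLACEHOLDER_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
            problems.append(f"user {name!r}: replace the placeholder or short password")
    return problems


def write_config(users, directory, filename=FILENAME):
    """Serialise the config as well-formed JSON and return its path."""
    path = os.path.join(directory, filename)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(build_vpn_config(users), fh, indent=2)
    # The passwords are stored in clear text; keep the file owner-readable only.
    os.chmod(path, 0o600)
    return path


def load_users(path):
    """Parse a written config back into {username: password} to verify it."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    entries = cfg["vpn"]["l2tp"]["remote-access"]["authentication"]["local-users"]["username"]
    return {name: entry["password"] for name, entry in entries.items()}


def demo_roundtrip(users):
    """Write the config to a temporary directory (standing in for SITE_DIR) and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        return load_users(write_config(users, tmp))


if __name__ == "__main__":
    example_users = {"user1": "password1", "user2": "password2"}  # the post's example values
    for problem in check_config(example_users):
        print("WARNING:", problem)
    print(json.dumps(build_vpn_config(example_users), indent=2))
    print("round trip ok:", demo_roundtrip(example_users) == example_users)
```

Generating the file with json.dump rather than typing it by hand rules out the stray comma or missing brace that would make the USG fail to provision, and the clear-text passwords are the reason the script tightens the file mode and refuses the post's placeholder values.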
2. Copy config.gateway.json to the Cloud Key
Download and install WinSCP.
Start WinSCP and connect to the IP address of your Cloud Key, logging in with the Cloud Key's credentials (username/password).
Go to the directory /srv/unifi/data/sites/default (or the name you gave your site).
Copy the config.gateway.json you created into this directory.
3. Create network for VPN
Go to Settings in UniFi, click Networks, then click CREATE NEW NETWORK.
Fill in the information as shown below and click CREATE NEW RADIUS PROFILE.
Fill in the information as below:
You can use the information given in Ubiquiti's instructions (link at the top of the page). Click SAVE, then click SAVE again.
Once the USG has completed provisioning you will be able to connect to the VPN using the username/password you created.
Ubiquiti UniFi and my ISP appear to be a good team!
My ISP (Ziggo) issues?
People often write on social media and forums that Ziggo (my ISP) performs very badly. Most of the time this is due to bad devices, with failing wireless connections as the main cause. Of course there are also cases that are Ziggo's fault: distribution centres or DNS that suddenly stopped working. Some days ago there was an issue that was Microsoft's mistake (solution: KB3206632). Clearly you cannot easily pinpoint the problem with an internet connection.
I have a Technicolor cable modem on which a firmware update suddenly meant I could no longer change the DNS. This was my reason for putting the cable modem into bridge mode.
After struggling for a while with an ASUS AC-68U and a Linksys AC1600 I decided that these 'high-end' consumer products had to go, and to embrace an enterprise product instead. I was not able to get a stable enough environment with the (pro-)consumer products. I had the following issues on a regular basis:
- The Technicolor behaving strangely with the routers mentioned (DHCP issues, strange client error messages)
- Ring doorbell and Nefit Easy lost their wireless connection many times (FYI, both work on 2.4 GHz)
- Sony VAIO laptop could not maintain a stable wireless connection, and in particular had a lot of DNS issues with websites (FYI, also on 2.4 GHz)
- 5 GHz was fast but also had DNS issues (stuttering: unable to load websites and pictures/videos on Facebook, etc.) while speed tests reported a fast enough speed
- The Philips Hue app did not connect quickly when used over WiFi on the LAN.
The disadvantage of this setup was having multiple SSIDs (wireless network names). I was asked several times why those names were not the same. You have to know that these routers and clients lack the ability to determine which connection is best. Put simply, the client connects to the first connection available and tries to keep it until it is completely lost. This is not what you want.
The ideal situation is one network name per band, with clients automatically roaming between access points depending on signal strength. This kind of system is called MESH. Some people will also say you can give the same network name to the separate WiFi bands (2.4 and 5 GHz). In theory this is correct: clients are able to choose the band that suits them best, but some devices like the Ring and Nefit Easy cannot handle this advanced client communication and get confused, resulting in lost connections. For this reason I advise disabling automatic selection of channels and bands.
I was ready for an enterprise WiFi solution. I chose Ubiquiti with their UniFi enterprise WiFi products.
At first I chose the following setup:
- 1x UniFi AP AC PRO
- 1x UniFi AP AC LITE
- 1x UniFi Cloud Key (I run this device because I didn't want a Java installation on my PC or NAS, for maintenance and security reasons)
I chose this basic setup to start with, to see if I liked the environment. The installation and features surprised me in a good way.
Many WiFi access points and routers scan only the WiFi channels to check which other WiFi networks cause interference. Ubiquiti scans those frequencies but also checks those used by other devices such as a microwave or baby monitor, which lets you make a better decision about which channel to use. You can also see how much of the bandwidth in that channel is being used. With this information the other wireless routers and access points look like a kid's toy.
It's very clear which channels are occupied and busy and which are not.
When you click on a channel you get even more in-depth information.
With this information I was able to fine-tune my channel per floor, because each floor experienced different types of interference.
It's better not to let the channel be chosen automatically. There are (mostly old) devices that cannot automatically hop to a new channel, which results in an unstable or even lost connection. The advantage of a fixed channel is that it gives those devices a stable connection. Take care to choose a channel that does not interfere with your neighbours' equipment, and certainly not with your own.
One of the main reasons to switch to Ubiquiti UniFi WiFi is the MESH/roaming feature for the home, as I wrote before.
Here you can see my S7 roam from Slaapkamer to Mancave. Instead of me choosing another AP manually, UniFi makes sure it automatically roams from Slaapkamer (upper floor) to Mancave (lower floor).
But this is not the only advantage. There is also an advantage in redundancy: if an AP is unavailable due to maintenance or another reason, other APs will serve its clients.
Here you see the Chromecast roam from Slaapkamer to Woonkamer because I forced maintenance of AP Slaapkamer, causing its clients to roam to other nearby APs. Clients keep working, perhaps temporarily with lower throughput, and eventually the Chromecast roams back to the AP with the better connection.
It works very well. Everybody with multiple APs at home should have a system with MESH/roaming features.
I love measuring statistics and speed, so I started measuring.
These are my results with my old Linksys EA6400 (AC1200): maximum download 283.3 Mbit/s, average 258.8 Mbit/s; maximum upload 26.44 Mbit/s, average 22.52 Mbit/s. This is without roaming or other features enabled. This AP was in our living room (Woonkamer) because that is where speed matters most for our devices. (Measured using the 5 GHz band.)
I was shocked by the difference. The download speed was the first thing I noticed; I had expected a higher speed from this enterprise product. We have a 300 Mbit download / 30 Mbit upload connection at home. You may notice the test server is slower than the one used with the Linksys, but I reran the test several times on the 10 Gb/s server and the difference stays the same. The first positive thing I noticed was the upload speed: the average went from 22.52 Mbit/s to 30.18 Mbit/s, which is nearly 34% faster. The ping time is also shorter, 26 ms to 20 ms, which is 30% faster. That can be called a big gain.
At that moment I wasn't yet aware how good the stability of UniFi products is. Because of the strange behaviour of the Technicolor from my ISP Ziggo, I decided to also buy Ubiquiti's router so my whole infrastructure would be UniFi. I called Ziggo to put my router into bridge mode; it's not possible to put the TC7210 into bridge mode yourself.
The UniFi Security Gateway router:
I knew the stability would be better because you can arrange and control DHCP and DNS yourself.
The system has now been running for more than two months and I have to say I'm impressed; I should have done this much earlier. All devices (iOS / Android / Windows 10), but especially the Nefit Easy, Philips Hue and Ring, now work very stably.
In UniFi it looks like this:
The first option shows the Dashboard, with the most important information in one view.
The second option is for statistics.
The third option is called "Maps", but I don't use it because of its limitations: you cannot use floors.
The fourth option is "Devices", where you can see the UniFi devices.
The fifth option is called "Clients", which shows you the clients currently connected.
The sixth and last option is called "Insights", which lets you see which clients were connected to the system during a specific time frame.
On this page I found my Nest Protect V2 for the first time. I was never able to find them with Fing or Linksys; with UniFi, no problem! (For security reasons I don't show IPs, but you can see them in UniFi.)
In this example I have selected the clients from the last 24 hours, but you can choose other options, which are added or updated in new versions.
Buy good equipment for your home. Linksys, ASUS or Cisco products for (pro-)consumers, despite their higher price, lack a lot of features. I haven't written about lots of features like VPN, guest network, etc. Most important is that it works very stably. We had no issues in those two months. Download speeds of 36+ MB/s (288 Mbit/s) over a UTP connection via Steam are not rare.
My wife's iPhone and iPad work better since our migration to Ubiquiti UniFi. I noticed much better DNS behaviour on my computers and Android devices. All smart-home devices work faster and more stably than ever before. Throw away those consumer routers, switches and access points!