Modify Teleport VPN Subnet on Ubiquiti UniFi Gateway

The current UniFi Gateway product lines, such as the UXG-Fiber that I am using, include a built-in VPN server called Teleport. The idea is a simple, zero-configuration VPN solution: when activated, the VPN is configured automatically by selecting an unused subnet from the 192.168.X.0/24 range.

While initial deployment was as simple as advertised, I quickly ran into a problem where UniFi assigned a subnet that overlapped with a subnet on an upstream router. Teleport, being a zero-configuration service, gives no supported way to set which subnet is in use. Insert some curiosity and a solution.

Requirements

  • Administrative access to the UniFi OS Control Plane (Cloud Key or equivalent).
  • SSH access to the UniFi OS Control Plane (Cloud Key or equivalent), required to access the MongoDB.

Summary Steps

  • Gain SSH Access to the UniFi OS Control Plane
  • Determine the Site_ID Value for the Teleport Configuration
  • Modify the Teleport Subnet


Ubiquiti UniFi Security Gateway Disable NAT

This is a guide for disabling the Network Address Translation (NAT) function on the Ubiquiti Networks UniFi Security Gateway (USG). The NAT functionality can be disabled by a custom config.gateway.json file on the UniFi Controller. There is no User Interface option currently to disable NAT.

Note: These instructions apply to the UniFi Security Gateway (USG) line of products, which is end of life. The config.gateway.json method does not exist on the UDM and UXG product lines.

If you are here looking to disable NAT on a UDM or UXG product, know that there is now an option in the web interface. Command line or other filesystem changes are no longer necessary as of at least the 9.4 controller firmware line.

Requirements

  • UniFi Security Gateway (USG)
  • SSH access to the UniFi Controller

Summary Steps

  • Create or update a custom config.gateway.json configuration file
  • Perform a manual device provision of the USG


UniFi VPN RADIUS Challenge Fails with Invalid Password

An issue exists between the Ubiquiti Networks UniFi software controller v5.10.19 and a Microsoft RADIUS or Network Policy Server (NPS) when NTLMv2 responses are forced on all Domain Controllers. When this condition exists, RADIUS calls from the UniFi controller fail with an error event indicating that the password is invalid. The security logs on the RADIUS server report the following failure:

Failure Information:
     Failure Reason:     Unknown user name or bad password.
     Status:             0xC000006D
     Sub Status:         0xC000006A     (Account logon with misspelled or bad password)

The issue is limited to VPN connections. WiFi connections using the same RADIUS connection profile and user account succeed.

Applying the registry value described in Microsoft KB 2811487 to the RADIUS server resolves the issue.

Set the following registry DWORD value to 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Enable NTLMv2 Compatibility = 1