Connecting Ubiquiti Unifi USG to Azure via VPN


As a self-confessed Ubiquiti fanboy who wants to learn the Microsoft Azure platform (just, well, because), it made sense to attempt to create a Site-to-Site (AKA Site-to-Cloud) VPN connection between my Ubiquiti UniFi USG and my Azure cloud. The following tutorial shows the steps that worked for me.

First off, versions and assumptions, at the time of writing I was using:

Ubiquiti UniFi USG Firmware Version:

Ubiquiti UniFi Controller Version: 5.6.29

Stage 1: Azure Preparation

Create Virtual Network Gateway

In order to connect our USG to our Azure space, we need a destination within Azure in the form of a Virtual Network. Assuming this is already done, we now need to create a Virtual Network Gateway for our VPN connection. To create one, perform the following steps:

Click on the burger menu in the top left


In the search box of the New pane that appears, type Virtual Network Gateway, then press enter

At the top of the list should be an option for Virtual Network Gateway, click it and in the new pane that appears, click Create (bottom of the screen):

On the Create Virtual Network Gateway form, all of the options can stay at their defaults except for the following:


SKU: you need to select the VPN gateway SKU; you can find information about the different options here (for UK) or here (for USA). I opted for Basic.

Virtual Network: select the one you want to connect to.

Public IP Address: you may need to create a new one; this is an Azure service that provides a public IP address for your cloud estate.

Subscription: how you want to pay for the services.

Location: the physical hosting location for the services around the VPN connection.

Create Local Network Gateway

In the Azure Portal, click 

In the search box of the New pane that appears, type Local Network Gateway, then press enter

Click Create in the page that appears

The IP Address is the public IP address of your UniFi USG unit

The Address Space is a usable range of IPs on your local network (the network serviced by the UniFi USG). I use this CIDR calculator to easily define a small range of addresses in the upper range of my local subnet, for example: gives me four addresses.

Create Connection

In the Azure Portal, click 

In the search box of the New pane that appears, type Connection, then press enter

Click on Connection in the results:

Click Create at the bottom of the Connection pane

In the form that appears, use the following options (choosing your own subscription, resource group and location):
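As an added example (not part of this article, and not Ubiquiti's or Microsoft's code), the following Python script does two pieces of preparation for Stage 1 in one go: it checks that the Address Space given to the Local Network Gateway sits inside the USG's subnet and that neither overlaps the Azure Virtual Network (overlapping ranges are the usual reason a tunnel comes up but carries no traffic), and it generates a random pre-shared key for the Create Connection form. The subnet, VNet range and /30 values in it are constructed assumptions.

```python
import ipaddress
import secrets

# Constructed sample values (assumptions, not taken from the article): the
# subnet behind the USG, the Azure Virtual Network's address space, and the
# /30 from the top of the USG subnet handed to the Local Network Gateway.
USG_LAN = "192.168.1.0/24"
AZURE_VNET = "10.0.0.0/16"
LOCAL_GATEWAY_ADDRESS_SPACE = "192.168.1.252/30"


def check_address_spaces(usg_lan, azure_vnet, local_gw_space):
    """Return a list of problems; an empty list means the three prefixes fit together."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 192.168.1.5/24
        lan = ipaddress.ip_network(usg_lan, strict=True)
        vnet = ipaddress.ip_network(azure_vnet, strict=True)
        local = ipaddress.ip_network(local_gw_space, strict=True)
    except ValueError as exc:
        return [f"invalid prefix: {exc}"]

    problems = []
    if lan.overlaps(vnet):
        problems.append(
            f"USG subnet {lan} overlaps the Azure VNet {vnet}; "
            "traffic for one side would never be routed across the tunnel"
        )
    if not local.subnet_of(lan):
        problems.append(
            f"Local Network Gateway address space {local} is not inside the USG subnet {lan}"
        )
    if local.overlaps(vnet):
        problems.append(
            f"Local Network Gateway address space {local} overlaps the Azure VNet {vnet}"
        )
    return problems


def address_count(prefix):
    """Number of addresses in a prefix (a /30 gives four, as the article notes)."""
    return ipaddress.ip_network(prefix, strict=True).num_addresses


def generate_psk(nbytes=32):
    """Random pre-shared key from the OS CSPRNG: URL-safe ASCII with no spaces,
    which fits in the Connection form's Shared key field."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    issues = check_address_spaces(USG_LAN, AZURE_VNET, LOCAL_GATEWAY_ADDRESS_SPACE)
    print("address spaces OK" if not issues else "\n".join(issues))
    print(f"{LOCAL_GATEWAY_ADDRESS_SPACE} holds {address_count(LOCAL_GATEWAY_ADDRESS_SPACE)} addresses")
    print("pre-shared key for the Connection form:", generate_psk())
```

Paste the generated key into the Connection form and keep it somewhere safe; the same string is entered on the USG side in Stage 2.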


Stage 2: Ubiquiti UniFi Setup

Create Virtual Network Gateway

Login to your UniFi controller and click the settings icon 

Click Networks

Click Create New Network

Give the Network a useful name

For the Purpose property, select Site-to-Site VPN

Select Manual IPsec as the VPN Type

Under Remote Subnets, click Add Subnet and enter the same local subnet you defined earlier in the Create Local Network Gateway section (example:

In Peer IP enter the public IP address from Azure

In Local WAN IP enter the IP address on the public interface of your UniFi USG

In Pre-Shared Key enter the key we defined earlier in the Create Connection section

Under the IPsec Profile select Azure dynamic routing

Click to expand Advanced Options

IMPORTANT NOTE: there is a bug at the moment in the UniFi Controller software whereby PFS & Dynamic Routing are always selected.

Uncheck both PFS and Dynamic Routing

Click Save

Verifying the Connection Status

Viewing the Connection Status on Azure

Once everything is set up, the VPN connection should initiate automatically. To verify, you can view the connection status in the Microsoft Azure portal. To do this:

Go to your Dashboard

Click the Connection we made earlier

Make sure you are on the Overview tab

Wait a short while and you should see something like the following:

Viewing the Connection Status on Ubiquiti UniFi USG

Incorrect VPN Status on the UniFi Controller

Unfortunately, at the time of writing there appears to be a bug in the UniFi Controller's reporting of Site-to-Site VPN connections: despite the VPN connection to Azure being established, the UniFi Controller Dashboard shows no Active Tunnels and zero packets in either direction.

I can confirm that my standard client-to-site connection shows up on the Dashboard, so the issue is specific to site-to-site VPNs.

If you do want to verify on the USG that the VPN tunnel is up, you can do so via the command line:

SSH into the USG device directly (not into the controller)

Type the following command:

show vpn ipsec sa

You should get a result similar to the following:

peer- #1, ESTABLISHED, IKEv2, 0d1dh838jd29d39:39483jdhudsu3fd
local '' @
remote '' @
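As an added example, not taken from the article or from Ubiquiti or Microsoft, the following Python script checks the tunnel from both ends without consulting the controller dashboard at all: it parses `show vpn ipsec sa` output captured over SSH (the layout shown above) for the Azure peer's IKE state and per-direction packet counters, and reads the `connectionStatus` field from the JSON that `az network vpn-connection show` returns for the Connection resource. The sample output, peer addresses, SPIs and counters embedded in it are constructed, not real captures.

```python
import json
import re

# Constructed sample of `show vpn ipsec sa` output (assumption: it follows the
# layout the article shows; the addresses, SPIs and counters are made up).
USG_SA_OUTPUT = """\
peer-203.0.113.10-tunnel-1: #1, ESTABLISHED, IKEv2, 0d1dh838jd29d39:39483jdhudsu3fd
  local  '198.51.100.20' @ 198.51.100.20
  remote '203.0.113.10' @ 203.0.113.10
  peer-203.0.113.10-tunnel-1: #2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    in  c1a2b3c4, 4096 bytes, 32 packets
    out d5e6f7a8, 2048 bytes, 16 packets
    local  192.168.1.252/30
    remote 10.0.0.0/16
"""

# Constructed sample of the Connection JSON from `az network vpn-connection show`
# (assumption: trimmed to the fields this check reads).
AZURE_CONNECTION_JSON = """\
{"name": "usg-to-azure", "connectionStatus": "Connected",
 "ingressBytesTransferred": 4096, "egressBytesTransferred": 2048}
"""

# Top-level (unindented) IKE SA line: connection name, state and IKE version.
IKE_SA_RE = re.compile(
    r"^peer-(?P<peer>[\d.]+)-tunnel-\d+: #\d+, (?P<state>[A-Z]+), (?P<ike>IKEv\d)"
)
# Indented child SA counters: direction, SPI, bytes, packets.
COUNTER_RE = re.compile(
    r"^\s+(?P<dir>in|out)\s+\S+, (?P<bytes>\d+) bytes, (?P<packets>\d+) packets"
)


def parse_usg_sa(output):
    """Map each peer IP to its IKE state and summed in/out packet counts."""
    peers = {}
    current = None
    for line in output.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            current = m.group("peer")
            peers[current] = {
                "state": m.group("state"),
                "ike": m.group("ike"),
                "in_packets": 0,
                "out_packets": 0,
            }
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            peers[current][m.group("dir") + "_packets"] += int(m.group("packets"))
    return peers


def usg_tunnel_up(output, azure_peer_ip):
    """True when the IKE SA towards the Azure gateway's public IP is ESTABLISHED."""
    sa = parse_usg_sa(output).get(azure_peer_ip)
    return sa is not None and sa["state"] == "ESTABLISHED"


def azure_connection_up(connection_json):
    """True when Azure reports the Connection as Connected (other values:
    Connecting, NotConnected, Unknown)."""
    return json.loads(connection_json).get("connectionStatus") == "Connected"


def verify_site_to_site(usg_output, azure_peer_ip, connection_json):
    """Cross-check both ends; a tunnel that is up on one side only is not healthy."""
    usg_up = usg_tunnel_up(usg_output, azure_peer_ip)
    azure_up = azure_connection_up(connection_json)
    sa = parse_usg_sa(usg_output).get(azure_peer_ip, {})
    return {
        "usg_established": usg_up,
        "azure_connected": azure_up,
        "packets_in": sa.get("in_packets", 0),
        "packets_out": sa.get("out_packets", 0),
        "healthy": usg_up and azure_up,
    }


if __name__ == "__main__":
    # In practice feed this the real output of `ssh <usg> 'show vpn ipsec sa'`
    # and of `az network vpn-connection show -g <rg> -n <connection>`.
    print(verify_site_to_site(USG_SA_OUTPUT, "203.0.113.10", AZURE_CONNECTION_JSON))
```

Packet counters that stay at zero on the USG while Azure reports Connected point at a routing or address-space mismatch rather than an IKE failure, which is exactly the case the controller dashboard cannot distinguish.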



Bob McKay

About Bob McKay

Bob McKay works at Perfect Image, is a father, programmer and a self confessed techie-geek type.
