From time to time it’s quite useful to appear to be an internet user from, say, the US or the UK instead of Germany. Of course there are services for this. I won’t mention a specific one, because it’s impossible to watch YouTube videos without seeing a “sponsored message”. For a while you were practically carpet-messaged with VPN offers when watching YouTube videos.
What was my use case? I didn’t want to roll out VPN clients to each of my systems, because I don’t use a VPN for confidentiality, but for being able to appear as a user from a different country. Think of taking advantage of regional pricing differences.
However, I didn’t want to hand my VPN credentials to friends, family and visitors, just the credentials for a special WLAN, which I can easily change. This way I can also use the VPN for devices that have no VPN functionality at all, or for locked-down systems on which nobody can install a VPN client. A television set that appears to access the internet from the US or the UK is quite simple to set up this way.
That said, I assume you have found the VPN provider of your least distrust (or most functionality, where trust is not that necessary) for the following instructions.
This is how I configured this with the Unifi gear I’m using at home. My router is a Unifi Cloud Gateway Ultra.
In order to route something via a different route than your default gateway, you create a policy-based route inside Unifi. However, you can’t simply put a WLAN into a routing policy; you need to configure a network first. Policy-based routes work on the basis of the “Network” object, not the “WiFi” objects, so the WLAN is attached to a network of its own and the route is applied to that network.
- So log in to your Unifi Console. Go to the sprocket (the “Settings” icon, the second from the bottom) → Networks. Then choose “New virtual network”. Choose a network name, for example “MyLAN US”. The router will most probably automatically be set to the only router in your configuration. I’ve chosen “192.168.x.1/24” for the host address of the Unifi Cloud Gateway Ultra (UCG), making sure the subnet doesn’t overlap with any of my existing networks, and left Advanced at auto. The auto setting will choose a VLAN tag for you. Of course, if you have more advanced needs for your network, you should configure them accordingly, as I did. This holds for all situations where I state that I keep things at “auto”.
- Afterwards I configured a WLAN. At sprocket → WiFi → “Create New”. I named it “MyWLAN US”, defined a nice password, and chose “MyLAN US” as the network. Again I kept Advanced at auto. Ensure that your switches are configured so that the VLAN used for “MyLAN US” is tagged on the port your access point is connected to; otherwise clients will get onto the WLAN but never reach the new network.
- Now you have to configure the VPN. I chose NordVPN. This isn’t an endorsement of them in any way. I will probably swap them for something different in the future, but it seems the carpet messaging worked. NordVPN provides you with a .ovpn config file plus a service username and a service password. The .ovpn file I chose uses a tunnel endpoint in the US. So choose sprocket → VPN. Go to the tab “VPN Client”. Then go to “Create new”. Then select “OpenVPN”. Give it a nice name like “VPN US”. Then upload the .ovpn file. Afterwards the system should ask for a username and a password. It’s the one NordVPN calls the service password, not the one you use for logging into NordVPN. One hint: I had problems with the authentication data. When I did a cut and paste on my own, the credentials didn’t work. However, when I used the “copy” link on the NordVPN website, I had no problem. Then click “Apply Changes”. The VPN tunnel should now connect.
- Then go to sprocket → Routing. You are already in the necessary tab, “Policy-based route”. Click “Create Entry”. On the next screen choose a nice name like “VPN US route”. Select “All Traffic”. As “Source” choose the network configured in the first step, “MyLAN US”. So all systems in the network “MyLAN US” are subject to this rule. As we attached the network “MyLAN US” to the WLAN “MyWLAN US”, this policy applies to all wireless and wired clients using either of them (by choosing the WLAN, or by having the VLAN configured on the LAN port the client is connected to). As interface, scroll down to the “VPN clients” part of the list and choose the VPN client “VPN US”.
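Before uploading the provider’s .ovpn file in the VPN client step, it is worth checking what the profile actually contains: which endpoints it connects to, whether it verifies the server certificate, and whether it references side files (credentials, CA, key) that a single-file upload cannot carry. The following is an added example, not code from the original post and not from NordVPN or Ubiquiti. It parses an OpenVPN client profile, including inline `<ca>`/`<tls-auth>` blocks, and reports such findings. The embedded profile is constructed for the example; the hostnames and certificate bodies are placeholders, not a real provider’s values.

```python
"""Inspect an OpenVPN client profile (.ovpn) before uploading it to a gateway.

Added example, not part of the original post nor of any VPN provider's or
Ubiquiti's software. The embedded profile is constructed for this example;
hostnames and certificate bodies are placeholders.
"""
import re

# Constructed sample profile (placeholder hostname and certificate bodies).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn-us.example.net 1194
remote vpn-us2.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name CN=vpn-us.example.net
auth-user-pass
cipher AES-256-GCM
auth SHA512
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE-BODY
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TLS-AUTH-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

_INLINE_OPEN = re.compile(r"^<([a-z-]+)>$")


def parse_ovpn(text):
    """Return (directives, inline) for an .ovpn profile.

    directives: directive name -> list of argument lists, one per occurrence
                (e.g. several 'remote' lines).
    inline:     block name (ca, cert, key, tls-auth, ...) -> block body.
    """
    directives, inline = {}, {}
    block, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                     # inside <name> ... </name>
            if line == f"</{block}>":
                inline[block] = "\n".join(body)
                block, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":           # blank or comment line
            continue
        m = _INLINE_OPEN.match(line)
        if m:
            block = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    if block is not None:
        raise ValueError(f"unterminated inline block <{block}>")
    return directives, inline


def remotes(directives):
    """(host, port, proto) for every 'remote' line; port defaults to 1194 and
    proto to the global 'proto' directive (udp if absent)."""
    proto = directives.get("proto", [["udp"]])[0][0]
    out = []
    for args in directives.get("remote", []):
        port = int(args[1]) if len(args) > 1 else 1194
        out.append((args[0], port, args[2] if len(args) > 2 else proto))
    return out


def check_profile(text):
    """Findings a practitioner wants before uploading the profile as one file."""
    d, inline = parse_ovpn(text)
    findings = []
    if "remote" not in d:
        findings.append("no 'remote' line: profile has no tunnel endpoint")
    if "auth-user-pass" in d:
        args = d["auth-user-pass"][0]
        if args:   # a credentials file on disk is not part of a single-file upload
            findings.append(f"auth-user-pass references file '{args[0]}', "
                            "which a single-file upload does not carry")
        else:      # the gateway will ask for the provider's *service* credentials
            findings.append("auth-user-pass: gateway will prompt for the "
                            "provider's service username/password")
    for name in ("ca", "tls-auth", "tls-crypt", "cert", "key"):
        if name in d and name not in inline:
            findings.append(f"'{name}' references external file "
                            f"'{d[name][0][0]}' instead of an inline <{name}> block")
    if "ca" not in inline and "ca" not in d:
        findings.append("no CA: server certificate cannot be verified")
    if "remote-cert-tls" not in d:
        findings.append("no 'remote-cert-tls server': client does not require "
                        "a server-role certificate from the peer")
    if "verify-x509-name" not in d:
        findings.append("no 'verify-x509-name': any certificate issued by the "
                        "CA is accepted for any endpoint")
    return findings


if __name__ == "__main__":
    for host, port, proto in remotes(parse_ovpn(SAMPLE_OVPN)[0]):
        print(f"endpoint {host}:{port}/{proto}")
    for f in check_profile(SAMPLE_OVPN):
        print("finding:", f)
```

The `remote` lines tell you which exit you are really getting (the hostname usually carries the country), and the findings list shows whether the profile pins the server identity or would silently accept any certificate from the provider's CA.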
As soon as you connect to the WiFi “MyWLAN US” and open a website that shows your IP address, you should see a US IP address, or whatever endpoint you have chosen with your VPN provider. Check DNS as well: if the clients on that network resolve names through a resolver that is not reached via the tunnel, a service can still place you by the resolver’s location. The same applies to IPv6 if the network has IPv6 connectivity and the policy route only carries IPv4.
Of course there is a disadvantage. The connection between you and the router is only encrypted by the mechanisms of wireless LAN, and of course by TLS when you are using such a protocol. It’s not end-to-end, it’s SomewhatNearTheEndpointButInYourControl-to-endpoint. That said, as I said before, I don’t see the use case of such a VPN in encryption but in tunnelling. From my point of view they could introduce a non-encrypted service level, because in the end the traffic is outside the encrypted tunnel anyway once it leaves the tunnel endpoint on the other side.
The other disadvantage is that changing the tunnel endpoint is not that easy: you have to reconfigure it on the UCG. On the other hand, you change it for all clients at once, without having to change it on each client separately.