From time to time it’s quite useful to appear to be an internet user from, for example, the US instead of Germany. Or from the UK. Of course there are services for this. I won’t mention a specific one, because it’s impossible to watch YouTube videos without seeing a “sponsored message”. For a while you were practically carpet messaged with VPN offers when watching YouTube videos.

What was my use case? I didn’t want to roll out VPN clients to each of my systems, because I don’t use a VPN for confidentiality, but to be able to appear as a user from a different country. Think of using pricing disparities.

However, I didn’t want to hand my VPN credentials to friends, family and visitors, but just the credentials for a special WLAN, which I can easily change. This way I can also use the VPN for devices that have no VPN functionality, or for locked-down systems where someone is unable to install a VPN client. A television set accessing the internet from the US or the UK is quite simple this way.

That said, I assume you have found the VPN provider of your least distrust (or most functionality, where trust is not that necessary) for the following instructions.

This is how I configured this with the Unifi gear I’m using at home. My router is a Unifi Cloud Gateway Ultra.

In order to route something via a different route than your default gateway, you create a policy-based route inside Unifi. However, you can’t simply put a WLAN into a routing policy; you need to configure a network before this. Policy-based routes work on the basis of the “network” object, not the “WiFi” objects.

  1. Log in to your Unifi Console. Go to the sprocket (“Settings” icon, the second from the bottom) -> Networks. Then choose “New virtual network”. Choose a network name, for example “MyLAN US”. The router will most probably be set automatically to the only router in your configuration. I’ve chosen “192.168.x.1/24” for the host address of the Unifi Cloud Gateway Ultra (UCG) and left Advanced at auto. The auto setting will choose a VLAN tag for you. Of course, if you have more advanced needs for your network, you should configure them accordingly, as I did. This is valid for all situations where I state that I keep things at “auto”.
  2. Afterwards I configured a WLAN. At sprocket -> WiFi -> “Create New”. I named it “MyWLAN US”, defined a nice password, and chose “MyLAN US” as the network. Again I kept Advanced at auto. Ensure that your switches are configured in a way that the VLAN used for MyLAN US is available on the port where your access point is connected to your LAN.
  3. Now you have to configure the VPN. I chose NorthVPN. This isn’t an endorsement of them in any way. I will probably swap them for something different in the future, but it seems that the carpet messaging worked. NorthVPN will provide you with a .ovpn config file, a service username and a service password. The .ovpn file I chose uses a tunnel endpoint in the US. So choose sprocket -> VPN. Go to the tab “VPN Client”. Then go to “Create new”. Then select “OpenVPN”. Give it a nice name like “VPN US”. Then upload the .ovpn file. Afterwards the system should ask for a username and a password. It’s the one NorthVPN calls the service password, not the one you use for logging in to NorthVPN. One hint: I had problems with the authentication data. When I did a cut ’n’ paste on my own, the credentials didn’t work. However, when I used the “copy” link on the NorthVPN website I had no problem. Then click on “Apply Changes”. The VPN tunnel should now connect.
  4. Then go to sprocket -> Routing. You are already in the necessary tab “Policy-based route”. Click on “Create Entry”. On the next screen choose a nice name like “VPN US route”. Select “All Traffic”. As “Source”, choose the network configured in the first step, the “MyLAN US” one. So all systems in the network “MyLAN US” are subject to this rule. As we attached the LAN “MyLAN US” to the WLAN “MyWLAN US”, this policy is used for all wired and wireless clients using one of them (by choosing the WLAN, or by having the VLAN configured on the LAN port used by the client). As interface, scroll down to the VPN clients part of the list and choose the VPN client “VPN US”.
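Before uploading the provider’s .ovpn file in the VPN step, it is worth looking at what it actually contains, because the gateway will trust whatever is in that profile on behalf of every client in the VLAN. The following Python script is an added example, not part of the original post and not code from Unifi or any VPN provider: it parses an OpenVPN client profile, lists the remote endpoints (so you can see which tunnel endpoint a whole network is about to be routed through), and flags things a gateway operator would want to know about first. The profile texts, hostnames and addresses in it are constructed samples.

```python
"""Added example (not from the original post): inspect a provider-supplied
OpenVPN client profile before uploading it to the Unifi VPN client.
The profile texts below are constructed samples, not real provider files."""
import re

# Constructed sample in the shape of a provider .ovpn with a US endpoint.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote us1234.example-vpn.invalid 1194
remote-cert-tls server
auth-user-pass
cipher AES-256-GCM
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed sample with problems a gateway operator would want to catch.
WEAK_OVPN = """\
client
dev tun
remote 203.0.113.10 443 tcp
cipher BF-CBC
auth-user-pass
script-security 2
up /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""

WEAK_CIPHERS = {"none", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}
# Directives that make OpenVPN execute an external program on the device
# that loads the profile.
SCRIPT_HOOKS = ("up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify")


def parse_ovpn(text):
    """Return (directives, inline): directive name -> list of argument lists
    (a directive such as 'remote' may repeat) and inline block name -> body."""
    directives, inline = {}, {}
    block, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside <ca> ... </ca> etc.
            if line == f"</{block}>":
                inline[block] = "\n".join(body)
                block, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            block = m.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    if block is not None:
        raise ValueError(f"unterminated inline block <{block}>")
    return directives, inline


def first_arg(directives, name, default):
    """First argument of a directive, or the default if absent or empty."""
    args = directives.get(name, [[default]])[0]
    return args[0] if args else default


def remotes(directives):
    """List (host, port, proto) so you can see which tunnel endpoint you are
    about to route a whole VLAN through."""
    default_proto = first_arg(directives, "proto", "udp")
    result = []
    for args in directives.get("remote", []):
        host = args[0]
        port = int(args[1]) if len(args) > 1 else 1194
        proto = args[2] if len(args) > 2 else default_proto
        result.append((host, port, proto))
    return result


def check_profile(directives, inline):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if "remote" not in directives:
        findings.append("no 'remote': nothing to connect to")
    if "ca" not in inline and "ca" not in directives:
        findings.append("no CA: the server certificate cannot be validated")
    if "remote-cert-tls" not in directives and "verify-x509-name" not in directives:
        findings.append("no 'remote-cert-tls'/'verify-x509-name': any certificate "
                        "issued by the CA would be accepted as the server")
    for args in directives.get("cipher", []):
        if args and args[0] in WEAK_CIPHERS:
            findings.append(f"weak or disabled data cipher '{args[0]}'")
    level = first_arg(directives, "script-security", "1")
    if level.isdigit() and int(level) >= 2:
        findings.append(f"'script-security {level}' lets the profile run external scripts")
    for hook in SCRIPT_HOOKS:
        if hook in directives:
            findings.append(f"'{hook}' runs a command on the device loading the profile: "
                            f"{' '.join(directives[hook][0])}")
    for args in directives.get("auth-user-pass", []):
        if args:
            findings.append(f"'auth-user-pass {args[0]}' expects credentials in a file "
                            "that the gateway will not have")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_OVPN), ("weak", WEAK_OVPN)):
        d, i = parse_ovpn(text)
        print(label, "endpoints:", remotes(d))
        for finding in check_profile(d, i):
            print("  -", finding)
```

Run it against your own profile by replacing the constructed sample text with the file contents. A missing `remote-cert-tls server` (or `verify-x509-name`) matters most here: without it the client accepts any certificate issued by the provider’s CA as the server. Script hooks such as `up` are worth noticing because the profile then executes a command on whatever device loads it, which in this setup is your gateway.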

As soon as you connect to the WiFi “MyWLAN US” and visit a website showing your IP address, you should now see a US IP address, or whatever endpoint you have chosen with your VPN provider.

Of course there is a disadvantage. The connection between you and the router is only encrypted by the mechanisms of the wireless LAN, and of course by TLS when you are using such a protocol. It’s not end-to-end, it’s SomewhatNearTheEndpointButInYourControl-to-endpoint. That said, as I said before, I don’t see the use case of such a VPN in encryption but in tunneling. From my point of view they could introduce a non-encrypted service level, because in the end the traffic is outside the encrypted tunnel anyway after it leaves the tunnel endpoint on the other side.

The other disadvantage is that changing the tunnel endpoint is not that easy: you have to configure it on the UCG. However, you change it for all clients at the same time, without having to change it on each client separately.

Written by

Joerg Moellenkamp

Grey-haired, sometimes grey-bearded Windows dismissing Unix guy.