@@ -0,0 +1,127 @@
---
pcx_content_type: integration-guide
title: Ubiquiti
reviewed: 2025-10-02
---

Connect a Ubiquiti UniFi Gateway to Cloudflare's network using Magic WAN. These steps use the Cloud Gateway Max (UCG-Max) but work with other UniFi gateways supporting route-based IPsec VPNs, like the Dream Machine series.


## Prerequisites

- Cloudflare account with Magic WAN enabled (contact your account team)
- UniFi Cloud Gateway or Dream Machine with IPsec support
- UniFi Network Application (self-hosted or cloud)
- Static public IP from your ISP
- Admin access to both Cloudflare and UniFi
- Gather a **Magic Anycast IPv4** address from the **Leased IPs** section in the dashboard **IP addresses** > **Leased IPs** (Contact your account team if you do not see any IPs listed)

## Step 1: Configure Magic WAN

1. In the [Cloudflare dashboard](https://dash.cloudflare.com), go to **Magic WAN** > **Configuration**
2. Under **Select tunnel type**, select **IPsec Tunnel** and click **Next**
3. Under **Tunnels**, click **Create**:
- Name: `unifi-gw-primary`
- IPv4 Interface Addess: `10.252.2.28/31` or referer to the [Tunnel endpoints Documentation](/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/)
- Customer Endpoint: Your UniFi Gateway's WAN IP (e.g., `203.0.113.10`)
- Cloudflare Endpoint: `One of the IPv4 addresses gathered from Leased IPs`
4. Under **Tunnel Health checks**:
- Health check rate: `set to desired level`
- Health check type: `Request`
- Health check direction: `Bidirectional`
- Health check target: `Default`
5. Under **Pre-shared key**:
- Leave **Add pre-shared key later** selected (this key will be given during the Unfi site-to-site VPN configuration)

## Step 2: Configure Site-to-Site VPN on UniFi

1. In UniFi Network, go to **Settings** > **VPN** > **Site-to-Site VPN**
2. Click **Create New**
3. Configure:
- **VPN Type:** `IPsec`
- **Name:** `Cloudflare-MagicWAN`
- **Preshared Key:** Copy this key for use in the Magic Wan Tunnel Configuration created in `Step 1`.
- **Local IP:** Select the WAN interface (e.g., `WAN1`)
- **Remote IP:** Cloudflare endpoint IP from `Step 1`
- **VPN Method:** Route Based
- **Tunnel IP:** `10.252.2.29/31` or referer to the [Tunnel endpoints Documentation](/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/)
- **Remote Networks:** Inside Cloudflare tunnel address (e.g., 10.252.2.28/31) and other remote subnets to access through Magic WAN
4. Set Advanced settings:
- Key Exchange Version: IKEv2
- IKE Encryption: AES-256
- IKE Hash: SHA256
- IKE DH Group: 14
- IKE Lifetime: 28800
- ESP Encryption: AES-256
- ESP Hash: SHA256
- ESP DH Group: 14
- ESP Lifetime: 28800
- PFS: Enabled
- Local Authentication ID: `Auto`
- Remote Authentication ID: Uncheck `Auto`, enter the Cloudflare endpoint IP from `Step 1`
- MTU: 1436
5. Click **Apply**

## Step 3: Add Preshared Key to Cloudflare

1. Go to **Magic WAN** > **Tunnels** and edit your tunnel
2. Paste the preshared key from Step 2
3. Click **Save**

## Step 4: Configure Routes and Health Checks

1. Go to **Magic WAN** > **Static Routes** > **Create**:
- Prefix: Your local network (e.g., `192.168.1.0/24`)
- Tunnel: Select your tunnel
- Priority: `100`
2. Go to **Health Checks** > **Create**:
- Name: `UniFi-Health-Check`
- Type: `ICMP Ping`
- Endpoint: Customer endpoint address from Step 1
- Rate: Low frequency
3. Edit your tunnel and enable the health check

## Verification

Wait a few minutes, then check:
- **Cloudflare:** Magic WAN > Tunnels shows **Healthy**
- **UniFi:** Settings > VPN shows connected status

## Troubleshooting

**Tunnel down:**
- Verify Peer IP, preshared key, and IPsec settings match on both sides
- Check ISP isn't blocking UDP ports 500/4500

**Traffic not routing:**
- Verify Remote Subnets setting in UniFi VPN config
- Check firewall rules aren't blocking VPN traffic

**Health check fails:**
- Allow ICMP from Cloudflare to the customer-side tunnel IP
- Target should be the `/31` interface IP, not your LAN gateway

## Policy-Based Routing

To route only specific devices through Cloudflare (UniFi Network Application):

1. Remove necessary routes from Remote Subnets in your VPN config
2. Go to **Settings** > **Policy Table** under Policy Engine > **Create New Policy**:
- Select `Route`
- Name: Provide a name for the policy
- Type: Policy-Based
- Interface/VPN Tunnel: Select the VPN Tunnel (e.g., `Cloudflare-MagicWAN`)
- Kill Switch: Enabled (recommended)
- Source: Select `Device/Network` and then choose the Device(s) or Networks(s)
- Destination: Any
- Interface: Your VPN tunnel

## Next Steps

- Use [Magic Firewall](https://developers.cloudflare.com/magic-firewall/) for network policies
- Configure a second tunnel for redundancy
- Monitor traffic in the Magic WAN dashboard

---

You're now routing traffic through Cloudflare's global network with enterprise-grade security and performance.
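Review bot: the health-check target is inconsistent within this file: Step 4 creates a health check with `Endpoint: Customer endpoint address from Step 1` (the gateway's public WAN IP, `203.0.113.10` in the example), while Troubleshooting says `Target should be the /31 interface IP, not your LAN gateway`; state one target in both places, and reconcile it with `Health check target: Default` in Step 1 so the reader knows whether the separate health check in Step 4 is required at all. The pre-shared key flow should also say that the value entered under **Preshared Key** in Step 2 must be a long random secret, since with IKEv2 PSK and the authentication IDs set to the public IPs it is the only thing authenticating the two peers. Smaller points: "Addess" and "referer" (twice) are typos, "Unfi" should be "UniFi", "Magic Wan" should be "Magic WAN", the UniFi field is named **Remote Networks** in Step 2 but "Remote Subnets" in Troubleshooting and Policy-Based Routing, and "Remove necessary routes from Remote Subnets" should say which routes are meant (the subnets that the new policy will carry instead).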