VPN Choice w/ Unifi

We have a Unifi setup in the States with a Cloud Gateway Ultra, and we are planning on doing the same at a home in Mexico. We want to use the built-in VPN client/server function to connect the network in Mexico to back home in the States, but I don’t know which VPN protocol to go with, and I can’t tell the difference while testing.

Some information:

Our internet speed in the States: 1000/1000 fiber
Mexico speed w/ Starlink: 200-300 down / 50 up

We plan on having streaming services readily available, so we need to use the US IP Address at all times. I’ve heard really good things about WireGuard, and that looks like the best option, but I want to get a personal opinion before I pull the trigger.

WireGuard is what I would go with.

On your CGU in the US, make a WireGuard VPN server.

On your CGU in Mexico, make a WireGuard client and import the config from your US-based CGU. You then need to make a routing policy to route the traffic over the VPN.

I do this exact thing, except my travel router is a Beryl AX. My home CGU has a WireGuard server running; wherever I get to, I plug in my Beryl AX, it makes the connection back home, and we use our streaming services, which think we are at home.

edit: I should also note that even though you have 1000/1000 fiber at your home in the US, the CGU is only rated for 500 Mbps with WireGuard, which is plenty for what you are wanting to do.

I’d need a static IP address for both ends, correct me if I am wrong. Starlink doesn’t do any static IPs.

Nah, you can just use aggressive mode. You just need one side with a static IP and the whole thing will work via NAT-T.
Set quad zeros on the SA and then use static/dynamic routing to allow traffic across without having to reconfigure the tunnel.

I’ve not configured a dynamic crypto on a Unifi, but I can’t imagine that they’ve missed that.

WireGuard is great for some things. I’ve used it for remote access stuff and it’s good for that, but I’ve found it fiddly if you need to start routing network blocks that may change/grow over time.

No, the magic site-to-site VPN doesn’t need static IP addresses, just one site that isn’t double-NATed (the other may even have double NAT!!!)
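To make the two points above concrete (the server/client/routing-policy steps, and the question of which side needs a static address), here is a pair of plain WireGuard configs that express the same site-to-site setup. This is an added example, not configuration from the thread, from Ubiquiti or from the Unifi GUI, which generates the equivalent for you; the key strings, the 10.200.0.0/24 tunnel subnet, the 192.168.50.0/24 Mexico LAN and the hostname vpn.example-home.us are placeholders I made up.

```ini
# ---- US side: Cloud Gateway acting as the WireGuard "server" ----
# This is the only side that needs a reachable, stable address (static IP
# or a DDNS name) and an open UDP port, because it never initiates.
[Interface]
Address    = 10.200.0.1/24
ListenPort = 51820
PrivateKey = US_PRIVATE_KEY_PLACEHOLDER      # generate with: wg genkey

[Peer]
# The Mexico site. No Endpoint line on purpose: Starlink is behind CGNAT
# with no static IP, so the US side learns the peer's current public
# address:port from the first authenticated packet the peer sends.
PublicKey  = MX_PUBLIC_KEY_PLACEHOLDER        # from: wg pubkey < mx_privatekey
AllowedIPs = 10.200.0.2/32, 192.168.50.0/24   # tunnel address + Mexico LAN (placeholder)

# ---- Mexico side: Cloud Gateway acting as the WireGuard client ----
[Interface]
Address    = 10.200.0.2/24
PrivateKey = MX_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey  = US_PUBLIC_KEY_PLACEHOLDER
Endpoint   = vpn.example-home.us:51820        # static IP or DDNS name of the US fiber line (placeholder)
# This line is the "routing policy": with 0.0.0.0/0 every packet from the
# Mexico LAN leaves through the tunnel and exits with the US public IP,
# which is what makes streaming services see the home address.
AllowedIPs = 0.0.0.0/0
# Periodic empty packets keep the CGNAT/Starlink mapping open so the US
# side can always send traffic back; without it the tunnel goes quiet
# after a few minutes of no outbound traffic from Mexico.
PersistentKeepalive = 25
```

Two things worth checking after bringing it up: `wg show` on the US side should list a `latest handshake` for the Mexico peer and an `endpoint` that changes whenever Starlink hands out a new address, and a traceroute from the Mexico LAN should show the first public hop on the US side. If you later want only some Mexico traffic to use the US exit, narrow the Mexico-side `AllowedIPs` (or use the Unifi routing policy with a source-based rule) rather than changing anything on the US peer.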