You’re working from your favourite coffee shop when you realise you need to access files on your home NAS. Or maybe you’re travelling and want secure access to your office printer without exposing your entire network to the internet. Sound familiar?
Don’t worry, this is a common issue we see frequently. The good news is that if you’ve got a UniFi router, you can set up a free VPN with UniFi Router using UniFi Identity’s One-Click VPN feature. No expensive subscriptions, no complicated configuration files, and definitely no PhD in networking required.
We’ll walk you through how to set this up in plain English. You don’t need to be technical; that’s our job. By the end of this guide, you’ll have secure remote access to specific resources on your network while keeping everything else locked down tight.
Key Takeaways
- UniFi Identity’s free version includes a one-click VPN that uses WireGuard encryption without manual client configuration
- You’ll need a UniFi Cloud Gateway and public IP address for the VPN to work reliably (or use Teleport VPN as a fallback)
- Split tunnelling is enabled by default, so your web browsing uses your local internet, while work traffic goes through the VPN
- Firewall rules let you control exactly what VPN users can access, from specific devices to entire network segments
- Setup takes minutes for admins, seconds for end users just install an app and click a link
Why Choose UniFi Identity Over Other VPN Solutions?
Let’s be honest, VPN setup has traditionally been a headache. You’ve probably heard of OpenVPN, TeleportVPN, or even paid services that charge monthly fees.
Here’s why UniFi Identity’s approach is different.
The Problem with Traditional VPN Options
Built-in TeleportVPN gives you quick access to your remote network, but it’s got two big limitations. First, it exposes your entire internal network to anyone connected. Second, it doesn’t support split tunnelling, so all your internet traffic gets routed through your home connection—even when you’re just browsing Facebook.
OpenVPN offers split tunnelling and robust security, but you’ll need to manually install and configure it on every device. Every new user means generating certificates, pushing configuration files, and providing tech support. We see this all the time with small businesses; it’s unsustainable.
Paid VPN services provide strong privacy, but they won’t give you access to your internal network resources, such as printers or NAS devices.
What Makes UniFi Identity One-Click VPN Special
UniFi Identity’s One-Click VPN delivers the best of all worlds:
- Split tunnelling by default means Netflix still works at full speed while you access your work files
- Automated setup through email invitations—users just click and connect
- Centralised management from your UniFi dashboard
- WireGuard protocol running behind the scenes for modern encryption and performance
- Granular firewall controls to lock down exactly what remote users can reach
Most problems can be fixed within an hour, and this VPN setup is no exception.
Prerequisites: What You’ll Need to Set Up a Free VPN with UniFi Router
Before we dive into the configuration steps, let’s make sure you’ve got everything sorted.
Essential Hardware Requirements
UniFi Cloud Gateway is absolutely required. This could be a Dream Machine, Dream Machine Pro, Dream Machine SE, or similar device. Without a Cloud Gateway, the Identity features simply won’t be available in your dashboard.
A public IP address is necessary for reliable operation. Check with your ISP to confirm you’re not on CGNAT (Carrier-Grade Network Address Translation). If you’re using Starlink or certain mobile broadband services, you may have a private IP address, which means you’ll need to either set up port forwarding on an upstream router or use Teleport VPN as a fallback option.
Software and Network Considerations
You’ll want to update your UniFi network controller to the latest firmware. The One-Click VPN feature has improved significantly in recent updates, particularly around split tunnelling support.
Your firewall rules should be relatively clean before starting. If you already have complex custom rules in place, take a moment to document them. We’ll be adding new VPN-specific policies, and you don’t want conflicts.
For end users, they’ll need to download the UniFi Identity app on their Windows desktop, laptop, or smartphone. It’s available for all major platforms and takes seconds to install.
If you’re managing remote IT support for your team, this setup will make your life considerably easier.
How to Set Up a Free VPN with UniFi Router: Admin Configuration
Right, let’s get your VPN server configured. This is the admin side. You’ll do this once, and then users can connect with minimal effort.
Step 1: Enable Identity and Endpoints
Log in to your UniFi console dashboard and navigate to the Identity section. You might need to enable Identity features if this is your first time using them.
Once you’re in, head to Settings and look for the Endpoints option. Enable it. This activates the infrastructure that manages VPN connections and user credentials.
Here’s a pro tip: disable automatic invitation sending initially. You can turn it on later, but for your first setup, it’s better to manually control when invitations go out. This gives you time to configure firewall rules before users start connecting.
Step 2: Configure Service Settings for Split Tunnelling
This is crucial. Navigate to Service Settings within the Identity area.
You’ll see an option for Split Tunnelling; make absolutely sure this is enabled. Split tunnelling ensures that when your users connect to the VPN, only traffic destined for your internal network actually routes through the tunnel. Everything else (web browsing, streaming, video calls) uses their local internet connection.
Without split tunnelling enabled, users will experience slower internet speeds, and you’ll waste bandwidth on your network connection.
Step 3: Create and Invite Users
In the Identity section, you can now create users. Add their email addresses and assign them appropriate permissions.
For each user, you’ll see an option to enable One-Click VPN permission. Toggle this on. The system automatically generates credentials and prepares a WireGuard VPN configuration in the background.
When you’re ready, send the invitation. Users will receive an email with a credential load link, making setup incredibly simple on their end.
Set the invitation expiration to a reasonable period; seven days is a good default. This prevents old invitation links from becoming a security risk.
Step 4: Customise Your VPN Site Name and Subnet
Under advanced settings, you can customise how your VPN appears to users. Instead of a generic “VPN” label, give it a meaningful name, such as “Home Office VPN” or “Company Network.”
You can also assign a custom subnet for VPN clients. For example, configuring VLAN 100 with a subnet such as 10.10.100.0/24 makes it easy to identify VPN-connected devices in your logs and firewall rules.
This isn’t mandatory, but it makes administration cleaner over time.
If you’re experiencing Wi-Fi issues alongside VPN setup, our team can help resolve both simultaneously.
End-User Experience: Connecting in Seconds
Let’s switch perspectives and look at what your users actually experience. Spoiler: it’s refreshingly simple.
Installing the UniFi Identity App
When users receive their invitation email, they’ll see clear instructions to download the UniFi Identity app for their device, whether that’s an iPhone, Android phone, Windows laptop, or Mac.
The app is free and available in all the standard app stores. Installation takes about 30 seconds.
Loading Credentials and Connecting
Once the app is installed, users open it and tap the credential load link from their invitation email. The app automatically imports all the necessary VPN configuration.
They’ll see a VPN tile or toggle within the app. One tap, and they’re connected. That’s it. No server addresses to type, no ports to remember, no certificates to manage.
The app displays their connection status as clearly connected or disconnected. Simple.
Controlling Split Tunnelling from the User Side
Here’s something brilliant: users can toggle split tunnelling on or off directly from the app.
By default, it’s on, which means their internet traffic stays local while work resources route through the VPN. But if they want all their traffic to go through your network (perhaps for additional security when on public Wi-Fi), they can disable split tunnelling with one tap.
This gives users direct control without requiring admin intervention every time.
For businesses managing remote computer repair and support, this level of simplicity dramatically reduces support tickets.
Security Hardening: Firewall Rules That Actually Protect You
Right, here’s where we separate a basic VPN setup from a secure one. By default, VPN users might have access to your entire internal network. That’s not ideal.
Let’s lock it down properly with firewall rules.
Creating a Block-All-VPN-to-Internal Rule
First, we’re going to create a blanket deny rule. In your UniFi dashboard, navigate to Firewall & Security and then Rules.
Create a new rule with these settings:
| Setting | Value |
|---|---|
| Name | Block VPN to All Internal |
| Action | Block |
| Source | VPN Zone |
| Destination | Internal Zone |
| Protocol | Any |
This rule blocks all traffic from VPN-connected devices to your internal network. Yes, this means the VPN won’t work yet—but that’s the point. We’re going to selectively allow only what’s needed.
Adding Specific Allow Rules for Approved Resources
Now create exception rules for the resources you actually want VPN users to access. Let’s say you want to allow access to a NAS device at IP address 192.168.1.100.
Create a new rule:
| Setting | Value |
|---|---|
| Name | Allow VPN to NAS |
| Action | Allow |
| Source | VPN Zone |
| Destination | 192.168.1.100 (or create a network object) |
| Protocol | Any (or specific ports like SMB/445) |
You can create similar rules for printers, specific servers, or defined network segments.
Rule Ordering Matters
This is critical: the Allow rule must appear above the Block rule in your firewall policy list. Firewall rules are processed top-to-bottom, so if the Block rule comes first, it’ll catch everything before the Allow rule ever gets evaluated.
Drag and drop your rules so that specific Allow policies sit above the general Block policy.
Optional: Blocking VPN Access to the Internet
If you want to ensure VPN users can only access internal resources and can’t use your network connection for general internet browsing, create another rule:
| Setting | Value |
|---|---|
| Name | Block VPN to Internet |
| Action | Block |
| Source | VPN Zone |
| Destination | Internet/WAN |
| Protocol | Any |
This prevents scenarios where users disable split tunnelling and route all their traffic through your connection.
These firewall constructs also work if you’re managing network setup for small businesses across London, Berkshire, and Surrey.
Troubleshooting Common Issues When You Set Up a Free VPN with UniFi Router
Even with a straightforward setup, you might hit a snag. Don’t worry—we see these all the time.
VPN Won’t Connect: Public IP Issues
The most common problem is not having a proper public IP address. If your ISP uses CGNAT (common with mobile broadband and some fibre services), the VPN server can’t accept incoming connections.
Solution: Contact your ISP and request a public IP address. Some providers charge a small fee; others provide it free. Alternatively, set up port forwarding if you have a router upstream of your UniFi gateway, or use Teleport VPN as a fallback (though you’ll lose the granular firewall controls).
Users Can’t Access Internal Resources
If users connect successfully but can’t reach your NAS or printer, check your firewall rules first. Make sure:
- The Allow rule is above the Block rule
- The destination IP or network object is correct
- You haven’t accidentally blocked the specific ports needed (SMB uses 445, for example)
You can verify connectivity by checking the Traffic section in your UniFi dashboard to see if packets are being blocked.
Split Tunnelling Not Working
If all user traffic is routing through the VPN despite split tunnelling being enabled, double-check the Service Settings in the Identity section. The toggle must be on at the server level.
Also, verify that users haven’t manually disabled split tunnelling in their app settings.
Invitation Links Expired
If users wait too long to accept their invitation, the credential load link expires. Simply regenerate and resend the invitation from your dashboard. Consider extending the expiration period to 14 days if your users aren’t particularly quick to respond.
For persistent issues, our remote desktop support services can quickly diagnose and resolve problems often within an hour.
Advanced Considerations and Use Cases
Once you’ve got the basics sorted, there are some advanced scenarios worth considering.
Multi-Site VPN: When You Need Site-to-Site Connectivity
If you’re managing two separate office locations and need them to communicate securely, One-Click VPN isn’t the right tool. Instead, you’ll want to configure a site-to-site VPN using UniFi’s Site Magic feature.
Site-to-site VPN creates a permanent, encrypted tunnel between two UniFi networks, allowing devices at each location to communicate as if they were on the same local network. This is ideal for sharing resources like file servers or centralised databases.
The firewall rule principles we covered still apply—you can restrict which devices at Site A can access which resources at Site B.
Using Teleport VPN as a Fallback
If you absolutely can’t get a public IP address, Teleport VPN works with CGNAT and services like Starlink. The trade-off is that you lose some of the granular firewall visibility and control that One-Click VPN provides.
Teleport doesn’t consistently display in zone-based firewall interfaces, though you can still identify connected device IPs and apply rules accordingly.
Enterprise Version Capabilities
UniFi offers a UID Enterprise version with additional features beyond the free tier[4]. While the free version is perfectly adequate for most small businesses and home users, enterprise environments might benefit from enhanced policy controls and management features.
The core VPN functionality remains the same—the enterprise version just adds administrative capabilities for larger deployments.
Custom VLAN Assignment for VPN Clients
Assigning VPN clients to a specific VLAN (e.g., VLAN 100) simplifies network management. You can easily identify VPN-connected devices in logs, apply VLAN-specific firewall rules, and even implement quality-of-service policies if needed.
This is particularly useful if you’re managing VPN access for different user groups. Contractors might be assigned VLAN 100 with restricted access, while full-time employees are assigned VLAN 101 with broader permissions.
If you’re setting up business IT support infrastructure, these advanced features can save considerable time.
Comparing UniFi Identity VPN to Other Solutions
Let’s put this in context with a quick comparison table:
| Feature | UniFi Identity One-Click VPN | TeleportVPN | OpenVPN | Commercial VPN Service |
|---|---|---|---|---|
| Cost | Free | Free | Free (self-hosted) | £5-15/month |
| Split Tunnelling | Yes | No | Yes | Yes |
| Setup Complexity | Very Easy | Very Easy | Complex | Easy |
| Granular Firewall Control | Excellent | Limited | Excellent | None (external) |
| Public IP Required | Yes | No | Yes | No |
| Access to Internal Resources | Yes | Yes | Yes | No |
| User Management | Dashboard | Dashboard | Manual | Account-based |
| Protocol | WireGuard | Proprietary | OpenVPN | Various |
For most users wanting secure remote access to specific internal resources, UniFi Identity One-Click VPN hits the sweet spot.
Real-World Use Cases: Who Benefits Most?
Remote Workers Accessing Office Resources
Your team works from home three days a week and needs access to the company file server and printer. With One-Click VPN, users connect in seconds, access exactly what they need, and keep browsing fast thanks to split tunnelling.
Dental Practices and Medical Offices
Healthcare providers often need secure access to patient management systems from multiple locations. UniFi Identity VPN provides the security required to protect sensitive data while maintaining GDPR compliance through robust access controls.
Legal Firms and Estate Agents
Professional services firms frequently work with confidential documents. Firewall rules ensure remote staff can access case files on the office NAS without exposing the entire network. Perfect for legal firm IT support scenarios.
Home Users with NAS Devices
You’ve invested in a home NAS for photo storage and media streaming. One-Click VPN lets you securely access your files from anywhere, without exposing your NAS to the public internet via port forwarding.
Small Businesses with Mixed Devices
Your team uses a mix of Windows laptops, MacBooks, and smartphones. The UniFi Identity app works across all platforms, so you can manage everyone from a single dashboard, regardless of their device.
Best Practices for Ongoing Management
Once your VPN is up and running, follow these practices to keep it secure and efficient:
Regularly audit firewall rules – Every quarter, review which resources VPN users can access. Remove access to decommissioned servers or resources that are no longer needed.
Manage user access promptly – when employees leave or contractors complete projects, disable their VPN access immediately in the dashboard.
Monitor connection logs – Check your UniFi dashboard’s traffic logs periodically to spot unusual access patterns or connection attempts from unexpected locations.
Keep firmware up to date – UniFi regularly improves VPN functionality and security. Update your Cloud Gateway firmware when new stable releases are available.
Use reasonable invitation expiration – Seven days is usually sufficient. Shorter periods improve security; longer periods reduce support requests.
Apply the principle of least privilege – Only grant access to resources users actually need. Start restrictive and add access as required, rather than starting permissive and trying to lock things down later.
Encourage split tunnelling – Educate users to keep split tunnelling enabled unless they need all traffic routed through the VPN for security reasons.
With 17+ years of experience, we’ve seen that proactive management prevents most VPN issues before they become problems.
Conclusion: Your Next Steps to Set Up a Free VPN with UniFi Router
You’ve now got everything you need to set up a free VPN with UniFi Router using UniFi Identity’s One-Click VPN feature. Let’s recap the essential steps:
- Verify prerequisites – Confirm you have a UniFi Cloud Gateway and a public IP address
- Enable Identity and Endpoints in your UniFi dashboard
- Configure split tunnelling in Service Settings
- Create users and send invitations with One-Click VPN permission enabled
- Implement firewall rules to control exactly what VPN users can access
- Guide users through app installation and credential loading
The beauty of this solution is that it’s genuinely free, remarkably simple for end users, and gives you professional-grade security controls through firewall policies.
Ready to Get Started?
If you’re comfortable with the UniFi dashboard, you can implement this setup yourself in under an hour. Most problems can be fixed within an hour, and VPN configuration is no exception.
However, if you’d prefer expert assistance or would like someone to handle the entire setup, we’re here to help. We serve clients across London, Berkshire, and Surrey, with same-day service available. No call-out fees, and you only pay if we fix it.
Our rates start from £80/hour, and we’ll explain everything in plain English, no jargon, no making you feel silly for asking questions.
Whether you need help with router setup, network security, or broader IT support for a small business, we have 17+ years of experience solving these kinds of challenges.
Your network security matters. With remote work here to stay in 2026, secure VPN access is essential, not optional. UniFi Identity makes it accessible to everyone, not just enterprise networks with dedicated IT teams.
Get your VPN configured properly, lock down those firewall rules, and give your team secure access to exactly what they need—nothing more, nothing less.
Need a hand? Book an appointment, and we’ll sort it together.
Nomi
https://nmaqsood.com/Noman Maqsood (Nomi) is a Senior IT Engineer with 7+ years in cloud, networking, and hybrid infrastructure. Azure certified. He writes about practical IT solutions, no jargon, just what actually works.