Multi-Path Room - Connect to a UniFi Gateway Console
This article explains how to connect a UniFi Gateway Console VPN (Virtual Private Network) to a Tehama Multi-Path Room.
Overview
What is a Tehama Multi-Path Room?
A Multi-Path Room is a short way of referring to a Tehama Room that has network access type "Multi-Path". This network access type is capable of securely connecting to networks through IPSec. Multi-Path Rooms support many such connections.
See the Multi-Path Room Connectivity User Guide for more details about Multi-Path Rooms.
Currently, only Standard Rooms support the "Multi-Path" network access type. Domain Join Rooms do not, as yet, support it.
Find out what your Room's network access type is from the Room's connection page. See section View a Room's network access setting in the Room/Desktop Connectivity - Types, Status and Settings guide for details.
What is a UniFi Gateway Console?
A UniFi Gateway Console is a Ubiquiti Gateway device that runs the proprietary UniFi Network Application. The UniFi Gateway Console manages all UniFi devices on a network. UniFi provides an interface to enable site-to-site IPsec VPN communication between the UniFi Gateway Console and other networks. See the Ubiquiti Support page for more information about Ubiquiti products.
Assumptions
- You have a Tehama organization and are an Admin or Org Manager user in that organization.
- You have a Ubiquiti UniFi Gateway Console that is connected to the company resources, data, etc., that you want to access securely from a Tehama Room.
The process to connect a private network that has a UniFi Console (version UniFi OS 3.0.18+) is divided into three parts:
- Create a Tehama Multi-Path Room (optional - you can also make a connection to an existing Multi-Path Room.)
- Add and Configure a New Connection
- Check the Status of the Connection
Create a Tehama Multi-Path Room
If you want to connect your private network to one of your existing Tehama Multi-Path Rooms, simply note the Room's name and skip to the next step.
Either:
- Create a new Tehama Multi-Path Room by following the steps found in the Getting Started with Tehama Room Creation guide, under section 'Create and connect a Standard Room', selecting 'Multi-Path' as the Room's Network Access type.
or
- Convert one of your existing Rooms with 'Tehama Gateway' or 'Internet-Only' network access to use 'Multi-Path' network access, by following the steps found in the Room/Desktop Connectivity - Types, Status and Settings guide, under section 'Change a Room's Network Access setting'.
Take note of your Multi-Path Room's name, for use in the creation of your connection.
Information gathered in this step:
- The name of your Multi-Path Room.
Add and Configure a New Connection
Add and configure a connection to your private network, through UniFi, from your Tehama Multi-Path Room as follows:
First, gather some information about your private network.
- A) UniFi - Find Your Private Network Info
Next, add a connection between your Multi-Path Room and your UniFi Gateway.
- B) Tehama - Create a New Connection in Your Multi-Path Room
- C) UniFi - Create and Configure a New VPN Connection on your UniFi Gateway Console
Finally, update your Multi-Path Room's firewall rules (and optionally its DNS Filtering) to allow access to resources in your private network from your Room's Tehama Desktops.
- D) Update Firewall Rules/DNS Filtering
Let's get started with step A.
A: UniFi Console: Find Your Private Network Info
In this step, we will use the UniFi Console's Web Interface to look up your public network IP Address, and also determine which network subnet(s) you wish to connect to your Multi-Path Room. You will need to know how to access your UniFi Console Web Interface. (Ask your IT dept for assistance, if necessary.)
Required information for this step:
- Your UniFi Console Web Interface login info.
1. Log in to your UniFi, via the Web Interface, as an administrator
- See the UniFi Help Article which provides information about connecting to the UniFi Console.
2. From the applications tab, click Network
- Take note of your WAN IP (Public IP Address) listed in the top right corner of the Network screen
3. From the main navigation menu on the left, click on Settings (gear icon) at the bottom of the menu
- Next, click Networks
- Take note of your Network and/or Virtual Network Subnets you wish to connect to from a Tehama desktop
- You may choose a single or multiple target subnets to connect to through Tehama
Information gathered/confirmed in this step:
- Your private network's subnet.
- Your private network's public IP address (the UniFi Console's WAN IP)
B: Tehama WebUI: Create a New Connection in Your Multi-Path Room
In this step, we create a new connection in your Multi-Path Room. This generates the pre-shared key for the connection. This key is needed for the next step, in the UniFi interface.
Required information for this step:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- Your private network's subnet, from step A.
- Your private network's public IP address, from step A.
- A meaningful name for your new connection.
- A description for your new connection.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room you want to connect to your UniFi Gateway. You will see the page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Click the ADD CONNECTION button. You will see the form for creating a new connection.
- In the new connection form:
- Name - enter a meaningful name for your new connection.
- Description (optional) - enter a description for your new connection.
- Target Subnet - enter your private network's subnet value, from step A. The form allows you to enter more than one target subnet. Click on + Add more to bring up additional target subnet fields.
- Public IP Address - enter your private network's public IP address (UniFi's WAN IP), from step A.
Take note of the Tehama Room Information details available on the New Connection form. They are needed in step C.
- Copy the Pre-shared key value.
- Copy the Room IP value.
- Copy the Room subnet value.
- Click CONNECT.
If you forget to copy the values before initiating the connection, you can get to them from the CONNECTION page for the Room:
- Click on the name of your connection in the Connections table. You will see the information page for the connection.
- Click the EDIT button. You will see the edit page for the connection.
- Copy the values.
Information gathered in this step:
- Your Multi-Path Room's new connection's pre-shared key.
- Your Multi-Path Room's Room IP.
- Your Multi-Path Room's Room subnet.
- The name of your new connection in your Multi-Path Room.
C: UniFi Console: Create and Configure a Site-to-Site VPN Connection
In this step, you will create and configure a new Site-to-Site VPN connection, on your UniFi Console to connect to your Multi-Path Room.
Required information for this step:
- Your Multi-Path Room's Room subnet, from step B.
- Your Multi-Path Room's Room IP value, from step B.
- Your Multi-Path Room's new connection's Pre-shared key, from step B.
- Your private network's subnet, from step A.
- Your private network's public IP address (UniFi's WAN IP), from step A.
- Meaningful names for the UniFi site-to-site VPN configuration
1. Log in to your UniFi, via the Web Interface, as an administrator
- See the UniFi Help Article which provides information about connecting to the UniFi Console.
2. From the applications tab, click Network
3. From the main navigation menu on the left, click on Settings (gear icon) at the bottom of the menu
- Next, click Teleport & VPN
- In the resulting screen, scroll down to the Site-to-Site VPN section
- Click Create Site-to-Site VPN
- You may choose a single or multiple target subnets to connect to through Tehama
- More details on Site-to-Site VPN can be found on the UniFi Gateway - Site-to-Site IPsec VPN guide
Set up your new site-to-site VPN to have the following configuration:
Name: tehama-room
VPN Protocol: Manual-IPsec
Pre-shared Key: AAAAAA
Server Address: BBBBBB
Shared Remote Subnets: CCCCCC (be sure to click the Add button)
Advanced Settings: Manual
IPsec Profile: Customized
Key Exchange Version: IKEv2
Encryption: AES-256
Hash: SHA256
IKE DH Group: 14
ESP DH Group: 14
Perfect Forward Secrecy (PFS): Enable is checked
Route-Based VPN: Enable is checked
Route Distance: 45
Legend:
- tehama-room: A meaningful name for the IPsec tunnel.
- Manual-IPsec: Tunnel protocol.
- AAAAAA: Your Multi-Path Room's new connection's Pre-shared key.
- BBBBBB: Your private network's public IP address (the UniFi Gateway external IP).
- CCCCCC: Your Multi-Path Room's Room subnet.
- Advanced: displays additional configuration options
- Customized: allows for manual IPsec tunnel configuration
Information gathered/confirmed in this step:
- N/A.
D: Update Firewall Rules/DNS Filtering
Finally, this last step is to update your Multi-Path Room's firewall rules to allow access to resources in your private network from your Room's Tehama Desktops.
If you wish to completely open access to everything in your private network, add custom firewall rules to your Multi-Path Room allowing access to the entire subnet for your private network. Otherwise, add more granular rules.
See instructions on how to add firewall rules in section Add Custom Firewall Rule in the Firewall Rules User Guide.
You can optionally add an extra layer of access control on top of firewall rules through the Room's DNS Filtering feature. See the DNS Filtering guide for more details.
Check the Status of the Connection
Check the Status of the UniFi VPN connection you configured between your private network and your Multi-Path Room.
Check connection status in Tehama
Required information:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- The name of your new connection in your Multi-Path Room, from step B.
- Your network's public IP address (the UniFi Gateway WAN IP) from step A.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room you connected to your UniFi Console. You will see the page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Find the connection in the connection table (identify it by name, from step B, or by your private network's WAN IP value, from step A).
- Verify that the connection status is green.
Troubleshoot connection status in Router
If the status in the Tehama Web UI is not green, you can view the UniFi connection status for the connection through the UniFi OS CLI:
Required information for this step:
- Your UniFi Console Remote login info.
- Log in to your UniFi Console, via the CLI, as root (or a user with sudo privileges).
- To confirm the tunnel is running, type:
  sudo ipsec statusall
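As an added example (not Tehama's or Ubiquiti's own code), the script below reads the output of sudo ipsec statusall and checks that the tunnel is up and was negotiated with the parameters chosen in step C (IKEv2, AES-256, SHA256, DH group 14, which strongSwan reports as MODP_2048, and PFS on the ESP SA). The tunnel name tehama-room, the strongSwan line layout and the sample output are assumptions; the sample is constructed.

```shell
#!/bin/sh
# Check that the site-to-site tunnel to a Tehama Multi-Path Room is up and uses
# the step C parameters: IKEv2, AES-256, SHA256, DH group 14 (MODP_2048) for
# IKE, and a DH group on the ESP SA (PFS). Added example, not Ubiquiti or Tehama
# code; the "ipsec statusall" line layout and tunnel name are assumptions.

# check_tunnel NAME STATUS_TEXT: prints "OK" or one "FAIL: ..." line per problem
# and returns non-zero if any check failed.
check_tunnel() {
  name="$1"; status="$2"; rc=0
  # IKE SA line looks like "<name>[3]: ESTABLISHED 12 minutes ago, ..."
  printf '%s\n' "$status" | grep -q "^$name\[[0-9]*]: ESTABLISHED" \
    || { echo "FAIL: IKE SA for $name is not ESTABLISHED"; rc=1; }
  printf '%s\n' "$status" | grep -q "^$name\[[0-9]*]: IKEv2 SPIs" \
    || { echo "FAIL: $name is not using IKEv2"; rc=1; }
  # "<name>[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_.../MODP_2048"
  ike=$(printf '%s\n' "$status" | sed -n "s/^$name\[[0-9]*]: IKE proposal: //p" | head -n 1)
  case "$ike" in
    AES_*_256/HMAC_SHA2_256*MODP_2048) ;;
    *) echo "FAIL: IKE proposal '$ike' is not AES-256/SHA256/DH group 14"; rc=1 ;;
  esac
  # Child (ESP) SA: "<name>{5}:  INSTALLED, TUNNEL, ..." then a line naming the
  # ESP algorithms (and the DH group only when PFS is on) plus byte counters.
  printf '%s\n' "$status" | grep -q "^$name{[0-9]*}: *INSTALLED, TUNNEL" \
    || { echo "FAIL: ESP child SA for $name is not INSTALLED"; rc=1; }
  esp=$(printf '%s\n' "$status" | grep "^$name{[0-9]*}:.*bytes_i" | head -n 1)
  case "$esp" in
    *AES_*_256/HMAC_SHA2_256*) ;;
    *) echo "FAIL: ESP SA is not AES-256/SHA256"; rc=1 ;;
  esac
  case "$esp" in
    *MODP_2048*) ;;
    *) echo "FAIL: no DH group on the ESP SA, so PFS is not in effect"; rc=1 ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK"
  return "$rc"
}

# Constructed sample of "sudo ipsec statusall" output for a healthy tunnel
# (documentation IP ranges, made-up SPIs).
SAMPLE_OK='Security Associations (1 up, 0 connecting):
tehama-room[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
tehama-room[3]: IKEv2 SPIs: 0a1b2c3d4e5f6071_i* 1122334455667788_r, pre-shared key reauthentication in 2 hours
tehama-room[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
tehama-room{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i c4b3a2c1_o
tehama-room{5}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 4096 bytes_i (32 pkts, 3s ago), 2048 bytes_o (16 pkts, 3s ago)
tehama-room{5}:   192.168.10.0/24 === 10.20.0.0/16'

# Offline demo on the sample; on the console run: check_tunnel tehama-room "$(sudo ipsec statusall)"
check_tunnel tehama-room "$SAMPLE_OK"
```

A tunnel that shows green in Tehama but fails one of the proposal checks here was negotiated with weaker parameters than step C intended and should have its UniFi IPsec profile corrected.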
See additional information on Support files and Logs on a UniFi console
See the UniFi - Connect with SSH guide for help setting up UniFi OS for SSH capabilities.