Ubiquiti
Connect a Ubiquiti UniFi Gateway to Cloudflare's network using Cloudflare WAN (formerly Magic WAN). These steps use the Cloud Gateway Max (UCG-Max) but work with other UniFi gateways supporting route-based IPsec (Internet Protocol Security) VPNs (Virtual Private Networks), like the Dream Machine series.
- Cloudflare account with Cloudflare WAN enabled (contact your account team)
- UniFi Cloud Gateway or Dream Machine with IPsec support
- UniFi Network Application (self-hosted or cloud)
- Static public IP from your ISP
- Admin access to both Cloudflare and UniFi
- Gather a Magic Anycast IPv4 address from the Leased IPs section in the dashboard:
  - Go to Address space.
  - Contact your account team if you do not see any IPs listed.
Step 1: Create the IPsec tunnel in Cloudflare
- Log in to Cloudflare One, and go to Networks.
- Go to Connectors > Cloudflare WAN, and select Create.
- Select IPsec tunnel > Next, and fill in the following settings:
  - Name: unifi-gw-primary
  - IPv4 Interface Address: 10.252.2.28/31, or refer to the Tunnel endpoints documentation.
  - Customer Endpoint: Your UniFi Gateway's WAN IP (for example, 203.0.113.10).
  - Cloudflare Endpoint: One of the IPv4 addresses gathered from Leased IPs.
- Under Tunnel Health checks, select:
  - Health check rate: Set to the desired level.
  - Health check type: Request
  - Health check direction: Bidirectional
  - Health check target: Default
- Under Pre-shared key, select Add pre-shared key later. UniFi generates this key when you configure the site-to-site VPN in Step 2; you will add it to this tunnel afterwards.
Step 2: Configure the site-to-site VPN in UniFi
- In UniFi Network, go to Settings > VPN > Site-to-Site VPN.
- Select Create New.
- Configure the following settings:
  - VPN Type: IPsec.
  - Name: Cloudflare-Magic-WAN.
  - Pre-shared key: Copy this key. You need it for the Cloudflare WAN tunnel.
  - Local IP: Select the WAN interface (for example, WAN1).
  - Remote IP: Enter the Cloudflare endpoint IP from Step 1.
  - VPN Method: Route Based.
  - Tunnel IP: 10.252.2.29/31, or refer to the Tunnel endpoints documentation.
  - Remote Networks: The Cloudflare-side tunnel address (for example, 10.252.2.28/31) and any other remote subnets you want to reach through Cloudflare WAN.
- Set Advanced settings:
  - Key Exchange Version: IKEv2.
  - IKE Encryption: AES-256.
  - IKE Hash: SHA256.
  - IKE DH Group: 14.
  - IKE Lifetime: 28800.
  - ESP Encryption: AES-256.
  - ESP Hash: SHA256.
  - ESP DH Group: 14.
  - ESP Lifetime: 28800.
  - PFS: Enabled.
  - Local Authentication ID: Auto.
  - Remote Authentication ID: Uncheck Auto, and enter the Cloudflare Endpoint IP from Step 1.
  - MTU: 1436.
- Select Apply.
Step 3: Add the pre-shared key to the Cloudflare tunnel
- Log in to Cloudflare One, and go to Networks.
- In WAN tunnels, find the IPsec tunnel you created in Step 1.
- Select your tunnel, then select Edit.
- Paste the pre-shared key from Step 2.
- Select Save.
Step 4: Add a WAN route for your local network
- Log in to Cloudflare One, and go to Networks.
- Go to Routes > WAN routes > Create.
- Enter the following settings:
  - Prefix: Your local network (for example, 192.168.1.0/24).
  - Tunnel/Next hop: Select your tunnel.
  - Priority: 100.
- Select Add routes to add your static route.
Wait a few minutes, then access both Cloudflare and UniFi to verify the tunnel's status:
Cloudflare
- Log in to Cloudflare One, and go to Insights.
- Go to Network visibility > WAN connector health.
- Find the tunnel you have just created and make sure its status shows Up. Refer to Check tunnel health in the dashboard for more information.
UniFi
Go to Settings > VPN, and make sure the status is Connected.
Troubleshooting
Tunnel down:
- Verify that the peer IP, pre-shared key, and IPsec settings (IKE/ESP algorithms, DH group, lifetimes, PFS) match on both sides.
- Check that your ISP is not blocking UDP ports 500 and 4500.
Traffic not routing:
- Verify the Remote Subnets setting in the UniFi VPN configuration.
- Check that firewall rules are not blocking VPN traffic.
Health check fails:
- Allow ICMP from Cloudflare to the customer-side tunnel IP.
- The health check target should be the /31 interface IP on the UniFi side, not your LAN gateway.
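Most tunnel-down and health-check failures in this setup come from the two sides disagreeing on a value that each dashboard asks for separately. The script below is an added example (not Cloudflare or Ubiquiti code) that models the Cloudflare side (Steps 1, 3, 4) and the UniFi side (Step 2) as two dictionaries built from the values on this page, and reports every mismatch the troubleshooting list above tells you to look for: the /31 pairing of the tunnel addresses, mirrored endpoints, the pre-shared key, the Cloudflare tunnel address being present in Remote Networks, the health-check target being the UniFi /31 interface rather than the LAN gateway, and the IKE/ESP parameters. The endpoint IP 198.51.100.1, the key string, and the 10.0.0.0/8 remote subnet are placeholders, not values from the page.

```python
"""Consistency check for a route-based IPsec tunnel between a UniFi gateway
and Cloudflare WAN. Added example, not Cloudflare or Ubiquiti code; both
configuration dictionaries are constructed from the values on this page,
with placeholders for the Leased IP and the pre-shared key."""
import ipaddress

# Constructed sample: the Cloudflare side (Steps 1, 3 and 4).
CLOUDFLARE = {
    "name": "unifi-gw-primary",
    "interface_address": "10.252.2.28/31",   # Cloudflare side of the /31
    "customer_endpoint": "203.0.113.10",     # UniFi WAN IP (documentation range)
    "cloudflare_endpoint": "198.51.100.1",   # placeholder for a Leased IP
    "psk": "example-psk-change-me",          # placeholder, not a real key
    "health_check_target": "10.252.2.29",    # customer-side /31 interface IP
}

# Constructed sample: the UniFi side (Step 2).
UNIFI = {
    "tunnel_ip": "10.252.2.29/31",
    "local_ip": "203.0.113.10",
    "remote_ip": "198.51.100.1",
    "psk": "example-psk-change-me",
    "remote_networks": ["10.252.2.28/31", "10.0.0.0/8"],  # second entry is a placeholder
    "remote_auth_id": "198.51.100.1",
    "ike_version": 2, "ike_encryption": "AES-256", "ike_hash": "SHA256", "ike_dh_group": 14,
    "esp_encryption": "AES-256", "esp_hash": "SHA256", "esp_dh_group": 14,
    "pfs": True, "mtu": 1436,
    "lan_gateway": "192.168.1.1",
}

# Parameters this page recommends for the UniFi Advanced settings.
EXPECTED_PARAMS = {
    "ike_version": 2, "ike_encryption": "AES-256", "ike_hash": "SHA256",
    "ike_dh_group": 14, "esp_encryption": "AES-256", "esp_hash": "SHA256",
    "esp_dh_group": 14, "pfs": True, "mtu": 1436,
}


def check_tunnel(cf, unifi):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    cf_if = ipaddress.ip_interface(cf["interface_address"])
    un_if = ipaddress.ip_interface(unifi["tunnel_ip"])

    # Both tunnel interface addresses must be the two hosts of one /31.
    if cf_if.network.prefixlen != 31 or un_if.network.prefixlen != 31:
        findings.append("tunnel interface addresses must be /31")
    elif cf_if.network != un_if.network or cf_if.ip == un_if.ip:
        findings.append(f"tunnel addresses {cf_if} and {un_if} are not a /31 pair")

    # Endpoints are mirrored: Cloudflare's customer endpoint is UniFi's WAN IP,
    # and Cloudflare's own endpoint is UniFi's remote IP and remote auth ID.
    if cf["customer_endpoint"] != unifi["local_ip"]:
        findings.append("Cloudflare customer endpoint != UniFi local (WAN) IP")
    if cf["cloudflare_endpoint"] != unifi["remote_ip"]:
        findings.append("Cloudflare endpoint != UniFi remote IP")
    if unifi["remote_auth_id"] != cf["cloudflare_endpoint"]:
        findings.append("UniFi remote authentication ID must be the Cloudflare endpoint IP")
    if cf["psk"] != unifi["psk"]:
        findings.append("pre-shared keys differ")

    # The Cloudflare-side /31 address must be reachable via the tunnel.
    if not any(cf_if.ip in ipaddress.ip_network(n, strict=False)
               for n in unifi["remote_networks"]):
        findings.append("Cloudflare tunnel address missing from UniFi remote networks")

    # Health checks target the customer-side /31 IP, not the LAN gateway.
    target = ipaddress.ip_address(cf["health_check_target"])
    if target != un_if.ip:
        findings.append(f"health check target {target} is not the UniFi /31 interface IP {un_if.ip}")

    # IKE/ESP parameters must match the recommended values.
    for key, value in EXPECTED_PARAMS.items():
        if unifi.get(key) != value:
            findings.append(f"{key}: expected {value!r}, got {unifi.get(key)!r}")
    return findings


if __name__ == "__main__":
    for line in check_tunnel(CLOUDFLARE, UNIFI) or ["OK: both sides agree"]:
        print(line)
```

Run it with the two dictionaries edited to your real values; every printed line maps to one item in the troubleshooting list above, and the health-check target check catches the common mistake of pointing Cloudflare at the LAN gateway instead of the /31 interface.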
To route only specific devices through Cloudflare (UniFi Network Application):
- Remove unnecessary routes from Remote Subnets in your VPN configuration.
- Go to Settings > Policy Table.
- Under Policy Engine, select Create New Policy with the following settings:
  - Select Route.
  - Name: Provide a name for the policy.
  - Type: Policy-Based.
  - Interface/VPN Tunnel: Select the VPN tunnel (for example, Cloudflare-Magic-WAN).
  - Kill Switch: Enabled (recommended).
  - Source: Select Device/Network, and then choose the device(s) or network(s).
  - Destination: Any.
  - Interface: Your VPN tunnel.
Next steps:
- Use Cloudflare Network Firewall for network policies.
- Configure a second tunnel for redundancy.
- Monitor traffic in the Cloudflare WAN dashboard.
You are now routing traffic through Cloudflare's network using Cloudflare WAN.