UniFi Express VPN & Network Management#

What Was Established#

• Methodology for configuring ProtonVPN WireGuard on UniFi Express.
• Kill switch implementation to prevent IP/DNS leaks when the VPN drops.
• Best practices for managing Netgear managed switches via dedicated subnets and secure ports.

Key Decisions#

• WireGuard Protocol: Selected over OpenVPN for superior speed and efficiency on UniFi Express.
• Kill Switch Pattern: Default-deny WAN traffic; only allow forwarding through the wg0 interface.
• Netgear Management: Restrict switch web GUI access to a dedicated management VLAN/subnet using HTTPS.

Current Configuration#

• VPN Client: ProtonVPN (WireGuard)
• Endpoint: us-123.protonvpn.net:51820 (example high-speed server)
• ProtonVPN DNS: 10.2.0.1
• Allowed IPs: 0.0.0.0/0 (full tunnel)
• Netgear Switch Management Ports:
  • HTTP: 80 (insecure, avoid)
  • HTTPS: 443 (secure web GUI)
  • SSH: 22 (CLI access)
  • SNMP: 161 (monitoring)

Historical Notes#

• Conversation dated 2025-04-14.
• Gateway device referred to as UniFi Express (infrastructure list notes “UCG Express ‘Olorín’ at 192.168.1.1”).
• Netgear MS308E is the managed switch in the homelab.
• Kill switch and DNS leak prevention rely on iptables/nftables or UniFi OS firewall rules.

Open Questions#

• Does UniFi Express support native WireGuard kill switch in the GUI, or is manual CLI firewall configuration required?
• Specific UniFi OS version and exact GUI paths for VPN/kill switch implementation.
• Whether split tunneling is needed for specific homelab services.

Related Pages#

• Network Infrastructure & VLANs
• VLAN Configuration: OPNsense & Netgear MS308E
• Cloudflare Integration: SSL & DNS

Uptime Kuma - Configuration & Integrations