Compare Teleport, UniFi VPN, and port-forward approaches for secure remote admin and user access.
VPN and Remote Access with UniFi
Remote access should be encrypted — avoid exposing admin ports to the open internet.
Options overview
| Method | Best for | Notes |
|---|---|---|
| UniFi Teleport (where supported) | Quick user VPN on gateways that offer it | Easy mobile setup |
| UniFi VPN / L2TP / IPsec | Site-to-site or road warriors | Configure on gateway |
| WireGuard / third-party | Advanced users | May run on separate appliance |
| Port forward to controller | Not recommended | High risk — use VPN instead |
Your hosted i2unifi controller is already remote — admins use HTTPS to i2unifi. Site VPN is for reaching on-site LAN resources (files, cameras, RDP to PCs).
Teleport (if available on your gateway)
- Enable in UniFi OS gateway Teleport settings.
- Invite users via app / email.
- Test access to a LAN resource (printer IP, file share).
Site-to-site VPN
- Connect branch office to HQ gateway.
- Ensure no overlapping subnets (both sides using 192.168.1.0/24 fails).
- Document Phase 1/2 or WireGuard keys outside UniFi for disaster recovery.
Accessing UniFi controller remotely
- Use your i2unifi controller URL — no need to port-forward UniFi ports to the internet.
- Protect admin accounts with strong passwords and 2FA.
Security practices
- Deny WAN → LAN admin ports in firewall.
- Use RADIUS or SSO for WiFi where scale requires it.
- Revoke VPN users when staff leave.
Troubleshooting
- VPN connects but no LAN access: check firewall rules and DNS pushed to clients.
- Double NAT breaks VPN — bridge ISP modem when possible.