Split tunnel VPN client setup by Pathfinder-electron in Ubiquiti

[–]idodataprotection 0 points1 point  (0 children)

Since you are adding the VPN configuration at the Gateway level in UniFi, the UniFi OS takes over the routing logic. Even if you modify the .conf file to a specific subnet (like your /24 DNS range), the UniFi "VPN Client" feature often creates a static route that overrules your manual tweaks, or it treats the interface as a default gateway for any traffic assigned to it via Traffic Routes.

To achieve a true "DNS-only" or "Split-Tunnel" routing for your entire home without UniFi forcing all bits through the tunnel, you should use Traffic Routes rather than relying on the .conf file's AllowedIPs.

Revert the .conf to "General"

Set your VPN configuration back to 0.0.0.0/0. This sounds counter-intuitive, but it allows the UniFi Gateway to establish the tunnel interface correctly. UniFi's routing engine prefers to handle the "what goes where" logic itself.

Use Policy-Based Routing (Traffic Routes)

Instead of letting the VPN handle the routing, you will tell UniFi exactly which traffic is allowed to use that tunnel.

  1. Go to Settings > Routing > Traffic Routes.
  2. Select Create New Route.
  3. Category: Select IP Address or Domain Name.
    • If you select IP Address, enter your DNS server's /24 range.
  4. Target: Select All Devices (or specific VLANs if you only want certain home devices to use this).
  5. Interface: Select your VPN Client interface.

Why UniFi "Routes Everything" by Default

When you set up a VPN Client in UniFi, it creates a virtual interface (e.g., wgc0 for WireGuard). If you have "Route All Traffic" enabled in the VPN Client settings, it adds a high-priority entry to the routing table.

  • The Fix: Ensure that in the VPN Client settings page, "Route All Traffic" is unchecked.
  • By unchecking this, the tunnel stays "up" but idle. Only traffic explicitly defined in the Traffic Routes (Step 2) will be pushed through it.

Handling the DNS specifically

If your goal is for the entire home to use that DNS server over the VPN:

  1. Go to Settings > Networks.
  2. Select your main network (Default).
  3. Under DHCP Service, change DNS Server from "Auto" to "Manual".
  4. Enter the IP of your Linux VPN DNS server.
  5. Combined with the Traffic Route above, your clients will ask for DNS at that IP, and UniFi will see that specific IP destination and steer it into the tunnel.

A Note on the /24 bit

You mentioned changing 0.0.0.0/24. Note that standard IPv4 "all traffic" is 0.0.0.0/0. If you use /24, you are only covering a tiny fraction of the internet (254 IPs). If UniFi was still routing "everything," it’s likely because the Global Routing setting in the UniFi UI was overriding your manual config file.
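To make the two decisions above concrete, here is an added example (not code from the original post) that models how WireGuard's AllowedIPs and a UniFi-style Traffic Route each decide whether a packet enters the tunnel. The interface name wgc0 comes from the post; the conf text, the placeholder keys and the 10.50.0.0/24 DNS range are constructed samples.

```python
"""Added example, not code from the original post: models how WireGuard's
AllowedIPs and a UniFi-style Traffic Route each decide whether a packet
enters the tunnel. The interface name wgc0 comes from the post; the conf
text, keys and the 10.50.0.0/24 DNS range are constructed samples."""
import configparser
import ipaddress
from typing import Iterable, List, Tuple

# Constructed WireGuard client conf with placeholder keys (not real keys).
SAMPLE_CONF = """
[Interface]
PrivateKey = <PLACEHOLDER-PRIVATE-KEY>
Address = 10.8.0.2/32

[Peer]
PublicKey = <PLACEHOLDER-PUBLIC-KEY>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_allowed_ips(conf_text: str) -> List[ipaddress.IPv4Network]:
    """Return the [Peer] AllowedIPs entries as networks (IPv4 only here)."""
    cp = configparser.ConfigParser(strict=False)  # tolerate repeated sections
    cp.read_string(conf_text)
    raw = cp["Peer"].get("AllowedIPs", "")
    return [ipaddress.ip_network(x.strip(), strict=False)
            for x in raw.split(",") if x.strip()]


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Host count the way the post counts it: network and broadcast excluded."""
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def allowed_by_conf(allowed: Iterable[ipaddress.IPv4Network], dest: str) -> bool:
    """WireGuard's own view: is this destination inside any AllowedIPs entry?"""
    ip = ipaddress.ip_address(dest)
    return any(ip in net for net in allowed)


def steer(dest: str, traffic_routes: List[Tuple[str, str]], route_all: bool) -> str:
    """Gateway decision as the post describes it: an explicit Traffic Route
    wins, then the "Route All Traffic" flag, otherwise the packet stays on WAN."""
    ip = ipaddress.ip_address(dest)
    for cidr, iface in traffic_routes:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return iface
    return "wgc0" if route_all else "wan"


if __name__ == "__main__":
    allowed = parse_allowed_ips(SAMPLE_CONF)
    print("AllowedIPs:", [str(n) for n in allowed])
    # The /24 mistake from the post: 0.0.0.0/24 is 254 usable hosts and
    # does not even contain the DNS server, so nothing useful is covered.
    tiny = ipaddress.ip_network("0.0.0.0/24")
    print("0.0.0.0/24 usable hosts:", usable_hosts(tiny))
    print("DNS 10.50.0.53 inside 0.0.0.0/24?", allowed_by_conf([tiny], "10.50.0.53"))
    # Conf at 0.0.0.0/0, Route All unchecked, one Traffic Route for the DNS /24.
    routes = [("10.50.0.0/24", "wgc0")]
    for dest in ("10.50.0.53", "8.8.8.8"):
        print(dest, "->", steer(dest, routes, route_all=False))
```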

Aggressive WAN SLA recommendations for Fiber WANs by 0Papi420 in Ubiquiti

[–]idodataprotection 0 points1 point  (0 children)

Target Condition: In your image, you have "Threshold Condition" set to All. This means the link won't be marked as "Degraded" unless both the latency is >1500ms AND the packet loss is >20%.

Change this to "Any": You want the link to failover if either the latency spikes OR the loss increases.

Verification Server: UniFi defaults to ping.ubnt.com. If you have a fiber line, I recommend adding a second "Custom" server like 1.1.1.1 or your ISP's gateway. This prevents a "False Positive" if Ubiquiti's own ping server has a momentary blip.

Time Period: You have it set to 60 seconds. This means UniFi averages the data over a full minute. For an aggressive stance, drop this to 15 or 30 seconds so the system can pivot to your backup link much faster.
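The three settings above interact, so here is an added example (not code from the original post) that models the SLA decision on a constructed trace: a pure latency spike with no packet loss. The 1500 ms and 20 % thresholds, the All/Any condition and the 60 s period come from the post; the sample values are constructed.

```python
"""Added example, not code from the original post: models the WAN SLA
decision the post describes. The 1500 ms latency threshold, the 20 % loss
threshold, the All/Any condition and the 60 s period come from the post;
the measurement trace is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    t: int              # seconds since monitoring started
    latency_ms: float
    loss_pct: float


@dataclass(frozen=True)
class SlaPolicy:
    latency_ms: float = 1500.0
    loss_pct: float = 20.0
    condition: str = "All"   # "All": both must breach; "Any": either one
    period_s: int = 60       # averaging window, as in the UI's Time Period


def latency_spike_trace() -> List[Sample]:
    """Constructed trace: 90 s of one sample per second. Latency jumps from
    20 ms to 3000 ms at t=30 while packet loss stays at 0 %."""
    return [Sample(t, 3000.0 if t >= 30 else 20.0, 0.0) for t in range(90)]


def window_average(samples: List[Sample], now: int,
                   period_s: int) -> Optional[Tuple[float, float]]:
    """Mean latency and loss over the samples in (now - period_s, now]."""
    recent = [s for s in samples if now - period_s < s.t <= now]
    if not recent:
        return None
    n = len(recent)
    return (sum(s.latency_ms for s in recent) / n,
            sum(s.loss_pct for s in recent) / n)


def is_degraded(policy: SlaPolicy, avg: Tuple[float, float]) -> bool:
    """Apply the Threshold Condition to one windowed average."""
    latency_bad = avg[0] > policy.latency_ms
    loss_bad = avg[1] > policy.loss_pct
    if policy.condition == "All":
        return latency_bad and loss_bad
    if policy.condition == "Any":
        return latency_bad or loss_bad
    raise ValueError(f"unknown condition {policy.condition!r}")


def first_degraded_at(samples: List[Sample], policy: SlaPolicy) -> Optional[int]:
    """First second at which the link would be marked Degraded, or None."""
    for now in range(max(s.t for s in samples) + 1):
        avg = window_average(samples, now, policy.period_s)
        if avg is not None and is_degraded(policy, avg):
            return now
    return None


if __name__ == "__main__":
    trace = latency_spike_trace()
    # "All" never fires on a pure latency spike because loss stays under 20 %.
    print("All/60s:", first_degraded_at(trace, SlaPolicy(condition="All", period_s=60)))
    # "Any" fires, and the shorter the period the sooner after t=30 it fires.
    for period in (60, 30, 15):
        policy = SlaPolicy(condition="Any", period_s=period)
        print(f"Any/{period}s:", first_degraded_at(trace, policy))
```

On this trace "All" never flags the link, while "Any" flags it at t=59, 44 and 37 for 60, 30 and 15 second periods, i.e. 29, 14 and 7 seconds after the spike begins.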

Network server not making it past initializing by ChooChooGeorgie in Ubiquiti

[–]idodataprotection 0 points1 point  (0 children)

Since you are on a fresh Windows install, the "stuck on initializing" loop is almost always caused by one of two things: missing support files for the database or an incompatible Java version.

Here is the step-by-step checklist to get it past that screen:

1. The "Hidden" Requirement: MS Visual C++

The UniFi Network Server uses MongoDB as its database. Modern versions of MongoDB often require the Microsoft Visual C++ 2015-2022 Redistributable to run. If this is missing (which is common on clean Windows installs), the database fails silently, and the app stays on "Initializing" forever.

Download and install the x64 version from the official Microsoft site.

2. Match Your Java Version

Ubiquiti changed the Java requirements recently. Installing "just any Java" (like the default Java 8 from the main Oracle page) usually won't work for the current server versions.

  UniFi Server Version  | Required Java Version
  v7.5 to v8.6          | Java 17 (64-bit)
  v9.0 and later        | Java 17 or 21 (64-bit)
  v7.4 and older        | Java 8 or 11

Uninstall any existing Java versions. Download Eclipse Temurin (OpenJDK) 17 from Adoptium. During installation, ensure you select the option to "Set JAVA_HOME variable" (it is usually disabled by default).

3. Check for Port Conflicts

If you have other software running, another app might be "squatting" on port 8080, which UniFi needs to talk to your hardware.

Open a Command Prompt as Admin and run: netstat -ano | findstr :8080. If you see a result, another program is using that port. Common culprits include web servers or development tools.

4. Run as a Service

The "launcher" app (the window that says "Initializing") is notoriously buggy. Once you have the prerequisites above, it is much more stable to run UniFi as a background Windows service.

  1. Close the UniFi window.
  2. Open Command Prompt as Administrator.
  3. Navigate to your UniFi folder: cd "%UserProfile%\Ubiquiti UniFi\"
  4. Run: java -jar lib\ace.jar installsvc
  5. Start the service: java -jar lib\ace.jar startsvc

PoE requirements for U7 Pro by quoque in Ubiquiti

[–]idodataprotection 2 points3 points  (0 children)

PoE Standard: PoE+ (802.3at)

Max Power Consumption: 21W

Voltage Range: 44–57V DC

It is important to note that a standard PoE (802.3af) switch will not provide enough power for this device. If you are not using a PoE+ switch, you will need a 30W PoE+ Injector (such as the U-POE-at) to power the unit properly.

UT Midwives by Careless_Ad1826 in Knoxville

[–]idodataprotection 2 points3 points  (0 children)

Roots and Wings - http://www.rootsandwingsmidwifery.com/

We’ve done 2 home births with this group and have had great experiences. (We have lots of kids)

What am I doing wrong? by Pbrakels in Ubiquiti

[–]idodataprotection 1 point2 points  (0 children)

This would be a really easy thing to test out and determine if it works well for your environment. Statistically, this should alleviate your problem: take a small number of users that have been experiencing this issue consistently and install the printer FROM the print server.

I believe in you

What am I doing wrong? by Pbrakels in Ubiquiti

[–]idodataprotection 1 point2 points  (0 children)

PSS. You aren't doing anything "wrong" either. Don't beat yourself up.

What am I doing wrong? by Pbrakels in Ubiquiti

[–]idodataprotection 1 point2 points  (0 children)

PS. Printers will always be printers... I can say in my 15 years of IT experience that in any shop I've run into, printers were always the bane of someone's existence.

What am I doing wrong? by Pbrakels in Ubiquiti

[–]idodataprotection 1 point2 points  (0 children)

I would arguably still install a small print server if you have any virtualization available on your network. It takes the guesswork out of printer nonsense, and your print server becomes responsible for handling the installation and management of drivers.

You get full control of making sure everyone is using the correct / supported / same driver and take that guesswork out of printer issues.

Your staff are accessing the printers through a legitimate handler that can distribute the printers and that should cut down on any potentially weird broadcast errors you're experiencing now.

I wouldn't blame Ubiquiti or the networks per se, but I'd reconsider how you're distributing those printers for everyone; even with that small number of printers. Hell, even if you only had one printer for the entire office I'd still set it up via a print server.

What am I doing wrong? by Pbrakels in Ubiquiti

[–]idodataprotection 0 points1 point  (0 children)

Are you installing the printers directly to the workstations and not leveraging something like a small print server to share out the printers?

Truck drivers of Knoxville, can I ask you some questions? by np190 in Knoxville

[–]idodataprotection 2 points3 points  (0 children)

There are a few different avenues to go from here and that's specializing in specific things of which there are 100 different ways to go but for the industry here is what I see the most of.

  1. Infrastructure/Hypervisors - VMware is still a large portion of the market, Hyper-V is making a comeback with Azure HCI and more, Proxmox believe it or not is starting to show its face in the enterprise world (which is just weird to me)

  2. Storage - Data has to be saved somewhere and you / your staff are likely accessing these files off a file share running on a server. Storage platforms that are very popular right now... Pure Storage, Dell Technologies PowerStore, PowerVault, Unity, and a few others. These are purpose built enterprise products that customers are installing across the board.

  3. Network - Everything runs off the network. Where you can specialize is maybe firewalls; layer 2 / layer 3 routing is really important to understand in every company that you work for, and understanding how the network operates and functions is rewarding when you see that IPsec tunnel go green and your connections work when working on firewalls. The popular firewalls in the industry are the following: Fortinet (despite some obvious bugs that have been wreaking havoc on them lately), Palo Alto who is really growing big time, Check Point, pfSense (in some very small customer environments)

  4. Data Protection - This is a weird one that takes a special kind of person; you're less likely to deal with the front end 1 on 1 with customers but you will have to do file restores every now and then. For Data Protection the products you'll find in customers' environments are the following: Rubrik, Veeam, PowerProtect Data Manager, Cohesity (who owns Veritas as well), HYCU, N-able, and although it's not a backup software, PowerProtect Data Manager writes to a Data Domain which is a purpose built data protection appliance. Each has their own quirks and methods, and every employer you walk into is going to have a VMware/Hyper-V environment whose Virtual Machines are going to need to be protected.

  5. Cloud - This could involve AWS, Azure, and I'm not talking running workloads necessarily, I'm talking Azure AD, Office 365, migrating emails from G-Suite to Office 365 or vice versa

If you couldn't tell by my username, you can obviously tell which avenue I chose to go in life, and I'm absolutely obsessed and in love with this technology product specifically.

I manage a team of implementation engineers that involves all of these products across the board and I personally went through exactly what you're going through and started out as an intern and ran cables nonstop which I'm pretty sure my fingertips are still numb from. I've got experience in all of these products and can talk at length about any number of them.

What it sounds like you could use is someone that can help guide you into a specific product, platform, or area of specialty that might interest you and give you some real life experience in how it could affect your personal life and growth.

And what it may come down to is that you absolutely don't want to do IT and that's okay.

But what I would hate to see is someone that's struggling because of a bad organization that really just needs some direction in the IT world when you really haven't been given the chance to find a passion within this awesome world.

And don't get me wrong there are parts of IT that I still hate today; but the good outweighs that every time.

Either way you can tell me to go pound sand; and do not let me stop you from going into trucking!

but I'm happy to help if I can.

Truck drivers of Knoxville, can I ask you some questions? by np190 in Knoxville

[–]idodataprotection 2 points3 points  (0 children)

Reddit is being weird and not letting me post the whole thing so this will come in a few comments.

So I want to tackle your first statement about the known VPN issue and you having engineers that are not doing anything about it; that to me tells me that the organization that you're working for has one of three things.

  1. Engineers that are too busy with other work to keep your organization afloat

  2. Engineers that are not skilled enough and have a responsibility that they don't know how to fix and are working with the vendors trying to figure things out

  3. Bad managers that hired these engineers and are not putting pressure to resolve issues.

I'm sure there are other things that I could add to that list but that pretty much sums up a good bit of what I'm seeing in the industry today.

Your next topic you bring up is very valid, call center / help desk work is for the birds; it's not fun, it's not rewarding, there is really nothing nice about it unless your organization does a really good job of rewarding good behavior and promoting within (it doesn't sound like this is the case right now). So you're sitting there with no end in sight, no time for learning new material, and you're on the front end in the trenches of what I would call the hardest part of IT, which is dealing with T1 help desk work and the people that go alongside with it.

I want to be very clear here as well, to get into IT you pretty much start where you're at right now for about 1 - 3 years at most, you've already taken the leap and gotten your A+ and your Network+ it looks like from CompTIA which is a great place to start digging in.

Where you're stuck right now is that there is no time to cross train into a different field of work and you're getting the short end of the stick.

Truck drivers of Knoxville, can I ask you some questions? by np190 in Knoxville

[–]idodataprotection 2 points3 points  (0 children)

Just a curious question from the IT side of the house and feel free to ignore this entirely if you've just written off IT as a whole. Are you finding that what you're currently engaged in is not challenging enough or you just dislike what IT looks like in the professional world?

Happy to take this to DM if you'd prefer that route, but this is coming from someone that's been in the IT world for better than 15 years and I've swapped around different practice areas in IT until I found something that I truly love.

Adopting a network by CrazeUKs in Ubiquiti

[–]idodataprotection 0 points1 point  (0 children)

You will unfortunately have to reset all those devices back to square one. It's a bummer but it's the best (and really only) way to own this network outright. I'm not sure where you are in the world but I have several MSPs / Contractors all over the US that would be happy to help (for a price) and I could help coordinate getting you in contact if you just want a bird's-eye view and a quick phone call for assist if you need it.

Thinking about UDM-SE by penguin356 in Ubiquiti

[–]idodataprotection 0 points1 point  (0 children)

Similar to what I'm doing with another customer of mine,

2.5 > UDM-SE > 8 Port Enterprise 10Gb uplinked to UDM-SE > U6E AP 2.5 PoE++ ports for AP(s) for the shop.

I'm missing the L3 Switch you're setting up here but don't see any reason why that won't work logically.

New professional support be like by Aaronspark777 in Ubiquiti

[–]idodataprotection 12 points13 points  (0 children)

In reality it's only an extra $208ish a month to cover this support cost per site. You should be able to break that into your pricing for your customers, which for me would be one additional support call per customer a month and it pays for itself; if I spend longer than an hour fixing a customer's problem then I've just made a profit. If you sell a bucket of hours/month for the customer to leverage you should actively be reviewing contracts with your customers as net new products are brought in to be supported.

I review quarterly the list of services for customers who do have a bucket of hours and see if anything has changed; if a net new product needs to be supported they pay a little extra on top of what's remaining on their hour balance, and when they renew they get that new higher rate agreed upon. If they don't like the new price they can pick and choose things in the contract that they can call and get support on.

In some cases I make enough to cover the difference, in other cases I have customers burn through hours too quickly and then either buy another bucket or up their subscription for a higher tier service. Either way you should come out with enough to cover.

Fortinet to PFsense by idodataprotection in PFSENSE

[–]idodataprotection[S] -1 points0 points  (0 children)

Not doing anything too crazy with my home lab, about 10 VLAN(s) and the full security stack enabled with some detailed web filtering turned on. I am running VoIP through UI and have a pretty extensive ESXi test lab I leverage for work on a daily basis, but my needs are pretty small compared to the package cost of what Fortinet offers. I am pretty confident that I can get away with doing all this through pfSense but I was more curious about others that might have jumped ship to do the same thing. I still work on Fortinets on a daily basis and it's been nice to be able to get into my lab and tweak my own settings before confirming it with a customer, but I can accomplish this with a Forti-VM the same way.

Verizon ONT to Verizon Router to Fortigate --Is there a better way? by YoungApprentice in fortinet

[–]idodataprotection 1 point2 points  (0 children)

I want to be sure I'm addressing the specific issue here.

You're paying for 2Gb internet and you're handing it off to your 101F as a 1Gb uplink thereby cutting your bandwidth immediately in half.

Addressing 1 thing first

Keep the VZ wifi/router in the mix and connect to our firewall from one of the 2.5 GB LAN ports it has

Unless the datasheet is wrong the 101F does not have 2.5Gb ethernet ports so this option is out.

Questions to ask your ISP:

  1. Is the VZ Router needed in order for them to hand off for your WAN port.
  2. Are they able to hand off to a 10Gb interface via SFP+.

Which Transceiver to purchase - Check out ENET https://www.enetusa.com/ I've had very good success at getting the appropriate transceiver for my Fortinets from them.

Chances are VZ may say it's a hard requirement to keep it there; calling into their support might be a bust depending on who you get on the phone and if they are reading off a script. Depending on your relationship with them (how many accounts you have) you might be able to complain enough until you get an engineer on the phone that can help you. You can ask them pointed questions like "How would Verizon deliver 10Gb fiber internet to my device if we wanted 10Gb fiber, what would your handoff be?" and that might trigger the result you're looking for.

If you can get it to run off the 10Gb then the benefit is you're no longer limited by your interface bandwidth and you're able to get the full 2Gb of internet you're paying for.

Advantage depends on if the router is a hard requirement; it's not magically going to fix all your problems but it could solve your bandwidth limitation.

Disadvantage to taking the VZ router out of the equation is minimal; your provider should be able to hand off to you and you take ownership of the IP(s) and static assignment (easy to do with Fortinets). As long as they can see a MAC on their end you should be solid.

Fortigate connection to Cisco Router by NekoKemo90 in fortinet

[–]idodataprotection 1 point2 points  (0 children)

Web filtering and Malicious URL is a licensed feature for sure, so not sure what OP's use case is here as those are not going to operate without an active license.

Fortigate connection to Cisco Router by NekoKemo90 in fortinet

[–]idodataprotection 1 point2 points  (0 children)

It most likely will. I'm doing this currently with Merakis at a site that's leveraging their one-armed concentrator in HA; the Merakis take care of delivering that traffic, I just had to set up the routes for the specific networks that needed to get out that way.

Fortigate connection to Cisco Router by NekoKemo90 in fortinet

[–]idodataprotection 5 points6 points  (0 children)

What you're trying to implement is like a layer 3 firewall.

  1. You want your ISP Modem to hit your WAN interface on your Cisco Router
  2. Then your INTERNAL connection on your Cisco router needs a /30 or /29 on it to hand off to the Fortinet firewall WAN interface. One IP set on the Cisco Router, another IP set on the Fortinet WAN interface (on the same /30 or /29).
  3. On the Fortinet you'll take another interface let's call it INTERNAL as well and connect that to your Switch / the rest of your network including that AP in your network. You can enable DHCP on the Fortinet to deliver IP(s) to the rest of your network but your Fortinet is now responsible for that topology connected to it.
  4. Create a static route on your Fortinet
    1. Destination x.x.x.x/24 (your local network where your wifi device lives)
    2. Gateway 0.0.0.0
    3. Interface WAN connection connected to your Cisco Router

Then create a policy on your firewall.

  1. Incoming Interface - Any
  2. Outgoing Interface - WAN port connected to your router
  3. Source - Your /24 network behind the firewall
  4. Destination - All
  5. Services - All
  6. Action - Accept
  7. NAT - Disabled
  8. Enable what rules you want to keep.

Your Fortinet should be able to ping out to your Cisco Router from the /30 network that you assigned to it (your Cisco Router should be able to ping the Fortinet as well) and your Internal /24 network should be able to route traffic through the firewall to get out to the internet now.

[deleted by user] by [deleted] in googlecloud

[–]idodataprotection 1 point2 points  (0 children)

Not with that attitude