How to set up UniFi Teleport VPN

Published by Iron

UniFi Teleport is a simple VPN built into UniFi gateways. It’s designed for remote access to your home network, even when you're behind CGNAT and can’t port forward. It uses WireGuard under the hood, so it’s fast and reliable. But it’s also opinionated and limited compared to site-to-site VPNs.

Here’s how it works, how to set it up, and what to watch out for.

Let's dive in!


🚨 Before we dive in, please don't self-host your UniFi Controller if you take care of client networks. Sooner or later this will cause issues! It's fine for home users, but definitely not recommended for IT service businesses and MSPs. If you want a secure, reliable and scalable hosting solution, check out UniHosted.


How Teleport VPN works

Teleport VPN is UniFi’s personal VPN service. It runs on your UniFi gateway and uses your UI account to generate a secure peer-to-peer WireGuard tunnel between a remote device and your home network. No manual port forwarding or IP config required.

It creates a virtual subnet (usually 100.64.2.0/24 or similar) and gives your remote device a VPN IP. Then you can access your LAN as if you're on the local network.

You connect using the WiFiman app or desktop client, with a 24-hour invite link generated by your controller.

What you’ll need

Before you can use Teleport:

  • You need a UniFi gateway (UDM, UDR, UXG, etc.)
  • Remote access must be enabled in your controller
  • You need a UI account (https://unifi.ui.com)
  • WiFiman installed on your client device (Mac, Windows, iOS, Android, Linux)

Step-by-step: setting up Teleport VPN

  1. Enable remote access

    Go to:
    UniFi Console → Settings → Console Settings → Remote Access
    
    Sign in with your UI account and enable remote access. This links your console to the cloud.
  2. Activate Teleport

    Go to:
    Settings → Teleport & VPN → Teleport
    
    Toggle on “Enable Teleport VPN.” You’ll now be able to generate invite links.
  3. Create a VPN invite link

    Still under Teleport settings, click “Create invite.” Copy the link—it’s valid for 24 hours.
  4. Connect the remote device

    On your remote device:
    • Open WiFiman (desktop or mobile)
    • Paste the invite link
    • Click “Connect”
    The device should appear in your client list after a few seconds.

Testing VPN access

From the VPN client, test connectivity:

  • Ping internal devices
  • Load internal web apps (like an Apache server)
  • Mount file shares (e.g., SMB share from a domain controller)

Note: Teleport doesn’t let you choose the VPN subnet. That’s one downside—it uses an internal range like 100.64.2.0/24, and you can’t change it via the GUI. It’s possible through MongoDB edits via SSH, but that’s risky and not officially supported.

Restricting access with firewall rules

By default, Teleport VPN gives access to all LAN resources. If you want to lock that down:

  1. Go to:
    Settings → Firewall → Rules
    
  2. Add a rule:
    • Type: “LAN In”
    • Source: VPN (Teleport subnet or “VPN” zone)
    • Destination: LAN
    • Action: Block
  3. Move that rule to the top. Firewall rules process top-down.

Now your VPN client can’t access anything.

  4. Add specific allow rules above the block:
    • Allow HTTP to your web server IP
    • Allow SMB to your file server IP
    • Ports can be filtered too (e.g., allow TCP 445 for SMB)

Test each rule as you go. Ping will likely still fail unless you explicitly allow ICMP.
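To make "test each rule as you go" repeatable, the sketch below (an added example, not part of the original article or any UniFi tooling) probes a list of TCP services from the Teleport client and reports every target whose reachability differs from what the rules intend. The server addresses and ports in POLICY are placeholder assumptions; replace them with your own.

```python
import socket

# Expected view from the Teleport client. Addresses are placeholders
# (assumptions); substitute your own web server and file server IPs.
POLICY = [
    ("192.168.1.10", 80, True),     # HTTP to the web server: allow rule
    ("192.168.1.20", 445, True),    # SMB to the file server: allow rule
    ("192.168.1.20", 3389, False),  # everything else should hit the block
    ("192.168.1.1", 22, False),
]

def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'no-reply'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # An RST came back: from the host itself (no listener) or from a
        # rejecting firewall rule. Either way the service is not usable.
        return "refused"
    except OSError:
        # Timeout or unreachable: typical when packets are silently dropped.
        return "no-reply"

def audit(policy, probe=probe):
    """Return (host, port, should_be_open, observed) for each mismatch."""
    mismatches = []
    for host, port, should_be_open in policy:
        observed = probe(host, port)
        if (observed == "open") != should_be_open:
            mismatches.append((host, port, should_be_open, observed))
    return mismatches

if __name__ == "__main__":
    failures = audit(POLICY)
    for host, port, should_be_open, observed in failures:
        want = "open" if should_be_open else "blocked"
        print(f"MISMATCH {host}:{port} expected {want}, observed {observed}")
    raise SystemExit(1 if failures else 0)
```

Run it while connected through Teleport after each rule change; an exit code of 0 means every listed service behaved as the rule set intends.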

What to watch out for

  • The VPN zone might look empty in the GUI—that’s normal for Teleport. The traffic is still handled correctly.
  • Rules only apply if ordered correctly (allow rules must be above the block).
  • No GUI option to control subnet or address pool.
  • You can't create site-to-site tunnels or persistent VPN users with Teleport—it’s link-based only.
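Why rule order matters can be shown with a simplified first-match model. This is an added example, not UniFi's firewall engine: the rule format, the helper names and the 192.168.1.0/24 LAN range are assumptions, while 100.64.2.0/24 is the Teleport subnet mentioned above. It flags allow rules that can never fire because an earlier block already covers them, and shows ICMP falling through to the block.

```python
from ipaddress import ip_network

TELEPORT = "100.64.2.0/24"   # Teleport subnet quoted in the article
LAN = "192.168.1.0/24"       # assumed LAN range for this example

def rule(name, action, src, dst, proto="any", port=None):
    """Build one rule; proto 'any' and port None act as wildcards."""
    return {"name": name, "action": action, "src": ip_network(src),
            "dst": ip_network(dst), "proto": proto, "port": port}

def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    return (b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["proto"] in ("any", b["proto"])
            and a["port"] in (None, b["port"]))

def shadowed(rules):
    """Names of rules that never fire because an earlier rule covers them."""
    return [later["name"] for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]

def decide(rules, src, dst, proto, port=None, default="allow"):
    """First matching rule wins; with no match the default (allow) applies."""
    pkt = rule("pkt", None, src + "/32", dst + "/32", proto, port)
    for r in rules:
        if covers(r, pkt):
            return r["action"]
    return default

BLOCK_ALL = rule("block-vpn-to-lan", "block", TELEPORT, LAN)
ALLOW_HTTP = rule("allow-http", "allow", TELEPORT, "192.168.1.10/32", "tcp", 80)
ALLOW_SMB = rule("allow-smb", "allow", TELEPORT, "192.168.1.20/32", "tcp", 445)

WRONG_ORDER = [BLOCK_ALL, ALLOW_HTTP, ALLOW_SMB]   # block on top: allows are dead
RIGHT_ORDER = [ALLOW_HTTP, ALLOW_SMB, BLOCK_ALL]   # allows above the block

if __name__ == "__main__":
    print("shadowed (wrong order):", shadowed(WRONG_ORDER))
    print("shadowed (right order):", shadowed(RIGHT_ORDER))
    print("ICMP to web server:",
          decide(RIGHT_ORDER, "100.64.2.5", "192.168.1.10", "icmp"))
```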

Final Thoughts

Teleport VPN is a fast, easy way to access your home network remotely without dealing with port forwarding or dynamic DNS. It’s great for personal use and quick setups. But it lacks advanced control.

If you need more customization or persistent tunnels, you’ll want to look into traditional site-to-site VPNs instead.

We’ve tested Teleport VPN extensively at UniHosted. It’s a handy tool, especially when paired with hosted controllers for clients who just need occasional access.

And if you're still looking for a UniFi hosting solution, check out UniHosted. Whether for easier remote access or for managing multiple sites, we’ve got you covered. If you would like me to personally walk you through UniHosted, you can schedule a call with me here.
