This is where Ubiquiti UniFi remote site VPN setup becomes essential. Over the past three years, we've configured secure networks for more than 18,000 devices across Johannesburg businesses, and we've learned exactly what works and what doesn't in our local environment. Load shedding, unpredictable internet provisioning, and the need for rapid failover have taught us that generic VPN solutions simply don't cut it. You need something built for distributed teams.
UniFi's remote site VPN capability—integrated directly into their Dream Machine and UDR appliances—solves this in a way that's both technically robust and remarkably straightforward to implement. This guide walks through what it actually looks like to deploy secure remote connectivity in Johannesburg, from site assessment through ongoing management.
What Remote Site VPN Actually Does
Remote site VPN, sometimes called site-to-site VPN, creates an encrypted tunnel between your main office network and remote locations—or between remote locations and each other. Unlike traditional client VPN where individual devices tunnel in, site VPN makes entire networks appear as if they're directly connected.
The practical difference matters enormously. A designer working from a Sandton home office doesn't need to manually connect to a VPN client. They simply switch to the office network as their default route. Files sync faster. Database queries respond instantly. Video conferencing doesn't stutter because traffic doesn't bounce through unnecessary encryption layers.
In our workshop, we've seen businesses waste thousands on bandwidth optimisation and redundancy upgrades when their actual problem was inefficient VPN architecture. UniFi's implementation, which runs IPSec tunnels through either the UDR or Dream Machine, lets us build exactly the right level of encryption without the performance penalty you'd get from consumer-grade solutions.
Assessment and Site Requirements
Every Johannesburg business has different infrastructure. We start every project with a technical assessment, which we offer from R599. This isn't guesswork—we need actual data about your existing internet connectivity, firewall rules, and network topology before recommending hardware.
What we're checking for: your current internet service provider (many businesses have Vumatel, Frogfoot, or Starlink in different locations), whether you have static IP addresses at each site, what your existing firewall is doing, and whether your remote locations have the power and space to host UniFi hardware. Load shedding means we also consider battery backup—a UPS system becomes non-negotiable for reliable failover.
The assessment identifies whether you need a full Dream Machine installation (which includes router, security gateway, and switch in one unit) at each location, or whether you can deploy a lighter UDR (Dream Router) in some locations. For businesses with three or fewer remote sites, the UDR is typically sufficient. Larger deployments may need multiple Dream Machines.
We also verify that your existing network doesn't have conflicting IP ranges—a surprisingly common problem when multiple sites have independently configured networks. POPIA compliance is another critical check: UniFi's local storage options mean we can keep South African customer data within our jurisdiction, which is essential for regulated industries.
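The conflicting-range check described above can be scripted before any tunnel is enabled. The following is an added example, not part of the original guide or of UniFi's tooling; the site names and every range except 192.168.1.0/24 are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: site name -> LAN ranges to route over the tunnel.
# Site names and all ranges other than 192.168.1.0/24 are made up for this example.
SITES = {
    "head-office": ["192.168.1.0/24", "10.10.0.0/16"],
    "sandton-home": ["192.168.1.0/24"],   # same default range as head office
    "warehouse": ["10.10.20.0/24"],       # sits inside head office's /16
    "branch-east": ["172.16.5.0/24"],
}


def parse_inventory(sites):
    """Return [(site, network)]; reject entries that have host bits set."""
    parsed = []
    for site, ranges in sites.items():
        for cidr in ranges:
            # strict=True raises ValueError on typos such as 192.168.1.10/24
            parsed.append((site, ipaddress.ip_network(cidr, strict=True)))
    return parsed


def find_conflicts(sites):
    """List every pair of ranges from different sites that overlap."""
    conflicts = []
    for (site_a, net_a), (site_b, net_b) in combinations(parse_inventory(sites), 2):
        # Ranges within one site are that site's own routing concern;
        # IPv4 and IPv6 ranges cannot collide with each other.
        if site_a == site_b or net_a.version != net_b.version:
            continue
        if not net_a.overlaps(net_b):
            continue
        # Two CIDR blocks that overlap are either equal or one contains the other.
        kind = "identical" if net_a == net_b else "nested"
        conflicts.append((site_a, str(net_a), site_b, str(net_b), kind))
    return conflicts


if __name__ == "__main__":
    for site_a, net_a, site_b, net_b, kind in find_conflicts(SITES):
        print(f"{kind:9} {site_a} {net_a} <-> {site_b} {net_b}")
```

An "identical" result means one site has to be renumbered before the tunnel can route between them; a "nested" result means the wider range would claim traffic that belongs to the smaller site.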
Installing and Configuring the UniFi VPN Tunnel
The actual hardware installation is straightforward. Your Dream Machine or UDR connects to your internet link—whether that's your ISP gateway in bridged mode or directly patched into fibre. The unit sits between your modem and your local network switch.
Configuration happens through the UniFi Network Application, either cloud-hosted or running locally on a UDR Pro. This is where the elegance of the system becomes obvious. Rather than configuring IPSec manually with complex encryption parameters, you simply:
1. Select the remote site you're connecting to from the cloud controller.
2. Specify the local network range at your current site (for example, 192.168.1.0/24).
3. Confirm the remote site's network range.
4. Enable the tunnel.
UniFi handles the encryption algorithms, key exchange, and tunnel establishment entirely behind the scenes.
Each tunnel negotiates automatically. If your internet connection drops—which happens more often than we'd like in Johannesburg—the VPN simply re-establishes when connectivity returns. We've tested this extensively, and failover typically takes 30 to 60 seconds, which is acceptable for most business applications.
One critical detail many installers miss: ensuring your internet service provider isn't blocking UDP ports 500 and 4500, which IPSec uses for tunnel negotiation. We've encountered this multiple times with certain ISPs, and it's the kind of issue that leaves your network appearing configured but non-functional. Our assessment includes this check.
Load Shedding, Failover, and Local Resilience
Johannesburg's power situation demands failover planning that businesses in stable-grid countries simply don't need. We routinely recommend load shedding–aware WAN failover: if your primary internet circuit drops during peak load shedding, UniFi can automatically trigger a secondary connection (typically a 4G backup circuit) and bring the remote site VPN through that alternative path.
This requires a second internet service at your remote locations, but the cost is modest compared to business continuity if your primary circuit becomes unavailable. We've seen businesses lose entire days of productivity when they assumed their single ISP circuit would always be available.
The UDR Pro includes dual SIM slots, making 4G failover particularly elegant. Configuration takes minutes: set the primary WAN as your primary ISP, set the secondary WAN as the cellular backup, and configure the automatic failover threshold. When the primary drops, the backup activates. Your remote site VPN tunnel reconnects through the 4G circuit within a minute or two.
We also recommend UPS systems at each remote location, sized to maintain network hardware for at least 30 minutes. This keeps your VPN tunnel alive during load shedding events even if the rest of the office goes dark. For sites where business-critical operations depend on the network, two-hour battery systems are standard.
Monitoring, Updates, and Ongoing Management
After installation, the real work is ensuring the system stays healthy. UniFi's cloud controller provides real-time tunnel status, bandwidth usage per site, and packet loss metrics. We typically recommend checking these dashboards weekly and monitoring for patterns that suggest degradation—increasing latency, intermittent packet loss, or failed tunnel renegotiations.
Firmware updates roll out regularly for security and performance improvements. UniFi makes this painless—updates happen automatically if you enable automatic patching, or you can schedule them during maintenance windows. We've never seen a UniFi firmware update cause an outage, though we do recommend testing major versions in a non-production environment first if your site is particularly critical.
The system requires virtually no hands-on maintenance after installation. No certificates to renew manually—IPSec handles that through its negotiation process. No encryption keys to rotate—again, IPSec automation handles it. Your main responsibility is ensuring your firewall rules remain appropriate and monitoring those bandwidth dashboards for unusual spikes that might indicate a network compromise.
Pricing and Warranty in Johannesburg
Our complete remote site VPN setup starts at R599 for the initial site assessment. Hardware costs depend on your specific requirements: a UDR suitable for small remote sites runs around R8,900; a full Dream Machine for larger locations is approximately R12,500. Installation, configuration, and network validation typically cost R3,500 to R6,500 per site, depending on complexity.
All our installations come with a three-year warranty covering hardware defects and a one-year warranty on our configuration and installation work. That means if your VPN tunnel stops working due to a hardware failure in the Dream Machine or UDR, we replace it at no cost. If a misconfiguration causes the tunnel to fail, we diagnose and correct it free of charge during that first year.
For businesses needing ongoing support—monitoring, firmware updates, security reviews, and troubleshooting—we offer managed service packages starting at R1,200 per month per site.
Frequently Asked Questions
Q: Do I need a static IP address at each remote site for UniFi VPN to work?
No—UniFi uses dynamic DNS to handle sites with changing IP addresses. However, we do recommend static IPs where possible because they simplify troubleshooting and make firewall rules more predictable. Many ISPs offer static IP for a modest monthly fee—usually R150 to R300. If your ISP doesn't offer it, UniFi's dynamic DNS keeps the tunnel functional, though latency may spike slightly during IP changes.
Q: What happens to my VPN tunnel during load shedding?
If you have UPS backup at your remote sites, the tunnel stays active through the load shedding period—your equipment keeps running and the tunnel reconnects immediately when grid power returns. Without UPS, your equipment powers down, and the tunnel re-establishes within 60 seconds of power returning. We strongly recommend UPS systems, which cost R2,500 to R5,000 depending on battery capacity.
Q: Can I connect more than two sites through UniFi VPN?
Yes—UniFi supports hub-and-spoke topology, where your main office is the hub and multiple remote sites tunnel back to it, plus mesh topology where remote sites connect directly to each other. We typically recommend hub-and-spoke for businesses with more than two sites because it simplifies management and reduces complexity if any single link fails.
Q: Is UniFi VPN compliant with South African data protection regulations?
UniFi meets POPIA requirements for encryption in transit—the VPN tunnel itself is IPSec-protected. However, POPIA compliance also requires secure data storage. If you're processing personal information, ensure your data storage at each site also meets POPIA standards. We can advise on this during the assessment phase.
Q: How much bandwidth does the VPN tunnel itself consume?
The IPSec tunnel overhead is minimal—roughly 3 to 5 percent of your total traffic. A 100 Mbps circuit loses approximately 3 to 5 Mbps to encryption processing. In practice, this is negligible. What matters far more is ensuring your ISP circuits are sized correctly for your actual business traffic—not undersizing your internet links hoping the VPN overhead won't matter.
Q: What if one of my remote sites loses internet connectivity?
The VPN tunnel drops, and that site becomes isolated from the main network. If you've configured 4G failover with a secondary WAN, the tunnel re-establishes through the mobile circuit. Without failover, your remote site remains offline until the primary circuit returns. This is why we recommend failover planning during the assessment—it's far cheaper to add it during initial setup than to add it later.
Ready to secure your Johannesburg network? Book online at zasupport.com/book or WhatsApp us on 064 529 5863 to discuss your remote site VPN requirements.
