UniFi Gateway + NordVPN + AdGuard: Domain-Based Routing Setup

🔐 Summary

If you're running a UniFi Gateway and want to route traffic for specific domains (like geo restricted streaming) through a NordVPN tunnel, while using AdGuard Home for DNS filtering, this guide walks you through the full configuration — from VPN client setup to DNS forwarding and policy-based routing. In this post, I'll use example.com to represent a domain that I want to route across a VPN tunnel.

Note: This method can work with any combination of VPN provider and External DNS.  If you're just using the Unifi GW for DNS, it's even simpler.

🧭 Overview

  • Goal: Route all traffic to example.com and its subdomains through NordVPN.
  • Tools Used:
    • UniFi Cloud Gateway (Next-Gen UniFi gateway or UniFi Cloud Gateway)
    • NordVPN (OpenVPN)
    • AdGuard Home (DNS filtering and conditional forwarding)

1. Configure NordVPN as a Client on UniFi Gateway

✅ UI-Based Setup (No SSH Required)

  1. Navigate to UniFi Network > Settings > VPN > VPN Client
  2. Click Add VPN Client
  3. Upload your .ovpn file from NordVPN
  4. Enter your NordVPN service credentials (username and password)

📷 See UniFi’s official guide with screenshots:
👉 UniFi Gateway – OpenVPN Client

2. Get NordVPN Service Credentials

NordVPN provides dedicated service credentials for manual configuration (different from your account login):

  1. Go to your Nord Account dashboard
  2. Navigate to Advanced Setup > Manual Configuration
  3. Copy the Service Username and Password

📷 Full instructions:
👉 NordVPN Manual Configuration Guide

3. Create Policy-Based Route (PBR) for Domain Routing

  1. Go to UniFi Network > Settings > Routing & Firewall > Policy-Based Routing
  2. Click Create New Route -> Type: Policy Based
  3. Configure:
    • Name: NordVPN-example.com
    • Source: Choose Any unless you want to restrict to specific sources. If so, choose LAN network or specific device and select your source.
    • Destination: example.com

🧠 Note: UniFi requires DNS resolution for PBR target domains to happen on the gateway itself for domain-based routing to work. If you are using external DNS like PiHole or AdGuard, you'll need to configure those solutions for conditional forwarding.  I have steps for AdGuard below.

4. Configure AdGuard Home for Conditional DNS Forwarding

If you're using AdGuard Home as your DNS resolver, forward DNS queries for example.com to the UniFi Gateway:

In your AdGuard DNS settings, add the below entry to your Upstream DNS servers. Make sure to change example.com to the actual domain you are sending across the VPN. This also assumes you are using the default IP for a Unif GW of 192.168.1.1, update the entry if you have changed it to something different.

[/example.com/]192.168.1.1
  • This ensures UniFi sees the DNS queries and can apply the PBR correctly.
  • Restart AdGuard DNS service to apply changes.

🗒 Final Notes

  • If you have issues getting content to load across the VPN, consider expanding your domain list to include CDN endpoints.  I like to use Chrome or Edge Dev Tools to look at the network traffic while accessing the website.

Comments

Post a Comment

Popular posts from this blog

Automating Azure AD B2B Invites with Approval Workflow

Image
The Problem Users want to collaborate with external parties. You have a few options to accomplish this: Share anonymously Share with any authenticated user Share with existing authenticated user Share with organization only None of these work well when security and scale are required. The best of both worlds would be to allow your end users to request access for an external user and then to kick off an approval workflow. If approved by the appropriate parties, a B2B invite will be automatically sent to the desired email address. Once invited, the user can then share with that account. This is assuming you have your org configured so sharing is only possible with existing external accounts. The Solution With an Office 365 subscription, you get a product called Microsoft Flow. Most people just equate this to being Microsoft’s attempt at creating an  IFTT  knock off. However, it’s so much more than that. You can, in essence, build out an entirely server-less API that you can inte...
Read more

Kill M365 Password Spraying: Why You Must Disable Exchange SMTP Basic Auth

🛡️ Summary Password spraying attacks thrive on legacy protocols like Basic Authentication. While Microsoft disabled Basic Auth for most Exchange Online endpoints in 2022, SMTP AUTH remains a critical exception—and a prime target. This post explains why, and how to audit, restrict, and shut it down. 🔍 What Are Exchange Authentication Policies? Exchange authentication policies are configuration objects in Exchange Online that allow administrators to disable Basic Authentication per protocol for specific users or groups. These policies operate at the protocol layer , preventing Basic Auth requests from ever reaching Microsoft Entra ID. This is different from Conditional Access, which evaluates sign-in attempts at the identity layer . Authentication policies are more effective for legacy protocol hardening because they cut off Basic Auth at the source . 🔓 Why Basic Authentication Is Dangerous Sends credentials in plaintext (Base64), easily intercepted. Doesn’t support M...
Read more