Running a Unifi Dream Machine (UDM) with several APs from a Rental Apartment where every LAN port is firewalled/on a seperate VLAN.

In a perfect world, if you move to an apartment and plug network devices into the wall, they are connect via a nice 10Gbps switch, and can directly talk to each other.

Unfortunately, I just moved into a new apartment, and this is not the case. I have no access to any of the hardware, but the situation looks like double NAT, and port forwarding, etc do not work. You get a DHCP from the LAN ports in the wall, and you cannot open any ports.

The solution looks something like this bad MSPAINT diagram:

Move the Tailscale from SRVR -> UDM

Step 1 — Install Tailscale on your UDM

This is pretty straightforward. First just enable SSH from the Console itself, which is via these screens:

Enable SSH on your Unifi Dream Machine / UDM

Then login (root/the password you set) and follow these instructions to install Tailscale:

GitHub - SierraSoftworks/tailscale-udm: Run Tailscale on your Unifi Dream Machine

Once you have done that, and logged in by copy/pasting the special link to your machine and adding it to your private network, you just need to expose port 8080, via the command tailscale serve --bg 8080

Step 2 — VPS

I used https://www.ovhcloud.com/ but any provider that will give you an IPv4 address should be fine — get a VPS, which will have a hostname, and login and install/authenticate tailscale again.

You will want to setup a Caddy reverse proxy, and I’ve used this /etc/systemd/system/caddy-api.service to run it:

# caddy-api.service
#
# For using Caddy with its API.
#
# This unit is "durable" in that it will automatically resume
# the last active configuration if the service is restarted.
#
# See https://caddyserver.com/docs/install for instructions.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy reverse-proxy --from http://<your_vps_host>:8080 --to https://<your_tailscale_prefix>.ts.net
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Step 3 — Inform!

Now go back to your UDM -> Network settings and change the inform host to just the VPS hostname:

you just need the hostname here

Step 4 — Wait

Give it some time for the inform change to propagate from your current wired/meshed configuration to the end devices. After a half hour, you can unplug them and plug them into the wall where they’ll get nice new NATted IPs but also be able to talk back to the UDM mothership via the bridge you’ve just proxied.

You may want/need to reboot them.