How to configure a VPN Tunnel from Ubiquiti to Cloudflare
- Problem: Many IoT/OT devices, servers and legacy systems do not support agents (e.g. Cloudflare WARP), or Cloudflare Magic WAN is used to ramp up locations.
- Solution: IPSec tunnels from UniFi gateways to Cloudflare via Magic WAN to centrally inspect and filter HTTP/HTTPS traffic - without an agent on the endpoint.
- Added value: Unified SSE security controls (web filtering, threat protection, DLP, CASB), consistent egress IP handling, easy rollout and high availability via Cloudflare.

Architecture in 60 seconds
- The UniFi gateway (an HA cluster in this setup) establishes an IPSec tunnel to Cloudflare's Anycast IP and is automatically connected to the nearest Cloudflare DC; failover to another DC is handled by Cloudflare's Anycast.
- Policy-Based Routing (PBR) on the Ubiquiti gateway steers defined traffic (e.g. IoT VLANs → web) into the tunnel, which then acts as a transparent proxy path; internal destinations (RFC1918) and Cloudflare WARP traffic are bypassed.
- Cloudflare SSE inspects/processes the traffic according to the policies.
- Depending on resilience and performance requirements, any number of tunnels can be connected to Cloudflare via any ISP.
Requirements (checklist)
- Static public IP on the Ubiquiti WAN.
- Access to the Cloudflare Admin Portal.
- Preliminary planning: Which source networks/VLANs should go via Cloudflare? Which destinations need to be bypassed (RFC1918, management networks, WARP IPs)?
- Time sync (NTP) & correct MTU on the WAN (IPSec/SSL inspection can trigger fragmentation).
1. Cloudflare configuration
- Create a new IPSec tunnel under Networking > Magic WAN > Configuration > Tunnels
- Then create a static route under Networking > Magic WAN > Configuration > Routes and select the desired traffic (source).
2. Ubiquiti configuration: VPN
- Ubiquiti Network → Settings → VPN → Site-to-Site VPN → Create New.
- VPN Type: IPSec, VPN Method: Route-Based.
- Remote IP/Hostname: Enter Cloudflare Anycast IP (162.159.75.138).
- Key Exchange: IKEv2
- AES-256 / SHA256, DH group 20, PFS active, SA-Lifetime IKE 86400s / ESP 28800s
- Tunnel IP: a /31, matching the mask UniFi uses by default.
- Remote Networks: leave empty.
- Local Authentication ID: Use the value from the Cloudflare Dashboard (FQDN ID).
- Route Distance (metric): smaller value = preferred (e.g. 30 for primary).
4. Ubiquiti configuration: Policy Based Routes (PBRs)
- Bypass Cloudflare WARP IPs.
- ANY → Tunnel for the predefined source VLANs/networks (IoT/OT/Server).
- Then check whether the tunnel is "Online".
- UniFi cannot (yet) reorder PBR rules. Create them in the correct order from the outset (specific → general) and add placeholder rules for further use cases, which can be filled in later if needed.
- For exclusions to take effect, the exception rule and the ANY rule must have the same source.
- The kill switch can optionally be activated in the exception; with it enabled, the matching traffic is blocked instead of leaving via the normal WAN when the VPN cannot be reached.
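As an added illustration (not part of the original guide and not UniFi's or Cloudflare's code), the following Python model applies PBR rules top-down the way the gateway does and lints the specific → general ordering the section calls for; the IoT VLAN and the WARP prefix are constructed placeholders, and only the RFC1918 ranges are real.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: an IoT VLAN and a placeholder for the Cloudflare WARP
# ranges (not Cloudflare's published prefixes; look those up and substitute them).
IOT_VLAN = "10.50.0.0/24"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
WARP_PLACEHOLDER = "203.0.113.0/24"
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    source: str       # source VLAN/network the rule applies to
    destination: str  # destination prefix, ANY for the catch-all rule
    action: str       # "bypass" = normal WAN, "tunnel" = Cloudflare IPSec tunnel

def evaluate(rules, src_ip, dst_ip, tunnel_up=True, kill_switch=False):
    """Top-down first match, as the gateway applies PBR. Returns the path taken."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in ipaddress.ip_network(r.source) and dst in ipaddress.ip_network(r.destination):
            if r.action == "tunnel" and not tunnel_up:
                # Kill switch: block rather than leak tunnel-bound traffic to plain WAN.
                return "blocked" if kill_switch else "wan"
            return r.action
    return "wan"  # no PBR match: default routing

def lint_order(rules):
    """Report exceptions shadowed by an earlier ANY->tunnel rule with the same source, and ANY->tunnel rules lacking a preceding RFC1918 bypass."""
    problems = []
    for i, r in enumerate(rules):
        if r.action != "tunnel" or r.destination != ANY:
            continue
        before = [x for x in rules[:i] if x.action == "bypass" and x.source == r.source]
        after = [x for x in rules[i + 1:] if x.action == "bypass" and x.source == r.source]
        problems += [f"{x.source}->{x.destination} bypass is shadowed by ANY->tunnel" for x in after]
        if not all(any(x.destination == n for x in before) for n in RFC1918):
            problems.append(f"{r.source}: missing RFC1918 bypass before ANY->tunnel")
    return problems

# Correct order: specific exceptions first, catch-all last.
GOOD = [Rule(IOT_VLAN, n, "bypass") for n in RFC1918] + \
       [Rule(IOT_VLAN, WARP_PLACEHOLDER, "bypass"), Rule(IOT_VLAN, ANY, "tunnel")]
# Wrong order: the catch-all comes first and hides every exception.
BAD = [Rule(IOT_VLAN, ANY, "tunnel")] + GOOD[:-1]
if __name__ == "__main__":
    print(evaluate(GOOD, "10.50.0.20", "192.168.1.10"))  # bypass
    print(evaluate(BAD, "10.50.0.20", "192.168.1.10"))   # tunnel (internal traffic leaks into the tunnel)
    print(lint_order(BAD))
```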
Verification & operation
- Check egress IP in Cloudflare (log).
- Test SSE policies (URL filter, DLP, upload controls, SSL inspection).
- Monitoring: Tunnel status, latency to the DC, MTU/MSS clamp (in case of fragmentation).
- Key hygiene: rotate PSK regularly, audit admin access.
Best practices from projects
- VLAN-based onboarding: dedicated IoT/OT VLANs via PBR in the tunnel - minimizes blast radius.
- Cleanly separate "web only": Do not tunnel internal services (e.g. OT HMIs) to the internet; RFC1918 bypass helps.
- Schedule a change window: SSL inspection or DLP can have app side effects; start with a pilot group.
- Maintain documentation: PBR exceptions, forwarded VLANs, emergency rollback.
Conclusion
With IPSec Ubiquiti → Cloudflare, non-agent-capable IoT/OT assets and servers can be connected to modern SSE controls easily, scalably and cost-effectively - without interfering with the end device. The combination of two DC tunnels, clean PBR and consistent policy checking quickly delivers measurable security gains - exactly where agents don't fit.