Omada Pro Logo official website Vigi Logo official website
Contact Us
Baltic / English

Controller v6.2 VPN Overview

Knowledgebase
Configuration Guide
BookmarksCopy Link
03-10-2026
118

Contents

Introduction

Requirements

Configuration

Configuration for VPN Server

Configuration for VPN Client

Configuration for Site-to-Site VPN

Configuration for SSL VPN

SSL VPN Verification

Conclusion

Introduction

The previous VPN interfaces were somewhat scattered. To simplify the complexity of VPN configuration, the interface logic has been redesigned starting from Controller version 6.2. This document will provide a step-by-step introduction.

Before configuration, please note the changes to the VPN pages:

1. VPN Configuration Page Changes:

  • Navigate to Network Config > VPN > VPN page. The VPN configuration page is divided into three tabs: VPN Server, VPN Client, and Site-to-Site VPN. The VPN pages have been reorganized based on scenarios and VPN types.
  • The SSL VPN within the VPN Server has been migrated and adjusted from the VPN > SSL VPN page, while the Wireguard Server page has been newly added.
  • Additionally, WireGuard Client page has been added to the VPN Client page.
  • Auto WireGuard has been added to the Site-to-Site VPN section, while Manual WireGuard has been relocated from the VPN > WireGuard page.
  • VPN user information can be viewed under the VPN Server page when server entries exist.
  • IPsec failover has been merged into the VPN Configuration page.
  • SSL VPN's Resource Management, User Group, etc., are now located on the User Management page.

2. VPN Status Page Changes:

Navigate to Network Config > VPN Status, where three tabbed pages will be displayed: VPN Server, VPN Client, and Site-to-Site VPN.

Requirements

  • Omada Controller v6.2 and above
  • Omada Gateway

Configuration

Configuration for VPN Server

Step 1. Log in to the controller, navigate to Site view > Network Config > VPN > VPN Configuration page. The VPN Configuration page is divided into three tabs: VPN Server, VPN Client, and Site-to-Site VPN. Go to VPN Server page and click Create New VPN Server.

Display the location where the new VPN server is created.

Available VPN types include WireGuard, OpenVPN, IPsec, SSL VPN, L2TP, and PPTP. Select the VPN type you need to configure. Some information will be auto-filled; modify and supplement as needed, then click Apply to create the entry.

Display the page for creating a WireGuard VPN server.

There are two methods to add clients to a WireGuard server: Auto and Manual. You may obtain the VPN client configuration either by scanning the QR code or downloading the file.

Display the page for adding clients.

Step 2. For OpenVPN, L2TP, or PPTP using local authentication, you need to configure a VPN user. Navigate to VPN Server > User Management page and click Create New User.

Then, create a Username and Password. Select the desired VPN Type, choose the corresponding VPN Server, and click Confirm to create a VPN user.

Show the page for creating VPN users.

Step 3. After configuration, you can select the desired VPN type on the Network Config > VPN > VPN Status > VPN Server page to view VPN tunnel status.

Show the VPN server tunnel page.

In the WireGuard VPN Server tunnel entry, click the Details button in the CLIENTS column to view detailed information.

Display details page.

Configuration for VPN Client

Step 1. Go to Network Config > VPN > VPN Client page and click Create New VPN Client, then select VPN Type to create an entry.

Display the location for creating a VPN client.

Available VPN types include WireGuard, OpenVPN, L2TP, and PPTP. WireGuard VPN Client configuration can be completed by uploading a configuration file or manually configuring settings.

Show the page for uploading the configuration file.

Display the manual configuration page.

Step 2. After configuration, go to VPN > VPN Status > VPN Client and select the corresponding VPN type to view the VPN tunnel status.

Show the VPN client tunnel page.

In the WireGuard VPN Client tunnel entry, click the Details button in the SERVER column to expand detailed information.

Expand details page.

Configuration for Site-to-Site VPN

Step 1. Go to Network Config > VPN > Site-to-Site VPN page and click Create New Site-to-Site VPN, then select VPN Type to create an entry.

Show the position for creating site-to-site VPN.

Available VPN types include WireGuard and IPsec. There are two configuration modes: Auto and Manual.

Display the WireGuard site-to-site VPN manual configuration page.

Controller v6.2 integrates IPsec Failover configuration into IPsec Manual mode and simplifies the configuration process. The Backup WAN refers to the WAN interface of the Secondary VPN entry. The IPsec Failover switch corresponds to the status of the Secondary VPN entry. Automatic Failback corresponds to the failover configuration.

Display the IPsec site-to-site VPN manual configuration page.

Step 2. After configuration, go to VPN > VPN Status > Site-to-Site VPN and select the corresponding VPN type to view the VPN tunnel status.

Show the location of the site-to-site VPN tunnel.

In manual mode, WireGuard VPN displays tunnel information as interface entries. For Auto mode, tunnel details appear under “AUTO_WIRE_GUARD_INTERFACE”. Click the Details button in the PEERS column to expand the information.

Display the VPN tunnel configured in manual mode.

Display the VPN tunnel configured in auto mode.

Configuration for SSL VPN

Step 1. Go to the VPN Server page and click Create New VPN Server, select SSL VPN as the VPN Type. The page will automatically populate the default configuration information. You can select the Interface and modify the relevant settings, then click Apply to save the configuration.

Show the SSL VPN server configuration page.

Step 2. Then go to VPN Server > User Management > User Group page, click Resource Management in the upper-right corner to create a Tunnel Resource.

Display the location of resource management.

In the Resource Management page, click Create New Tunnel Resource. On this page, you can restrict resources by IP addresses and protocols, or by domain names.

Display the create tunnel resource page.

Show the tunnel resource entries created.

Then, click the Resource Group tab next to the Tunnel Resource, click Create New Resource Group, and apply the tunnel resources created to different resource groups.

Display the create resource group page.

Show the resource group entries created.

Note: There are two default resource groups:Group_LANandGroup_ALL. Group_LAN refers to all devices behind the Server, and Group_ALL also includes resources for accessing the Internet.

Step 3. Navigate to VPN Server > User Management > User Group page, then click Create New User Group in the upper-right corner.

Display the location for creating user group.

Display the create new user group page.

After configuration, click Confirm to save settings. The Radius Attribute is only effective in the Radius authentication mode. It maps the user group with radius grouping information (which is carried by the CLASS attribute 25).

Note: If you want to implement the proxy Internet access for clients, please select Group_ALL for the resource group.

Step 4. Switch to the User List page and click Create New User in the upper-right corner. Then configure the Username and Password, select SSL VPN as the VPN Type, set the user Expiration Date, and choose the User Group created.

Create new user for SSL VPN.

Display the create SSL VPN user page.

After creation, you can view the User list and repeat the previous steps to create multiple User entries.

Display the list of created users.

Step 5. Navigate to VPN Server > Server page and click the Export button to the right of the SSL VPN Server entry. After exporting, clients can use this certificate file to connect to the server.

Show the location of the export button.

Controller v6.2 removes the pop-up prompt for verifying the IP or domain name required to connect to the server in the certificate.

If “Custom Server” is selected, the configuration will use the custom server address entered. If not selected, the WAN IP selected in the entry will be used. If the WAN interface lacks an IP address, it will use 0.0.0.0.

When using OpenVPN without selecting “Custom Server” and without WAN IP address, the exported certificate will not include the server's IP address or domain name.

For other VPN configurations in controller mode, please refer to the following:

How to configure Wireguard VPN on Omada Gateway | TP-Link

How to configure OpenVPN on Omada Gateway via Omada Controller | TP-Link

How to set up Site-to-Site Manual IPsec VPN Tunnels on Omada Gateway via Omada Controller | TP-Link

How to set up PPTP & L2TP VPN Server with Omada Gateway in Controller Mode | TP-Link

How to set up PPTP & L2TP VPN client with Omada Gateway in controller mode | TP-Link

SSL VPN Verification

Use the OpenVPN GUI on the client to import the configuration file, enter the corresponding username and password to connect.

Account 1: VPN Client implements proxy Internet access through VPN Server.

Show the connection verification page.

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.11. When the client accesses 8.8.8.8, the first hop is the VPN Tunnel. Because the data is encrypted, the corresponding IP address cannot be resolved. The second hop is the default gateway of the VPN Server, and all data of the client goes through the VPN Tunnel to realize proxy Internet access.

Show the tracert 8.8.8.8 page.

Navigate to Network Config > VPN > VPN Status > VPN Server page and click SSL VPN, client connection information will also be displayed here.

Display the SSL VPN tunnel.

Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30.

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.12. The VPN client can ping the device in VLAN 20 (192.168.20.100), but cannot ping the device in VLAN 30 (192.168.30.100). At the same time, the management interface of the router can be accessed through 192.168.20.1.

Display ping test screenshot.

Show that the router can be accessed through 192.168.20.

Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.13. The VPN client can ping the device in VLAN 20 (192.168.20.100) and the device in VLAN 30 (192.168.30.100). But the management interface of the router cannot be accessed through 192.168.20.1.

Show ping test screenshot.

The router cannot be accessed through 192.168.20.1.

Conclusion

Now you know about the updates on the VPN page. You can create VPN as needed.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Please Rate this Document

Related Documents

How to Use the Speed Test Feature on the Omada Controller v6.2 and above

Configuration Guide
03-04-2026
2168

How to configure Portal Authentication on Omada Controller (v6.2 and above)

Configuration Guide
12-04-2025
8984

What changes are there in Omada Controller v6 compared to v5?

FAQ
11-01-2025
15125

Overview of Omada EAP Power Supply

FAQ
07-23-2024
16663

Router & OC Overview of Regulatory Compliance

User Guide
07-16-2020
7486

SubscriptionTP-Link takes your privacy seriously. For further details on TP-Link's privacy practices, see TP-Link's Privacy Policy.

Email Error

Follow Us

About
Press
Partners
Learning Center
TP-Link Omada Omada Pro VIGI
Baltic / English

©2026 TP-Link Polska Sp. z o.o. and its affiliated companies. All rights reserved.

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy .

Your Privacy Choices

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy .

Basic Cookies

These cookies are necessary for the website to function and cannot be deactivated in your systems.

TP-Link

SESSION, JSESSIONID, accepted_local_switcher, tp_privacy_banner, tp_privacy_base, tp_privacy_marketing, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType

Youtube

id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ

Zendesk

OptanonConsent, __cf_bm, __cfruid, _cfuvid, _help_center_session, _pendo___sg__.<container-id>, _pendo_meta.<container-id>, _pendo_visitorId.<container-id>, _zendesk_authenticated, _zendesk_cookie, _zendesk_session, _zendesk_shared_session, ajs_anonymous_id, cf_clearance

Analysis and Marketing Cookies

Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.

The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Google Analytics & Google Tag Manager

_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>

Google Ads & DoubleClick

test_cookie, _gcl_au