UniFi Site Magic: How to Connect Two Business Locations (2026)
Step-by-step guide to setting up UniFi Site Magic for site-to-site VPN between business locations. Covers IP planning, topology, and non-UniFi alternatives.

Running UniFi at two business locations means two separate networks — each independently managed, with no built-in connection between them. A printer at headquarters is invisible to the branch. The shared file server isn't reachable from the other office. Security cameras across both sites can't be monitored from a single Protect console — not without a site-to-site link tying the two networks together.
UniFi Site Magic is that link. It uses the UniFi Site Manager dashboard to automatically establish an encrypted tunnel between your gateways — no manual VPN configuration, no additional hardware, and no ongoing software fee. The setup itself takes about five minutes, but three things need to be sorted first: confirming your gateways are compatible, making sure the two networks use different IP address ranges, and deciding whether you want a mesh or hub-and-spoke layout.
This guide works through each of those in order, then walks through the Site Magic setup process step by step.
Affiliate Disclosure: This article contains affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you.
Prerequisites at a Glance
Before opening Site Manager, confirm all of the following:
- UniFi Network Application: 9.0.108 or newer
- Gateway firmware: 4.1.3 or newer
- Compatible gateways: UDM Pro, UDM SE, UDM Pro Max, UCG Max, UCG Ultra, UCG Fiber, Dream Router 7, UXG Enterprise, or UXG Pro
- Account ownership: All participating gateways adopted under the same UI account owner
- Public IP: At least one site must have a publicly routable IP address (not CGNAT)
- Non-overlapping subnets: Each site must use a unique IP address range
What Does UniFi Site Magic Do?
UniFi Site Magic is an included SD-WAN feature that automatically builds and routes encrypted WireGuard tunnels between compatible UniFi gateways.
Site Magic is managed through the UniFi Site Manager dashboard (unifi.ui.com) and uses OSPF (Open Shortest Path First) as its dynamic routing protocol. If a WAN connection goes down, traffic reroutes automatically. Once the tunnels are active, devices across all connected locations can communicate as if they share a local network — cross-site printing, shared file servers, and unified UniFi Protect camera feeds all become accessible without additional configuration.
Which UniFi Gateways Support Site Magic?
Current UniFi Cloud Gateways and Independent Gateways support Site Magic, including the UDM Pro, UDM SE, UDM Pro Max, UCG Max, and Dream Router 7.
The legacy USG family (USG-3P, USG-Pro-4) does not support Site Magic. Additionally, not every supported gateway can serve every role — hardware capability determines whether a device can act as a hub or only as a spoke:
Hub-capable gateways (can serve as the central connection point in a hub-and-spoke topology):
- Enterprise Fortress Gateway (EFG)
- UDM Pro Max
- UDM Pro
- UDM SE
- UXG Enterprise
Spoke/mesh-only gateways (participate in Site Magic but cannot serve as hub):
- UCG Max ($279 — 2.5 Gbps throughput, ideal for branch offices)
- UCG Ultra
- UCG Fiber
- UCG Industrial
- Dream Router 7
- UXG Pro
UCG Ultra: Supported, But Not as a Hub
The Cloud Gateway Ultra supports Site Magic as of current firmware, but only as a spoke or mesh node. It cannot serve as the hub in a hub-and-spoke design. If your primary office runs a UCG Ultra and you need it to serve as the central connector for branch locations, upgrade to a hub-capable gateway such as the UDM Pro or UDM Pro Max; note that the UCG Max is also spoke/mesh-only, so it is not an upgrade for this purpose. For a simple two-office mesh where neither site needs to be a hub, two UCG Ultras work fine.
Hardware recommendations for most SMB deployments:
For branch locations where spoke-only is acceptable, the UCG Max ($279) offers solid throughput and integrated NVMe storage for Protect. For primary locations that need full hub capability, the UDM Pro ($379) is the standard choice for South Florida SMB deployments we configure.
If you're unsure whether your current equipment qualifies, the UniFi hardware overview covers the full lineup. For specs on the UCG Fiber and Dream Router 7, see the UniFi gateway comparison, or see our budget 2.5 Gbps UniFi network guide for entry-level expansion advice.
WireGuard throughput expectations by gateway class:
WireGuard is CPU-bound on UniFi hardware — there's no dedicated encryption offload chip. Throughput scales with the gateway's processor performance. The table below reflects community-reported figures from real site-to-site deployments; Ubiquiti does not publish official VPN throughput specs.
| Gateway | Class | Approx. WireGuard Throughput |
|---|---|---|
| UDM Pro Max | Hub-capable | 600–800 Mbps |
| UDM Pro / UDM SE | Hub-capable | 500–650 Mbps |
| UCG Max | Spoke/mesh | 500–650 Mbps |
| UCG Ultra | Spoke/mesh | ~500–600 Mbps |
| Dream Router 7 | Spoke/mesh | ~300–400 Mbps |
For most business internet connections (which top out at 1 Gbps symmetrical even on fiber), any of the above gateways will comfortably handle Site Magic throughput. One important caveat: if IDS/IPS is running simultaneously on the same gateway, throughput can drop significantly on the standard UDM Pro (to roughly 250–500 Mbps under load) because WireGuard and IDS/IPS both compete for the same CPU. The UDM Pro Max has considerably more CPU headroom, so it holds WireGuard throughput up far better with IDS/IPS active, which is the main reason it's the preferred hub for high-traffic deployments where deep packet inspection is non-negotiable.
Site Magic Is IPv4-Only
Site Magic tunnels operate exclusively over IPv4. If a branch location has an IPv6-only WAN connection — increasingly common with some ISPs and cellular providers — Site Magic will not be able to establish a tunnel from that site. IPv4 connectivity is required at every participating location. Ubiquiti has acknowledged IPv6 support as a planned addition, but no release timeline has been published as of April 2026.
Verify Your IP Address Plan Avoids Subnet Overlap
Every connected location must use a unique local IP address range. Before opening Site Manager, pull up the DHCP settings at both sites, note the ranges in use, and renumber any site whose range conflicts with another — the conflict must be resolved at the network level, not inside Site Manager.
A simple two-site plan:
| Site | Network | Default Gateway | Usable Range |
|---|---|---|---|
| Main Office (HQ) | 10.0.1.0/24 | 10.0.1.1 | 10.0.1.2–10.0.1.254 |
| Branch Office | 10.0.2.0/24 | 10.0.2.1 | 10.0.2.2–10.0.2.254 |
For sites running multiple VLANs — a common setup when corporate, IoT, and guest traffic are segmented — extend the plan so each VLAN at each site has a unique subnet:
| Site | VLAN | Network |
|---|---|---|
| Main Office | Corporate | 10.0.1.0/24 |
| Main Office | IoT | 10.0.3.0/24 |
| Main Office | Guest | 10.0.5.0/24 |
| Branch | Corporate | 10.0.2.0/24 |
| Branch | IoT | 10.0.4.0/24 |
| Branch | Guest | 10.0.6.0/24 |
If both sites currently use 192.168.1.x, one will need to be renumbered before Site Magic can be configured. That means updating static IPs, DHCP reservations, printer configurations, and any device with a hardcoded address. In our experience working with South Florida businesses acquiring a second location, the new site almost always arrives with a default 192.168.1.0/24 setup from the previous tenant. Plan for 2–4 hours to renumber it cleanly before starting.
Clean IP planning is still the recommended approach — it keeps routing transparent, simplifies troubleshooting, and avoids connectivity constraints down the line.
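An added example, not from this article or from Ubiquiti: a small Python check that flags overlapping subnets in a multi-site plan and suggests a free /24 to renumber into. The site names, VLAN names and CIDRs in PLAN are taken from the tables above; CONFLICT_PLAN is a constructed scenario (a second location still on the previous tenant's 192.168.1.0/24) included to show a failure. It uses only the standard library.

```python
"""Added example (not Ubiquiti code): overlap check for a multi-site Site Magic IP plan.

Site Manager refuses to build tunnels over overlapping ranges, and mesh topologies have
no NAT workaround at all, so catch conflicts before opening the dashboard.
"""
from ipaddress import ip_network
from itertools import combinations

# Plan mirroring the multi-VLAN table in the article.
PLAN = {
    "Main Office": {"Corporate": "10.0.1.0/24", "IoT": "10.0.3.0/24", "Guest": "10.0.5.0/24"},
    "Branch":      {"Corporate": "10.0.2.0/24", "IoT": "10.0.4.0/24", "Guest": "10.0.6.0/24"},
}

# Constructed scenario: the new location arrived with the previous tenant's defaults.
CONFLICT_PLAN = {
    "HQ":     {"Corporate": "192.168.1.0/24"},
    "Branch": {"Corporate": "192.168.1.0/24", "Cameras": "192.168.1.128/25"},
}


def _entries(plan):
    # strict=True rejects CIDRs with host bits set (e.g. "10.0.1.1/24"), which usually
    # means someone copied the gateway address instead of the network address.
    return [(site, vlan, ip_network(cidr, strict=True))
            for site, vlans in plan.items()
            for vlan, cidr in vlans.items()]


def find_overlaps(plan):
    """Return every pair of networks that overlap, across sites and within a site.

    Each item is (site_a, vlan_a, site_b, vlan_b, cidr_a, cidr_b). Within-site overlaps
    are reported too: they break local routing before Site Magic is even involved.
    """
    conflicts = []
    for (sa, va, na), (sb, vb, nb) in combinations(_entries(plan), 2):
        if na.overlaps(nb):
            conflicts.append((sa, va, sb, vb, str(na), str(nb)))
    return conflicts


def next_free_24(plan, base="10.0.0.0/16"):
    """Suggest the lowest /24 inside `base` that overlaps nothing already planned.

    Use it to pick the target range when a site has to be renumbered. Returns None if
    `base` is exhausted.
    """
    used = [net for _, _, net in _entries(plan)]
    for candidate in ip_network(base).subnets(new_prefix=24):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for label, plan in (("clean plan", PLAN), ("conflicting plan", CONFLICT_PLAN)):
        problems = find_overlaps(plan)
        print(f"{label}: {len(problems)} overlap(s)")
        for sa, va, sb, vb, a, b in problems:
            print(f"  {sa}/{va} {a} overlaps {sb}/{vb} {b}")
    print("suggested /24 for renumbering the conflicting branch:",
          next_free_24(CONFLICT_PLAN, base="192.168.0.0/16"))
```

Running it reports three overlaps in CONFLICT_PLAN (the two Corporate ranges collide, and the Cameras /25 sits inside both) and suggests 192.168.0.0/24 as the first free block; the clean plan reports none. Feed it the DHCP ranges from both sites before you start, and keep the plan file as the record you extend when a third location is added.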
Auto-Scale and NAT Spoke VPNs: A Workaround for Overlapping Subnets
If renumbering a site is not immediately feasible, UniFi's "Auto-Scale and NAT Spoke VPNs" option (available in hub-and-spoke configurations) applies a Source NAT rule to translate spoke traffic into a unique /24 subnet before routing it to the hub. This lets Site Magic establish tunnels even when subnets overlap.
Two important limitations apply:
- Hub-and-spoke only — this feature is not available in mesh topologies, which require non-overlapping address spaces.
- Spoke-initiated sessions only — because spoke traffic is source-NATed, the hub only ever sees translated addresses and cannot open new connections to devices behind a NAT'd spoke. Any service at the branch that must be reached from headquarters (network printers, local servers, cameras) is unreachable from the hub side; only connections opened from the spoke work.
Auto-Scale NAT is a practical stopgap, not a replacement for proper IP planning.
Proper IP planning ensures your Site Magic tunnels and local network routing remain clean as you add locations.
Choose Between Mesh and Hub-and-Spoke Topologies
Use a mesh topology when all sites need to communicate directly with each other. Use hub-and-spoke when branches primarily need access to central resources at headquarters.
Mesh topology: Every site connects directly to every other site. Traffic flows site-to-site without passing through a central bottleneck. Best for retail chains or distributed organizations where Location B and Location C need to share data directly. Supports up to 20 sites (requires UniFi Network Application 9.0.108+ and Gateway firmware 4.1.3+ — earlier firmware versions capped mesh at 15 sites).
Hub-and-spoke topology: Branch locations establish tunnels only to the hub. Branches can still communicate with each other, but all traffic must route through the HQ gateway rather than flowing directly site-to-site — a pattern sometimes called "hairpinning" or "tromboning." This is best for businesses where branches primarily need access to central resources — a warehouse connecting to accounting servers, a satellite office connecting to the primary file server — since routing heavy branch-to-branch traffic through headquarters will consume bandwidth and CPU cycles at the hub. Site Magic supports up to 1,000 tunnels in hub-and-spoke mode, though practical capacity depends heavily on the hub gateway's CPU headroom. The Enterprise Fortress Gateway (EFG), with its 18-core processor, is built for high tunnel density at scale; a UDM Pro Max handles large SMB deployments comfortably, while a standard UDM Pro is best suited for smaller hub configurations.
A useful framing question: does Location B need to communicate directly with Location C, or only with Location A?
- If direct branch-to-branch communication is needed → Mesh
- If branches primarily need HQ access (and any branch-to-branch traffic can tolerate routing through the hub) → Hub-and-spoke
For most small businesses with two or three locations and no strict branch-isolation requirement, mesh is simpler — no hub designation needed, and the tunnel count stays manageable. Hub-and-spoke becomes the right architecture when branches should only reach HQ, or should be isolated from each other; it requires a hub-capable gateway at HQ, while spoke/mesh-only models such as the UCG Max and UCG Ultra can fill the branch role.
Spoke Isolation in Hub-and-Spoke
Site Manager includes a built-in "Isolate Spoke Networks" option in hub-and-spoke configurations. Enabling it prevents spokes from routing traffic to each other through the hub — only spoke-to-hub traffic is permitted. This is useful when branch locations should not have visibility into each other's networks even indirectly.
High Availability (Shadow Mode) Compatibility
If the primary hub gateway runs in a Shadow Mode (VRRP) high-availability pair, Site Magic tunnels are maintained through a failover event. The shadow gateway inherits the primary's configuration and network identity, so active tunnels do not need to drop and re-negotiate when the shadow assumes the primary role.
How to Configure Site Magic in UniFi Site Manager
Log into UniFi Site Manager, select Site Magic, choose your topology, select the participating sites, and click Connect to build the tunnels.
Minimum requirements before starting:
- UniFi Network Application: version 9.0.108 or newer
- UniFi Gateway firmware: version 4.1.3 or newer
- All gateways adopted under the same UI account owner
- At least one gateway with a publicly routable IP address (see CGNAT section below)
- Non-overlapping subnets at all participating sites
Setup steps:
1. Log in to unifi.ui.com using the account that owns all participating gateways.
2. Select Site Magic from the left sidebar. If a site is missing from the interface, that gateway isn't adopted under this account — confirm ownership before continuing.
3. Click Get Started and select your topology (Mesh or Hub-and-Spoke).
4. Name the SD-WAN group. Something descriptive: "HQ-Branch-Miami" or "Warehouse-HQ." This name appears in dashboards and monitoring.
5. Select the participating sites. In hub-and-spoke, designate the hub site at this step.
6. Select which networks to share. Site Magic lets you advertise specific VLANs or subnets across the tunnel — you don't have to expose everything. Sharing corporate VLANs while excluding guest networks is the standard starting point.
7. Resolve any subnet conflicts. Site Manager flags overlapping ranges before proceeding. You cannot complete setup until conflicts are resolved.
8. Click Connect. Site Manager provisions the WireGuard tunnels automatically. Green status indicators in the Site Magic dashboard confirm active tunnels with per-tunnel throughput graphs.
9. Test from each location. From a device on the branch subnet, ping a device on the HQ subnet (ping 10.0.1.X). Test access to a shared resource — a network printer, a mapped drive, a camera feed in Protect. Verify traffic flows in both directions.
How Do You Fix Common Site Magic Connection Errors?
The most common Site Magic errors are caused by overlapping IP subnets, gateways adopted to different accounts, or firewalls blocking the WireGuard handshake.
Missing gateway in the interface: The gateway at that site was adopted under a different UI account owner. Even if it's the same organization, a gateway adopted to a personal account rather than the business account won't appear. Transfer ownership to the primary admin account via the UI Account settings.
Tunnel status showing "Degraded": Degraded status means one side initiated the WireGuard handshake but tunnel traffic is being dropped. Check for upstream firewalls or ISP modems that filter UDP. A common mistake is opening only UDP 500 and 4500: those are IPsec (IKE and NAT-T) ports and have nothing to do with WireGuard, which runs over a single UDP port of its own, so confirm that UDP to and from the gateway isn't being blocked rather than adding IPsec rules. This is common on business-class ISP connections where the provider-supplied modem has a strict firewall policy enabled by default, or where the modem is doing its own NAT in front of the gateway. Putting the ISP modem in bridge mode resolves this in most cases.
Subnet overlap after tunnel attempts: If Site Manager didn't flag this before setup, it will surface as failed routing after tunnels appear active. Traffic destined for the remote site routes locally instead. Verify DHCP ranges at both sites and renumber any overlap.
ISP reliability and failover: Site Magic reconnects automatically when a WAN connection recovers, but users experience an outage during the gap. For locations where ISP reliability is a concern, adding a 5G failover connection before deploying Site Magic provides continuity during primary WAN failure. The 5G failover setup guide covers this configuration.
Does Site Magic Work Over Starlink or Cellular (CGNAT)?
Site Magic can traverse carrier-grade NAT, but only if at least one gateway in the group has a publicly routable IP address — that site acts as the anchor for all others.
Starlink and most cellular carriers use CGNAT, meaning the WAN address assigned to a gateway is shared with other subscribers and is not directly reachable from the internet. Site Magic requires at least one endpoint in the group to be publicly addressable in order to broker the initial WireGuard connection.
| Scenario | Site Magic Result |
|---|---|
| HQ has public IP, branch is on Starlink/CGNAT | ✅ Works — HQ anchors the tunnel |
| Both sites have public IPs (static or dynamic) | ✅ Works — standard mesh or hub-and-spoke |
| Both sites are on Starlink or cellular CGNAT | ❌ Fails — no public anchor available |
| HQ has public IP, branch has dynamic public IP | ✅ Works — Site Magic detects the address change and re-establishes the tunnel to the new endpoint automatically, typically within seconds to a minute depending on the ISP's reconnection speed |
When all sites are behind CGNAT, Site Magic cannot establish tunnels. In that scenario, Tailscale is a practical alternative — it is specifically designed to traverse CGNAT from both ends using its coordination server infrastructure, with no public IP required at either site.
Failover behavior with a backup WAN: In hub-and-spoke configurations, you can configure multiple tunnel paths per spoke to provide redundancy across WAN interfaces. If the primary ISP (fiber with a public IP) goes down and the failover is a CGNAT cellular link, the tunnel may not re-establish until the primary WAN recovers — unless the hub site also has a public IP on the failover interface.
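An added example, not from this article or from Ubiquiti: a Python pre-flight check that classifies each site's WAN address and applies the scenario table above. It knows the RFC 6598 shared address space (100.64.0.0/10) that Starlink and cellular carriers hand out, and it also flags an RFC 1918 WAN address, which means the gateway is behind another NAT device (usually an ISP modem not in bridge mode). The site names and addresses in the demo are constructed; 203.0.113.0/24 is documentation space standing in for a real public IP.

```python
"""Added example (not Ubiquiti code): does this Site Magic group have a public anchor?

Site Magic needs IPv4 at every site and at least one site whose WAN address is publicly
routable. 100.64.0.0/10 is RFC 6598 CGNAT space; RFC 1918 space on a WAN interface means
double NAT, typically an ISP modem that is not in bridge mode.
"""
from ipaddress import ip_address, ip_network

CGNAT = ip_network("100.64.0.0/10")
# Ranges that are never reachable from the internet; a WAN address here means double NAT.
NOT_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" network
)]


def classify_wan(addr):
    """Return 'public', 'cgnat', 'double-nat' or 'ipv6' for a WAN address string.

    A site is represented by one WAN address, so an IPv6 address here means the site has
    no IPv4 WAN at all.
    """
    ip = ip_address(addr)
    if ip.version == 6:
        return "ipv6"          # Site Magic is IPv4-only; an IPv6-only WAN cannot join
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in NOT_ROUTABLE):
        return "double-nat"
    return "public"


def anchor_check(sites):
    """sites: {site_name: wan_address}. Returns (ok, detail).

    Mirrors the scenario table: every site needs IPv4, and at least one site must be
    publicly routable so the others can connect outbound to it.
    """
    kinds = {name: classify_wan(addr) for name, addr in sites.items()}
    no_v4 = sorted(n for n, k in kinds.items() if k == "ipv6")
    if no_v4:
        return False, f"IPv4 required at every site; IPv6-only WAN at {no_v4}"
    anchors = sorted(n for n, k in kinds.items() if k == "public")
    if not anchors:
        return False, f"no publicly routable anchor; WAN types: {kinds}"
    return True, f"anchor site(s): {anchors}; other sites connect outbound to them"


if __name__ == "__main__":
    # Constructed scenarios matching the table in the article.
    scenarios = {
        "HQ public, branch on Starlink": {"HQ": "203.0.113.5", "Branch": "100.72.3.4"},
        "both on CGNAT":                 {"HQ": "100.65.9.1", "Branch": "100.72.3.4"},
        "branch behind ISP modem NAT":   {"HQ": "203.0.113.5", "Branch": "192.168.0.2"},
        "branch IPv6-only":              {"HQ": "203.0.113.5", "Branch": "2001:db8::1"},
    }
    for label, sites in scenarios.items():
        print(f"{label}: {anchor_check(sites)}")
```

The "branch behind ISP modem NAT" case passes the anchor check because HQ is public and the branch only needs to connect outbound, but a double-nat result is still worth fixing: it is the same condition that produces the "Degraded" tunnel status described earlier. Note that Python's own `is_private` flag is not used here because it also marks documentation ranges such as 203.0.113.0/24 as private, which would misclassify the demo addresses.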
Do Firewall Rules Apply to Site Magic Traffic?
Yes. Site Magic tunnel traffic is subject to the standard firewall rules on the destination gateway. Site Magic does not bypass local security policies.
This is a detail that surprises many administrators during initial setup. Site Magic establishes the tunnel and handles routing, but once traffic arrives at the destination site, the receiving gateway evaluates it against its existing firewall rules. If that gateway has a broad inter-VLAN block rule — which is common in segmented network designs — cross-site traffic will be dropped even though the tunnel is active.
How to configure access correctly:
Modern UniFi Network versions use a Zone-Based Firewall. For Site Magic traffic, create an Allow policy from the VPN zone to your target Internal zone (or specific VLAN), specifying the remote site's subnet as the source.
On older configurations using LAN In rules, create an Allow rule where:
- Source: the remote site's subnet (e.g., 10.0.2.0/24)
- Destination: your local subnet (e.g., 10.0.1.0/24)
- Action: Accept
Place the Allow rule above any existing Drop rules. If a block-all inter-VLAN or RFC1918 block rule sits higher in the list, incoming Site Magic traffic will be evaluated against it first and dropped before the Allow rule is reached.
Site Magic Only Shares What You Select
During setup, Site Manager lets you choose which networks to advertise across the tunnel. Selecting only the corporate VLAN (and not IoT or guest) limits which traffic can route between sites at the tunnel level. Any traffic from non-selected networks is blocked before it reaches the firewall rule stage.
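An added example, not from this article or from Ubiquiti: a Python model of first-match rule evaluation that shows why the Site Magic allow rule has to sit above a broad RFC1918 block, plus a static lint that finds allow rules an earlier drop rule has made unreachable. The rule dictionaries, names and hosts are constructed for this example; UniFi stores rules differently, but its LAN In chain and zone policy lists are evaluated top to bottom with first match winning, and this model assumes an implicit accept when nothing matches.

```python
"""Added example (not Ubiquiti code): first-match evaluation of LAN In-style rules.

Shows the ordering problem from the article: an Allow rule for the remote site's subnet
placed below a "block RFC1918 to RFC1918" rule never fires, so tunnel traffic is dropped
even though the tunnel is up.
"""
from ipaddress import ip_address, ip_network

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The rule the article tells you to add: HQ (10.0.1.0/24) accepts traffic from the branch.
ALLOW_BRANCH = {"name": "Allow Site Magic from Branch", "action": "accept",
                "src": ["10.0.2.0/24"], "dst": ["10.0.1.0/24"]}
# A typical segmentation rule already present at HQ.
BLOCK_PRIVATE = {"name": "Block RFC1918 to RFC1918", "action": "drop",
                 "src": RFC1918, "dst": RFC1918}

WRONG_ORDER = [BLOCK_PRIVATE, ALLOW_BRANCH]   # drop rule evaluated first
RIGHT_ORDER = [ALLOW_BRANCH, BLOCK_PRIVATE]   # allow rule placed above the drop


def _matches(rule, src, dst):
    return (any(src in ip_network(n) for n in rule["src"])
            and any(dst in ip_network(n) for n in rule["dst"]))


def first_match(rules, src_ip, dst_ip, default="accept"):
    """Return (action, rule_name) for the first rule matching this src/dst pair.

    `default` is the assumed chain default when nothing matches.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if _matches(rule, src, dst):
            return rule["action"], rule["name"]
    return default, "(implicit default)"


def _covered(inner, outer):
    # Every network in `inner` lies inside some network in `outer`.
    return all(any(ip_network(a).subnet_of(ip_network(b)) for b in outer) for a in inner)


def shadowed_accepts(rules):
    """Static lint: accept rules that an earlier drop rule fully covers can never match.

    Returns (shadowed_rule_name, shadowing_rule_name) pairs. Run it over a rule list
    before assuming an allow rule you just added is doing anything.
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "accept":
            continue
        for earlier in rules[:i]:
            if (earlier["action"] == "drop"
                    and _covered(rule["src"], earlier["src"])
                    and _covered(rule["dst"], earlier["dst"])):
                findings.append((rule["name"], earlier["name"]))
                break
    return findings


if __name__ == "__main__":
    branch_host, hq_server, branch_guest = "10.0.2.50", "10.0.1.10", "10.0.6.20"
    print("wrong order :", first_match(WRONG_ORDER, branch_host, hq_server))
    print("right order :", first_match(RIGHT_ORDER, branch_host, hq_server))
    print("guest VLAN  :", first_match(RIGHT_ORDER, branch_guest, hq_server))
    print("shadowed    :", shadowed_accepts(WRONG_ORDER))
```

With the drop rule first, a branch host reaching an HQ server is dropped by "Block RFC1918 to RFC1918"; with the allow rule moved above it, the same flow is accepted, while the branch guest VLAN (not covered by the allow rule) is still dropped, which is the behaviour you want. The lint reports the allow rule as shadowed in the wrong ordering and nothing in the right one.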
What Are the Best Alternatives If You Don't Have UniFi at Every Location?
If a site runs non-UniFi hardware, the best alternatives are Tailscale subnet routing, NordLayer, or manual WireGuard on compatible third-party hardware.
Site Magic cannot bridge connections to Cisco, Meraki, Netgear, or ISP-provided routers. For mixed-vendor environments, three options are worth considering:
Option A: Tailscale as a Subnet Router
Install Tailscale on any always-on device at the non-UniFi site — a cheap mini PC, an existing Windows server, or a NAS. That device advertises the branch subnet to the Tailscale mesh, making the entire local network reachable from other Tailscale nodes and subnet routers.
Cost: $8/user/month on the Standard plan (as of April 2026 — Tailscale renamed and repriced its business tiers). A free Personal plan covers up to 6 users and 100 devices, which works for some smaller setups.
Limitation: Requires a device at the non-UniFi site to stay powered on at all times. Authentication depends on Tailscale's coordination infrastructure. See tailscale.com/pricing for current plan details.
Option B: NordLayer Site-to-Site
A software overlay that works on any hardware. Appropriate when you want remote worker VPN and site-to-site covered under one subscription rather than separate tools. See the NordLayer business VPN review for a detailed breakdown.
Cost: $8/user/month (annual billing) on the Lite plan. Note the 5-seat minimum — you're billed for at least five seats regardless of headcount. Get NordLayer
Option C: Manual WireGuard
If the non-UniFi router supports WireGuard — pfSense, OPNsense, and most Mikrotik devices do — configure a persistent WireGuard tunnel from the UniFi gateway to the third-party device. Higher setup complexity, zero recurring cost. The multi-location business networking guide covers WireGuard planning alongside other SD-WAN alternatives.
A Note on Policy-Based Routing (PBR) with Site Magic
Administrators sometimes ask whether Site Magic tunnels can be used as a PBR target — for example, routing traffic from a specific VLAN or device through the tunnel while the rest of the site uses the local WAN. The short answer is: not reliably. Site Magic tunnels are designed to advertise internal subnets between sites, not to serve as general-purpose routable interfaces. Users who attempt this frequently encounter MTU/MSS fragmentation issues that cause streaming services, speed tests, and secure web connections to fail.
If selective routing over a site-to-site link is a requirement, the more reliable path is a manual WireGuard tunnel between the two gateways (configured in Settings → VPN → Site-to-Site, separate from Site Magic), then applying a standard Traffic Route in the Policy Engine to point the desired source — a specific VLAN or device — at that manual tunnel interface.
Decision table:
| Scenario | Recommended Option |
|---|---|
| Non-UniFi router, can add an always-on device | Tailscale subnet router |
| Non-UniFi site + remote worker access needed | NordLayer |
| pfSense / OPNsense / Mikrotik, technical team | Manual WireGuard |
| Want simplest long-term path | Replace with UCG Max, use Site Magic |
Should You Use Site Magic, Tailscale, or UniFi Identity Endpoint?
Use Site Magic for free, automated connections between UniFi hardware. For remote workers connecting to those sites, you have two primary options: UniFi Identity Endpoint (native) or Tailscale (overlay).
UniFi Identity Endpoint (formerly Teleport):
- Pros: 100% native to the UniFi ecosystem, free, and managed directly from the same dashboard as your Site Magic tunnels.
- Cons: It suffers from the "multi-hop" routing problem. If a remote worker connects to the Headquarters gateway, they can access HQ servers perfectly. However, if they need to access a resource at the Branch Office, that traffic must hop to HQ and then traverse the Site Magic tunnel. UniFi often drops this transit routing by default.
Tailscale ($8/user/month, Standard plan):
- Pros: Solves the multi-hop problem natively. The remote worker's device acts as a mesh node and connects directly to Subnet Routers at both HQ and the Branch simultaneously. It also traverses Carrier Grade NAT (CGNAT) without requiring a public IP at the endpoints, and works with non-UniFi hardware.
- Cons: Requires a recurring per-user subscription and an always-on subnet router device (like a mini-PC, NAS, or server) at each site.
Some businesses use Site Magic for office-to-office links and Tailscale (or Identity Endpoint) for individual remote workers — both tools running in parallel without conflict. A 12-person company with three offices and four employees working remotely, for example, could use Site Magic for inter-office connectivity at no recurring cost while running Tailscale Standard for those four remote users ($32/month). For a broader look at remote worker VPN alternatives beyond Tailscale, see our dedicated guide.
For all-UniFi networks, Site Magic is the practical choice for fixed locations. Identity Endpoint is perfect for simple remote access to a single site, while Tailscale makes more sense when there is non-UniFi hardware, CGNAT limitations, or complex multi-site routing requirements for remote workers.
For a broader look at multi-site connectivity — including WireGuard planning, MPLS alternatives, and other SD-WAN overlays — see the multi-location business networking guide.
Related Resources
- Multi-Location Business Networking Guide — The strategic comparison guide this article feeds into: SD-WAN options, WireGuard planning, and MPLS alternatives for growing businesses.
- Connecting Multiple Business Locations Guide — Plain-English overview for business owners still deciding which approach fits; read this before committing to Site Magic if the decision isn't made yet.
- UniFi Business Network Guide — Full hardware orientation for businesses building or expanding a UniFi deployment.
- UniFi Gateway Comparison: UDR7, UX7, UCG Fiber — Detailed look at current UniFi gateway options for new location hardware decisions.
- NordLayer Business VPN Review — Full review of NordLayer for businesses with mixed hardware or bundled remote access requirements.
- 5G Failover Setup Guide — Adding a backup WAN connection at locations where ISP reliability is a concern before deploying Site Magic.