Setup L2TP over IPSec VPN server on EdgeRouter
An L2TP over IPSec VPN server will securely allow access to the local LAN from remote locations. This guide will walk you through configuring and setting up the VPN server on a Ubiquiti EdgeRouter. Which will allow for client VPN connections using the built-in VPN client software that's already included in Windows, Mac, Linux, iOS, and Android.
This configuration can be useful in the following scenarios:
- It'll allow employees a secure method of working from home by enabling them to connect to the local LAN from remote locations.
- Network Administrators can use this VPN to remotely administer devices on the local LAN. Such as setting up scanning profiles on an office copier.
In some instances, L2TP over IPSec may not be feasible for a remote connection. For example, a user may run into issues connecting to the VPN from select public locations. Such as airports, cafes, etc. This is due to third party administration that's in place disallowing or restricting the services necessary for the L2TP over IPSec VPN to establish. As a result, the less secure PPTP VPN server setup can be configured as an alternative.
Additionally, the nature of L2TP over IPSec VPN doesn't usually allow for two separate connections from two different client computers connecting from the same public IP address. The above guide for setting up a PPTP VPN server can resolve this issue in this case as well, but if multiple clients are expected to take place remotely from the same location with the same public IP address, it'll be more ideal to configure a site-to-site VPN to connect these two networks together.
Step 1: Obtain access to the router's command line interface
This can be done in one of two ways. The Ubiquiti EdgeRouters have a virtual SSH utility that's built into the web interface for the router. You'll see the shortcut to launch this virtual SSH utility at the top right of the router's web interface after logging in.
The other method of obtaining access to the router's command line interface is by using a third party SSH application. Such as PuTTy. The IP address you'll enter into the SSH client for the connection is usually the entry that you have for the workstation's default gateway.
Step 2: Enter Configuration Mode on the router
Before we can issue any commands to configure the VPN server, we must first issue the command to enter the EdgeRouter's configuration mode. This is done by issuing the command configure into the command line interface. We'll know that we're in configuration mode when the suffix in the prompt changes from a dollar sign ($) to a hashtag (#) symbol.
ubnt@EdgeRouter:~$ configure
[edit]
ubnt@EdgeRouter#
Step 3: Issue the IPSec commands
The following IPSec commands will set the IPSec WAN interface, allow all NAT networks to pass through the IPSec interface, and enable NAT traversal to ensure that the VPN connection stays open across networks that use NAT. You'll replace [WAN INTERFACE] in the command below with the interface on the EdgeRouter that's configured as the WAN interface. If you've used one of the setup wizards during the initial setup of the EdgeRouter, this interface will likely be the eth0 interface.
set vpn ipsec ipsec-interfaces interface [WAN INTERFACE]
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
Step 4: Enable local authentication & set a username and password
Issue the following commands to enable local authentication mode for the L2TP over IPSec VPN configuration on the EdgeRouter. This is an alternative to RADIUS configuration that'll be discussed in a later article.
The second command below creates an initial user in the local authentication database. A single user is required when performing the initial setup of the L2TP over IPSec VPN configuration. Although you can issue this command multiple times to setup a number of different users, it may be easier to use the Config Tree from the web interface that'll be discussed later in this guide. You'll replace [USERNAME] and [PASSWORD] in the command below with the respective username and password of the user that needs to be setup.
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username [USERNAME] password [PASSWORD]
Step 5: Set the L2TP over IPSec VPN IP address pool
This address pool is the range of IP addresses assigned to the users that'll connect with the L2TP over IPSec VPN server. Each user will be assigned one of these IP addresses when they're connected. It's recommended that this pool be large enough to accommodate the total number of users that'll be connected to the VPN server at any given time. This pool should also be created so that it doesn't conflict with any other IP address pools, such as the DHCP server, or any statically assigned devices to avoid IP address conflicts.
The EdgeRouter allows you to use IP addresses in this pool that are part of its local LAN interface. The commands below assume that we have a local LAN subnet of 192.168.5.0/24 and we're setting an IP address pool for this VPN server that ranges from 192.168.5.190 to 192.168.5.199. Making a total of 10 IP addresses available to VPN clients.
set vpn l2tp remote-access client-ip-pool start 192.168.5.190
set vpn l2tp remote-access client-ip-pool stop 192.168.5.199
Step 6: Set the DNS servers that'll be assigned to VPN clients
The commands below will set the DNS server addresses that'll be assigned to clients connecting to the L2TP over IPSec VPN server. If you have a domain environment, it's recommended to set the domain controller's IP address as [DNS SERVER 1] below. This will allow clients to resolve hostnames of computers while connected to the VPN.
If you don't have a domain environment, using Google's public DNS servers or your ISP's DNS servers will be sufficient here. Replace [DNS SERVER 1] with the primary DNS server and [DNS SERVER 2] with the secondary DNS server in the commands below.
set vpn l2tp remote-access dns-servers server-1 [DNS SERVER 1]
set vpn l2tp remote-access dns-servers server-2 [DNS SERVER 2]
Step 7: Set the authentication mode to use a pre-shared-secret
The pre-shared-secret is a shared secret key that'll be used by all users connecting with the L2TP over IPSec VPN server. This will be different from the unique username and password combination that'll be assigned to each user later on in this guide. Configuring the connection client software will require that a user have both this secret key and their username and password to successfully establish a connection.
Enter the following commands into the command prompt. The first command will enable use of the pre-shared-secret in the L2TP over IPSec VPN configuration and the second command will set the pre-shared-secret that'll be used. Replace [PRE-SHARED-SECRET] in the command below with a secure string that'll be used as the secret key in this configuration.
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret [PRE-SHARED-SECRET]
Step 8: Set the listening addresses or the DHCP interface
The last step of the command line configuration is to set the listening interface for the L2TP over IPSec server. This will be the WAN interface on your router that'll accept these inbound connections from the Internet. How you configure this listening interface will depend on whether or not you have a static or dynamic IP address with your ISP.
The following commands are used if you have a static IP address with your ISP. Replace [WAN IP ADDRESS] in the command below with your usable public IP address or the IP address assigned to your router's WAN interface. Replace [WAN DG ADDRESS] in the command that follows with the WAN default gateway that was provided to you by your ISP.
set vpn l2tp remote-access outside-address [WAN IP ADDRESS]
set vpn l2tp remote-access outside-nexthop [WAN DG ADDRESS]
If you have a dynamic IP address with your ISP or an IP address that you obtain from your ISP via DHCP, then you'll use the command below to configure the listening interface instead. Replace [WAN INTERFACE] in the command below with the WAN interface that's configured on your EdgeRouter. If you've used the wizard during the initial configuration of the EdgeRouter, then this interface should be eth0.
set vpn l2tp remote-access dhcp-interface [WAN INTERFACE]
Step 9: Commit and save the VPN server configuration
Now that all of the commands have been entered in the previous steps, the changes to the configuration will need to be committed and saved. This is done by entering the two commands below. You should receive additional output after the commit command is issued. Stating that services for the VPN server are starting. If you've received any errors after issuing this command, double check that you've completed all of the prior steps and then attempt the command again. Otherwise, continue with issuing the save command to save the EdgeRouter's running configuration to the startup configuration.
ubnt@EdgeRouter# commit
ubnt@EdgeRouter# save
Step 10: Add firewall rules required to accept VPN connections
Now that the L2TP over IPSec VPN server is configured, the firewall on the EdgeRouter must be configured to allow incoming connections to the VPN server. Assuming that you've used the setup wizard during the initial configuration, you should have a firewall policy named WAN_LOCAL. This is the policy that you'll be editing to add these additional rules to. Perform the following steps to add the appropriate rules:
- Log into the web interface of the EdgeRouter.
- Click the Firewall/NAT and then Firewall Policies in the sub-tabs.
- Click Edit Ruleset under the Actions dropdown for the WAN_LOCAL policy
- Select the Add New Rule button.
- On the Basic tab, enter
Allow L2TPin the Description field, select Accept as the action, and UDP as the Protocol. - On the Destination tab, enter
500,1701,4500in the Port field. Leave all of the other fields blank. - Save this rule and then select Add New Rule again to add another.
- On the Basic tab, enter
Allow L2TP ESPin the Description field, select Accept as the action, and Choose a protocol by name. - Select ESP as the protocol in the drop down that appears and then save the rule.
- Drag and drop the two new rules so that they're above the two default rules Allow established related and Drop invalid state. Then select the button to Save Rule Order.
Step 11: Add additional VPN users via the Config Tree
If additional users are required for login to the L2TP over IPSec VPN server, instead of adding them via the command prompt as we did in step 4 with the setup of the initial user, it may be easier to accomplish this process via the Config Tree tab that's located in the web interface of the EdgeRouter. If you don't see this tab, you may need to update the firmware on your EdgeRouter to a later version. Follow the steps below to add additional users via the Config Tree:
- Log into the EdgeRouter's web interface and open the Config Tree tab.
- Expand VPN -> L2TP -> Remote-Access -> Authentication -> Local-Users -> Username.
- Click the Add button to add as many users that are needed and enter the applicable usernames.
- Click the Update List button and then select the newly created users in the pane on the left.
- Set a secure and unique password to each user account that was created.
- Click the Preview button at the bottom and then Apply Now to save the configuration
Step 12: Configure VPN client on the computer
Now that the L2TP VPN server is setup, the VPN client software on the client computer can be configured to establish the connection. This will be the computer that a user will use to connect with the remote network to access a host or service on the EdgeRouter's local LAN. The instructions below will outline the steps to configure the VPN client on most Windows and Mac operating systems.
Windows:
- Press the Windows logo key and the letter R simultaneously on the keyboard.
- Type
control.exe /name Microsoft.NetworkAndSharingCenterin the Run Command window and click the OK button. - Click the link to Set up a new connection or network.
- Select the option to Connect to a workplace.
- If prompted to use a connection that you already have, select No and click the Next button.
- Click on Use my Internet connection (VPN)
- Enter the EdgeRouter's WAN interface address in the Internet Address field and set the Destination Name to a friendly name for the connection. This can be whatever you'd like.
- Click the Create button to create the connection and return to the Network and Sharing Center.
- From the Network and Sharing Center window, click Change adapter settings in the left hand column.
- Locate the VPN connection that you've just created by the friendly name that was assigned to it in the previous steps. Right click this connection and select Properties from the context menu.
- On the Security tab, select the Allow these protocols radio button and make sure that Microsoft CHAP Version 2 (MS-CHAP v2) is checked.
- Select Layer 2 Tunneling Protocol with IPSec (L2TP/IPsec) for the type of VPN and then click the Advanced Settings button.
- Select the option to Use preshared key for authentication and enter the key that you had configured in step 7.
- Click OK on the Advanced Properties window and OK again on the VPN connection properties to save the configuration.
Mac:
- Click the Apple logo in the menu bar and select System Settings.
- Select Network in the left navigation.
- Click on the midline ellipsis towards the bottom right. Mouse over Add VPN configuration and then click the option for L2TP over IPSec.
- A setup windows will appear requesting the configuration information.
- Display Name can be set a friendly name of your choosing.
- Enter the EdgeRouter's WAN interface IP address in the Server address field.
- Input the user's VPN username and password that was created in step 11 in the Account Name and Password fields respectively. Leaving the User Authentication field set to Password.
- Set Machine Authentication to Shared Secret and then enter the preshared key that was configured in step 7 in the Shared Secret field that's provided.
- Click the Create button to save the configuration.
- Return to the System Settings window and select Control Panel in the left navigation.
- Scroll down to VPN and select the option to Show in Menu Bar.
Step 13: Establishing connection to the VPN network
Connecting with the VPN network is an easy process once the client is configured. Both Windows and Mac have shortcuts available via their system trays to establish a connection with the VPN. The icon in Windows will appear differently depending on whether your local network is connected via Ethernet or Wifi. Windows 11 also has a subsection for VPN that'll be available to the user once they've clicked on this same network icon. The Mac operating system has this shortcut hidden by default. So be sure to complete all of the items in the configuration process that were outlined in the previous step to enable this option.
Connecting with the VPN is a self explanatory process in both Windows and Mac. Once the user has clicked on the applicable shortcut, the VPN connection will be displayed as the friendly name that was assigned to it in step 12. Windows will prompt the user to enter the username and password upon the initial connection. Mac users will not see this prompt due to their credentials being added as part of the configuration process. Once the VPN connection is established, the user will then be connected with the EdgeRouter's local LAN and can proceed with accessing any applicable resources on the EdgeRouter's local LAN. Such as connecting with their office workstation via a Remote Desktop application.
