UniFi - USG/UDM: Configuring L2TP Remote Access VPN


This article describes how to set up an L2TP VPN using the UniFi Security Gateway (USG) as a RADIUS Server. This article applies for all USG models, as well as all UniFi Dream Machine models (UDM and UDM-Pro).

  • L2TP VPN is designed to only work on WAN 1 for the USG.
  • L2TP VPN works on both WAN and WAN2 for the UDM-Pro.
  • Please complete the prerequisite configuration found in theUniFi - USG: Configuring RADIUS Server article before following this guide's instructions.
  • Devices used in this article: UniFi Switch, UniFi Security Gateway.

Table of Contents

  1. UniFi Network Controller Setup
  2. Windows Setup
  3. macOS Setup
  4. Additional Notes & Considerations
  5. Related Articles

UniFi Network Controller Setup

Back to Top

Configure the L2TP Network

1. Navigate to Settings > Networks > Create New Network in the UniFi Network Controller (or Edit an existing one).

2. Fill out the necessary fields as shown in the image above:

  • Purpose: Remote User VPN
  • VPN Type: L2TP Server
  • Pre-Shared Key: Known as the pre-shared secret, will be entered along with the username and password (created in RADIUS users) on L2TP clients.
  • Gateway/Subnet: Will need to be non-conflicting with any other networks present on the controller.
  • Name Server: Can be left Auto, unless further customization of the configuration is desired.
  • WINS Servers (if visible in your configuration): Can be left unchecked, unless further customizing the configuration is desired.
  • Site-to-Site VPN (if visible in your configuration): If you're using the "Auto" VPN type to connect sites, the L2TP VPN subnet will be included in those automatic routes if this option is selected.

3. Choose the Default RADIUS Profile from the drop-down.

4. Click SAVE.

Windows Setup

Back to Top

If using a Windows machine to connect to L2TP, follow these steps to set it up:

Windows 10

1. Go to Settings

2. VPN > Add VPN connection

3. See the following screenshot and fill the information requested.


Windows Authentication Setup

  1. Go to Control Panel > Network & Sharing settings > Change Adapter Settings.
  2. Right-click the L2TP adapter, then go to Properties > Security.
  3. Under Type of VPN, select  Layer 2 Tunneling Protocol with IPsec.
  4. Click Advanced Settings. Select preshared key for authentication and enter it.
  5. Make sure to have the option of Allow these protocols enabled and mark the checkbox for Check Microsoft CHAP Version 2 (MS-CHAP v2), as shown in the screenshot below.


User Tip:Windows requires a registry tweak in order to use L2TP w/ PSK. Open Command Prompt as Administrator, add the following key, and then reboot:
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

macOS Setup

Back to Top

The macOS setup is more straightforward and no authentication modifications are needed.

1. Simply go to System Preferences > Network on your computer.

2. Click the + button.

2.1 Interface: VPN

2.2 VPN Type: L2TP over IPsec


3. In Authentication settings enter the preshared key.


Additional Notes & Considerations

Back to Top

  • Please always update to the latest firmware.
  • L2TP doesn't have a route distribution method. If the setting on the client device to route "all" traffic through the tunnel is not enabled, it will be necessary to add the manual routes on the client, to point to the USG's local networks. Search in each specific client device's documentation on how to enable sending all traffic over the VPN connection.
  • Setting up L2TP will auto add firewall rules to WAN Local in Settings > Routing & Firewall, no manual rules are required on the user end.
  • If your USG's WAN is behind NAT and has a private IP, it is necessary to configure port forwarding on the upstream router to forward UDP ports 500, 1701, and 4500 to the USG's WAN address.
  • In UniFi Network Controller versions prior to 5.7.22, if UPnP is configured on the USG, an ACL will need to be created to deny UDP ports 500/4500. See this Community post for more. This community post is in the Early access section of our Community, see this article to learn How to Sign Up for Early Access.

Related Articles

Back to Top

UniFi - USG: Configuring RADIUS Server

UniFi - USW: Configuring Access Policies (802.1X) for Wired Clients

Was this article helpful?
25 out of 45 found this helpful
Can't find what you're looking for?
Visit our worldwide community of Ubiquiti experts for more answers
Visit the Ubiquiti Community
Can't find what you're looking for?