Readers will learn how to set up an L2TP VPN server on the USG and UDM models using RADIUS authentication.
- Applicable to the latest firmware on all USG and UDM models.
- The L2TP VPN is designed to only work on WAN1 on the USG models, but it can use both WAN1 and WAN2 on the UDM-Pro.
- More information on the USG/UDM RADIUS server can be found in the Configuring RADIUS Server article.
Table of Contents
- Frequently Asked Questions (FAQ)
- Configuring the L2TP Server
- Setting up the L2TP Client
- Troubleshooting L2TP Connection or Routing Issues
- Related Articles
Frequently Asked Questions (FAQ)
Do I need to manually create firewall rules for the L2TP VPN?
What is RADIUS and how does the RADIUS Profile work?
How does L2TP interact with UPnP?
Do I need to manually create routes on the clients to connect to LAN devices behind the USG/UDM?
Can I use an L2TP VPN if my USG/UDM is behind NAT?
Configuring the L2TP Server
The diagram below shows an example setup where the ISP provided modem/router is running in a bridged mode and the UDM-Pro is using a public IP address on the WAN interface.
After connecting to the L2TP VPN server running on the USG/UDM and authenticating to the built-in RADIUS server, the remote VPN clients will be allowed to communicate with the devices on the LAN.
Follow the steps below to configure the L2TP VPN server and RADIUS server on the USG/UDM models:
Use this option if you quickly want to set up a Basic L2TP VPN server. Use the Advanced setup instead if you want to customize the settings.
- Open the UniFi Network application.
- Select the Settings option, then choose Networks > Add Networks.
- Name the Network.
- Select the Remote Access VPN type (L2TP is recommended).
- Create a Pre-shared Secret Key for clients.
- Specify the WAN address you want to use. If you have a Dynamic WAN please note that this address can change, possibly breaking VPN connections.
- Create a Radius server for clients. You can use the default server and the same key used in step 5.
- Click Create New Users. Add their username and choose the credentials they will use.
- Select Apply Changes. A pop up message will appear, if you need any info on the VPN clients click Read More.
1. Navigate to the Settings > Services > Radius section to enable the RADIUS server.
2. Enable the RADIUS server from the Server tab and specify the RADIUS Secret.
3. Apply the changes.
4. Add a new RADIUS user from the Users tab.
Tunnel Type: 3 - Layer Two Tunneling Protocol (L2TP)
Tunnel Medium Type: 1 - IPv4 (IP version 4)
5. Apply the changes.
6. Add more RADIUS users if necessary. Each user needs to use a unique name.
7. Navigate to the Settings > Networks > Create New Network section to add the L2TP server.
8. Select Remote User VPN and add the following information:
Purpose: Remote User VPN
VPN Type: L2TP Server
Pre-Shared Key: <shared-secret>
Gateway IP/Subnet: 192.168.2.1/24
Name Server: Auto
WINS Server: Unchecked
Site-to-Site VPN: Unchecked
RADIUS Profile: Default
MS-CHAP v2: Unchecked
9. Save the changes.
Setting up the L2TP Client
After configuring the L2TP VPN server in the section above, add the L2TP VPN client configuration to your computer. Follow the steps below depending on your operating system:
1. Add a new VPN connection in the Network & Internet settings.
Settings > Network & Internet > VPN > Add a VPN connection
VPN Provider: Windows (built-in)
Connection name: l2tp
Server name: <ip address or hostname of usg/udm>
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: <shared-secret>
Type of sign-in info: User name and password
User name: user1
2. Navigate to the Windows 10 network connections to change the allowed security protocols.
Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties
3. Select the Security tab and set the authentication method to MS-CHAP v2.
Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
4. After connecting to the VPN, you can verify the routing table from a Command Shell (CMD) or PowerShell window by running the following command:
C:\WINDOWS\system32> route print -4 IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 172.16.1.1 172.16.1.100 4506 > 0.0.0.0 0.0.0.0 On-link 192.168.2.1 26 127.0.0.0 255.0.0.0 On-link 127.0.0.1 4556 127.0.0.1 255.255.255.255 On-link 127.0.0.1 4556 127.255.255.255 255.255.255.255 On-link 127.0.0.1 4556 192.168.2.1 255.255.255.255 On-link 192.168.2.1 281 172.16.1.0 255.255.255.0 On-link 172.16.1.100 4506 172.16.1.1 255.255.255.255 On-link 172.16.1.100 4251 172.16.1.100 255.255.255.255 On-link 172.16.1.100 4506 172.16.1.255 255.255.255.255 On-link 172.16.1.100 4506 184.108.40.206 240.0.0.0 On-link 127.0.0.1 4556 220.127.116.11 240.0.0.0 On-link 172.16.1.100 4506 18.104.22.168 240.0.0.0 On-link 192.168.2.1 26 255.255.255.255 255.255.255.255 On-link 127.0.0.1 4556 255.255.255.255 255.255.255.255 On-link 172.16.1.100 4506 255.255.255.255 255.255.255.255 On-link 192.168.2.1 281 ===========================================================================
5. Note that reachability to the UniFi LAN network is accomplished by the installation of a secondary default route. This is the default behavior on Windows computers.
6. If you want to use 'split tunneling' instead of routing all traffic over the VPN, see the FAQ above. The installation of the default gateway can be controlled by checking or unchecking the Use default gateway on remote network option in the Networking > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced section. Afterwards, verify the routing table on the client again and add the needed routes.
1. Add a VPN connection in the Network settings.
System Preferences > Network > "+"
VPN Type: L2TP over IPSec
Service name: l2tp
2. Adjust the settings of the newly created L2TP over IPsec interface.
System Preferences > Network > L2TP over IPsec Interface
Server Address: <ip address or hostname of usg/udm>
Account Name: user1
3. Select Authentication Settings... to add the pre-shared secret and the user password.
User Authentication > Password: <user1-password>
Machine Authentication > Shared Secret: <shared-secret>
4. Select Advanced... to add send all traffic through the VPN connection.
Options > Session Options: Send all traffic over VPN connection (checked)
5. After connecting to the VPN, you can verify the routing table from a Terminal window by running the following command:
:~ root$ netstat -nr -f inet Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire > default link#7 UCS 28 0 ppp0 default 172.16.1.1 UGScI 4 0 en0 10.255.255.0 192.168.2.1 UH 0 0 ppp0 127 127.0.0.1 UCS 0 0 lo0 127.0.0.1 127.0.0.1 UH 1 130 lo0 169.254 link#5 UCS 0 0 en0 ! 192.168.1.1 link#7 UHWIi 8 265 ppp0 192.168.2 ppp0 USc 1 0 ppp0 172.16.1 link#5 UCS 1 0 en0 ! 172.16.1.1 ab:cd:ab:cd:ab:cd UHLWIir 5 484 en0 1199 172.16.1.100/32 link#5 UCS 0 0 en0 ! 224.0.0/4 link#7 UmCS 2 0 ppp0 224.0.0/4 link#5 UmCSI 0 0 en0 ! 22.214.171.124 link#7 UHmW3I 0 0 ppp0 3576 126.96.36.199 link#7 UHmW3I 0 8 ppp0 2511 255.255.255.255/32 link#7 UCS 0 0 ppp0 255.255.255.255/32 link#5 UCSI 0 0 en0 !
6. Note that reachability to the UniFi LAN network is accomplished by the installation of a secondary default route. This is the result of checking the Send all traffic over VPN connection option in step 4 above.
7. Uncheck this option if you want to use 'split tunneling' instead of routing all traffic over the VPN, see the FAQ above. Afterwards, verify the routing table on the client again and add the needed routes.
Troubleshooting L2TP Connection or Routing Issues
Refer to the troubleshooting steps below if the VPN client is not able to connect to the VPN or is not able to route traffic over the VPN. A common error message that will be logged by the VPN client is that the server is not responding, the connection failed or that there is a 'processing error'.
Unable to Connect to the L2TP VPN Server
Possible Cause #1 - The USG/UDM is located behind NAT and does not have a public IP address.
Possible Cause #2 - The USG/UDM is forwarding either UDP port 500 or UDP port 4500 to another device.
Possible Cause #3 - The VPN client is using an incorrect pre-shared key, username, password, or authentication method.
Possible Cause #4 - The VPN client is trying to connect from the LAN or other non-working location.
Possible Cause #5 - There is another issue affecting the VPN client that is preventing the L2TP connection from establishing.
Unable to Route over the L2TP VPN Connection
Possible Cause #1 - The VPN Client does not have the needed routes installed in the routing table.
Possible Cause #2 - The VPN Client is routing over the VPN, but the traffic is not allowed.
Possible Cause #3 - The VPN Client does have the needed routes and there is nothing blocking the traffic.
Possible Cause #4 - The VPN Client and VPN server are using the same LAN network range.