Overview
Readers will learn how to set up an L2TP VPN server on the USG and UDM models using RADIUS authentication.
- Applicable to the latest firmware on all USG and UDM models.
- The L2TP VPN is designed to only work on WAN1 on the USG models, but it can use both WAN1 and WAN2 on the UDM-Pro.
- More information on the USG/UDM RADIUS server can be found in the Configuring RADIUS Server article.
Table of Contents
- Frequently Asked Questions (FAQ)
- Configuring the L2TP Server
- Setting up the L2TP Client
- Troubleshooting L2TP Connection or Routing Issues
- Related Articles
Frequently Asked Questions (FAQ)
Do I need to manually create firewall rules for the L2TP VPN?
Firewall rules are automatically created to allow the VPN users to connect (authenticate) and route traffic over the VPN. It is not necessary to manually add firewall rules for L2TP.
What is RADIUS and how does the RADIUS Profile work?
RADIUS is a protocol that is used to authenticate and authorize users. Usernames and passwords are stored in a database, and this database is consulted when a remote VPN client tries to connect. If the credentials provided by the remote VPN client match the ones in the database, the client is allowed to connect.
How does L2TP interact with UPnP?
On the latest UniFi Network releases, you can configure both L2TP and UPnP on the same device and they will not interfere with each other.
Do I need to manually create routes on the clients to connect to LAN devices behind the USG/UDM?
Windows and macOS computers both have an option to route all traffic over the VPN (default gateway). This is the default on Windows computers, but it has to be manually enabled on macOS computers using the Send all traffic through the VPN connection option in the System Preferences > Network > VPN L2TP > Advanced section.
C:\WINDOWS\system32> route print -4

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.1.1    172.16.1.100    281
>        10.0.0.0        255.0.0.0     10.255.255.0     10.255.20.1     26
>     10.255.20.1  255.255.255.255         On-link      10.255.20.1    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    331
       172.16.1.0    255.255.255.0         On-link     172.16.1.100    281
       172.16.1.1  255.255.255.255         On-link     172.16.1.100     26
     172.16.1.100  255.255.255.255         On-link     172.16.1.100    281
     172.16.1.255  255.255.255.255         On-link     172.16.1.100    281
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     172.16.1.100    281
        224.0.0.0        240.0.0.0         On-link      10.255.20.1    281
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     172.16.1.100    281
  255.255.255.255  255.255.255.255         On-link      10.255.20.1    281
===========================================================================
Can I use an L2TP VPN if my USG/UDM is behind NAT?
Yes, but it is necessary to forward UDP port 500 and UDP port 4500 on the upstream router/modem to the WAN address of the USG/UDM.
Configuring the L2TP Server
The diagram below shows an example setup where the ISP provided modem/router is running in a bridged mode and the UDM-Pro is using a public IP address on the WAN interface.
After connecting to the L2TP VPN server running on the USG/UDM and authenticating to the built-in RADIUS server, the remote VPN clients will be allowed to communicate with the devices on the LAN.
Follow the steps below to configure the L2TP VPN server and RADIUS server on the USG/UDM models:
Use this option if you want to quickly set up a basic L2TP VPN server. Use the Advanced setup instead if you want to customize the settings.
- Open the UniFi Network application.
- Select the Settings option, then choose Networks > Add Networks.
- Name the Network.
- Select the Remote Access VPN type (L2TP is recommended).
- Create a Pre-shared Secret Key for clients.
- Specify the WAN address you want to use. If you have a Dynamic WAN please note that this address can change, possibly breaking VPN connections.
- Create a RADIUS server for clients. You can use the default server and the same key used in step 5.
- Click Create New Users. Add their username and choose the credentials they will use.
- Select Apply Changes. A pop-up message will appear; if you need any information on the VPN clients, click Read More.
1. Navigate to the Settings > Services > Radius section to enable the RADIUS server.
2. Enable the RADIUS server from the Server tab and specify the RADIUS Secret.
3. Apply the changes.
4. Add a new RADIUS user from the Users tab.
Name: user1
Password: <user1-password>
VLAN: None
Tunnel Type: 3 - Layer Two Tunneling Protocol (L2TP)
Tunnel Medium Type: 1 - IPv4 (IP version 4)
5. Apply the changes.
6. Add more RADIUS users if necessary. Each user needs to use a unique name.
7. Navigate to the Settings > Networks > Create New Network section to add the L2TP server.
8. Select Remote User VPN and add the following information:
Name: l2tp
Purpose: Remote User VPN
VPN Type: L2TP Server
Pre-Shared Key: <shared-secret>
Gateway IP/Subnet: 192.168.2.1/24
Name Server: Auto
WINS Server: Unchecked
Site-to-Site VPN: Unchecked
RADIUS Profile: Default
MS-CHAP v2: Unchecked
9. Save the changes.
Setting up the L2TP Client
After configuring the L2TP VPN server in the section above, add the L2TP VPN client configuration to your computer. Follow the steps below depending on your operating system:
Windows
1. Add a new VPN connection in the Network & Internet settings.
Settings > Network & Internet > VPN > Add a VPN connection
VPN Provider: Windows (built-in)
Connection name: l2tp
Server name: <ip address or hostname of usg/udm>
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: <shared-secret>
Type of sign-in info: User name and password
User name: user1
Password: <user1-password>
2. Navigate to the Windows 10 network connections to change the allowed security protocols.
Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties
3. Select the Security tab and set the authentication method to MS-CHAP v2.
Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
4. After connecting to the VPN, you can verify the routing table from a Command Shell (CMD) or PowerShell window by running the following command:
C:\WINDOWS\system32> route print -4

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.1.1    172.16.1.100   4506
>         0.0.0.0          0.0.0.0          On-link      192.168.2.1     26
        127.0.0.0        255.0.0.0         On-link        127.0.0.1   4556
        127.0.0.1  255.255.255.255         On-link        127.0.0.1   4556
  127.255.255.255  255.255.255.255         On-link        127.0.0.1   4556
      192.168.2.1  255.255.255.255         On-link      192.168.2.1    281
       172.16.1.0    255.255.255.0         On-link     172.16.1.100   4506
       172.16.1.1  255.255.255.255         On-link     172.16.1.100   4251
     172.16.1.100  255.255.255.255         On-link     172.16.1.100   4506
     172.16.1.255  255.255.255.255         On-link     172.16.1.100   4506
        224.0.0.0        240.0.0.0         On-link        127.0.0.1   4556
        224.0.0.0        240.0.0.0         On-link     172.16.1.100   4506
        224.0.0.0        240.0.0.0         On-link      192.168.2.1     26
  255.255.255.255  255.255.255.255         On-link        127.0.0.1   4556
  255.255.255.255  255.255.255.255         On-link     172.16.1.100   4506
  255.255.255.255  255.255.255.255         On-link      192.168.2.1    281
===========================================================================
5. Note that reachability to the UniFi LAN network is accomplished by the installation of a secondary default route. This is the default behavior on Windows computers.
6. If you want to use 'split tunneling' instead of routing all traffic over the VPN, see the FAQ above. The installation of the default gateway can be controlled by checking or unchecking the Use default gateway on remote network option in the Networking > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced section. Afterwards, verify the routing table on the client again and add the needed routes.
macOS
1. Add a VPN connection in the Network settings.
System Preferences > Network > "+"
Interface: VPN
VPN Type: L2TP over IPSec
Service name: l2tp
2. Adjust the settings of the newly created L2TP over IPsec interface.
System Preferences > Network > L2TP over IPsec Interface
Configuration: Default
Server Address: <ip address or hostname of usg/udm>
Account Name: user1
3. Select Authentication Settings... to add the pre-shared secret and the user password.
User Authentication > Password: <user1-password>
Machine Authentication > Shared Secret: <shared-secret>
4. Select Advanced... to enable sending all traffic through the VPN connection.
Options > Session Options: Send all traffic over VPN connection (checked)
5. After connecting to the VPN, you can verify the routing table from a Terminal window by running the following command:
:~ root$ netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
> default            link#7             UCS            28        0    ppp0
default            172.16.1.1         UGScI           4        0     en0
10.255.255.0       192.168.2.1        UH              0        0    ppp0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1      130     lo0
169.254            link#5             UCS             0        0     en0      !
192.168.1.1        link#7             UHWIi           8      265    ppp0
192.168.2          ppp0               USc             1        0    ppp0
172.16.1           link#5             UCS             1        0     en0      !
172.16.1.1         ab:cd:ab:cd:ab:cd  UHLWIir         5      484     en0   1199
172.16.1.100/32    link#5             UCS             0        0     en0      !
224.0.0/4          link#7             UmCS            2        0    ppp0
224.0.0/4          link#5             UmCSI           0        0     en0      !
224.0.0.251        link#7             UHmW3I          0        0    ppp0   3576
239.255.255.250    link#7             UHmW3I          0        8    ppp0   2511
255.255.255.255/32 link#7             UCS             0        0    ppp0
255.255.255.255/32 link#5             UCSI            0        0     en0      !
6. Note that reachability to the UniFi LAN network is accomplished by the installation of a secondary default route. This is the result of checking the Send all traffic over VPN connection option in step 4 above.
7. Uncheck this option if you want to use 'split tunneling' instead of routing all traffic over the VPN, see the FAQ above. Afterwards, verify the routing table on the client again and add the needed routes.
Troubleshooting L2TP Connection or Routing Issues
Refer to the troubleshooting steps below if the VPN client is not able to connect to the VPN or is not able to route traffic over the VPN. A common error message that will be logged by the VPN client is that the server is not responding, the connection failed or that there is a 'processing error'.
Unable to Connect to the L2TP VPN Server
Possible Cause #1 - The USG/UDM is located behind NAT and does not have a public IP address.
In this scenario, the USG/UDM is located behind another router/modem that uses NAT. A sign of this setup is that the device is using a private (RFC1918) or CGNAT (RFC6598) IP address on the WAN interface. Your USG/UDM is located behind NAT if it is using an IP address on the WAN interface that is inside one of the ranges below:
- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255, RFC1918)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255, RFC1918)
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255, RFC1918)
- 100.64.0.0/10 (100.64.0.0 - 100.127.255.255, RFC6598 CGNAT)
To fix this issue, forward UDP port 500 and UDP port 4500 on the upstream router/modem to the WAN address of the USG/UDM, as described in the FAQ above.
Possible Cause #2 - The USG/UDM is forwarding either UDP port 500 or UDP port 4500 to another device.
In this situation, the ports required for the L2TP VPN server are forwarded to a device on the LAN. To fix this issue, check whether such port forwarding rules exist and remove them.
Possible Cause #3 - The VPN client is using an incorrect pre-shared key, username, password, or authentication method.
In this situation, the L2TP VPN client and server are not using a matching pre-shared key or authentication method or credentials (username/password). NOTE: See the How to Establish a Connection Using SSH article for more information on how to connect using SSH.
1. Open an SSH session to the Command Line Interface (CLI) of the USG/UDM using your favorite SSH client program (for example PuTTY or the macOS/Linux Terminal).
2. Run the command listed below. This command will print the L2TP VPN log output directly to the screen when a client tries to connect (cancel with CTRL+C).
sudo swanctl --log
Output like the following, where the client's ID payload cannot be decrypted, typically indicates that the pre-shared key does not match:
10[ENC] parsed INFORMATIONAL_V1 request 4065021879 [ HASH D ]
06[ENC] invalid ID_V1 payload length, decryption failed?
5. If there is no output at all, the client is unable to reach the IP address of the USG/UDM or is using certificate authentication instead of a pre-shared key. One possible reason the client cannot reach the L2TP server is that the UDM/USG is behind NAT; see Cause #1 above.
Possible Cause #4 - The VPN client is trying to connect from the LAN or other non-working location.
In this situation, the L2TP VPN client is trying to connect to the L2TP server from the LAN behind the USG/UDM or from a location that does not allow VPN connections. To fix this issue, try connecting from a different wired/wireless network or location. You can also try connecting over a mobile network, for example by creating a tethered Wi-Fi network (hotspot) on a mobile device.
Possible Cause #5 - There is another issue affecting the VPN client that is preventing the L2TP connection from establishing.
To fix this issue, try using a different client or operating system. You can also check if there are any updates available for your device that may have fixes for the VPN client feature.
Unable to Route over the L2TP VPN Connection
Possible Cause #1 - The VPN Client does not have the needed routes installed in the routing table.
In this situation, the VPN client is able to connect to the VPN but is not able to reach any of the hosts on the LAN network.
C:\WINDOWS\system32>route print -4

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.1.1    172.16.1.100    281
>        10.0.0.0        255.0.0.0     10.255.255.0     10.255.20.1     26
>     10.255.20.1  255.255.255.255         On-link      10.255.20.1    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    331
       172.16.1.0    255.255.255.0         On-link     172.16.1.100    281
       172.16.1.1  255.255.255.255         On-link     172.16.1.100     26
     172.16.1.100  255.255.255.255         On-link     172.16.1.100    281
     172.16.1.255  255.255.255.255         On-link     172.16.1.100    281
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     172.16.1.100    281
        224.0.0.0        240.0.0.0         On-link      10.255.20.1    281
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     172.16.1.100    281
  255.255.255.255  255.255.255.255         On-link      10.255.20.1    281
===========================================================================
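The two Windows route tables in this article (the split-tunnel table above and the full-tunnel table in the client setup section) differ only in which routes the VPN adapter carries, so whether a LAN host is reachable comes down to longest-prefix match and then the Metric column. The following added example (not from the article) parses constructed excerpts of those tables and resolves which interface a destination would take, which is the check to run when a client connects but cannot reach the LAN.

```python
# Added example, not part of the Ubiquiti article: resolve which interface a
# Windows client uses for a destination, applying the same rules Windows
# applies to the "route print -4" output shown in the article:
# longest matching prefix first, then the lowest Metric.
import ipaddress

# Constructed excerpt of the article's split-tunnel table: the VPN adapter
# (interface 10.255.20.1) only carries a route for 10.0.0.0/8.
SPLIT_TUNNEL_TABLE = """\
          0.0.0.0          0.0.0.0       172.16.1.1    172.16.1.100    281
         10.0.0.0        255.0.0.0     10.255.255.0     10.255.20.1     26
      10.255.20.1  255.255.255.255         On-link      10.255.20.1    281
       172.16.1.0    255.255.255.0         On-link     172.16.1.100    281
"""

# Constructed excerpt of the article's full-tunnel table: a second default
# route via the VPN adapter (192.168.2.1) with a lower metric than the
# physical adapter's default route, so it wins for everything off-link.
FULL_TUNNEL_TABLE = """\
          0.0.0.0          0.0.0.0       172.16.1.1    172.16.1.100   4506
          0.0.0.0          0.0.0.0          On-link      192.168.2.1     26
       172.16.1.0    255.255.255.0         On-link     172.16.1.100   4506
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def resolve(text, destination):
    """Interface chosen for destination: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in parse_routes(text) if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2]

def reaches_lan_over_vpn(text, lan_host, vpn_iface):
    """True when traffic to lan_host would leave via the VPN adapter."""
    return resolve(text, lan_host) == vpn_iface
```

With the split-tunnel table, a UniFi LAN host such as 192.168.1.100 falls through to the physical default route, which is why the article says to add the needed routes; with the full-tunnel table, the VPN default route wins on metric.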
Possible Cause #2 - The VPN Client is routing over the VPN, but the traffic is not allowed.
In this situation, the VPN client is able to connect to the VPN but is not able to reach any of the hosts on the LAN network.
Possible Cause #3 - The VPN Client does have the needed routes and there is nothing blocking the traffic.
You can determine if there is actually traffic going over the VPN by accessing the Command Line Interface (CLI) on the USG/UDM using SSH and running a tcpdump packet capture. NOTE: See the How to Establish a Connection Using SSH article for more information on how to connect using SSH.
1. Open an SSH session to the Command Line Interface (CLI) of the USG/UDM using your favorite SSH client program (for example PuTTY or the macOS/Linux Terminal).
2. The command listed below will print all traffic that is going over the L2TP VPN directly to the screen (cancel with CTRL+C).
sudo tcpdump -i l2tp0 -n
Adding a capture filter such as icmp limits the output to ping traffic, which makes it easy to see whether the client's packets arrive over the VPN:
sudo tcpdump -i l2tp0 -n icmp
IP 192.168.2.1 > 192.168.1.100: ICMP echo request, id 1, seq 5, length 40
IP 192.168.2.1 > 192.168.1.100: ICMP echo request, id 1, seq 9, length 40
Possible Cause #4 - The VPN Client and VPN server are using the same LAN network range.
In this situation, the VPN client is able to connect to the VPN but is not able to reach any of the hosts on the LAN network. This is caused by the fact that the LAN network used by the client and the UniFi LAN are the same (192.168.1.0/24 for example), so the client's own LAN route takes precedence over the VPN. To fix this issue, change the network range on one of the two sides so that they no longer overlap.
Related Articles
UniFi - USG: Configuring RADIUS Server
Intro to Networking - Virtual Private Networks & Tunneling
Intro to Networking - How to Establish a Connection Using SSH