UniFi Gateway - L2TP VPN Server

L2TP is a traditional VPN server found in the Teleport & VPN section of your Network application that allows you to connect to the UniFi network from a remote location. A UniFi Gateway or UniFi Cloud Gateway is required.

Should I Use L2TP?

On Next-Gen UniFi gateways, there are much better options available such as Teleport and Wireguard.

  • For mobile users, we strongly recommend using Teleport instead of L2TP. Teleport is faster, more secure, and requires zero configuration.
  • For desktop and laptop users, we strongly recommend using WireGuard instead of L2TP. WireGuard is faster, more secure, and requires less configuration.

How Does it Work?

After enabling L2TP, add a User and share the Pre-Shared Key and user credentials with your desired recipient. If available, the recipient can use the built-in L2TP VPN on their choice of operating system.

Compatibility and Limitations

There are several caveats associated with using L2TP. These are not specific to the UniFi gateway; they are associated with the protocol itself.

  • L2TP is losing support on several different operating systems. Android versions that still support L2TP require the Weak Ciphers option to be enabled.
  • L2TP encounters issues when the UniFi gateway is behind NAT, even when the ports are forwarded on the upstream router. On Windows clients, you must modify the registry.
  • Windows clients must be configured to enable MS-CHAP v2.
  • macOS clients must be configured to send all traffic over the VPN.
  • L2TP cannot push any routes to clients. Split tunneling requires static routes to be manually added on each client.
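The three Windows-side caveats above (MS-CHAP v2, the NAT registry change, and manually added split-tunnel routes) can all be applied from an elevated PowerShell session. The script below is an added example and is not part of this article or of Ubiquiti's own tooling; the server address, pre-shared key, connection name and route prefix are placeholders you substitute for your own values. The registry value it sets is Microsoft's documented NAT-T setting for IPsec clients behind NAT; it is not named in this article, so treat its use here as an assumption to verify against Microsoft's documentation for your Windows version.

```powershell
# Added example: configure a Windows L2TP/IPsec client for a UniFi gateway.
# Run in an elevated (Administrator) PowerShell session. Placeholders below
# are constructed for illustration; replace them with your own values.

$ConnectionName = 'UniFi-L2TP'              # any label you like
$ServerAddress  = 'vpn.example.invalid'     # gateway public IP or hostname (placeholder)
$PreSharedKey   = 'REPLACE-WITH-PSK'        # PSK shared by the UniFi admin (placeholder)
$LanPrefix      = '10.0.0.0/24'             # UniFi LAN to reach via the tunnel (placeholder)
$ServerBehindNat = $true                    # set to $false if the gateway has a public IP

# 1. Create the connection with L2TP over IPsec, PSK authentication, and
#    MS-CHAP v2 as the user-authentication method (required by the gateway).
#    -EncryptionLevel Required rejects a connection the server would not encrypt.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerAddress `
                  -TunnelType L2tp `
                  -L2tpPsk $PreSharedKey `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -RememberCredential `
                  -Force

# 2. L2TP cannot push routes, so with split tunneling enabled each LAN
#    prefix must be added as a static route bound to this connection.
#    Omit -SplitTunneling above and skip this step to send all traffic
#    through the VPN instead.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $LanPrefix

# 3. If the UniFi gateway is behind NAT, Windows refuses the IPsec
#    association unless this DWORD is set. Value 2 allows both the client
#    and the server to be behind NAT. A reboot is required for it to apply.
#    (Assumption: Microsoft-documented value, not taken from this article.)
if ($ServerBehindNat) {
    $PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    New-ItemProperty -Path $PolicyAgentKey `
                     -Name 'AssumeUDPEncapsulationContextOnSendRule' `
                     -PropertyType DWord `
                     -Value 2 `
                     -Force | Out-Null
    Write-Host 'NAT-T registry value set; reboot before connecting.'
}

# 4. Show the resulting configuration so it can be checked before first use.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling
Get-VpnConnectionRoute -ConnectionName $ConnectionName
```

Connect afterwards with `rasdial $ConnectionName <username> <password>` or from the Windows VPN settings page; the user name and password are the ones created under the L2TP user in the Network application. If the upstream router does not forward UDP 500 and 4500 to the gateway, the IPsec negotiation will not complete regardless of the client settings above.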

Frequently Asked Questions

1. Should I use Teleport, WireGuard or L2TP?
Using Teleport or WireGuard is highly recommended. L2TP is a traditional VPN that is losing support on several different operating systems. In addition, L2TP has several caveats and encounters issues when the server is behind NAT.
2. Is L2TP secure?
L2TP is less secure than Teleport and WireGuard. In addition, Android versions that still support L2TP require lowering the security by using the Weak Ciphers option.
3. How does L2TP compare with other VPNs, and can you use them simultaneously?
L2TP provides less throughput than more modern VPNs such as WireGuard. L2TP can be used alongside other VPNs.
4. Can L2TP be used when the UniFi gateway is behind NAT?
If the UniFi gateway is behind NAT, then UDP ports 500 and 4500 need to be forwarded by the upstream router. On Windows clients, it is also required to modify the registry.

We recommend using L2TP on a UniFi gateway that has a public IP address. Any performance or port forwarding issues on the upstream router can cause the VPN to disconnect.
5. Which clients support L2TP?
L2TP is supported on many different clients; however, it is losing support. See the documentation for each operating system for more information.
6. Why won't my clients connect to the VPN?
Many operating systems are removing support for L2TP VPNs. Please refer to the Compatibility and Limitations section above to learn how different clients should be configured.