UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP
Support Resources
Store
Support Resources
UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP Store

UniFi Gateway - L2TP VPN Server

L2TP is a traditional VPN server found in the Teleport & VPN section of your Network application that allows you to connect to the UniFi network from a remote location.

Requirements

Should I use L2TP?

On Next-Gen UniFi gateways, there are much better options available such as Teleport and Wireguard.

  • For mobile users, we strongly recommend to use Teleport instead of L2TP. Teleport is faster, more secure, and requires zero configuration. 
  • For desktop and laptop users, we strongly recommend to use Wireguard instead of L2TP. Wireguard is faster, more secure, and requires less configuration.

How does it work?

After enabling L2TP, add a User and share the Pre-Shared Key and user credentials with your desired recipient. If available, the recipient can use the built-in L2TP VPN on their choice of operating system. 

Note: On Windows, it is required to modify the L2TP adapter Security settings and change the authentication method to MS-CHAP v2.

Caveats

There are several caveats associated with using L2TP. These are not specific to the UniFi gateway and associated with the protocol itself. 

  • L2TP is losing support on several different operating systems. Android versions that still support L2TP require the usage of the Weak Ciphers option.
  • L2TP encounters issues when the UniFi gateway is behind NAT, even when forwarding the ports on the upstream router. On Windows clients, it is required to modify the registry.
  • Using the standard options available on the client's built-in L2TP VPN may not lead to a successful connection.
    • On Windows, the authentication method needs to be manually changed to MS-CHAP v2.
    • On macOS, the option to send all traffic over the VPN is not enabled by default.
  • L2TP cannot push any routes to clients. Split tunneling requires static routes to be manually added on each client.

Frequently Asked Questions

1. Should I use Teleport, Wireguard or L2TP?

Using Teleport or Wireguard is highly recommended. L2TP is a traditional VPN that is losing support on several different operating systems. In addition, L2TP has several caveats and encounters issues when the server is behind NAT.
2. Is L2TP secure?

L2TP is less secure than Teleport and Wireguard. In addition, Android versions that still support L2TP require lowering the security by using the Weak Ciphers option.
3. How does L2TP compare with other VPNs, and can you use them simultaneously?

L2TP provides less throughput than more modern VPNs such as Wireguard. L2TP can be used alongside other VPNs.
4. Can L2TP be used when the UniFi gateway is behind NAT?

If the UniFi gateway is behind NAT, then UDP port 500 and 4500 need to be forwarded by the upstream router. On Windows clients, it is also required to modify the registry.

We recommend to use L2TP on a UniFi gateway that has access to a public IP address. Any performance or port forwarding issues on the upstream router can cause the VPN to disconnect.
5. Which clients support L2TP?

L2TP is supported on many different clients, however it is losing support. See the documentation for each operating system for more information.
Was this article helpful?
1 out of 7 found this helpful