How to configure an L2TP VPN on a Ubiquiti Edge Router

In this tutorial we explain how to configure an L2TP VPN with local authentication on a Ubiquiti EdgeRouter. The EdgeRouter has a GUI, but its VPN wizard is missing features and the configuration it produces is not compatible with the Config Tree or the CLI: if you create your config with the VPN wizard, you won't be able to modify it afterwards through the CLI or the GUI. For this reason we strongly recommend using the CLI for the setup.


To create the configuration for your VPN tunnel on the EdgeRouter, log into the device using SSH and then proceed with the following steps.

First, enter configuration mode by typing:

configure

Firewall rules

The next step is to create the firewall rules that allow the VPN tunnel to be established and the VPN traffic to pass through the router. Copy and paste the following commands; note that you may need to change the rule numbers depending on the rules you already have in place in the WAN_LOCAL rule set. Rules 19 to 21 accept IKE (UDP 500), ESP and NAT-T (UDP 4500) from the Internet, while rule 22 accepts L2TP (UDP 1701) only when it arrives inside the IPsec tunnel (ipsec match-ipsec), so unencrypted L2TP is never exposed to the Internet.

set firewall name WAN_LOCAL rule 19 action accept
set firewall name WAN_LOCAL rule 19 description ike
set firewall name WAN_LOCAL rule 19 destination port 500
set firewall name WAN_LOCAL rule 19 log disable
set firewall name WAN_LOCAL rule 19 protocol udp
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description esp
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol esp
set firewall name WAN_LOCAL rule 21 action accept
set firewall name WAN_LOCAL rule 21 description nat-t
set firewall name WAN_LOCAL rule 21 destination port 4500
set firewall name WAN_LOCAL rule 21 log disable
set firewall name WAN_LOCAL rule 21 protocol udp
set firewall name WAN_LOCAL rule 22 action accept
set firewall name WAN_LOCAL rule 22 description l2tp
set firewall name WAN_LOCAL rule 22 destination port 1701
set firewall name WAN_LOCAL rule 22 ipsec match-ipsec
set firewall name WAN_LOCAL rule 22 log disable
set firewall name WAN_LOCAL rule 22 protocol udp

Configure the authentication

Then we configure the IPsec authentication. Here you need to replace <some_strong_password> with a strong pre-shared secret; every client uses this same secret, so make it long and random.

set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <some_strong_password>
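The pre-shared secret is shared by every client, so it should come from a cryptographic random source rather than be typed by hand. The following helper is an added example, not code from the original post or from Austral Tech: it generates a secret with the operating system CSPRNG and checks a candidate secret for length and estimated entropy. The alphabet deliberately leaves out whitespace, quotes and backslashes, on the assumption that this keeps the value safe to paste into the EdgeOS set command without quoting.

```python
import math
import secrets
import string

# Assumption: avoiding whitespace, quotes and backslashes keeps the secret
# safe to paste unquoted into "set ... pre-shared-secret <value>".
ALPHABET = string.ascii_letters + string.digits + "-_.!@#%^*+="


def generate_psk(length: int = 32) -> str:
    """Return a random pre-shared secret built from the OS CSPRNG."""
    if length < 20:
        raise ValueError("length must be at least 20 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(secret: str) -> float:
    """Upper-bound entropy estimate: log2(alphabet size) per character, with the
    alphabet size inferred from the character classes present in the secret."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 32
    return len(secret) * math.log2(size) if size else 0.0


def check_psk(secret: str, min_bits: float = 100.0) -> list:
    """Return the problems found with a candidate secret; an empty list means it is acceptable."""
    problems = []
    if len(secret) < 20:
        problems.append("shorter than 20 characters")
    if any(c.isspace() or c in "'\"\\" for c in secret):
        problems.append("contains whitespace, quotes or backslash")
    if entropy_bits(secret) < min_bits:
        problems.append(f"estimated entropy below {min_bits:.0f} bits")
    return problems


if __name__ == "__main__":
    psk = generate_psk()
    print(f"set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret {psk}")
    print("problems with generated secret:", check_psk(psk))
    print("problems with 'password':", check_psk("password"))
```

Run the script on an administrator workstation, paste the printed set command into the EdgeRouter session, and store the secret in your password manager; it has to be entered on every client.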

Create a user

Now we will create a user. Repeat this step for each additional user.

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username australtech password <password_for_the_user>

Assign the IP range

Now we are going to assign the IP range for the SNAT pool. This is a range of IP addresses on your network that will be used to assign internal IP addresses to connecting users. As an example we will use 192.168.2.30-192.168.2.130, which gives us enough IP addresses for 100 users. Make sure this range does not overlap with your LAN DHCP scope or with statically assigned hosts, otherwise a VPN client and a LAN device can end up with the same address. Our DNS server in our network is 192.168.2.2; replace it with yours.

set vpn l2tp remote-access client-ip-pool start 192.168.2.30
set vpn l2tp remote-access client-ip-pool stop 192.168.2.130
set vpn l2tp remote-access mtu 1492
set vpn l2tp remote-access dns-servers server-1 192.168.2.2
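Before committing the pool, it is worth checking that it fits inside the LAN subnet, holds enough addresses for the expected users, and does not collide with the DHCP scope or the DNS server. The following pre-flight check is an added example, not part of the original post or of the EdgeRouter software; the DHCP scope used in the demo (192.168.2.100-192.168.2.200) is a constructed value chosen to show an overlap, and the other values are the ones from this tutorial.

```python
import ipaddress
from typing import List, Optional, Tuple


def pool_capacity(start: str, stop: str) -> int:
    """Number of client addresses in the inclusive start..stop pool."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    if last < first:
        raise ValueError("pool stop address precedes start address")
    return int(last) - int(first) + 1


def _ranges_overlap(a_first, a_last, b_first, b_last) -> bool:
    """True when the inclusive address ranges share at least one address."""
    return int(a_first) <= int(b_last) and int(b_first) <= int(a_last)


def check_pool(lan: str, start: str, stop: str, users: int = 0,
               dhcp_range: Optional[Tuple[str, str]] = None,
               dns: Optional[str] = None) -> List[str]:
    """Return the problems found with a client-ip-pool; an empty list means it looks sane."""
    net = ipaddress.ip_network(lan, strict=False)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    if last < first:
        return ["pool stop address precedes start address"]
    problems = []
    if first not in net or last not in net:
        problems.append(f"pool is not fully inside {net}")
    if first == net.network_address or last == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    capacity = pool_capacity(start, stop)
    if users and capacity < users:
        problems.append(f"pool holds {capacity} addresses, fewer than {users} users")
    if dhcp_range:
        d_first, d_last = (ipaddress.ip_address(x) for x in dhcp_range)
        if _ranges_overlap(first, last, d_first, d_last):
            problems.append("pool overlaps the DHCP scope; a LAN host and a VPN client could get the same address")
    if dns:
        if first <= ipaddress.ip_address(dns) <= last:
            problems.append("DNS server address lies inside the client pool")
    return problems


if __name__ == "__main__":
    # Values from the tutorial plus a constructed DHCP scope that overlaps the pool.
    print(pool_capacity("192.168.2.30", "192.168.2.130"))
    print(check_pool("192.168.2.0/24", "192.168.2.30", "192.168.2.130",
                     users=100, dhcp_range=("192.168.2.100", "192.168.2.200"),
                     dns="192.168.2.2"))
```

The pool in the tutorial holds 101 addresses, so 100 users fit; against the constructed DHCP scope the check reports the overlap, which is the case to fix before committing.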

Select the interface

Finally we select the interface on which the VPN tunnel is allowed to be established; this is your Internet-facing interface, eth2 in our example. NAT traversal is enabled, with 0.0.0.0/0 as the allowed network, so that clients behind any NAT device can connect.

set vpn ipsec ipsec-interfaces interface eth2
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

We will finally commit and save the configuration.

commit ; save

Windows 10 setting

If you follow these steps the VPN tunnel should be established without issues. If your Windows 10 users are experiencing connection failures, make sure MS-CHAPv2 is enabled on the VPN adapter, as this is required for L2TP tunnels to the Ubiquiti EdgeRouter to work, as shown in the screenshot below:

[Screenshot: enabling MS-CHAPv2 in the Windows 10 VPN adapter settings]

We hope this guide helps you with your VPN deployment. Here at Austral Tech we are VPN experts and we have experience setting up VPN tunnels with F5 Products, Checkpoint, Ubiquiti and Cloud providers (AWS, Azure and Google). So if you need help with your VPN deployment, don’t hesitate to contact us!