This article describes how to set up L2TP VPN using the USG as a RADIUS Server.
|Note: This feature appears in UniFi Controller v5.5.5+ which is currently in Beta. Beta features are not supported by our livechat, but answers can be found via the UniFi Beta Forum. If you are interested in testing this and other new features, follow this article to sign up for the Beta Program. We also appreciate any feedback about our beta-related articles, such as this one. Send yours by clicking on the Give Feedback button at the bottom of this page.|
Table of Contents
1. Configure the USG as a RADIUS server. You may follow our How to Implement RADIUS Authentication article for guidance.
2. Navigate to Settings > Networks > Create New Network in the UniFi Controller.
3. Fill out necessary fields as shown in the image above:
- Purpose: Remote User VPN
- VPN Type: L2TP Server
- Pre-Shared Key: known as the pre-shared secret, will be entered along with the username and password (created in RADIUS users) on L2TP clients.
- Gateway/Subnet: will need to be non-conflicting with any other networks present on the controller.
- Name server and WINS servers: can be left auto / blank, unless further customizing the configuration is desired.
- Site-to-Site VPN: expose this VPN as a site-to-site VPN by marking the checkbox.
4. Choose a RADIUS Profile from the dropdown.
5. Click SAVE.
- If desired, some clients such as iOS devices have the option to route "all" traffic through the VPN, not just the networks located on the USG.
- L2TP doesn't have a route distribution method, if the setting on the client to route "all" traffic through the tunnel is not used, it will be necessary to add the routes on the client, to point to the USG's local networks.
- Setting up L2TP will auto add firewall rules to WAN Local in Settings > Routing & Firewall, no manual rules are required on the user end.
- L2TP remote access VPN will not work if there are already one or more site-to-site IPsec VPNs configured.