This article describes how to set up L2TP VPN using the UniFi Security Gateway (USG) as a RADIUS Server.
Table of Contents
UniFi Controller Setup
1. Configure the USG as a RADIUS server. You may follow our How to Implement RADIUS Authentication article for guidance.
2. Navigate to Settings > Networks > Create New Network in the UniFi Controller.
3. Fill out necessary fields as shown in the image above:
4. Choose the Default RADIUS Profile from the dropdown.
5. Click SAVE.
If using a Windows machine to connect to L2TP, follow these steps to set it up:
1. Go to Settings
2. VPN > Add VPN connection
3. See the following screenshot and fill the information requested.
Windows Authentication Setup
- Go to Control Panel > Network & Sharing settings > Change Adapter Settings.
- Right click the L2TP adapter, then go to Properties > Security.
- Under Type of VPN, select Layer 2 Tunneling Protocol with IPsec.
- Click Advanced Settings. Select preshared key for authentication and enter it.
- Make sure to have the option of Allow these protocols enabled and mark the checkbox for Check Microsoft CHAP Version 2 (MS-CHAP v2), as shown in the screenshot below.
OS X Setup
The OS X setup is more straightforward and no authentication modifications are needed.
1. Simply go to System Preferences > Network
2. Click the + button
2.1 Interface: VPN
2.2 VPN Type: L2TP over IPsec
3. In Authentication settings enter the preshared key.
Additional Notes & Considerations
- L2TP doesn't have a route distribution method. If the setting on the client to route "all" traffic through the tunnel is not used, it will be necessary to add the manual routes on the client, to point to the USG's local networks.
- Setting up L2TP will auto add firewall rules to WAN Local in Settings > Routing & Firewall, no manual rules are required on the user end.
- In pre-4.3.41 USG firmware, L2TP remote access VPN will not work if there are already one or more site-to-site IPsec VPNs configured. Please update to the latest firmware.
- If UPnP is configured on the USG, an ACL will need to be created to deny UDP ports 500/4500. See this Community post for more. This community post is in the Early access section of our Community, see this article to learn How to Sign Up for Early Access.