
UniFi - USG VPN: L2TP Remote Access VPN with USG as RADIUS Server


Overview


This article describes how to set up L2TP VPN using the UniFi Security Gateway (USG) as a RADIUS Server.


Table of Contents


  1. UniFi Controller Setup
  2. Windows Setup
  3. OS X Setup
  4. Additional Notes & Considerations
  5. Related Articles

UniFi Controller Setup



Configure the USG as a RADIUS server

  1. Navigate to Settings > Services > RADIUS.
  2. Enable the RADIUS server under the "Server" tab.
  • Secret: Pre-shared key provisioned to both the authenticator devices and the RADIUS server. It authenticates the two sides to each other and protects RADIUS message integrity.
  • Authentication port: The UDP port on which RADIUS authentication messages are sent and received by the authenticator and the RADIUS server.
  • Accounting Port: The UDP port on which RADIUS accounting messages are sent and received by the authenticator and the RADIUS server.
  • Accounting Interim Interval: Time in milliseconds after which a RADIUS access request packet is sent with an Acct-Status-Type attribute of "interim-update". This update requests the status of an active session. "Interim" records report the current session duration and can provide information on data usage.

Create User Accounts

  1. Navigate to Settings > Services > RADIUS.
  2. Create user accounts under the "User" tab. 


Configure the L2TP Network

1. Navigate to Settings > Networks in the UniFi Controller.

2. Click Create New Network.

[Screenshot: Create New Network form with the fields listed below]

3. Fill out the necessary fields as shown in the image above:

  • Purpose: Remote User VPN
  • VPN Type: L2TP Server
  • Pre-Shared Key: Also known as the pre-shared secret; it is entered on the L2TP clients along with the username and password (created under RADIUS users).
  • Gateway/Subnet: Must not conflict with any other network present on the controller.
  • Name server and WINS servers: Can be left auto / blank unless you want to customize the configuration further.
  • Site-to-Site VPN: If you are using the "Auto" VPN type to connect sites, selecting this option includes the L2TP VPN subnet in those automatic routes.

4. Choose the Default RADIUS Profile from the dropdown.

5. Click SAVE.


Windows Setup



If using a Windows machine to connect to L2TP, follow these steps to set it up:

Windows 10

1. Open Settings.

2. Go to VPN > Add VPN connection.

3. Fill in the information requested, as shown in the following screenshot.

[Screenshot: Add VPN connection form]

Windows Authentication Setup

  1. Go to Control Panel > Network & Sharing settings > Change Adapter Settings.
  2. Right click the L2TP adapter, then go to Properties > Security.
  3. Under Type of VPN, select Layer 2 Tunneling Protocol with IPsec.
  4. Click Advanced Settings, select "Use preshared key for authentication" and enter the key.
  5. Make sure Allow these protocols is selected and check Microsoft CHAP Version 2 (MS-CHAP v2), as shown in the screenshot below.

[Screenshot: L2TP adapter Security tab]

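The same Windows client configuration can be scripted instead of clicked through. The following PowerShell is an added example, not part of the Ubiquiti article: it uses the built-in VpnClient cmdlets to create the connection with the three settings the steps above require (L2TP/IPsec tunnel type, pre-shared key, MS-CHAP v2). The connection name, the USG WAN address and the key are placeholders you substitute with your own values.

```powershell
# Added example (not from the article): build the L2TP/IPsec client profile that
# the "Windows Setup" and "Windows Authentication Setup" steps create in the GUI.
$VpnName = 'USG-L2TP'          # hypothetical connection name
$UsgWan  = 'vpn.example.com'   # placeholder: the USG's WAN hostname or IP

# Prompt for the pre-shared key instead of hard-coding it in the script.
$PskSecure = Read-Host -AsSecureString 'L2TP pre-shared key'
# -L2tpPsk takes a plain string, so convert only for the duration of the call.
$PskPlain = [System.Net.NetworkCredential]::new('', $PskSecure).Password

$params = @{
    Name                 = $VpnName
    ServerAddress        = $UsgWan
    TunnelType           = 'L2tp'       # "Layer 2 Tunneling Protocol with IPsec"
    L2tpPsk              = $PskPlain    # Advanced Settings: use preshared key
    AuthenticationMethod = 'MSChapv2'   # Allow these protocols: MS-CHAP v2
    EncryptionLevel      = 'Required'   # refuse an unencrypted PPP session
    RememberCredential   = $false       # RADIUS username/password entered per dial
    Force                = $true        # suppress the interactive PSK warning
}
Add-VpnConnection @params

# Verify the profile matches the GUI settings before dialing.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Dial using a RADIUS user created on the USG; "*" makes rasdial prompt for the password.
rasdial $VpnName 'l2tpuser' *
```

Without -AllUserConnection the profile is created for the current user only; add it if the connection should be available to every account on the machine.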

OS X Setup



The OS X setup is more straightforward and no authentication modifications are needed.

1. Go to System Preferences > Network.

2. Click the + button.

2.1 Interface: VPN

2.2 VPN Type: L2TP over IPsec

3. In Authentication Settings, enter the preshared key.


Additional Notes & Considerations



  • L2TP has no route distribution method. If the client setting that routes "all" traffic through the tunnel is not used, you must add manual routes on the client pointing to the USG's local networks.
  • Setting up L2TP automatically adds firewall rules to WAN Local in Settings > Routing & Firewall; no manual rules are required on the user end.
  • In USG firmware before 4.3.41, L2TP remote access VPN will not work if one or more site-to-site IPsec VPNs are already configured. Please update to the latest firmware.
  • If UPnP is configured on the USG, an ACL will need to be created to deny UDP ports 500/4500. See this Community post for more. This community post is in the Early access section of our Community, see this article to learn How to Sign Up for Early Access.
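Because L2TP distributes no routes, a Windows client that does not send all traffic through the tunnel needs the USG's LAN subnets added to its VPN profile. The PowerShell below is an added example, not from the article: it turns on split tunneling and attaches per-subnet routes to the profile so Windows installs them each time the connection dials. It assumes a connection named USG-L2TP already exists (as created by the Windows steps above); the two subnets are placeholders for the USG's actual local networks.

```powershell
# Added example (not from the article): client-side routes for a split-tunnel L2TP profile.
$VpnName = 'USG-L2TP'                                  # hypothetical connection name
$UsgLans = @('192.168.1.0/24', '192.168.10.0/24')      # placeholders for the USG's LANs

# Split tunneling = the "route all traffic through the tunnel" option is OFF,
# so only the prefixes below will be sent over the VPN.
Set-VpnConnection -Name $VpnName -SplitTunneling $true

# One route per USG local network; they are stored in the profile, not the live route table,
# and are applied automatically whenever the connection comes up.
foreach ($prefix in $UsgLans) {
    Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $prefix
}

# Check: the profile now carries the routes it will install on connect.
(Get-VpnConnection -Name $VpnName).Routes
```

If instead you want every packet to traverse the tunnel, set -SplitTunneling $false and skip the routes; that is the mode in which no manual routes are needed.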

Related Articles



UniFi - Configuring Access Policies (802.1X) for Wired Clients