(ARCHIVED) UniFi - USG VPN: Remote User VPN with Local Users

This article has been archived. Applies to UniFi Controller versions older than 5.5.X
This article is no longer supported and will not be updated further. Find the current version of this article here: UniFi - USG: Configuring L2TP Remote Access VPN. We recommend always upgrading to the newest firmware release to prevent security issues.


Readers will learn how to configure a Remote User VPN on the USG to allow clients to access a corporate LAN. As of Controller version 5.5.X, users will be able to use the RADIUS server, and configure RADIUS from the Controller itself. Follow our UniFi - USG: Configuring L2TP Remote Access VPN article on the subject. RADIUS authentication is more secure than the local authentication described in this article. It is recommended that you use RADIUS instead.

Table of Contents

  1. Notes & Requirements
  2. Implementation
  3. Related Articles

Notes & Requirements

1. You must create the Remote User VPN network in the controller under Settings > Networks. It will ask for RADIUS server info, but you may enter false information, like the dummy server information provided below. If you do not create this subnet, the USG will go into a provisioning loop.

2. The Remote User VPN with RADIUS will NOT work if local user authentication is substituted.

3. You can validate the contents of your JSON file with one of the various online tools. Search Google for "json validator".


Implementation

By design, this feature is meant to be used with a preset RADIUS server for secure user authentication. However, it is also possible to create local users on the USG and bypass the RADIUS requirement. This is provided only for convenience or testing purposes, and we do NOT recommend it for real deployments.

A special hook is needed to accomplish this. This is an advanced feature which works, but it needs to be executed properly. The idea is to manually generate the corresponding local user VPN config and then feed it to the USG. To do this, you will need to manually create a file named "config.gateway.json" and put it in the directory "<unifi_base>/data/sites/$site_id/".

NOTE: The location <unifi_base> will vary depending on your operating system. See this article for more information.

For Remote User VPN with local users, create a "config.gateway.json" with the contents below:

    {
        "vpn": {
            "pptp": {
                "remote-access": {
                    "authentication": {
                        "local-users": {
                            "username": {
                                "user1": {
                                    "password": "user1password"
                                },
                                "user2": {
                                    "password": "user2password"
                                }
                            }
                        },
                        "mode": "local"
                    }
                }
            }
        }
    }

The config above creates two local users ('user1' and 'user2') for VPN connections. Feel free to change those and add more as required. If adding more users, use the following format, and place the new user between user1 and user2.

WARNING: Be wary of pasting your password in the JSON file into online JSON validators.

                                "user3": {
                                    "password": "user3password"
                                },

The next step is to manually trigger a provision to the USG.
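
Before triggering the provision, the file can be checked locally instead of with an online validator, so the VPN passwords never leave the machine. The Python script below is an added example, not part of the original article or of Ubiquiti's tooling; the function name check_gateway_config, the placeholder-password check and the sample strings are assumptions made for illustration.

```python
import json
import sys

AUTH_PATH = ("vpn", "pptp", "remote-access", "authentication")

def check_gateway_config(text):
    """Return a list of problems (empty list = OK). Never echoes passwords."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        # Report the position only; e.doc holds the whole file, secrets included.
        return [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    node = cfg
    for depth, key in enumerate(AUTH_PATH, start=1):
        if not isinstance(node, dict) or key not in node:
            return ["missing object: " + "/".join(AUTH_PATH[:depth])]
        node = node[key]
    if not isinstance(node, dict):
        return ["authentication must be a JSON object"]
    problems = []
    if node.get("mode") != "local":
        problems.append('authentication/mode must be "local"')
    local = node.get("local-users")
    users = local.get("username") if isinstance(local, dict) else None
    if not isinstance(users, dict) or not users:
        return problems + ["no users under authentication/local-users/username"]
    for name, entry in users.items():
        pw = entry.get("password") if isinstance(entry, dict) else None
        if not isinstance(pw, str) or not pw:
            problems.append(f"user {name}: missing or empty password")
        elif pw == name + "password":
            # Added check (assumption): the article's sample values were left in.
            problems.append(f"user {name}: placeholder password from the article")
    return problems

# Constructed samples (not real credentials).
GOOD = ('{"vpn": {"pptp": {"remote-access": {"authentication": {'
        '"local-users": {"username": {"alice": {"password": "Xq7-constructed"}}},'
        '"mode": "local"}}}}}')
# A user block pasted in without the separating comma.
BAD = GOOD.replace('}}},"mode"', '} "bob": {"password": "pw2-constructed"}}},"mode"')

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD
    issues = check_gateway_config(text)
    print("\n".join(issues) if issues else "config.gateway.json: OK")
    sys.exit(1 if issues else 0)
```

Saved under a name of your choice and given the path to config.gateway.json as its only argument, the script exits non-zero when the file should not be provisioned yet.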
