The Ubiquiti UniFi Security Gateway (USG) Pro makes a great VPN terminator and is an ideal firewall for small and medium businesses. Occasionally I configure the USG Pro for my clients to protect their networks, act as their network gateway, and also provide VPN capability.
In this guide, I will show you how to configure a Remote Access VPN on the Ubiquiti USG Pro using L2TP. In this setup, I am using the Cloud Key G2 to manage a Ubiquiti USG Pro.
What is L2TP?
Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used in VPNs. It needs an encryption protocol to protect the traffic being sent through the L2TP tunnel. Read more here.
There are a few components needed to make this work:
- RADIUS Server (on the USG)
- RADIUS User
- VPN Network (on the USG)
- Firewall Rules (allowing L2TP VPN)
- Device configuration
RADIUS User Configuration
To log in remotely via VPN, you need an account. The first step is to log into your USG or your UniFi management.
Go to Settings and then click on Services
Under RADIUS and Users, click on Create New User.

Type out the account name for this user and give it a strong password. (Make sure you keep that in your password manager). Leave the VLAN section blank.
For Tunnel Type, select 3 – Layer Two Tunneling Protocol (L2TP)
For Medium Type, select 1 – IPv4
Click Save

RADIUS Server Configuration
We will need to configure a RADIUS Server on the Ubiquiti USG in order to accept remote VPN connections from various users that we can set up for remote access.
Under RADIUS and Server, enable RADIUS Server. Below that, type in a strong Secret and make sure you document it in your password manager.
Leave the defaults for the rest of the options. Then click on Apply.

Configure a Remote Access VPN Network
When users VPN into the network, we need to place them on their own subnet. On the left side navigation, under Settings, click on Networks.
Click on Create a New Network.

Give the network a descriptive name such as Remote User VPN
For purpose, select Remote User VPN. This will allow us to select a VPN Type.
For VPN Type, select L2TP Server.
Create a strong Pre-Shared Key (You’ll need this key later when configuring your device for remote VPN)
Give the Remote User VPN network a Gateway/Subnet (do not overlap this with any preconfigured network; this is a new network).
For Name Server, select auto or manual. Under Manual you will specify the name servers.
Under RADIUS, select the Default RADIUS profile
Click Save

When you select Remote User VPN and save the network, it creates the necessary firewall rules to allow L2TP VPN. View them under Routing & Firewall > Firewall > Rules IPv4 > WAN LOCAL.

Create VPN Profile on Computer
I use macOS, so these instructions are specific to it. Once I get hold of my Windows laptop and update it, I'll add a section for Windows.
In macOS we will use the built-in L2TP VPN capabilities.
Open Network Preferences
Click on the + icon on the bottom left to add a new VPN interface

Under Interface, select VPN
For VPN Type, select L2TP over IPsec
Create a descriptive name under Service Name
Click Create

In the configuration of the VPN profile, keep Configuration at Default.
For the Server Address, set the IP address of your USG’s WAN interface
For account name, set it to the RADIUS user you created earlier
Click on Authentication Settings button

For Password, enter the password of the RADIUS user
Under Machine Authentication, select Shared Secret and enter the Shared Secret of the RADIUS Server.
Click OK

Back at the VPN Profile configuration window, click Advanced
Under Options, enable “Send all traffic over VPN connection” if you’d like to make this a Full VPN Tunnel.
Click OK and then click on Apply

Test Remote Access VPN
Click on Connect
If successful, the status will change to Connected, you'll see how long you've been connected, and you'll have an IP address from the range you configured on the Remote Access VPN network.

Now try accessing your local resources.
At the time of this writing, Ubiquiti doesn’t offer any way to easily see the status of remote access VPN users on the GUI dashboard.
The closest thing is an Event where my laptop shows that it has connected to the LAN, but you would assume that’s a local Ethernet connection.

The only way to tell the status is through the CLI of the USG, using show vpn remote-access and show vpn ipsec sa:
$ show vpn remote-access
Active remote access VPN sessions:
User Time Proto Iface Remote IP TX pkt/byte RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
rowell 00h00m14s L2TP l2tp0 192.168.3.1 326 105.5K 425 62.0K
The Remote IP is the Remote VPN network that I created earlier.
$ show vpn ipsec sa
remote-access: #6, ESTABLISHED, IKEv1, 5df87ceee4a88d30:ba926ce41288578c
local 'x.x.x.x' @ x.x.x.x
remote '172.20.3.6' @ 12.9.250.183
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 330s ago
remote-access: #7, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 330 ago
in c7a3bef9, 1458020 bytes, 9236 packets, 0s ago
out 0e0bf674, 9496201 bytes, 10136 packets, 29s ago
local x.x.x.x/32[udp/l2f]
remote 12.9.250.183/32[udp/51184]
I've sanitized the local IP address. The local address is the WAN of the USG.
The remote entry shows my private IP and the WAN IP of the hotel I'm at.
For troubleshooting purposes, you can issue show vpn log tail to see the last 10 VPN log messages. The tail keyword is optional; with it, the output keeps updating with the last 10 log messages, which you can use to troubleshoot someone's connection.
$ show vpn log tail
Mar 7 07:10:12 12[IKE] <remote-access|6> closing CHILD_SA remote-access{7} with SPIs c7a3bef9_i (1548107 bytes) 0e0bf674_o (9631239 bytes) and TS x.x.x.x/32[udp/l2f] === 12.9.250.183/32[udp/51184]
Mar 7 07:10:12 04[IKE] <remote-access|6> deleting IKE_SA remote-access[6] between x.x.x.x[x.x.x.x]...12.9.250.183[172.20.3.6]
Mar 7 07:10:15 08[KNL] interface l2tp0 deleted
Mar 7 07:10:56 07[IKE] <7> 12.9.250.183 is initiating a Main Mode IKE_SA
Mar 7 07:10:57 04[IKE] <remote-access|7> IKE_SA remote-access[7] established between x.x.x.x[x.x.x.x]...12.9.250.183[172.20.3.6]
Mar 7 07:10:57 02[IKE] <remote-access|7> CHILD_SA remote-access{8} established with SPIs cb2f14f2_i 02e5c731_o and TS x.x.x.x/32[udp/l2f] === 12.9.250.183/32[udp/64282]
Mar 7 07:11:00 16[KNL] 10.255.255.0 appeared on ppp0
Mar 7 07:11:00 06[KNL] 10.255.255.0 disappeared from ppp0
Mar 7 07:11:00 05[KNL] 10.255.255.0 appeared on ppp0
Mar 7 07:11:00 02[KNL] interface l2tp0 activated
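Since the dashboard offers no view of remote VPN users, the two CLI outputs above are the raw material for any monitoring. As an added example (not from the original post), this small Python parser turns the `show vpn remote-access` rows and the IKE_SA lines of `show vpn log` into records and replays the establish/delete events to list the IKE_SAs still open. The sample text is constructed from the page's own output, and the regexes assume the column layout and strongSwan message wording shown here.

```python
import re
# Constructed sample of `show vpn remote-access`, modelled on the output shown on the page.
SESSIONS_TXT = """\
Active remote access VPN sessions:
User       Time      Proto Iface Remote IP       TX pkt/byte RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
rowell     00h00m14s L2TP  l2tp0 192.168.3.1     326    105.5K 425    62.0K
"""
# Constructed sample of `show vpn log` (strongSwan charon lines in the form the page shows).
LOG_TXT = """\
Mar 7 07:10:12 04[IKE] <remote-access|6> deleting IKE_SA remote-access[6] between x.x.x.x[x.x.x.x]...12.9.250.183[172.20.3.6]
Mar 7 07:10:56 07[IKE] <7> 12.9.250.183 is initiating a Main Mode IKE_SA
Mar 7 07:10:57 04[IKE] <remote-access|7> IKE_SA remote-access[7] established between x.x.x.x[x.x.x.x]...12.9.250.183[172.20.3.6]
"""

# One data row of the session table; header and ruler lines fail the Time column pattern.
SESSION_RE = re.compile(r"^(?P<user>\S+)\s+(?P<time>\d+h\d+m\d+s)\s+(?P<proto>\S+)\s+(?P<iface>\S+)\s+"
                        r"(?P<remote_ip>[\d.]+)\s+(?P<tx_pkt>\d+)\s+(?P<tx_bytes>\S+)\s+(?P<rx_pkt>\d+)\s+(?P<rx_bytes>\S+)$")
# IKE_SA established / deleting lines: SA number, peer public IP and the peer's IKE identity.
IKE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?<remote-access\|(?P<sa>\d+)> (?P<what>IKE_SA remote-access\[\d+\] established"
                    r"|deleting IKE_SA remote-access\[\d+\]) between \S+\.\.\.(?P<peer>[\d.]+)\[(?P<peer_id>[^\]]+)\]")

def parse_sessions(text):
    """Rows of the L2TP session table as dicts (all values kept as the CLI printed them)."""
    return [m.groupdict() for m in (SESSION_RE.match(ln.strip()) for ln in text.splitlines()) if m]

def ike_events(text):
    """IKE_SA establish/delete events in log order; unrelated lines (CHILD_SA, KNL) are skipped."""
    events = []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sa"] = int(d["sa"])
            d["action"] = "established" if "established" in d.pop("what") else "deleted"
            events.append(d)
    return events

def open_ike_sas(events):
    """Replay the events; return {sa_number: peer_ip} for IKE_SAs that were not deleted."""
    active = {}
    for ev in events:
        if ev["action"] == "established":
            active[ev["sa"]] = ev["peer"]
        else:
            active.pop(ev["sa"], None)
    return active

if __name__ == "__main__":
    print("sessions:", [(s["user"], s["remote_ip"], s["time"]) for s in parse_sessions(SESSIONS_TXT)])
    print("open IKE_SAs:", open_ike_sas(ike_events(LOG_TXT)))
```

Feeding the live output of the two commands into these functions from a cron job gives a per-user session list and a peer IP per open IKE_SA that can be logged or alerted on.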
Thoughts
Overall, it was simple to configure remote access VPN if you are familiar with configuring it on other network devices. Ubiquiti could help others with a simpler wizard to reduce the number of sections you need to jump through to complete remote access VPN.
Additionally, Ubiquiti needs to add a status of remote VPN users in their dashboard to avoid having to use the CLI.
This is an excellent, step-by-step guide to setting up a VPN on the UniFi USG, and connecting from a Mac.
A couple of things which would be awesome.
1.) Screenshots/Instructions for setting up the Windows client
2.) Screenshots/Instructions for RDP into a Windows machine after connecting to the VPN
Thanks for the feedback. I’ll get ahold of a Windows machine and replicate the steps for that OS.
Would love a step-by-step guide for Debian-based Linux as well. Got the server-side part done, but can't get my Linux client to connect.
Hello. This is very useful indeed, thanks.
I have a question: Once I am connected to my remote USG (in another town) via the VPN, how do I access those devices connected to that USG (it is in the 192.168.1.1 network while my VPN is on 192.168.4.1 network – followed your instructions not to overlap my VPN with any existing network). I am new at this kind of thing, but there must be a way to link these 2 networks so that I can see my devices by typing their IP addresses. Or is this not how it works?
Many thanks
Hi Jin, you may need to create a firewall rule to allow traffic between those two subnets.
Hi Rowell. Do I create this rule on the USG Routing and Firewall settings, LAN IN/OUT I presume? Many thanks
Hi, did you manage to do a Windows config? Having issues with connectivity.
I have setup the VPN but when two users, each with their own credentials, try to login to the VPN from the same location, it only allows one of them to connect.
Is this normal?
Pretty good article but at which point does the encryption take place? I don’t see that mentioned anywhere. If this VPN is not encrypted, how do we go about encrypting it?
Dav: L2TP – Layer 2 Tunneling Protocol is a version of IPsec – encrypted network data.
Christos: I don’t have an answer, I have never tried connecting from one location twice, generally L2TP is used for end-users on a one-off connection. Where more than one person is needing access, we setup a site-to-site tunnel on the router at that location, bypassing the computer needing to connect with VPN.
These instructions didn't work for my USG PRO 4, but I was trying to use an iPhone as the VPN client.
It appears that Ubiquiti has no clue what a VPN is, or is used for. Is there really no !@#$ing way to get a Remote Device to have an IP *inside my LAN*??? That is what I had with a relatively straightforward CLI configuration on my EdgeRouter. You’d *think* doing that would be made easier, not impossible, by USG’s supposed “user friendly GUI”.
>:-(
This failure to give the Remote User an IP *on my LAN* leads to the following:
Once I am connected to my remote USG (in another town) via the VPN, how do I access those devices connected to that USG (it is in the 192.168.1.1 network while my VPN is on 192.168.4.1 network – followed your instructions not to overlap my VPN with any existing network). There must be a way to link these 2 networks so that I can see my devices by typing their IP addresses. Or is this not how it works with Ubiquiti? Perhaps the VPN on some random private CIDR block is only connecting back to China to install ransomware? /s
You can use WireGuard or Teleport to set up VPN. That would assign an IP on your LAN as long as you configure a subnet. It sounds like you need inter-VLAN routing and some firewall rules set up so the two networks can communicate with each other.