The planned follow up to the Ubiquiti UniFi AP deployment/RaspberryPi controller post about running an ELK stack on the controller is on hold; there are no preexisting binaries for the ARM platform and a successful compile from source has eluded me so far. So instead we’re going to walk through setting up an L2TP/IPSEC VPN up on Ubiquiti’s EdgeRouter line of routers. Ubiquiti has a good guide here that will get you 90% of the way there, but is missing a few key pieces of info.
In my case I’m using the EdgeRouter X-SFP paired up with a 1GbE copper SFP from 10Gtek with eth5 (the SFP) for WAN connectivity and local authentication.
- SSH to your router
- Configure the IPSEC tunnel
- set vpn ipsec ipsec-interfaces interface eth5
- set vpn ipsec nat-networks allowed-network 0.0.0.0/0
- set vpn ipsec nat-traversal enable
- Setup authentication
- set vpn l2tp remote-access authentication mode local
- set vpn l2tp remote-access authentication local-users username <USERNAME> password <PASSWORD>
- Set the VPN client IP pool
- set vpn l2tp remote-access client-ip-pool start 192.168.X.X
- set vpn l2tp remote-access client-ip-pool stop 192.168.X.X
- Gotta have DNS
- set vpn l2tp remote-access dns-servers server-1 192.168.X.X
- By default the DNS forwarding service only listens on ethX (switch0 in my case), for VPN clients to utilize forwarding it must also listen on the router’s IP
- set service dns forwarding options “listen-address=192.168.X.X”
- Now we need to configure the L2TP authentication
- set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
- set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <REALLYLONGPASSWORD>
- set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
- Optionally you can set the MTU
- set vpn l2tp remote-access mtu 1400
- Configure the external IP
- set vpn l2tp remote-access dhcp-interface eth5
That covers the L2TP/IPSEC VPN setup, but it won’t do much good without putting some firewall rules in place. The rules below need to be placed under WAN_LOCAL.
- Allow IKE traffic
- set firewall name WAN_LOCAL rule 3 action accept
- set firewall name WAN_LOCAL rule 3 description ‘Allow IKE for Remote VPN Server’
- set firewall name WAN_LOCAL rule 3 destination port 500
- set firewall name WAN_LOCAL rule 3 log enable
- set firewall name WAN_LOCAL rule 3 protocol udp
- Allow L2TP traffic
- set firewall name WAN_LOCAL rule 4 action accept
- set firewall name WAN_LOCAL rule 4 description ‘Allow L2TP for Remote VPN Server’
- set firewall name WAN_LOCAL rule 4 destination port 1701
- set firewall name WAN_LOCAL rule 4 log enable
- set firewall name WAN_LOCAL rule 4 protocol udp
- Allow ESP traffic
- set firewall name WAN_LOCAL rule 5 action accept
- set firewall name WAN_LOCAL rule 5 description ‘Allow ESP for Remote VPN Server’
- set firewall name WAN_LOCAL rule 5 log enable
- set firewall name WAN_LOCAL rule 5 protocol esp
- Allow NAT traversal traffic
- set firewall name WAN_LOCAL rule 6 action accept
- set firewall name WAN_LOCAL rule 6 description ‘Allow Nat-T for Remote VPN Server’
- set firewall name WAN_LOCAL rule 6 destination port 4500
- set firewall name WAN_LOCAL rule 6 log enable
- set firewall name WAN_LOCAL rule 6 protocol udp
Now be sure to commit changes and save them so they’ll persist reboots. We’ll make use of commit-confirm for this just in case things blow up; if the commit isn’t confirmed my issuing a second commit command within 10 minutes the system will rollback to the previous active configuration. A very handy feature, especially when making configuration changes remotely.
- commit-confirm
- commit
- save
- exit
You should now be able to initiate L2TP/IPSEC VPN connections from inside and outside your LAN utilizing your WAN IP address. To check active sessions run this command at the CLI – show vpn remote-access.