By connecting to my VPN server I always have a secure connection and can reach my home network from any location with an internet connection.
Creating a VPN server on an Ubiquiti EdgeRouter Lite running EdgeOS is easy! In this blog post, I set up an L2TP over IPsec VPN server.
My setup
To understand the configuration you should first know my setup. I have a Ubiquiti EdgeRouter Lite with three ports.
The port configuration:
eth0 - My FTTH connection
eth0.4 - VLAN4 (Internet)
eth0.6 - VLAN6 (IPTV)
eth0.7 - VLAN7 (VOIP)
eth1 - My LAN network
eth2 - Link to the KPN Experiabox (VOIP)
pppoe0 - Connection to KPN (Internet)
Enable IPsec on pppoe0
First, configure the allowed networks and enable NAT traversal on the pppoe0 interface.
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal enable
Enable L2TP remote access with local authentication
I use the EdgeRouter's local authentication, but you can also use RADIUS.
set vpn l2tp remote-access authentication mode local
If you use local authentication, you also have to define the users on the EdgeRouter. Replace <username> and <password> with your credentials.
set vpn l2tp remote-access authentication local-users username <username> password <password>
Client IP pool
VPN clients also need an IP address, which the EdgeRouter assigns from this pool.
set vpn l2tp remote-access client-ip-pool start 172.16.201.50
set vpn l2tp remote-access client-ip-pool stop 172.16.201.100
IPsec shared key
IPsec requires a pre-shared key for authentication. Replace <password> with your pre-shared key secret.
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <password>
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
L2TP routing
Configure the outside address and next-hop address so that traffic from a VPN connection can be routed to the internet. Replace <IP address> with the external IP address assigned by your ISP.
set vpn l2tp remote-access outside-address <IP address>
set vpn l2tp remote-access outside-nexthop <IP address>
MTU tuning
You can set an MTU to avoid fragmentation and reassembly in the L2TP switching path.
set vpn l2tp remote-access mtu 1024
Commit and Save
Commit and save the changes to the EdgeOS configuration.
commit; save; exit;
Firewall
To allow VPN clients to reach the server, you have to accept the following traffic in the firewall.
ACCEPT from WAN to LOCAL:
IKE: UDP destination port 500
L2TP: UDP destination port 1701
ESP: protocol 50
NAT-T: UDP destination port 4500
Test!
Connect to your VPN server from your phone or another external device. Once connected, run show vpn remote-access to view the session.