By connecting to my VPN server I have always a secure connection and can access my home network from every location with an internet connection.
Creating a VPN server on an Ubiquiti EdgeRouter Lite running EdgeOS is easy! In this blog post, I set up an L2TP over IPsec VPN server.
To understand the configuration you should first know my setup. I have an Ubiquiti EdgeRouter Lite with 3 ports.
The port configuration:
eth0 - My FTTH connection
eth0.4 - VLAN4 (Internet)
eth0.6 - VLAN6 (IPTV)
eth0.7 - VLAN7 (VOIP)
eth1 - My LAN network
eth2 - Link to the KPN Experiabox (VOIP)
pppoe0 - Connection to KPN (Internet)
Enable IPsec on pppoe0
First, configure the allowed networks and enable NAT traversal on the pppoe0 interface.
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal enable
Enable L2TP remote access with local authentication
I use the local authentication of the EdgeRouter but you can also use RADIUS.
set vpn l2tp remote-access authentication mode local
If you use local authentication you have also to define the users in the EdgeRouter. Replace <username> and <password> with your credentials.
set vpn l2tp remote-access authentication local-users username <username> password <password>
Client IP pool
The VPN users should also get an IP from the EdgeRouter.
set vpn l2tp remote-access client-ip-pool start 172.16.201.50
set vpn l2tp remote-access client-ip-pool stop 172.16.201.100
IPsec shared key
IPsec requires a pre-shared key for authentication. Replace <password> with your pre-shared key secret.
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <password>
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
Configure the outside address and next hop address to enable routing to the internet from a VPN connection. Replace <IP address> with the external IP address received by your ISP.
set vpn l2tp remote-access outside-address <IP address>
set vpn l2tp remote-access outside-nexthop <IP address>
You can set an MTU to avoid fragmentation and reassembly in the L2TP switching path.
set vpn l2tp remote-access mtu 1024
Commit and Save
Commit and save the changes to the EdgeOS configuration.
commit; save; exit;
To allow VPN users to connect to your VPN server you have to open some ports in the firewall.
ACCEPT from WAN to LOCAL:
IKE: UDP destination port 500
L2TP: UDP destination port 1701
ESP: protocol 50
NAT-T: UDP destination port 4500
Connect to your VPN server from your phone or another external device. Once connected, run show vpn remote-access to view the session.