The Ubiquiti EdgeRouter series are powerful gigabit routers with advanced network management and security features.
EdgeRouter models with EdgeOS software offer an array of advanced features, commonly seen on higher end devices, including: QoS, DPI, DHCP services, VPN, Firewall features, Dynamic DNS and much more - making them a top choice for many small business and home office users looking to upgrade their networking infrastructure.
In this guide, we take you through the key tech specs of the popular EdgeRouter X, plus a step-by-step tutorial on how to set up an L2TP VPN server on your Ubiquiti EdgeRouter.
Series: Ubiquiti EdgeRouter
Recommended for: Home office or small business (1-5 users)
Supported VPN Protocols: L2TP, PPTP
Processor: Dual-Core 880 MHz
Additional features: Centralized Management (UNMS), EdgeOS, Firewall, Wall-Mountable, Dynamic DNS, RADIUS Client
Device Status: Active
Set up VPN on a Ubiquiti EdgeRouter
Carry out the following steps to set up an L2TP VPN server on your EdgeRouter and get secure remote access to your home or office network on your Mac.
Psst... already set up L2TP VPN on your EdgeRouter?
Skip the config section and go ahead and get connected to your EdgeRouter in seconds in VPN Tracker, the secure macOS remote access solution for Ubiquiti users.
Setting up an L2TP VPN server on your EdgeRouter
Step one: Open the config tree
From any device connected to a LAN port of your EdgeRouter, log in to the web interface with an administrator user account and go to the tab Config Tree:
Step two: Set up an IPsec interface
Go to vpn > ipsec > ipsec-interfaces and enter the name of the IPsec interface which will receive L2TP requests from users (e.g. “eth0”).
Step three: Set up remote access
Next, go to vpn > l2tp > remote-access. Enter a description and set an idle timeout between 30 and 86400 seconds.
- If the port configured in step two obtains its IP address via DHCP, enter the port name at dhcp-interface, as shown in the screenshot.
- If the port has a static IP address, leave the field dhcp-interface empty and enter the static IP address into the field outside-address instead.
- If the port obtains its IP address via PPPoE, leave dhcp-interface empty and enter “0.0.0.0” into the field outside-address.
Step four: Authentication
Go to vpn > l2tp > remote-access > authentication and type “local” into the field labeled “mode”:
Step five: Creating VPN users
VPN users are the users who are authorised to access the VPN tunnel - i.e. staff members or family.
Go to vpn > l2tp > remote-access > authentication > local-users > username and enter the name of at least one VPN user. You can add as many VPN users as you wish.
Once done, select Update List to add the new user entries to the tree.
➔ Note: You can return to this view to add more users later.
Your added users will now appear in the tree as additional branches under username.
For each new user created, repeat the following steps:
- Select the user
- Enter a password
- Optional: Assign a static IP address to the user (e.g. if you need to identify users by specific IP addresses)
Remember: Your unique user credentials will be required later in the VPN client to access the VPN connection.
Step six: Setting up a client IP pool
Go to vpn > l2tp > remote-access > client-ip-pool and enter the first address of the client IP pool in the start field. Enter the end of the client IP pool in the stop field:
Note: Users without a static IP address in Step Five will obtain a random IP address from this pool each time they connect.
The address pool may overlap with the address range of your LAN network but it must not overlap with the DHCP range of any network!
Step seven: DNS (optional)
Setting up DNS servers is optional. It is only required if VPN clients need to use specific DNS servers once connected to the VPN, e.g. to be able to access devices within the LAN via hostname.
To add DNS servers, go to vpn > l2tp > remote-access > dns-servers:
If you are using DNS, please ensure to also enter DNS server information when you set up your VPN connection in the VPN client later.
Step eight: IPsec settings
Go to vpn > l2tp > remote-access > ipsec-settings and enter an IKE lifetime in seconds into the field ike-lifetime. We recommend 86400 seconds (24 hours).
Then, enter an IPsec lifetime into the field lifetime. We recommend 28800 seconds (8 hours).
Step nine: IPsec authentication
Go to vpn > l2tp > remote-access > ipsec-settings > authentication and type pre-shared-secret into the field mode. Then, enter a Pre-Shared Key into the field pre-shared-secret:
Be sure to make a note of this password, as you will need it to authenticate the VPN connection in the VPN client.
Step ten: Applying the configuration
Finally, click the Preview button that is displayed at the bottom of each settings page to review the settings you have configured. If you are satisfied, click Apply to save and activate these settings.
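The same settings can be entered from the EdgeOS CLI instead of the Config Tree. The following script is an added example (not part of this guide and not Ubiquiti's code) that turns the values from steps two to nine into `set` lines and checks the rules the guide states before anything is applied: the idle timeout must lie between 30 and 86400 seconds, the client IP pool must not overlap any DHCP range, a static WAN port needs an outside-address, and at least one VPN user must exist. The CLI paths mirror the Config Tree paths above; the interface name, addresses, user names and secrets are constructed sample values. If your firmware's CLI differs, compare each line against the corresponding Config Tree path.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IDLE_MIN, IDLE_MAX = 30, 86400          # idle-timeout bounds from step three


@dataclass
class VpnUser:
    name: str
    password: str
    static_ip: Optional[str] = None      # optional fixed address (step five)


@dataclass
class L2tpServer:
    wan_interface: str                   # IPsec interface receiving L2TP (step two)
    wan_mode: str                        # "dhcp", "static" or "pppoe" (step three)
    pool_start: str                      # client IP pool (step six)
    pool_stop: str
    pre_shared_secret: str               # IPsec pre-shared key (step nine)
    users: List[VpnUser]
    description: str = "L2TP remote access"
    idle_timeout: int = 1800
    static_wan_address: Optional[str] = None   # only used when wan_mode == "static"
    dns_servers: List[str] = field(default_factory=list)   # step seven, optional
    ike_lifetime: int = 86400            # step eight recommendations
    ipsec_lifetime: int = 28800


def ranges_overlap(a_start, a_stop, b_start, b_stop) -> bool:
    """True when the inclusive IPv4 ranges [a_start, a_stop] and [b_start, b_stop] share an address."""
    a0, a1 = int(ipaddress.ip_address(a_start)), int(ipaddress.ip_address(a_stop))
    b0, b1 = int(ipaddress.ip_address(b_start)), int(ipaddress.ip_address(b_stop))
    return a0 <= b1 and b0 <= a1


def validate(cfg: L2tpServer, dhcp_ranges) -> List[str]:
    """Return a list of problems; an empty list means the values satisfy the guide's rules."""
    problems = []
    if not IDLE_MIN <= cfg.idle_timeout <= IDLE_MAX:
        problems.append(f"idle-timeout {cfg.idle_timeout} is outside {IDLE_MIN}..{IDLE_MAX} seconds")
    if int(ipaddress.ip_address(cfg.pool_start)) > int(ipaddress.ip_address(cfg.pool_stop)):
        problems.append("client-ip-pool start is above stop")
    for dhcp_start, dhcp_stop in dhcp_ranges:        # the warning under step six
        if ranges_overlap(cfg.pool_start, cfg.pool_stop, dhcp_start, dhcp_stop):
            problems.append(f"client-ip-pool overlaps DHCP range {dhcp_start}-{dhcp_stop}")
    if cfg.wan_mode == "static" and not cfg.static_wan_address:
        problems.append("static WAN interface needs an outside-address")
    if cfg.wan_mode not in ("dhcp", "static", "pppoe"):
        problems.append(f"unknown wan_mode {cfg.wan_mode!r}")
    if not cfg.users:
        problems.append("at least one VPN user is required")
    return problems


def set_commands(cfg: L2tpServer) -> List[str]:
    """Emit the EdgeOS 'set' lines equivalent to the Config Tree entries of steps two to nine."""
    base = "set vpn l2tp remote-access"
    lines = [
        f"set vpn ipsec ipsec-interfaces interface {cfg.wan_interface}",
        f'{base} description "{cfg.description}"',
        f"{base} idle-timeout {cfg.idle_timeout}",
    ]
    if cfg.wan_mode == "dhcp":                      # step three, first case
        lines.append(f"{base} dhcp-interface {cfg.wan_interface}")
    elif cfg.wan_mode == "static":                  # second case
        lines.append(f"{base} outside-address {cfg.static_wan_address}")
    else:                                           # pppoe: third case
        lines.append(f"{base} outside-address 0.0.0.0")
    lines.append(f"{base} authentication mode local")        # step four
    for u in cfg.users:                                       # step five
        lines.append(f"{base} authentication local-users username {u.name} password {u.password}")
        if u.static_ip:
            lines.append(f"{base} authentication local-users username {u.name} static-ip {u.static_ip}")
    lines += [f"{base} client-ip-pool start {cfg.pool_start}",
              f"{base} client-ip-pool stop {cfg.pool_stop}"]
    for i, server in enumerate(cfg.dns_servers, start=1):   # server-1, server-2, ...
        lines.append(f"{base} dns-servers server-{i} {server}")
    lines += [
        f"{base} ipsec-settings ike-lifetime {cfg.ike_lifetime}",
        f"{base} ipsec-settings lifetime {cfg.ipsec_lifetime}",
        f"{base} ipsec-settings authentication mode pre-shared-secret",
        f"{base} ipsec-settings authentication pre-shared-secret {cfg.pre_shared_secret}",
    ]
    return lines


# Constructed sample values, not taken from the guide.
SAMPLE = L2tpServer(
    wan_interface="eth0", wan_mode="dhcp",
    pool_start="192.168.1.240", pool_stop="192.168.1.250",
    pre_shared_secret="CHANGE-ME-sample-psk",
    users=[VpnUser("alice", "CHANGE-ME-alice"),
           VpnUser("bob", "CHANGE-ME-bob", static_ip="192.168.1.251")],
    dns_servers=["192.168.1.1"],
)
DHCP_RANGES = [("192.168.1.100", "192.168.1.200")]   # constructed LAN DHCP scope

if __name__ == "__main__":
    problems = validate(SAMPLE, DHCP_RANGES)
    print("\n".join(problems or set_commands(SAMPLE)))
```

Run it once with your own values before touching the router: when `validate` returns nothing, the printed lines can be pasted into `configure` mode and followed by `commit` and `save`, which corresponds to Preview and Apply in the web interface.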
Setting up the firewall
By default the firewall drops all incoming data packets that don’t seem to be replies to previously sent outgoing data packets.
If you have completely disabled the firewall on your device, you can skip this step; otherwise, you need to update the firewall to let VPN-related traffic from clients pass through.
Step one: Open the firewall policies
Go to the tab Firewall/NAT and select Firewall Policies:
Step two: Choose a ruleset
Locate the Ruleset WAN_LOCAL and select Edit Ruleset via the action button on the right:
If you have deleted the Ruleset WAN_LOCAL or have replaced it by a new Ruleset, you may have to first create a Ruleset or add the following rules to a different Ruleset. The required rules need to be added to a Ruleset that is attached to the WAN interface with direction local. If your WAN interface is named eth0, the Ruleset table should list eth0/local. The default Ruleset named WAN_LOCAL serves this purpose.
Do not add the rules to a Ruleset bound to direction in: that direction only matches traffic forwarded through the router into a LAN network, not traffic that terminates at the router itself, which is the case for all VPN traffic.
Step three: Create rules
You will now need to add the following rules. Click Add New Rule to set up a new firewall rule and click Save when done with each rule:
- Description: IKE; Action: Accept; Protocol: UDP; Destination > Port: 500
- Description: NAT-T; Action: Accept; Protocol: UDP; Destination > Port: 4500
- Description: ESP; Action: Accept; Protocol: Choose a protocol by name > ESP
- Description: L2TP; Action: Accept; Protocol: UDP. Now switch to the Advanced tab and set IPsec: Match inbound IPsec packets; then set Destination > Port: 1701
Once you've reviewed the newly-added firewall rules, you can complete the VPN setup and move on to the next step.
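For readers who prefer to check the result rather than trust the screenshots, here is an added example (not part of this guide, not Ubiquiti's code) that does two things: it emits the EdgeOS `set` lines for the four rules above together with the binding of the ruleset to the WAN interface with direction local, and it audits an existing list of `set` lines, such as the output of `show configuration commands`, for the rules and the binding the guide requires. The rule numbers 30 to 60, the interface name eth0 and the partial sample configuration are constructed; the `ipsec match-ipsec` keyword is assumed to be the CLI form of the "Match inbound IPsec packets" option on the Advanced tab.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    description: str
    protocol: str
    port: Optional[int] = None       # Destination > Port
    match_ipsec: bool = False        # Advanced tab: "Match inbound IPsec packets"


# The four rules from step three. Rule numbers are assigned by ruleset_commands().
L2TP_RULES = [
    Rule("IKE", "udp", 500),
    Rule("NAT-T", "udp", 4500),
    Rule("ESP", "esp"),
    Rule("L2TP", "udp", 1701, match_ipsec=True),
]


def required_attrs(rule: Rule):
    """The 'set' fragments a rule must carry to count as satisfying the guide."""
    need = {"action accept", f"protocol {rule.protocol}"}
    if rule.port is not None:
        need.add(f"destination port {rule.port}")
    if rule.match_ipsec:
        need.add("ipsec match-ipsec")
    return need


def ruleset_commands(ruleset="WAN_LOCAL", wan_if="eth0", first_rule=30, step=10) -> List[str]:
    """Emit 'set' lines for the four rules plus the binding to the WAN interface, direction local."""
    lines = []
    for n, rule in enumerate(L2TP_RULES):
        prefix = f"set firewall name {ruleset} rule {first_rule + n * step}"
        lines.append(f"{prefix} description {rule.description}")
        lines += sorted(f"{prefix} {attr}" for attr in required_attrs(rule))
    # Direction local matches traffic addressed to the router itself, which VPN traffic is;
    # direction in would only match traffic forwarded into a LAN (see step two).
    lines.append(f"set interfaces ethernet {wan_if} firewall local name {ruleset}")
    return lines


def missing_rules(config_lines: List[str], ruleset="WAN_LOCAL") -> List[str]:
    """Audit: descriptions of required rules that no rule in `ruleset` satisfies."""
    prefix = f"set firewall name {ruleset} rule "
    attrs_by_rule = {}
    for line in config_lines:
        if line.startswith(prefix):
            num, _, rest = line[len(prefix):].partition(" ")
            attrs_by_rule.setdefault(num, set()).add(rest)
    return [r.description for r in L2TP_RULES
            if not any(required_attrs(r) <= attrs for attrs in attrs_by_rule.values())]


def bound_local(config_lines: List[str], ruleset="WAN_LOCAL", wan_if="eth0") -> bool:
    """True when the ruleset is attached to the WAN interface with direction local."""
    return f"set interfaces ethernet {wan_if} firewall local name {ruleset}" in config_lines


# Constructed sample: a router whose WAN_LOCAL has IKE, NAT-T and ESP but no L2TP rule,
# and whose ruleset is wrongly attached with direction 'in'.
PARTIAL_CONFIG = [
    "set firewall name WAN_LOCAL rule 30 action accept",
    "set firewall name WAN_LOCAL rule 30 description IKE",
    "set firewall name WAN_LOCAL rule 30 destination port 500",
    "set firewall name WAN_LOCAL rule 30 protocol udp",
    "set firewall name WAN_LOCAL rule 40 action accept",
    "set firewall name WAN_LOCAL rule 40 destination port 4500",
    "set firewall name WAN_LOCAL rule 40 protocol udp",
    "set firewall name WAN_LOCAL rule 50 action accept",
    "set firewall name WAN_LOCAL rule 50 protocol esp",
    "set interfaces ethernet eth0 firewall in name WAN_LOCAL",
]

if __name__ == "__main__":
    print("missing rules:", missing_rules(PARTIAL_CONFIG))
    print("bound with direction local:", bound_local(PARTIAL_CONFIG))
    print("\n".join(ruleset_commands()))
```

Against the constructed sample the audit reports the L2TP rule as missing and the binding as wrong, which is exactly the situation the note under step two warns about. Rule numbers matter: pick ones that sort before any final drop rule in your ruleset, because EdgeOS evaluates rules in numeric order.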
Connect to EdgeRouter VPN on macOS
Once you've configured a VPN server on your EdgeRouter, all you need to get connected is a VPN client. VPN Tracker is the best VPN client for macOS and iOS and provides you with secure remote access to your EdgeRouter on your Mac.
Get connected in seconds with help from the VPN Tracker configuration assistant for EdgeRouter:
- Open the VPN Tracker EdgeRouter Connection Creator
- Enter the IP address or hostname of your EdgeRouter and follow the remaining steps in the setup wizard
- Once you've completed all the steps, save your new VPN connection in your account for secure remote access to your EdgeRouter on your Mac