DevicesRoutersUbiquiti

Set up VPN for a Ubiquiti EdgeRouter

By GabrielleMay 10, 2023August 8th, 2023No Comments

The Ubiquiti EdgeRouter series are powerful gigabit routers with advanced network management and security features.

EdgeRouter models with EdgeOS software offer an array of advanced features, commonly seen on higher end devices, including: QoS, DPI, DHCP services, VPN, Firewall features, Dynamic DNS and much more - making them a top choice for many small business and home office users looking to upgrade their networking infrastructure.

In this guide, we take you through the key tech specs of the popular EdgeRouter X, plus a step-by-step tutorial on how to set up an L2TP VPN server on your Ubiquiti EdgeRouter.

Tech Specs: EdgeRouter X

Series: Ubiquiti EdgeRouter

Model: ER-X

Recommended for: Home office or small business (1-5 users)

Supported VPN Protocols: L2TP, PPTP

Processor: Dual-Core 880 MHz

WiFi: No

Additional features: Centralized Management (UNMS), EdgeOS, Firewall, Wall-Mountable, Dynamic DNS, RADIUS Client

Device Status: Active

EdgeRouter X

Set up VPN on a Ubiquiti EdgeRouter

Carry out the following steps to set up an L2TP VPN server on your EdgeRouter and get secure remote access to your home or office network on your Mac.

Psst... already set up L2TP VPN on your EdgeRouter?

Skip the config section and go ahead and get connected to your EdgeRouter in seconds in VPN Tracker: The secure macOS remote access solution for Ubiquiti users. Connect to your EdgeRouter →

Setting up an L2TP VPN server on your EdgeRouter

Step one: Open the config tree

From any device connected to a LAN port of your EdgeRouter, log in to the web interface with an administrator user account and go to the tab Config Tree:

Step two: Set up an IPsec interface

Go to vpn > ipsec > ipsec-interfaces and enter the name of the IPsec interface which will receive L2TP requests from users (e.g. “eth0”.)

Add the name of the interface that VPN users will be connecting to

Step three: Set up remote access

Next, go to vpn > l2tp > remote-access. Enter a description and set an idle timeout between 30 and 86400 seconds.

Remote access settings

dhcp-interface
  • If the port configured in step two​ obtains its IP address via DHCP, enter the port name at dhcp-interface, as shown in the screenshot:
  • If the port has a static IP address, leave the field dhcp-interface empty and enter the static IP address into the field outside-address instead
  • If the port obtains its IP address via PPPoE, leave dhcp-interface empty and enter “0.0.0.0” into the field outside-address

Step four: Authentication

Go to vpn > l2tp > remote-access > authentication and type “local”into the field labeled “mode”:

Step five: Creating VPN users

VPN users are the users who are authorised to access the VPN tunnel - i.e. staff members or family.

Go to vpn > l2tp > remote-access > authentication > local-users > username and enter the name of at least one VPN user. You can add as many VPN users as you wish.

Add VPN users

Once done, select Update List to add the new user entries to the tree.

➔ Note: You can return to this view to add more users later.

Your added users will now appear in the tree as additional branches under username.

For each new user created, repeat the following steps:

  • Select the user
  • Enter a password
  • Optional: Assign a static IP address to the user (i.e. if you need to identify users by specific IP addresses)

Configure user settings

Remember: Your unique user credentials will be required later in the VPN client to access the VPN connection.

Step six: Setting up a client IP pool

Go to vpn > l2tp > remote-access > client-ip-pool and enter the first address of the client IP pool in the start field. Enter the end of the client IP pool in the stop field:

Enter the client IP pool

Note: Users without a static IP address in ​Step Five​ will obtain a random IP address from this pool each time they connect.

IMPORTANT

The address pool may overlap with the address range of your LAN network but it must not overlap with the DHCP range of any network!

Step seven: DNS (optional)

Setting up DNS servers is optional. It is only required if VPN clients need to use specific DNS servers once connected to the VPN, e.g. to be able to access devices within the LAN via hostname. More about DNS.

To add DNS servers, go to vpn > l2tp > remote-access > dns-servers:

Optional: Enter DNS server(s)

Important

If you are using DNS, please ensure to also enter DNS server information when you set up your VPN connection in the VPN client later.

Step eight: IPsec settings

Go to vpn > l2tp > remote-access > ipsec-settings and enter an IKE lifetime in seconds into the field ike-lifetime. We recommend 86400 seconds (24 hours).

Then, enter an IPsec lifetime into the field lifetime. We recommend 28800 seconds (8 hours).

Step nine: IPsec authentication

Go to vpn > l2tp > remote-access > ipsec-settings > authentication and type pre-shared-secret into the field mode. Then, enter a Pre-Shared Key into the field pre-shared-secret:

Set up a Pre-Shared Key for the connection

Be sure to make a note of this password, as you will need it to authenticate the VPN connection in the VPN client.

Step ten: Applying the configuration

Finally, click the Preview button that is displayed at the bottom of each settings page to review the settings you have configured. If you are satisfied, click Apply to save and activate these settings.

Setting up the firewall

By default the firewall drops all incoming data packets that don’t seem to be replies to previously sent outgoing data packets.

If you have completely disabled the firewall on your device, you can skip this step -otherwise, you need to update the firewall to let VPN-related traffic from clients pass through.

Step one: Open the firewall policies

Go to the tab Firewall/NAT and select Firewall Policies:

Step two: Choose a ruleset

Locate the Ruleset WAN_LOCAL and select Edit Ruleset via the action button on the right:

Important note

If you have deleted the Ruleset WAN_LOCAL or have replaced it by a new Ruleset, you may have to first create a Ruleset or add the following rules to a different Ruleset. The required rules need to be added to a Ruleset that is attached to the WAN interface with direction local. If your WAN interface is named eth0, the Ruleset table should list eth0/local. The default Ruleset named WAN_LOCAL serves this purpose.

Do not add the rules to a Ruleset bound to direction in, as this only affects traffic whose destination lies within any LAN network but not traffic that terminates at the router itself, as is the case for all VPN traffic.

Step three: Create rules

You will now need to add the following rules. Click Add New Rule to set up a new firewall rule and click Save when done with each rule:

IKE
Description: IKE
Action: Accept
Protocol: UDP
Destination > Port: 500
NAT-T
Description: NAT-T
Action: Accept
Protocol: UDP
Destination > Port: 4500
ESP
Description: ESP
Action: Accept
Protocol: Choose a protocol by name > ESP
L2TP
Description: L2TP
Action: Accept
Protocol: UDP

Now switch to the advanced tab:

IPSec: Match inbound IPSec packets
Destination > Port: 1701

Once you've reviewed the newly-added firewall rules, you can complete the VPN setup and move on to the next step.

Connect to EdgeRouter VPN on macOS

Once you've configured a VPN server on your EdgeRouter, all you need to get connected is a VPN client. VPN Tracker is the best VPN client for macOS and iOS and provides you with secure remote access to your EdgeRouter on your Mac.

Get connected in seconds with help from the VPN Tracker configuration assistant for EdgeRouter:

  1. Open the VPN Tracker EdgeRouter Connection Creator
  2. Enter the IP address or hostname of your EdgeRouter and follow the remaining steps in the setup wizard
  3. Once you've completed all the steps, save your new VPN connection in your account for secure remote access to your EdgeRouter on your Mac

Connect to your Ubiquiti EdgeRouter on your Mac

Your VPN Tracker benefits

  • Secure remote access to your company network, home office, and Smart Home - all in one app
  • Use your own VPN gateway
  • Ready-made profiles for 300+ VPN devices
  • Configuration wizard for a smooth and fast setup
  • For Mac, iPhone, iPad
  • Discover all features
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedback
View all comments
Privacy-Settings / Datenschutz-Einstellungen
0
Feedback or improvements? Let us know!x
()
x