Edge Router L2TP VPN Server Setup
-
I recently set up my EdgeRouter X as an L2TP server with local user authentication. We've been using this for the past few days without any issues. Connecting from various platforms/OSes works perfectly. Let me know if anyone has an alternative method or if this guide should be tweaked at all.
Assumes outside WAN interface is eth0
configure
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
If you have a static IP from your ISP, issue the following command, where x.x.x.x is your IP:
set vpn l2tp remote-access outside-address x.x.x.x
Gateway/next hop for public IP above:
set vpn l2tp remote-access outside-nexthop x.x.x.x
set vpn l2tp remote-access client-ip-pool start 10.0.1.10
set vpn l2tp remote-access client-ip-pool stop 10.0.1.20
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret horsebatterystaple
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username adam password adampassword
set vpn l2tp remote-access mtu 1492
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
commit
To verify the server is set up, the following command can be used.
show vpn l2tp remote-access
Save to keep changes on reboot
save
Set firewall rules for VPN traffic:
This can be done via the GUI as well, but I used CLI. Just make sure to pay attention to your rule numbers and order.

set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description Allow_L2TP
set firewall name WAN_LOCAL rule 20 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description Allow_ESP
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol 50
That's it! Now setup the built in client on your OS of choice and you should be good to go.
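The following is an added example, not part of the post above and not EdgeOS code. It takes the same `set ...` command lines the guide uses and lints them for the things a reviewer would flag before putting the server on the internet: the placeholder `x.x.x.x` outside address, a short pre-shared secret, a local-user password that is short or contains the username, and a WAN_LOCAL rule that accepts UDP 1701 from anywhere. The `ipsec match-ipsec` rule option used in the hardened sample is the EdgeOS/VyOS firewall match for IPsec-decapsulated packets, assumed here; the thresholds (`MIN_SECRET_LEN`, `MIN_PASSWORD_LEN`) and both sample configs are constructed for the example. `generate_secret()` shows how to mint a replacement pre-shared secret from the OS CSPRNG.

```python
"""Lint EdgeOS `set ...` commands for an L2TP/IPsec remote-access server.

Added example; not the post's own commands and not an EdgeOS tool.
"""
import secrets
import shlex

MIN_SECRET_LEN = 20     # assumed policy thresholds, not EdgeOS defaults
MIN_PASSWORD_LEN = 14

# Constructed sample: the guide's commands with its placeholder values.
SAMPLE_CONFIG = """
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access outside-address x.x.x.x
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret horsebatterystaple
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username adam password adampassword
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol 50
"""

# Constructed hardened sample: real address, long secrets, and UDP 1701 only
# accepted when it arrives inside IPsec (`ipsec match-ipsec`, assumed syntax).
HARDENED_CONFIG = """
set vpn l2tp remote-access outside-address 203.0.113.10
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 7Yq3-kLp9-Xv2m-Rt8w-Zc4n-Hb6d
set vpn l2tp remote-access authentication local-users username adam password correct-horse-lithium-9
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 destination port 500,4500
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 25 action accept
set firewall name WAN_LOCAL rule 25 destination port 1701
set firewall name WAN_LOCAL rule 25 protocol udp
set firewall name WAN_LOCAL rule 25 ipsec match-ipsec
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol 50
"""


def parse_set_commands(text):
    """Return one token list per `set ...` line; other lines are skipped."""
    cmds = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "set":
            cmds.append(tokens[1:])
    return cmds


def _value_after(cmd, *path):
    """If cmd starts with path, return the token following it, else None."""
    if tuple(cmd[:len(path)]) == path and len(cmd) > len(path):
        return cmd[len(path)]
    return None


def firewall_rules(cmds, name):
    """Collect {rule_number: {option: value}} for one firewall rule set."""
    rules = {}
    for cmd in cmds:
        if cmd[:4] == ["firewall", "name", name, "rule"] and len(cmd) >= 7:
            rules.setdefault(cmd[4], {})[" ".join(cmd[5:-1])] = cmd[-1]
    return rules


def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    cmds = parse_set_commands(text)
    findings = []
    for cmd in cmds:
        addr = _value_after(cmd, "vpn", "l2tp", "remote-access", "outside-address")
        if addr == "x.x.x.x":
            findings.append("outside-address still holds the x.x.x.x placeholder")
        psk = _value_after(cmd, "vpn", "l2tp", "remote-access", "ipsec-settings",
                           "authentication", "pre-shared-secret")
        if psk is not None and len(psk) < MIN_SECRET_LEN:
            findings.append(f"pre-shared-secret is only {len(psk)} chars (< {MIN_SECRET_LEN})")
        if (cmd[:5] == ["vpn", "l2tp", "remote-access", "authentication", "local-users"]
                and "username" in cmd and "password" in cmd):
            user = cmd[cmd.index("username") + 1]
            pw = cmd[cmd.index("password") + 1]
            if len(pw) < MIN_PASSWORD_LEN or user.lower() in pw.lower():
                findings.append(f"password for user {user!r} is short or contains the username")
    for num, opts in firewall_rules(cmds, "WAN_LOCAL").items():
        ports = opts.get("destination port", "").split(",")
        if (opts.get("action") == "accept" and opts.get("protocol") == "udp"
                and "1701" in ports and opts.get("ipsec") != "match-ipsec"):
            findings.append(f"WAN_LOCAL rule {num} accepts UDP 1701 from anywhere; "
                            "restrict it to IPsec-decapsulated traffic (ipsec match-ipsec)")
    return findings


def generate_secret(nbytes=32):
    """Mint a random URL-safe pre-shared secret (43 chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {lint(cfg) or ['no findings']}")
    print("replacement pre-shared-secret:", generate_secret())
```

Run it against a copy of your own `set` lines (for example the output of `show configuration commands` in EdgeOS) before committing; the hardened sample keeps IKE (500) and NAT-T (4500) open to the world, which L2TP/IPsec needs, but only accepts the L2TP control port once the packet has come out of the IPsec tunnel.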
-
Awesome, thanks for the write-up.
-
Great write-up.
-
Thanks for documenting this.
-
Great work.
-
No problem!