Edge Router L2TP VPN Server Setup



  • I recently set up my EdgeRouter X as an L2TP server with local user authentication. We've been using this for the past few days without any issues. Connecting from various platforms/OSes works perfectly. Let me know if anyone has an alternative method or if this guide should be tweaked at all.

    Assumes outside WAN interface is eth0

    configure
    
    set vpn ipsec ipsec-interfaces interface eth0
    set vpn ipsec nat-traversal enable
    set vpn ipsec nat-networks allowed-network 0.0.0.0/0
    set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
    

    If you have a static IP from your ISP, issue the following command, where x.x.x.x is your IP:

    set vpn l2tp remote-access outside-address x.x.x.x
    

    Gateway/next hop for public IP above:

    set vpn l2tp remote-access outside-nexthop x.x.x.x
    
    set vpn l2tp remote-access client-ip-pool start 10.0.1.10
    set vpn l2tp remote-access client-ip-pool stop 10.0.1.20
    
    set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
    
    set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret horsebatterystaple
    
    set vpn l2tp remote-access authentication mode local
    
    set vpn l2tp remote-access authentication local-users username adam password adampassword
    
    set vpn l2tp remote-access mtu 1492
    
    set vpn l2tp remote-access dns-servers server-1 8.8.8.8
    set vpn l2tp remote-access dns-servers server-2 8.8.4.4
    
    commit 
    

    To verify the server is set up, the following command can be used.

    show vpn l2tp remote-access
    

    Save to keep changes on reboot

    save
    

    Set firewall rules for VPN traffic:
    This can be done via the GUI as well, but I used CLI. Just make sure to pay attention to your rule numbers and order.

    set firewall name WAN_LOCAL rule 20 action accept
    set firewall name WAN_LOCAL rule 20 description Allow_L2TP
    set firewall name WAN_LOCAL rule 20 destination port 500,1701,4500
    set firewall name WAN_LOCAL rule 20 log disable
    set firewall name WAN_LOCAL rule 20 protocol udp
    set firewall name WAN_LOCAL rule 30 action accept
    set firewall name WAN_LOCAL rule 30 description Allow_ESP
    set firewall name WAN_LOCAL rule 30 log disable
    set firewall name WAN_LOCAL rule 30 protocol 50
    

    That's it! Now set up the built-in client on your OS of choice and you should be good to go.
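A pre-commit lint for a batch like the one above, as an added example (Python, not the thread's or EdgeOS's own tooling): it checks that WAN_LOCAL admits UDP 500/1701/4500 and ESP, that the client pool is ordered, and that the pre-shared secret and local passwords are not trivially weak. The sample batch is constructed from the post's placeholder values, and the length thresholds are an assumed local policy, not an EdgeOS rule.

```python
import ipaddress
import re
# Constructed sample batch, same shape as the commands in the post above.
SAMPLE = """
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret horsebatterystaple
set vpn l2tp remote-access client-ip-pool start 10.0.1.10
set vpn l2tp remote-access client-ip-pool stop 10.0.1.20
set vpn l2tp remote-access authentication local-users username adam password adampassword
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol 50
"""
L2TP_UDP_PORTS = {500, 1701, 4500}   # IKE, L2TP, NAT-T
MIN_PSK_LEN, MIN_PW_LEN = 20, 12     # assumed local policy, not an EdgeOS rule

def parse(batch):
    """Map each 'set' path (every word but the last) to its trailing value."""
    cfg = {}
    for line in batch.splitlines():
        words = line.split()
        if len(words) > 2 and words[0] == "set":
            cfg[" ".join(words[1:-1])] = words[-1]
    return cfg

def accept_rules(cfg, ruleset="WAN_LOCAL"):
    """Yield (protocol, dest-port string) for each accept rule in the ruleset."""
    prefix = f"firewall name {ruleset} rule "
    for num in {k[len(prefix):].split()[0] for k in cfg if k.startswith(prefix)}:
        base = prefix + num
        if cfg.get(f"{base} action") == "accept":
            yield cfg.get(f"{base} protocol", ""), cfg.get(f"{base} destination port", "")

def lint(batch):
    """Return a list of findings; an empty list means the batch passes."""
    cfg, findings = parse(batch), []
    udp = {int(p) for proto, ports in accept_rules(cfg) if proto == "udp" for p in ports.split(",") if p}
    if L2TP_UDP_PORTS - udp:
        findings.append(f"WAN_LOCAL does not accept UDP {sorted(L2TP_UDP_PORTS - udp)}")
    if not any(proto in ("50", "esp") for proto, _ in accept_rules(cfg)):
        findings.append("WAN_LOCAL does not accept ESP (protocol 50)")
    if len(cfg.get("vpn l2tp remote-access ipsec-settings authentication pre-shared-secret", "")) < MIN_PSK_LEN:
        findings.append(f"pre-shared secret shorter than {MIN_PSK_LEN} characters")
    start, stop = (cfg.get(f"vpn l2tp remote-access client-ip-pool {k}") for k in ("start", "stop"))
    if start and stop and ipaddress.ip_address(start) > ipaddress.ip_address(stop):
        findings.append("client-ip-pool start is above stop")
    for key, pw in cfg.items():
        user = re.fullmatch(r"vpn l2tp remote-access authentication local-users username (\S+) password", key)
        if user and (user.group(1) in pw or len(pw) < MIN_PW_LEN):
            findings.append(f"weak password for local user {user.group(1)}")
    return findings
```

Run it over the batch you are about to `commit`; on the sample it flags the two placeholder secrets and nothing else.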



  • Awesome, thanks for the write up.



  • Great write up



  • Thanks for documenting this.



  • Great work.



  • No problem!