Last active August 14, 2024 12:12
nahall/6b23603ce9df2500a4053b280071d1ad
Connecting to a Ubiquiti Unifi VPN with a Linux machine
This guide assumes that you have already set up a Ubiquiti Unifi VPN following the guide:
https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server

To configure a Linux machine to be able to connect remotely I followed these steps. This guide was written for Debian 8.

- In Debian install the "xl2tpd" and "strongswan" packages.
- Edit /etc/ipsec.conf to add the connection:

    conn YOURVPNCONNECTIONNAME
        authby=secret
        pfs=no
        auto=start
        keyexchange=ikev1
        keyingtries=3
        dpddelay=15
        dpdtimeout=45
        dpdaction=clear
        rekey=no
        ikelifetime=3600
        keylife=3600
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        # Replace IP address with your VPN server's IP
        right=IPADDRESSOFVPNSERVER
        rightprotoport=17/%any
        ike=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,3des-sha1-modp1024!
        esp=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024!

- Edit /etc/ipsec.secrets to add the secret key for this connection:

    IPADDRESSOFVPNSERVER : PSK "SECRETPRESHAREDKEY"

- Edit /etc/xl2tpd/xl2tpd.conf to add this connection:

    [lac YOURVPNCONNECTIONNAME]
    lns = IPADDRESSOFVPNSERVER
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME
    length bit = yes

- Create the file /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME:

    ipcp-accept-local
    ipcp-accept-remote
    noccp
    refuse-eap
    refuse-chap
    noauth
    idle 1800
    mtu 1410
    mru 1410
    defaultroute
    # Uncomment if you want to use the DNS servers of the VPN host:
    #usepeerdns
    debug
    logfile /var/log/xl2tpd.log
    connect-delay 5000
    proxyarp
    name VPNUSERNAME
    password "VPNPASSWORD"

- Now to connect to the VPN create a script:

    #!/bin/bash
    echo "Connecting to VPN..."
    # Ask xl2tpd to dial the L2TP tunnel (the IPsec transport SA is already up via auto=start)
    echo "c YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
    # Give pppd time to bring up ppp0 before adding routes
    sleep 10
    # To have all internet traffic routed through the VPN uncomment:
    #ip route add default dev ppp0
    # To only have a remote subnet routed through the VPN uncomment
    # (this line assumes the remote subnet you want routed is 192.168.0.0/24 and the remote VPN end is 10.11.0.1):
    ip route add 192.168.0.0/24 via 10.11.0.1 dev ppp0

- And to disconnect from the VPN create a script:

    #!/bin/bash
    # Remove whichever route the connect script added (the other one simply reports "No such process")
    ip route del default dev ppp0
    ip route del 192.168.0.0/24 dev ppp0
    # Ask xl2tpd to hang up the tunnel, then restart it so it is ready for the next connection
    echo "d YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
    service xl2tpd restart

- Note that for these scripts I am assuming that the remote subnet we are interested in is 192.168.0.0/24
  and the remote VPN gateway address is 10.11.0.1.
- You can also decide which line to uncomment based on whether you want all traffic to be routed through the VPN
  or to just route connections to the 192.168.0.0/24 subnet.
- If you want all traffic routed through the VPN you may want to uncomment the "usepeerdns" line in
  /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME so that DNS traffic flows through the VPN rather
  than going to the local DNS server.
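As an added example (not part of the gist), here is a connect script that replaces the blind `sleep 10` with checks: it refuses to run if /etc/ipsec.secrets (which holds the PSK in clear text) is readable by others, confirms the strongSwan SA is actually up by parsing `ipsec status`, and waits for ppp0 before adding the route. The connection name, remote subnet and gateway are the gist's placeholders; the `up` argument and the `VPN_NAME`/`SECRETS` variables are my own conventions.

```shell
#!/bin/bash
# Added example: safer replacement for the gist's connect script.
set -u
VPN_NAME="${VPN_NAME:-YOURVPNCONNECTIONNAME}"   # assumed: same name as in ipsec.conf / xl2tpd.conf
REMOTE_SUBNET="192.168.0.0/24"                  # values from the gist's notes
REMOTE_GW="10.11.0.1"
SECRETS="${SECRETS:-/etc/ipsec.secrets}"

# The PSK sits in clear text in ipsec.secrets; only root should be able to read it.
secrets_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Read `ipsec status` output from stdin; succeed only if the IKE SA for $1 is
# ESTABLISHED and its CHILD SA is INSTALLED (strongSwan stroke-style output).
sa_established() {
    local name="$1" out
    out=$(cat)
    printf '%s\n' "$out" | grep -Eq "^[[:space:]]*${name}\[[0-9]+\]:[[:space:]]+ESTABLISHED" &&
    printf '%s\n' "$out" | grep -Eq "^[[:space:]]*${name}\{[0-9]+\}:[[:space:]]+INSTALLED"
}

# Poll for network interface $1 to appear, up to $2 seconds; return 1 on timeout.
wait_for_iface() {
    local iface="$1" timeout="$2" i=0
    while [ "$i" -lt "$timeout" ]; do
        [ -d "/sys/class/net/$iface" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

vpn_up() {
    secrets_mode_ok "$SECRETS" || { echo "refusing: $SECRETS must be mode 600 (root only)" >&2; return 1; }
    ipsec status | sa_established "$VPN_NAME" || { echo "IPsec SA for $VPN_NAME is not established" >&2; return 1; }
    echo "c $VPN_NAME" > /var/run/xl2tpd/l2tp-control
    wait_for_iface ppp0 30 || { echo "ppp0 did not come up within 30s" >&2; return 1; }
    # 'replace' is idempotent, so re-running the script does not fail on an existing route
    ip route replace "$REMOTE_SUBNET" via "$REMOTE_GW" dev ppp0
}

# Usage: ./vpn-up.sh up   (no argument only defines the functions, e.g. for sourcing)
case "${1:-}" in up) vpn_up ;; esac
```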
Will this work on the Unifi UDM as well?
I would think so but I haven't tried that.