Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save nahall/6b23603ce9df2500a4053b280071d1ad to your computer and use it in GitHub Desktop.
Save nahall/6b23603ce9df2500a4053b280071d1ad to your computer and use it in GitHub Desktop.
Connecting to a Ubiquiti Unifi VPN with a Linux machine
This guide assumes that you have already set up a Ubiquiti Unifi VPN following the guide:
https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server
To configure a Linux machine to be able to connect remotely I followed these steps. This guide was written for Debian 8.
- In Debian install the "xl2tpd" and "strongswan" packages.
- Edit /etc/ipsec.conf to add the connection:
conn YOURVPNCONNECTIONNAME
authby=secret
pfs=no
auto=start
keyexchange=ikev1
keyingtries=3
dpddelay=15
dpdtimeout=45
dpdaction=clear
rekey=no
ikelifetime=3600
keylife=3600
type=transport
left=%defaultroute
leftprotoport=17/1701
# Replace IP address with your VPN server's IP
right=IPADDRESSOFVPNSERVER
rightprotoport=17/%any
ike=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024!
- Edit /etc/ipsec.secrets to add the secret key for this connection:
  IPADDRESSOFVPNSERVER : PSK "SECRETPRESHAREDKEY"
- Edit /etc/xl2tpd/xl2tpd.conf to add this connection:
[lac YOURVPNCONNECTIONNAME]
lns = IPADDRESSOFVPNSERVER
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME
length bit = yes
- Create the file /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME:
ipcp-accept-local
ipcp-accept-remote
noccp
refuse-eap
refuse-chap
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
# Uncomment if you want to use the DNS servers of the VPN host:
#usepeerdns
debug
logfile /var/log/xl2tpd.log
connect-delay 5000
proxyarp
name VPNUSERNAME
password "VPNPASSWORD"
- Now to connect to the VPN create a script:
#!/bin/bash
echo "Connecting to VPN..."
echo "c YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
sleep 10
# To have all internet traffic routed through the VPN uncomment:
#ip route add default dev ppp0
# To only have a remote subnet routed through the VPN uncomment
# (this line assumes the remote subnet you want routed is 192.168.0.0/24 and the remote VPN end is 10.11.0.1:
ip route add 192.168.0.0/24 via 10.11.0.1 dev ppp0
- And to disconnect to the VPN create a script:
#!/bin/bash
ip route del default dev ppp0
ip route del 192.168.0.0/24 dev ppp0
echo "d YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
service xl2tpd restart
- Note that for these scripts I am assuming that the remote subnet we are interested in is 192.168.0.0/24
and the remote VPN gateway address is 10.11.0.1.
- You can also decide which line to uncomment based on if you want all traffic to be routed through the VPN
or to just route connections to the 192.168.0.0/24 subnet.
- If you want all traffic routed through the VPN you may want to uncomment the "usepeerdns" line in
/etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME so that DNS traffic flows through the VPN rather
than going to the local DNS server.
@emiller233
Copy link

will this work on the Unifi UDM as well?

@nahall
Copy link
Author

nahall commented Feb 4, 2023

will this work on the Unifi UDM as well?

I would think so but I haven't tried that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment