Go Wireless NZ

Monday, October 17, 2016

Setup an L2TP over IPSec VPN for remote access to your Ubiquiti EdgeRouter

Scenario:

As of Apple iOS 10 and macOS Sierra, PPTP support has been removed because the protocol is weak and vulnerable to attack. This means that if you currently use PPTP as your VPN for remote access to your home router, you will need to migrate to L2TP over IPSec. Here is how you can do this on the EdgeRouter.

Prerequisites:
Ubiquiti EdgeRouter running firmware 1.9.0 or higher with a basic default configuration

Step 1 - Start with a default configuration:
Start with a default configuration if you haven't already. This ensures the steps in this post work and that you don't have extra firewall rules or conflicting configuration preventing the VPN from working. If you have already configured your EdgeRouter and do not wish to wipe your router configuration, you can proceed to Step 2.

Step 2 - SSH into your EdgeRouter, enter configuration mode with the command configure, and configure the VPN. Change the values below as you require:
eth0: This is your WAN interface - to ensure you have the correct WAN interface see Step 1
192.168.100.200: Start of the VPN address pool from which remote users receive an address
192.168.100.220: End of the VPN address pool from which remote users receive an address
randomsecret: This is the pre-shared secret, a second level of authentication - use a long, randomly generated key for best results. Feel free to generate one here
testuser: This is the username for the remote user
testsecret: This is the password for the remote user
1492: Leave the MTU unchanged
8.8.8.8: DNS server 1 address for VPN users - currently Google's, change it if you want
8.8.4.4: DNS server 2 address for VPN users - currently Google's, change it if you want

set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username testuser password testsecret
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.100.200
set vpn l2tp remote-access client-ip-pool stop 192.168.100.220
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret randomsecret
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492

Step 3 - Configure your firewall to allow VPN connections through:
vpn_udp_ports: name of the port group to create
30 & 40: Rule numbers - make sure these do not clash with existing rule numbers. Use show firewall name WAN_LOCAL to view existing rule numbers.
set firewall group port-group vpn_udp_ports description 'VPN Port Group'
set firewall group port-group vpn_udp_ports port 500
set firewall group port-group vpn_udp_ports port 4500
set firewall group port-group vpn_udp_ports port 1701
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow VPN UDP Ports'
set firewall name WAN_LOCAL rule 30 destination group port-group vpn_udp_ports
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description 'Allow VPN ESP Protocol'
set firewall name WAN_LOCAL rule 40 protocol esp
commit; save; exit
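The commands in Steps 2 and 3 are the same every time apart from a handful of site-specific values, and two of those values are easy to get wrong: the pre-shared secret (which every remote user shares, so a short or placeholder value weakens authentication for all of them) and the address pool (start after stop fails at commit time). The script below is an added example, not from the original post or from Ubiquiti; it takes the values as arguments, checks them, and prints the set commands in the EdgeOS 1.9 syntax shown above so they can be pasted into a configure session. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build the EdgeOS "set" commands
# for Steps 2 and 3 from site-specific values, checking them first. Assumes the
# EdgeOS 1.9 command syntax shown in the post; function names are this example's own.

# gen_psk: 32 random bytes as 64 hex characters, for use as the pre-shared secret.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# valid_ip: returns 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d e <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$e" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
}

# ip2int: dotted quad to integer, so the pool start and stop can be compared.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

# vpn_config WAN_IF POOL_START POOL_STOP PSK USER PASS DNS1 DNS2
# Prints the Step 2 commands, or prints an error to stderr and returns 1.
vpn_config() {
    wan=$1 start=$2 stop=$3 psk=$4 user=$5 pass=$6 dns1=$7 dns2=$8
    for ip in "$start" "$stop" "$dns1" "$dns2"; do
        valid_ip "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    [ "$(ip2int "$start")" -le "$(ip2int "$stop")" ] \
        || { echo "pool start $start is after stop $stop" >&2; return 1; }
    # The secret is shared by every remote user: refuse short or placeholder values.
    [ ${#psk} -ge 20 ] && [ "$psk" != randomsecret ] \
        || { echo "pre-shared secret too short or still the placeholder" >&2; return 1; }
    cat <<EOF
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec ipsec-interfaces interface $wan
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username $user password $pass
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start $start
set vpn l2tp remote-access client-ip-pool stop $stop
set vpn l2tp remote-access dhcp-interface $wan
set vpn l2tp remote-access dns-servers server-1 $dns1
set vpn l2tp remote-access dns-servers server-2 $dns2
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret $psk
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492
EOF
}

# firewall_config GROUP UDP_RULE ESP_RULE: prints the Step 3 commands. Only UDP
# 500/4500/1701 and ESP are accepted on WAN_LOCAL (traffic to the router itself);
# nothing is opened towards the LAN.
firewall_config() {
    grp=$1 r_udp=$2 r_esp=$3
    [ "$r_udp" -ne "$r_esp" ] 2>/dev/null \
        || { echo "rule numbers must be numeric and differ" >&2; return 1; }
    cat <<EOF
set firewall group port-group $grp description 'VPN Port Group'
set firewall group port-group $grp port 500
set firewall group port-group $grp port 4500
set firewall group port-group $grp port 1701
set firewall name WAN_LOCAL rule $r_udp action accept
set firewall name WAN_LOCAL rule $r_udp description 'Allow VPN UDP Ports'
set firewall name WAN_LOCAL rule $r_udp destination group port-group $grp
set firewall name WAN_LOCAL rule $r_udp protocol udp
set firewall name WAN_LOCAL rule $r_esp action accept
set firewall name WAN_LOCAL rule $r_esp description 'Allow VPN ESP Protocol'
set firewall name WAN_LOCAL rule $r_esp protocol esp
EOF
}

# Usage with the values from the post, except that the secret is generated:
# PSK=$(gen_psk); echo "shared secret: $PSK"
# vpn_config eth0 192.168.100.200 192.168.100.220 "$PSK" testuser testsecret 8.8.8.8 8.8.4.4
# firewall_config vpn_udp_ports 30 40
```

Run the two generator functions on your workstation, paste the printed lines into a configure session on the router, then commit; save; exit as in Step 3. Keep the generated secret somewhere safe, since every client in Step 4 needs it.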

Step 4 - Connecting to your VPN remotely:
macOS:
Navigate to System Preferences > Network > Add
Interface: VPN
VPN Type: L2TP over IPSec
Service Name (Interface Description): VPN to EdgeRouter
Password (user's password): testsecret
Shared Secret (common shared secret): randomsecret
Apple iOS:
Navigate to Settings > VPN > Add VPN Configuration
Type: L2TP
Description: VPN to EdgeRouter
Server: 123.111.241.26
Account: testuser
Password: testsecret
Secret: randomsecret

Windows 10:
Navigate to Control Panel > Network and Internet > Network and Sharing Center > Set up a new connection or network

Android:
Navigate to Settings > More networks > VPN > Add VPN
Name: VPN to EdgeRouter
Type: L2TP/IPSec PSK
Server address: 123.111.241.26
IPSec pre-shared key: randomsecret
Username: testuser
Password: testsecret