This guide assumes that you have already set up a Ubiquiti UniFi L2TP/IPsec remote-access VPN following the guide: https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server
To configure a Linux machine so that it can connect to that VPN remotely I followed these steps. This guide was written for Debian 8.
-
In Debian install the "xl2tpd" and "strongswan" packages.
-
Edit /etc/ipsec.conf to add the connection (IKEv1 with a pre-shared key in transport mode, which is what L2TP/IPsec uses):
conn YOURVPNCONNECTIONNAME
    authby=secret
    pfs=no
    auto=start
    keyexchange=ikev1
    keyingtries=3
    dpddelay=15
    dpdtimeout=45
    dpdaction=clear
    rekey=no
    ikelifetime=3600
    keylife=3600
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=IPADDRESSOFVPNSERVER
    rightprotoport=17/%any
    ike=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1,3des-sha1-modp1024,3des-sha1!
    esp=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1,aes256-sha1,3des-sha1!
The trailing ! makes strongSwan accept only the proposals listed. The lists include weak entries (modp1024, modp1536 and 3des-sha1) purely for compatibility; once the tunnel is up, "ipsec statusall" shows which proposal the USG actually negotiated, and you should then delete the entries weaker than that one.
-
Edit /etc/ipsec.secrets to add the pre-shared key for this connection (the key is stored in the clear, so keep the file owned by root with mode 0600):
IPADDRESSOFVPNSERVER : PSK "SECRETPRESHAREDKEY"
-
Edit /etc/xl2tpd/xl2tpd.conf to add this connection:
[lac YOURVPNCONNECTIONNAME]
lns = IPADDRESSOFVPNSERVER
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME
length bit = yes
-
Create the file /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME (it contains the VPN password in the clear, so make it owned by root with mode 0600 as well):
ipcp-accept-local
ipcp-accept-remote
noccp
refuse-eap
refuse-chap
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
#usepeerdns
debug
logfile /var/log/xl2tpd.log
connect-delay 5000
proxyarp
name VPNUSERNAME
password "VPNPASSWORD"
-
Now, to connect to the VPN, create a script:
#!/bin/bash
echo "Connecting to VPN..."
echo "c YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
sleep 10
# Uncomment this line instead of the last one to route all traffic through the VPN:
#ip route add default dev ppp0
# This line assumes the remote subnet you want routed is 192.168.0.0/24 and the remote VPN end is 10.11.0.1:
ip route add 192.168.0.0/24 via 10.11.0.1 dev ppp0
-
And to disconnect from the VPN, create a script:
#!/bin/bash
ip route del default dev ppp0
ip route del 192.168.0.0/24 dev ppp0
echo "d YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
service xl2tpd restart
-
Note that for these scripts I am assuming that the remote subnet we are interested in is 192.168.0.0/24 and the remote VPN gateway address is 10.11.0.1.
-
Choose which route line to leave uncommented in the connect script: "ip route add default dev ppp0" sends all traffic through the VPN, while the 192.168.0.0/24 route sends only traffic for that subnet through it and leaves everything else on your normal connection.
-
If you want all traffic routed through the VPN you will probably also want to uncomment the "usepeerdns" line in /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME, so that DNS queries go to the DNS server the VPN hands out rather than leaking to the local DNS server.
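The following is an added example and not part of the original guide: a single script that combines the connect and disconnect steps above with the checks I would want before bringing the tunnel up. It refuses to connect if /etc/ipsec.secrets or the ppp options file is readable by anyone but the owner, warns if the ike=/esp= lists still contain weak algorithms, and waits for ppp0 to appear and get an address instead of a fixed sleep 10. It assumes the same names as the guide (YOURVPNCONNECTIONNAME, 10.11.0.1, 192.168.0.0/24, ppp0) and that it runs as root on the Debian client; the variable names, the ROUTE_ALL switch and the list of algorithms it flags are my own choices.

```shell
#!/bin/bash
# vpn-ctl.sh: bring the L2TP/IPsec tunnel up or down with some pre-flight checks.
# Added example; the values below mirror the guide and are assumptions, adjust to taste.
CONN="${CONN:-YOURVPNCONNECTIONNAME}"
VPN_GW="${VPN_GW:-10.11.0.1}"                     # remote end of the PPP link
REMOTE_SUBNET="${REMOTE_SUBNET:-192.168.0.0/24}"
IFACE="${IFACE:-ppp0}"
ROUTE_ALL="${ROUTE_ALL:-no}"                      # yes = send all traffic through the tunnel
CONTROL="${CONTROL:-/var/run/xl2tpd/l2tp-control}"
SECRETS="${SECRETS:-/etc/ipsec.secrets}"
PPPOPTS="${PPPOPTS:-/etc/ppp/options.l2tpd.client-$CONN}"
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
SYSNET="${SYSNET:-/sys/class/net}"                # overridable so wait_for_iface can be tested

# 0 if the file exists and has no group/other permission bits (0600, 0400, ...).
# Both ipsec.secrets (the PSK) and the ppp options file (the password) must pass.
secret_perms_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report weak algorithms on the ike=/esp= lines of an ipsec.conf.
# 0 when none are present, 1 (plus a message on stderr) otherwise.
weak_proposals() {
    local found
    found=$(grep -E '^[[:space:]]*(ike|esp)=' "$1" 2>/dev/null \
        | grep -Eo '3des|md5|modp(768|1024|1536)' \
        | sort -u | tr '\n' ' ' | sed 's/ $//')
    [ -z "$found" ] && return 0
    echo "weak proposals in $1: $found" >&2
    return 1
}

# Poll sysfs for the interface rather than guessing with a fixed sleep.
wait_for_iface() {
    local name="$1" timeout="${2:-30}" i=0
    while [ "$i" -lt "$timeout" ]; do
        [ -d "$SYSNET/$name" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

vpn_up() {
    secret_perms_ok "$SECRETS" || { echo "$SECRETS must be mode 0600: it holds the PSK" >&2; return 1; }
    secret_perms_ok "$PPPOPTS" || { echo "$PPPOPTS must be mode 0600: it holds the PPP password" >&2; return 1; }
    weak_proposals "$IPSEC_CONF" || echo "warning: trim the ike=/esp= lists to what the USG actually negotiates" >&2
    [ -w "$CONTROL" ] || { echo "$CONTROL missing: is xl2tpd running?" >&2; return 1; }
    echo "c $CONN" > "$CONTROL"
    wait_for_iface "$IFACE" 30 || { echo "$IFACE never appeared" >&2; return 1; }
    # The interface exists as soon as L2TP is up; routes need IPCP to have finished.
    local i=0
    until ip -4 -o addr show dev "$IFACE" 2>/dev/null | grep -q inet; do
        [ "$i" -ge 15 ] && { echo "no IPv4 address on $IFACE" >&2; return 1; }
        sleep 1
        i=$((i + 1))
    done
    if [ "$ROUTE_ALL" = yes ]; then
        # Fails with "File exists" if a default route is already present; remove that first.
        ip route add default dev "$IFACE"
    else
        ip route add "$REMOTE_SUBNET" via "$VPN_GW" dev "$IFACE"    # split tunnel
    fi
}

vpn_down() {
    ip route del default dev "$IFACE" 2>/dev/null
    ip route del "$REMOTE_SUBNET" dev "$IFACE" 2>/dev/null
    echo "d $CONN" > "$CONTROL"
}

case "${1:-}" in
    up)    vpn_up ;;
    down)  vpn_down ;;
    check) secret_perms_ok "$SECRETS" && secret_perms_ok "$PPPOPTS" && weak_proposals "$IPSEC_CONF" ;;
    *)     echo "usage: $0 up|down|check" >&2 ;;
esac
```

Run "vpn-ctl.sh check" after editing the files and "vpn-ctl.sh up" / "vpn-ctl.sh down" in place of the two scripts above; set ROUTE_ALL=yes in the environment to get the all-traffic behaviour. Against the exact ike=/esp= lines from this guide the check reports "3des modp1024 modp1536", which is the prompt to prune them.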