Connecting to a Ubiquiti Unifi VPN with a Linux machine

This guide assumes that you have already set up a Ubiquiti Unifi VPN following the guide: https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server

To configure a Linux machine so that it can connect to that VPN remotely, I followed these steps. This guide was written for Debian 8.

  • In Debian install the "xl2tpd" and "strongswan" packages.

  • Edit /etc/ipsec.conf to add the connection:

    conn YOURVPNCONNECTIONNAME
        authby=secret
        pfs=no
        auto=start
        keyexchange=ikev1
        keyingtries=3
        dpddelay=15
        dpdtimeout=45
        dpdaction=clear
        rekey=no
        ikelifetime=3600
        keylife=3600
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        # Replace IP address with your VPN server's IP
        right=IPADDRESSOFVPNSERVER
        rightprotoport=17/%any
        ike=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1,3des-sha1-modp1024,3des-sha1!
        esp=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1,aes256-sha1,3des-sha1!
    
  • Edit /etc/ipsec.secrets to add the secret key for this connection:

    IPADDRESSOFVPNSERVER : PSK "SECRETPRESHAREDKEY"

  • Edit /etc/xl2tpd/xl2tpd.conf to add this connection:

    [lac YOURVPNCONNECTIONNAME]
    lns = IPADDRESSOFVPNSERVER
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME
    length bit = yes

  • Create the file /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME:

    ipcp-accept-local
    ipcp-accept-remote
    noccp
    refuse-eap
    refuse-chap
    noauth
    idle 1800
    mtu 1410
    mru 1410
    defaultroute
    # Uncomment if you want to use the DNS servers of the VPN host:
    #usepeerdns
    debug
    logfile /var/log/xl2tpd.log
    connect-delay 5000
    proxyarp
    name VPNUSERNAME
    password "VPNPASSWORD"

  • Now, to connect to the VPN, create a script:

    #!/bin/bash

    echo "Connecting to VPN..."
    echo "c YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
    sleep 10

    # To have all internet traffic routed through the VPN uncomment:
    #ip route add default dev ppp0

    # To only have a remote subnet routed through the VPN uncomment
    # (this line assumes the remote subnet you want routed is 192.168.0.0/24
    # and the remote VPN end is 10.11.0.1):
    ip route add 192.168.0.0/24 via 10.11.0.1 dev ppp0

  • And to disconnect from the VPN, create a script:

    #!/bin/bash

    ip route del default dev ppp0
    ip route del 192.168.0.0/24 dev ppp0

    echo "d YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
    service xl2tpd restart

  • Note that for these scripts I am assuming that the remote subnet we are interested in is 192.168.0.0/24 and the remote VPN gateway address is 10.11.0.1.

  • You can also decide which line to uncomment based on whether you want all traffic routed through the VPN or only connections to the 192.168.0.0/24 subnet.

  • If you want all traffic routed through the VPN you may want to uncomment the "usepeerdns" line in /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME so that DNS traffic flows through the VPN rather than going to the local DNS server.
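The connect script above waits a fixed 10 seconds before adding the route, which silently fails if the IPsec SA or the ppp link is slower than that. The following is an added example, not code from the gist, of a connect/disconnect script that polls for each stage (IPsec SA established, then the ppp interface up) with a timeout and only touches routes once the interface exists. It keeps the gist's placeholders (YOURVPNCONNECTIONNAME, 192.168.0.0/24, 10.11.0.1, ppp0, /var/run/xl2tpd/l2tp-control); the assumption that `ipsec status <conn>` prints "ESTABLISHED" for a live strongSwan IKE SA, the 30-second timeout and the `wait_for` helper are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the gist): connect/disconnect with readiness checks
# instead of a fixed sleep. Override any of these via the environment.
VPN_NAME="${VPN_NAME:-YOURVPNCONNECTIONNAME}"
REMOTE_SUBNET="${REMOTE_SUBNET:-192.168.0.0/24}"   # remote LAN behind the USG
REMOTE_GW="${REMOTE_GW:-10.11.0.1}"                # remote end of the PPP link
PPP_IFACE="${PPP_IFACE:-ppp0}"
CONTROL="${CONTROL:-/var/run/xl2tpd/l2tp-control}"
TIMEOUT="${TIMEOUT:-30}"                           # seconds allowed per stage (assumed)

# wait_for SECONDS COMMAND...: rerun COMMAND once a second until it succeeds.
# Returns 0 on success, 1 if the deadline passes first.
wait_for() {
    deadline=$1; shift
    elapsed=0
    while ! "$@" >/dev/null 2>&1; do
        [ "$elapsed" -ge "$deadline" ] && return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# Probes for the two stages. strongSwan's "ipsec status <conn>" is assumed to
# contain ESTABLISHED once the IKE SA for this conn is up.
ipsec_established() { ipsec status "$VPN_NAME" | grep -q ESTABLISHED; }
ppp_up()            { ip link show "$PPP_IFACE" | grep -q 'UP'; }

vpn_connect() {
    # auto=start brings the transport-mode SA up at ipsec start; do not send
    # the L2TP control request until it exists, or the tunnel runs unprotected.
    wait_for "$TIMEOUT" ipsec_established || { echo "IPsec SA not established" >&2; return 1; }
    echo "c $VPN_NAME" > "$CONTROL"
    wait_for "$TIMEOUT" ppp_up || { echo "$PPP_IFACE did not come up" >&2; return 1; }
    # Split tunnel, as in the gist: only the remote subnet goes via the VPN.
    # Use "ip route replace default dev $PPP_IFACE" here to send all traffic instead.
    ip route replace "$REMOTE_SUBNET" via "$REMOTE_GW" dev "$PPP_IFACE"
}

vpn_disconnect() {
    ip route del "$REMOTE_SUBNET" dev "$PPP_IFACE" 2>/dev/null
    echo "d $VPN_NAME" > "$CONTROL"
}

case "${1:-}" in
    connect)    vpn_connect ;;
    disconnect) vpn_disconnect ;;
    "")         ;;   # no argument: just define the functions (e.g. when sourced)
    *)          echo "usage: $0 connect|disconnect" >&2; exit 2 ;;
esac
```

Run it as root with `connect` or `disconnect`. `ip route replace` is used instead of `add` so that re-running the script after a half-finished attempt does not fail on an existing route.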

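The ike= and esp= lists in the /etc/ipsec.conf section above offer 3des-sha1 and the modp1024/modp1536 DH groups alongside the AES/modp2048 entries, and the conn sets pfs=no. As an added example (not part of the gist), the shell function below reads one conn section from an ipsec.conf-style file and reports every proposal that uses 3DES or a DH group below 2048 bits, plus pfs=no, so you can see what a client config would still negotiate before deploying it. The file path, the conn name and the "3DES or DH below 2048 bits" threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the gist): list legacy proposals in a strongSwan
# ipsec.conf conn section.
# usage: audit_ipsec_conn FILE CONN
# Prints each flagged entry; returns 0 if nothing was flagged, 1 otherwise,
# 2 if the conn was not found.
audit_ipsec_conn() {
    file=$1
    conn=$2
    flagged=0
    # Keep only the lines of the requested conn (up to the next "conn" header).
    section=$(awk -v c="$conn" '
        /^[[:space:]]*conn[[:space:]]/ { inconn = ($2 == c) }
        inconn { print }
    ' "$file")
    if [ -z "$section" ]; then
        echo "conn $conn not found in $file" >&2
        return 2
    fi
    for key in ike esp; do
        # Value after "ike=" / "esp=", with the trailing "!" (strict marker) removed.
        value=$(printf '%s\n' "$section" | sed -n "s/^[[:space:]]*$key=//p" | tr -d '!')
        old_ifs=$IFS; IFS=','
        for proposal in $value; do
            case $proposal in
                # This example's threshold: 3DES, or a MODP group below 2048 bits.
                *3des*|*modp768*|*modp1024*|*modp1536*)
                    echo "$key: legacy proposal $proposal"
                    flagged=1 ;;
            esac
        done
        IFS=$old_ifs
    done
    # pfs=no: Phase 2 keys are derived from the IKE SA instead of a fresh DH exchange.
    if printf '%s\n' "$section" | grep -q '^[[:space:]]*pfs=no'; then
        echo "pfs=no: no forward secrecy for the ESP (Phase 2) keys"
        flagged=1
    fi
    return $flagged
}

# usage when run directly: audit_ipsec_conn /etc/ipsec.conf YOURVPNCONNECTIONNAME
```

Run it against your own /etc/ipsec.conf with the conn name from the guide; a non-zero exit means at least one entry was listed.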