|This guide assumes that you have already set up a Ubiquiti Unifi VPN following the guide:|
|To configure a Linux machine to be able to connect remotely I followed these steps. This guide was written for Debian 8.|
|- In Debian install the "xl2tpd" and "strongswan" packages.|
|- Edit /etc/ipsec.conf to add the connection:|
|# Replace IP address with your VPN server's IP|
|- Edit /etc/ipsec.secrets to add the secret key for this connection:|
|IPADDRESSOFVPNSERVER : PSK "SECRETPRESHAREDKEY"|
|- Edit /etc/xl2tpd/xl2tpd.conf to add this connection:|
|lns = IPADDRESSOFVPNSERVER|
|ppp debug = yes|
|pppoptfile = /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME|
|length bit = yes|
|- Create the file /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME:|
|# Uncomment if you want to use the DNS servers of the VPN host:|
|- Now to connect to the VPN create a script:|
|echo "Connecting to VPN..."|
|echo "c YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control|
|# To have all internet traffic routed through the VPN uncomment:|
|#ip route add default dev ppp0|
|# To only have a remote subnet routed through the VPN uncomment|
|# (this line assumes the remote subnet you want routed is 192.168.0.0/24 and the remote VPN end is 10.11.0.1:|
|ip route add 192.168.0.0/24 via 10.11.0.1 dev ppp0|
|- And to disconnect to the VPN create a script:|
|ip route del default dev ppp0|
|ip route del 192.168.0.0/24 dev ppp0|
|echo "d YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control|
|service xl2tpd restart|
|- Note that for these scripts I am assuming that the remote subnet we are interested in is 192.168.0.0/24|
|and the remote VPN gateway address is 10.11.0.1.|
|- You can also decide which line to uncomment based on if you want all traffic to be routed through the VPN|
|or to just route connections to the 192.168.0.0/24 subnet.|
|- If you want all traffic routed through the VPN you may want to uncomment the "usepeerdns" line in|
|/etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME so that DNS traffic flows through the VPN rather|
|than going to the local DNS server.|
Nice example, it worked great. One additional option I found useful, especially if multiple VPN connections are required, is to specify the ppp interface name manually by adding the following to /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME:
Then modify the connect/disconnect scripts to utilize the interface name instead of the default "ppp0".
It will give the error message "Cannot find device ppp0" if it was not successful connecting to the VPN. Check syslog for the messages about establishing the VPN link. If you want to reset everything and try again, run:
and then watch the log as you bring the VPN up.
But, I will also tell you that the VPN software on Unifi continues to be really flaky. Sometimes it gets in a weird state on the Unifi end where you need to SSH on to the Unifi and run "restart vpn" and then reconnect from your client. So if you used to be able to connect OK but are now getting this "Cannot find device ppp0" error, reset the vpn on Unifi's side and see if it can reconnect. This seems to happen a lot more often when there are Windows clients involved, and I've had much better success when only Linux clients connect to the VPN. But personally I've kind of given up on Ubiquiti fixing it and have switched my main VPN to use Wireguard instead. It is so much better and I highly recommend it. It is a little work to set up but once it is set up, it just works. I know you can get it to work on the Unifi device but I just have mine running on that end on a Raspberry Pi that also runs PiHole.
Thanks - tried using networkmanager and strongswan and still get failed connection. Complains about encryption algorithm 3des_CBC not supported. I'm following the Ubiquiti doco page, but it does look like there is something wrong with their end. It is a little beyond my troubleshooting ability, so might investigate your suggestion. Thanks again.
One last update done the day after. Just tried connecting using my android phone's VPN service and it worked. So issue is on my Linux PC. Thanks again.