Connecting to a Ubiquiti Unifi VPN with a Linux machine
This guide assumes that you have already set up a Ubiquiti Unifi VPN following the guide:
https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server
I followed these steps to configure a Linux machine as a remote VPN client. This guide was written for Debian 8.
- In Debian install the "xl2tpd" and "strongswan" packages.
- Edit /etc/ipsec.conf to add the connection (the parameter lines under "conn" must be indented; a line starting in column 0 begins a new section):

    conn YOURVPNCONNECTIONNAME
        authby=secret
        pfs=no
        auto=start
        keyexchange=ikev1
        keyingtries=3
        dpddelay=15
        dpdtimeout=45
        dpdaction=clear
        rekey=no
        ikelifetime=3600
        keylife=3600
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        # Replace IP address with your VPN server's IP
        right=IPADDRESSOFVPNSERVER
        rightprotoport=17/%any
        ike=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1,3des-sha1-modp1024,3des-sha1!
        esp=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1,aes256-sha1,3des-sha1!
- Edit /etc/ipsec.secrets to add the secret key for this connection:

    IPADDRESSOFVPNSERVER : PSK "SECRETPRESHAREDKEY"
- Edit /etc/xl2tpd/xl2tpd.conf to add this connection:

    [lac YOURVPNCONNECTIONNAME]
    lns = IPADDRESSOFVPNSERVER
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME
    length bit = yes
- Create the file /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME:

    ipcp-accept-local
    ipcp-accept-remote
    noccp
    refuse-eap
    refuse-chap
    noauth
    idle 1800
    mtu 1410
    mru 1410
    defaultroute
    # Uncomment if you want to use the DNS servers of the VPN host:
    #usepeerdns
    debug
    logfile /var/log/xl2tpd.log
    connect-delay 5000
    proxyarp
    name VPNUSERNAME
    password "VPNPASSWORD"
- To connect to the VPN, create a script:

    #!/bin/bash
    echo "Connecting to VPN..."
    # Ask xl2tpd to bring up the L2TP tunnel (the IPsec SA is started by
    # strongSwan itself because of auto=start in ipsec.conf).
    echo "c YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
    # Give pppd time to negotiate and create ppp0 before adding routes.
    sleep 10
    # To have all internet traffic routed through the VPN uncomment:
    #ip route add default dev ppp0
    # To only have a remote subnet routed through the VPN keep the next line
    # (it assumes the remote subnet you want routed is 192.168.0.0/24 and the
    # remote VPN end is 10.11.0.1):
    ip route add 192.168.0.0/24 via 10.11.0.1 dev ppp0
- To disconnect from the VPN, create a script:

    #!/bin/bash
    # Remove whichever route the connect script added (the one that was never
    # added will report an error, which is harmless).
    ip route del default dev ppp0
    ip route del 192.168.0.0/24 dev ppp0
    echo "d YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
    service xl2tpd restart
- Note that for these scripts I am assuming that the remote subnet we are interested in is 192.168.0.0/24 and the remote VPN gateway address is 10.11.0.1.
- Choose which route line to uncomment based on whether you want all traffic routed through the VPN or only connections to the 192.168.0.0/24 subnet.
- If you want all traffic routed through the VPN you may want to uncomment the "usepeerdns" line in /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME so that DNS traffic flows through the VPN rather than going to the local DNS server.
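The connect script above sleeps a fixed 10 seconds and then fails with "Cannot find device ppp0" if pppd has not finished bringing the link up. As an added example (not part of the original gist), here is a variant that polls for the interface and reports where to look when it never appears; VPN_IFACE, REMOTE_SUBNET, REMOTE_GW and the NET_SYSFS override are assumed names, with the gist's placeholder values as defaults.

```shell
#!/bin/bash
# Added example (not part of the original gist). Same placeholders as the gist;
# change VPN_IFACE if you set "ifname" in the ppp options file.
# NET_SYSFS is a hypothetical override so wait_for_iface can be tested offline.
VPN_NAME="${VPN_NAME:-YOURVPNCONNECTIONNAME}"
VPN_IFACE="${VPN_IFACE:-ppp0}"
REMOTE_SUBNET="${REMOTE_SUBNET:-192.168.0.0/24}"
REMOTE_GW="${REMOTE_GW:-10.11.0.1}"
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"

# Poll until the interface exists under $NET_SYSFS (the kernel creates
# /sys/class/net/ppp0 once pppd has the link up). Returns 0 when it appears,
# 1 after $2 seconds without it (default 30).
wait_for_iface() {
    local iface="$1" timeout="${2:-30}" waited=0
    while [ "$waited" -lt "$timeout" ]; do
        [ -e "$NET_SYSFS/$iface" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Print (not run) the route command for the chosen mode: "all" sends every
# packet through the tunnel, anything else routes only the remote subnet.
route_cmd() {
    if [ "$1" = "all" ]; then
        echo "ip route add default dev $VPN_IFACE"
    else
        echo "ip route add $REMOTE_SUBNET via $REMOTE_GW dev $VPN_IFACE"
    fi
}

# Bring the tunnel up, wait for the interface, then add the route.
connect_vpn() {
    echo "Connecting to VPN $VPN_NAME..."
    echo "c $VPN_NAME" > /var/run/xl2tpd/l2tp-control
    if ! wait_for_iface "$VPN_IFACE" 30; then
        echo "Cannot find device $VPN_IFACE after 30s; check syslog for the" \
             "strongSwan/xl2tpd/pppd messages" >&2
        return 1
    fi
    eval "$(route_cmd "$1")"
}

# Run only when invoked with an explicit mode: ./connect.sh subnet | all
case "${1:-}" in
    all|subnet) connect_vpn "$1" ;;
esac
```

The disconnect script from the gist works unchanged with this variant as long as it deletes routes on the same VPN_IFACE.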
@brett-kimball brett-kimball commented Feb 10, 2019

Nice example, it worked great. One additional option I found useful, especially if multiple VPN connections are required, is to specify the ppp interface name manually by adding the following to /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME:

ifname YOURIFACENAME

Then modify the connect/disconnect scripts to utilize the interface name instead of the default "ppp0".

@JnMik JnMik commented Feb 19, 2019

Hello guys,

In the connect.sh file, on this line:

ip route add default dev ppp0

I end up with: Cannot find device "ppp0".
Not quite sure what to do from here; does it have anything to do with pptp software?

  • Ubuntu 16.04.3
@pjbisset pjbisset commented May 11, 2020

I have the same issue as JnMik - for us newbies there must be something missing here. How is the interface ppp0 created?

Owner Author

@nahall nahall commented May 11, 2020

It will give the error message "Cannot find device ppp0" if it was not successful connecting to the VPN. Check syslog for the messages about establishing the VPN link. If you want to reset everything and try again, run:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

and then watch the log as you bring the VPN up.

But, I will also tell you that the VPN software on Unifi continues to be really flaky. Sometimes it gets in a weird state on the Unifi end where you need to SSH on to the Unifi and run "restart vpn" and then reconnect from your client. So if you used to be able to connect OK but are now getting this "Cannot find device ppp0" error, reset the vpn on Unifi's side and see if it can reconnect. This seems to happen a lot more often when there are Windows clients involved, and I've had much better success when only Linux clients connect to the VPN. But personally I've kind of given up on Ubiquiti fixing it and have switched my main VPN to use Wireguard instead. It is so much better and I highly recommend it. It is a little work to set up but once it is set up, it just works. I know you can get it to work on the Unifi device but I just have mine running on that end on a Raspberry Pi that also runs PiHole.

@pjbisset pjbisset commented May 11, 2020

Thanks - tried using networkmanager and strongswan and still get failed connection. Complains about encryption algorithm 3des_CBC not supported. I'm following the Ubiquiti doco page, but it does look like there is something wrong with their end. It is a little beyond my troubleshooting ability, so might investigate your suggestion. Thanks again.

One last update done the day after. Just tried connecting using my android phone's VPN service and it worked. So issue is on my Linux PC. Thanks again.
