Introduction

L2TP over IPsec remains a widely used VPN option for remote access because it combines the simplicity of L2TP with the security of IPsec. For administrators using Ubiquiti UniFi hardware (USG, UDM, UDM-Pro) managed through the UniFi Network Controller (now the “Network” application), enabling L2TP VPN requires coordination between the controller UI, device-level settings, firewall/NAT rules, and client configuration. This guide walks you through a clear, step-by-step process with practical configuration samples, CLI hints, troubleshooting steps, and security best practices aimed at webmasters, enterprise IT staff, and developers.

Prerequisites and design considerations

Before you start, ensure you have:

  • UniFi Network Controller (Network application) access with administrative privileges.
  • One of the supported UniFi gateway devices (USG, UDM, UDM-Pro) adopted by the controller.
  • A public IP reachable by the gateway (or proper port forwarding if behind another NAT).
  • Basic familiarity with SSH and the UniFi controller’s settings UI.

Design considerations:

  • IP addressing: Select a dedicated VPN subnet that does not overlap your LANs (e.g., 10.10.10.0/24).
  • Authentication: UniFi supports local accounts for L2TP (username/password + pre-shared key). For larger deployments, integrate with a RADIUS server for centralized auth and accounting.
  • Security: L2TP itself does not encrypt traffic; IPsec provides encryption. Use a strong pre-shared key or, preferably, certificate-based IPsec where supported by your environment.
  • Firewall & NAT: UDP ports 500 and 4500 and IP protocol ESP (50) must be allowed. Be aware of NAT traversal and double-NAT scenarios.
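Before committing to a VPN subnet, it is worth checking it mechanically against every network it could collide with. The following is an added Python example (not part of the original guide and not Ubiquiti code) that tests a candidate pool against the site's LANs and against the home/office networks remote clients commonly sit behind, and checks that the pool has enough usable addresses. The sample subnets are constructed, and the assumption that the gateway reserves three addresses (network, broadcast, gateway) is the example's own, so compare it with what your firmware actually hands out.

```python
import ipaddress

# Constructed sample plan (not from the guide): the pool from the guide against two
# office LANs and the private networks remote clients are often connected to.
VPN_SUBNET = "10.10.10.0/24"
LAN_SUBNETS = ["192.168.1.0/24", "192.168.10.0/24", "10.20.0.0/16"]
COMMON_CLIENT_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def find_overlaps(vpn_subnet, other_subnets):
    """Return (vpn, other) string pairs whose address ranges overlap."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=True)
    found = []
    for cidr in other_subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if vpn.version == net.version and vpn.overlaps(net):
            found.append((str(vpn), str(net)))
    return found


def pool_capacity(vpn_subnet):
    """Usable client addresses. Assumption: network, broadcast and the
    gateway's own address are not handed to clients."""
    net = ipaddress.ip_network(vpn_subnet, strict=True)
    return max(net.num_addresses - 3, 0)


def check_vpn_plan(vpn_subnet, lan_subnets, client_subnets, expected_users):
    """Summarise overlap and capacity problems for a proposed VPN pool."""
    capacity = pool_capacity(vpn_subnet)
    report = {
        "lan_overlaps": find_overlaps(vpn_subnet, lan_subnets),
        "client_overlaps": find_overlaps(vpn_subnet, client_subnets),
        "capacity": capacity,
        "enough_addresses": capacity >= expected_users,
    }
    report["ok"] = (not report["lan_overlaps"]
                    and not report["client_overlaps"]
                    and report["enough_addresses"])
    return report


if __name__ == "__main__":
    print(check_vpn_plan(VPN_SUBNET, LAN_SUBNETS, COMMON_CLIENT_SUBNETS, 50))
    # An office that uses all of 10.0.0.0/8 would collide with the pool:
    print(check_vpn_plan(VPN_SUBNET, ["10.0.0.0/8"], [], 50))
```

Run it once with your real LAN list; a hit in `client_overlaps` is the pitfall where a remote user's home network shadows the VPN pool and traffic never enters the tunnel.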

Step 1 — Create the Remote User VPN via the UniFi Network Controller

Use the classic UniFi Network Controller workflow:

  • Open the controller and go to Settings > Networks.
  • Click Create New Network.
  • Set Purpose to Remote User VPN.
  • Protocol: choose L2TP (or L2TP over IPsec, depending on UI wording).
  • Enter a Name (e.g., Remote-L2TP), a dedicated Subnet (e.g., 10.10.10.0/24) and the Pre-shared Key (PSK). Keep the PSK strong and store it securely.
  • Set DNS servers to be pushed to clients (e.g., your internal DNS or public resolvers like 1.1.1.1).
  • Click Save or Apply to push the configuration to the gateway.

After applying, the controller will provision the gateway. This UI step provisions standard L2TP settings and creates local VPN user entries if the controller supports them.

Step 2 — Add VPN users (local accounts)

On smaller deployments you can use local users provisioned via the controller:

  • Under Settings > Users or within the Remote User VPN dialog (UI varies by version), add username and password pairs.
  • Ensure each user has a unique password and follow your organization’s password policy.

For enterprise setups, integrate with a RADIUS server:

  • Configure RADIUS under Settings > Services > RADIUS with server IP, shared secret and authentication type.
  • In the Remote User VPN settings select RADIUS as the authentication backend.

Step 3 — Verify gateway-level IPsec & L2TP settings (advanced)

In most cases the controller-provisioned settings are sufficient. For customized crypto proposals or advanced logging, you must SSH into the gateway and, for USG devices, use configuration overrides:

  • SSH to the gateway: ssh admin@.
  • Check the current L2TP/IPsec runtime status: sudo ipsec statusall (or similar strongSwan commands) and inspect /var/log/messages for related events.
  • To make persistent advanced configuration on USG, create or edit /etc/unifi/config.gateway.json or use a controller-based advanced config block (note: incorrect JSON will break provisioning – back up before changes).

Example override for stronger IKE/ESP proposals (conceptual):

Note: Exact JSON keys vary by firmware. Consult the controller documentation and back up before editing.
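As an added example (not from the original guide and not Ubiquiti's code), the Python helper below builds a config.gateway.json fragment with stronger IKE and ESP proposals, merges it into an existing file and writes a timestamped backup first, which is the precaution the note above calls for. The `vpn.ipsec.ike-group` / `esp-group` layout follows the EdgeOS-style configuration tree the USG uses; the group names IKE-L2TP and ESP-L2TP, the proposal values (AES-256, SHA-256, DH group 14) and the file path are assumptions: the group names must match what the controller provisions on your firmware, and the proposal must be one your clients can actually negotiate.

```python
import copy
import json
import os
import shutil
import tempfile
from datetime import datetime


def build_override(ike_group="IKE-L2TP", esp_group="ESP-L2TP"):
    """Return the override fragment. Assumption: group names and proposal
    values must be reconciled with what the controller provisions and
    with the proposals your clients offer."""
    return {
        "vpn": {
            "ipsec": {
                "ike-group": {
                    ike_group: {
                        "key-exchange": "ikev1",
                        "lifetime": "28800",
                        "proposal": {"1": {"dh-group": "14",
                                           "encryption": "aes256",
                                           "hash": "sha256"}},
                    }
                },
                "esp-group": {
                    esp_group: {
                        "lifetime": "3600",
                        "proposal": {"1": {"encryption": "aes256",
                                           "hash": "sha256"}},
                    }
                },
            }
        }
    }


def deep_merge(base, override):
    """Recursively merge override into a copy of base; override wins on leaves."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def install_override(path, override):
    """Parse the existing file (refusing to touch broken JSON), back it up,
    merge the override in and write valid JSON back. Returns the merged tree."""
    existing = {}
    if os.path.exists(path):
        with open(path) as f:
            existing = json.load(f)  # raises ValueError if the file is already invalid
        stamp = datetime.now().strftime("%Y%m%d%H%M%S")
        shutil.copy2(path, f"{path}.bak-{stamp}")
    merged = deep_merge(existing, override)
    text = json.dumps(merged, indent=2, sort_keys=True)
    json.loads(text)  # final sanity check before the gateway sees it
    with open(path, "w") as f:
        f.write(text + "\n")
    return merged


def run_demo():
    """Exercise install_override on a throwaway copy; returns (merged, backups)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "config.gateway.json")
    with open(path, "w") as f:
        # Constructed stand-in for an existing file on the controller host.
        json.dump({"system": {"host-name": "usg-lab"}}, f)
    merged = install_override(path, build_override())
    backups = sorted(n for n in os.listdir(workdir)
                     if n.startswith("config.gateway.json.bak-"))
    return merged, backups


if __name__ == "__main__":
    merged, backups = run_demo()
    print(json.dumps(merged, indent=2, sort_keys=True))
    print("backups:", backups)
```

On a real controller host, point `install_override` at the actual config.gateway.json path for your site and force a re-provision afterwards; if provisioning loops, restore the `.bak-` copy.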

Step 4 — Firewall and NAT rules

Common connectivity issues arise from firewall or NAT rules. Ensure the following:

  • Allow UDP port 500 (IKE) and 4500 (NAT-T) from WAN to the gateway.
  • Allow IP protocol ESP (50) if your ISP/gateway supports it. Some home routers block ESP which breaks L2TP/IPsec.
  • Create appropriate LAN-to-VPN and VPN-to-LAN allow rules. By default VPN clients should be allowed to access internal resources; if not, add rules that permit traffic from the VPN subnet to the LAN subnets on required ports/services.
  • Configure NAT hairpin/masquerade if VPN clients need to access an internal resource using the public IP.

Example controller-level firewall steps:

  • Settings > Routing & Firewall > Firewall > WAN Local: add allow rules for UDP 500 & 4500 source any to destination WAN IP.
  • Settings > Routing & Firewall > Firewall > LAN In: allow traffic from VPN subnet to LAN subnets as required.

Step 5 — Client configuration (Windows, macOS, iOS, Android)

Provide users the essentials: server address (public WAN IP or DDNS hostname), username, password, and PSK.

Windows 10/11

  • Settings > Network & Internet > VPN > Add a VPN connection.
  • VPN provider: Windows (built-in). Connection name: choose. Server name or address: your public IP or hostname.
  • VPN type: L2TP/IPsec with pre-shared key. Enter the PSK. Type of sign-in info: username and password.
  • Advanced: Set authentication to MS-CHAP v2 if asked. If you get error 809, verify ports and NAT issues.

macOS

  • System Preferences > Network > + > Interface: VPN, VPN Type: L2TP over IPsec. Server Address, Account Name, and Authentication Settings: fill in password and shared secret.
  • Click Advanced to send all traffic over VPN if desired (useful for forced-tunnel setups).

iOS

  • Settings > General > VPN > Add VPN Configuration > Type: L2TP. Enter server, account, password and Secret (PSK).

Android

  • Settings > VPN > Add L2TP/IPsec PSK. Enter server, username, password, and PSK.
  • Note: Android implementations vary; use clients like strongSwan for certificate-based IPsec.

Troubleshooting checklist

When connections fail, follow this systematic approach:

  • Verify reachability: From a remote client, ping the public IP and confirm UDP 500 & 4500 are reachable using online port scanners or network tools.
  • Check logs: SSH into the gateway and tail the logs: tail -f /var/log/messages or check /var/log/syslog depending on firmware. Look for IKE failures and authentication errors.
  • Inspect IPsec status: Run sudo ipsec statusall or sudo swanctl --list-sas to see SA negotiation details.
  • Confirm firewall rules: Temporarily allow all UDP 500/4500 from any source to the WAN local to isolate rule issues.
  • Double NAT: If the gateway is behind another NAT (e.g., CGNAT or ISP router), port forwarding or bridging is required; otherwise IPsec may fail due to NAT restrictions.
  • Client logs: On Windows use the Event Viewer (Applications & Services Logs > Microsoft > Windows > RasClient) or on mobile check VPN status logs for authentication errors.
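Reading /var/log/messages by eye gets slow once several users are failing at once. The script below is an added example (not from the original guide) that classifies the IKE, IPsec and PPP messages you would be looking for on the gateway and maps each class back to the checklist item above. The log lines are constructed to resemble strongSwan (charon) and L2TP daemon output; the exact wording varies by firmware, so treat the patterns as a starting point and adjust them to what your gateway actually logs.

```python
import re
from collections import Counter

# Constructed sample log (documentation IP ranges; not captured from a real device).
SAMPLE_LOG = """\
Jan 10 10:01:02 usg charon: 05[IKE] remote host is behind NAT
Jan 10 10:01:02 usg charon: 05[IKE] received NO_PROPOSAL_CHOSEN notify error
Jan 10 10:02:15 usg charon: 07[IKE] invalid HASH_V1 payload length, decryption failed?
Jan 10 10:03:30 usg charon: 08[IKE] IKE_SA remote-access[3] established between 198.51.100.7[198.51.100.7] and 203.0.113.5[203.0.113.5]
Jan 10 10:03:31 usg xl2tpd[1234]: CHAP authentication failed for user alice
Jan 10 10:03:40 usg charon: 09[IKE] CHILD_SA remote-access{2} established with SPIs c1a2b3d4_i e5f6a7b8_o
""".splitlines()

# Order matters: the PPP-level check comes before the generic "authentication failed"
# so CHAP failures are not mistaken for IKE authentication failures.
PATTERNS = [
    ("ppp_auth", re.compile(r"CHAP authentication failed|MS-?CHAP.*fail", re.I)),
    ("proposal_mismatch", re.compile(r"NO_PROPOSAL_CHOSEN|no (?:IKE |ESP )?proposal|no matching proposal", re.I)),
    ("psk_mismatch", re.compile(r"invalid HASH_V1 payload|AUTHENTICATION_FAILED|authentication failed", re.I)),
    ("nat_traversal", re.compile(r"\bNAT-T\b|(?:remote|local) host is behind NAT", re.I)),
    ("established", re.compile(r"(?:IKE_SA|CHILD_SA) .* established", re.I)),
]

# Each class points back at the step in the troubleshooting checklist that resolves it.
HINTS = {
    "proposal_mismatch": "IKE/ESP proposal mismatch: compare gateway proposals with what the client offers.",
    "psk_mismatch": "Phase 1 authentication failed: verify the pre-shared key on the client matches the controller.",
    "nat_traversal": "Client is behind NAT: confirm UDP 4500 is allowed and check for double NAT on the gateway side.",
    "ppp_auth": "PPP/CHAP failure after IPsec came up: check the username/password or the RADIUS backend.",
}


def classify_line(line):
    """Return the first matching class name for a log line, or None."""
    for name, rx in PATTERNS:
        if rx.search(line):
            return name
    return None


def triage(lines):
    """Count classified lines; unclassified lines are ignored."""
    counts = Counter()
    for line in lines:
        name = classify_line(line)
        if name:
            counts[name] += 1
    return dict(counts)


def recommend(counts):
    """Turn the counts into the checklist actions worth trying, most frequent first."""
    ranked = sorted((n for n in counts if n in HINTS), key=lambda n: -counts[n])
    return [f"{counts[n]}x {HINTS[n]}" for n in ranked]


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    for hint in recommend(summary):
        print(" -", hint)
```

To run it against a live gateway, replace `SAMPLE_LOG` with the lines from `tail -n 500 /var/log/messages` (or /var/log/syslog, depending on firmware) and look at which class dominates; an IKE_SA that is established followed by CHAP failures tells you the IPsec layer is fine and the problem is user credentials or RADIUS.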

Advanced topics and enhancements

Consider these advanced improvements:

  • RADIUS integration: Centralize authentication and authorization, enable per-user accounting and easier user management.
  • Split vs full tunnel: Decide whether to push internal routes or force all traffic through the VPN. Use appropriate routing policies and NAT rules.
  • Certificate-based IPsec: Certificates are more secure than PSKs. Use a CA and issue certificates to the gateway and (where supported) clients.
  • Monitoring: Integrate VPN client counts and uptime into your monitoring stack (SNMP, UniFi metrics, or external tools).
  • Scaling: For many concurrent users, evaluate gateway CPU and IPsec throughput limits, and consider higher-end Ubiquiti hardware or dedicated VPN appliances.

Common pitfalls

Watch out for these frequent problems:

  • Using a VPN subnet that overlaps remote client networks causes routing conflicts.
  • Weak PSKs or reused keys across systems increase risk—rotate keys periodically.
  • Relying on default firewall rules without explicit allows for VPN traffic often breaks connectivity.
  • ISP restrictions (blocking ESP or IKE) can silently prevent tunnels from establishing.

Conclusion

Configuring L2TP over IPsec on UniFi-managed gateways is straightforward when you follow a systematic approach: provision the Remote User VPN in the controller, add users or integrate RADIUS, verify gateway-level IPsec settings for advanced needs, ensure firewall and NAT are correctly configured, and provision clients correctly. For larger or security-sensitive deployments, favor RADIUS and certificate-based authentication, monitor resource usage, and keep firmware patched. If you need to dive deeper into gateway-specific JSON overrides or strongSwan tuning, always back up your controller and device configurations before applying changes.

For more detailed guides and deployment tips relevant to managed IPs and VPN configurations, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.