L2TP VPN On The EdgeRouter X: Firmware 1.10.8

I set up a VPN on my EdgeRouter X.  A great little box for $60.  The routing functions are vastly superior to consumer WiFi routers.  I just got the UniFi AP AC LR unit, which will be hooking up to the X.

Anyways, I wanted to tell you how I got the VPN going.

If you're on a *Nix box, open your favorite terminal.  If you're on macOS, open the macOS Terminal.  If you're on Windows, download Cygwin and look for the section called Installing Cygwin.  Get the 64-bit version and install it.  When Cygwin is done installing, run the installer again and, when you get to the software install page, search for OpenSSH and install the latest version.  When all that's done, you should have a working *Nix terminal in Windows that serves as an SSH client and gives you other useful tools.

Start here: the UBNT help article on L2TP VPN (https://help.ubnt.com/).

I used the UBNT article to set up my VPN.  Let's walk through it line by line on the terminal.

First, type configure.  That puts the system into configuration (editing) mode so the settings can be modified.

Second, add firewall rules for the L2TP traffic to the local firewall policy.  But then the article says at the bottom, NOTE: Make sure to not overwrite any existing firewall rules.  What does that mean?  Well… let's take a look.  In the UBNT article the firewall rules are numbered 30 to 60.  In the X, they are labeled 1 to 6 in the GUI.  What they mean by overwriting is that you don't want to reuse an existing rule number.  Let's say you already have a firewall rule numbered 5.  If you create a new rule numbered 5, that new rule 5 replaces the old 5, and the old one is gone.

Here's a screenshot of the X firewall rules.  Notice how the rule numbers match up with the UBNT article.  I did not know all this until a few days ago.  Holy cow!  I could have seriously messed up my system.  I got lucky.  I learned just in time not to overwrite firewall rules and to adjust the numbers when writing new ones.  So, go into your X and if you have more than 2 rules (that would be rules 1 and 2), you will need to adjust the firewall rule numbers.  Let's say you have three rules.  Then your new rules would start at 40 and end at 70, etc.  Here's that screenshot.

Third, the article says to: Configure the server authentication settings (replace <secret> with your desired passphrase).  It may seem obvious to some people, but it wasn't to me: the <secret> angle brackets around the word secret don't actually go into the command.  Here's a screenshot of an actual command.

Same thing for the local user: remove the two brackets and replace the word secret with your actual password, AND replace username with a username of your choosing (make it unique to you).  Just so you know, the command reads set vpn l2tp remote-access authentication local-users username, then your username, then the literal word password, then your password.

Skip the Radius thing because if you need that, you don’t need this article.

For the IP pool I would just follow the article's advice.  For myself, I plan on having multiple users, so I chose 192.168.100.1 to 192.168.100.249.  I'm quite interested in the limits of the X in handling concurrent users on VPN.

For DNS, I chose OpenDNS, and since the X has a static IP the OpenDNS servers are always active.  P2P and bot protection, among others, are turned on.  If you have a dynamic IP or want to restrict VPN users really tightly, I would suggest the Family Shield servers from OpenDNS.  Or you could turn up your dashboard settings to max.  It's really important to lock down the DNS.  My DNS in the X and in the VPN are both OpenDNS.  Watch out for that pesky DNS over HTTPS; DNS over TLS is not as bad.  You'll need some magic to deal with that.

This was hard: Define the WAN interface which will receive L2TP requests from clients.  Configure only one of the following statements.  I had trouble deciding what interface to select, but I got help at the great and helpful UBNT community forums.  My family has a PPPoE DSL connection, so the command for me was: set vpn l2tp remote-access outside-address 0.0.0.0

I just followed the guide for this one and it worked: Define the IPsec interface which will receive L2TP requests from clients.

An optional step is to set the MTU.  I set mine to 1460.  I'm playing around with it, going by some Cisco documentation.  We'll see how it turns out.

Very important: commit your changes to the system and then save.  See screenshot.  If you forget, the system won't let you exit out.  That's commit ; save
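As an added example (not code from this post or from UBNT), here is a small Python helper for the firewall-numbering step above: it picks rule numbers above whatever WAN_LOCAL rules already exist, emits the four L2TP rules from the UBNT article at those numbers, and refuses a start number that would overwrite an existing rule. The existing-rule lists are constructed sample input, and the ruleset name WAN_LOCAL and the rule attributes are taken from the UBNT article as I recall it, so check them against the article before pasting.

```python
# Added example, not the post's or UBNT's own code: pick WAN_LOCAL rule numbers
# for the four L2TP/IPsec rules the UBNT article adds (ike, esp, nat-t, l2tp)
# that do not overwrite any existing rule, and emit the matching EdgeOS "set"
# lines. Rule attributes follow the UBNT article; the existing-rule lists are
# constructed sample input, not read from a real router.

# (description, protocol, destination port or None, match IPsec-protected traffic)
L2TP_RULES = [
    ("ike",   "udp", 500,  False),
    ("esp",   "esp", None, False),
    ("nat-t", "udp", 4500, False),
    ("l2tp",  "udp", 1701, True),
]

def free_rule_numbers(existing, start=None, step=10):
    """One rule number per L2TP rule, spaced `step` apart.

    Without `start`, numbering begins one step above the highest existing rule
    (three rules at 10/20/30 give 40..70, as in the post). An explicit `start`
    is checked so a copy-pasted 30..60 cannot silently replace an existing rule.
    """
    if start is None:
        start = (max(existing, default=0) // step + 1) * step
    numbers = [start + i * step for i in range(len(L2TP_RULES))]
    clash = sorted(set(numbers) & set(existing))
    if clash:
        raise ValueError(f"rule numbers {clash} would overwrite existing rules")
    return numbers

def l2tp_firewall_commands(existing, ruleset="WAN_LOCAL", start=None):
    """Build the `set firewall name ...` lines for the four L2TP rules."""
    lines = []
    rules = zip(free_rule_numbers(existing, start), L2TP_RULES)
    for number, (desc, proto, port, ipsec) in rules:
        prefix = f"set firewall name {ruleset} rule {number}"
        lines.append(f"{prefix} action accept")
        lines.append(f"{prefix} description {desc}")
        if port is not None:
            lines.append(f"{prefix} destination port {port}")
        if ipsec:  # only the L2TP port rule is limited to IPsec-wrapped traffic
            lines.append(f"{prefix} ipsec match-ipsec")
        lines.append(f"{prefix} log disable")
        lines.append(f"{prefix} protocol {proto}")
    return lines

if __name__ == "__main__":
    # Constructed sample: the two default rules plus one added later at 30.
    print("\n".join(l2tp_firewall_commands([10, 20, 30])))
```

The printed lines are meant to be pasted into the router's configure session, followed by commit ; save as described above.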

Now just follow the rest of the article for the how-to on setting up the Windows and Mac clients.  On Windows 10 it's really easy and takes 2 minutes, tops.  Good luck.
