Configure Ubiquiti L2TP VPN and Split Tunneling

A series of Ubiquiti routers can act as a VPN server, which are also known as UniFi Gateway. UniFi Gateway supports Layer 2 Tunneling Protocol (L2TP) Virtual Private Network (VPN) connectivity, allowing users to remotely access an internal network via establishing a VPN connection. The ability to establish a secure VPN tunnel through L2TP over IPsec is typically built into a modern operating system such as Windows, macOS, iOS and Android. Therefore, there is no need to install additional software for connection. However, there are some procedures involved with the setup of an L2TP VPN connection on both the client and the VPN server, which in this case is a UniFi Gateway. This article demonstrates the steps to configure a Ubiquiti Dream Machine router for accepting L2TP VPN connections, as well as the procedure to initiate a secure VPN connection from the client device to the VPN gateway. A section about enabling VPN connection alerts is also included.

Good things to know: Teleport VPN

Ubiquiti offers a feature called Teleport VPN for zero-configuration VPN access. It can be accessed through an application called WiFiman . It is available on iOS and macOS (essentially an iOS app running on a Mac). However, it does not support split tunneling as of early 2023. Also, an application must be installed on a client OS to initiate a VPN connection to the router. Depending on the use cases, Teleport VPN can be a good choice if #1) simplicity is desired, #2) an application can be installed on your operating system, and #3) there is no need to use split tunneling.

Ubiquiti WiFiman Teleport VPN
Ubiquiti WiFiman Teleport VPN

Part 1: Configure Ubiquiti Dream Machine as a VPN Server

To begin with, navigate to your Ubiquiti Unifi Console admin page.

On the Teleport & VPN page, Enable VPN Server. Confirm that the VPN Protocol is listed as L2TP.

Enter a pre-shared key (PSK). The pre-shared key will need to be provided on a client device later as well. Note that the pre-shared key is used for IPsec encryption. L2TP itself is a VPN protocol which does not include any encryption. Therefore, it is required to add the pre-shared key to authenticate both the client OS and the VPN server and establish an encrypted connection.

The UniFi Gateway IP is automatically displayed on the GUI. Be aware that the IP address is the same public IP assigned (WAN IP) assigned by your ISP. Therefore, the address may be changed periodically unless a static IP address service is in-place. If the ISP-assigned public IP is changed, you must use the new IP address to connect to your environment.

On the User Authentication area, create a new user. Specify an account name and password. Again, the username and password must be provided on the client device.

Configure VPN Server on UniFi Console
Configure VPN Server on UniFi Console

By default, Ubiquiti VPN server will create a separate subnet (192.168.2.0/24) for assigning an IP address to your remotely connected device. Ensure that the name server is configured as the same address as your gateway, which is often the Ubiquiti router itself (by default: 192.168.1.1). It allows remote devices connected to the VPN to use Dream Machine as the DNS server for DNS query. Ensure that “Require Strong Authentication” is checked.

Configure VPN Server on UniFi Console (Manual)
Configure VPN Server on UniFi Console (Manual)

Part 2: Configure Alerts on VPN Connections

On Ubiquiti UniFi console, enable “VPN Client Connection Change” alert definition on “System” > “Advanced Notifications”.

Ubiquiti Alerts on VPN Connection
Ubiquiti Alerts on VPN Connection

Alerts will be sent to your email address shall there be a new VPN connection / disconnection.

Ubiquiti Alert Email
Ubiquiti Alert Email

Part 3: Configure L2TP over IPsec VPN Connection on a Client Device

On the client device, navigate to the VPN setting page. Enter the same settings as per the configuration on Ubiquiti UniFi Console, including:

#1) Server Address (WAN Address of your Ubiquiti router)

#2) Account Name

#3) Password

#4) Shared Secret (which is the pre-shared key configured on the UniFi gateway earlier)

VPN Setting on a Client Device
VPN Setting on a Client Device

For split tunneling, disable the option: “Send all traffic and save the configuration.”

VPN Setting - Send all traffic over VPN connection
VPN Setting – Send all traffic over VPN connection

Part 4: Establish a VPN Connection between the VPN server and the Client

To establish the VPN connection, simply enable the VPN profile created in the above step.

Enable VPN Profile
Enable VPN Profile

If successful, the L2TP tunnel will be established.

Successfully Connected to a VPN
Successfully Connected to a VPN

The IP address assigned by the router can be checked after the connection. 

% ifconfig | grep 192 -C 1

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280

inet 192.168.2.6 --> 10.255.255.0 netmask 0xffffff00

From the ifconfig output above, we can see that network interface: ppp0 is used for connecting to the remote network, which is assigned with the IP address 192.168.2.6/24 through DHCP.

Part 5: Add a route to Enable Split Tunneling

After the VPN connection is established, we can go to the 192.168.2.0/24 network. However, by default, there is no route going to the 192.168.1.0/24 network. As the primary network, including the router, is on the 192.168.1.0/24 network, we need to add a route on the client OS to access network resources on the 192.168.1.0/24 network via split tunneling.

% netstat -rn | grep ppp0

default            link#25            UCSIg            ppp0       
10.255.255.0       192.168.2.6        UH               ppp0       
192.168.2          ppp0               USc              ppp0       
224.0.0/4          link#25            UmCSI            ppp0       
255.255.255.255/32 link#25            UCSI             ppp0

We can do that by executing “route add” command:

% route add 192.168.1.0/24 -interface ppp0

After adding the route, we can verify that with netstat and ping.

% netstat -rn | grep ppp0            
          
default            link#25            UCSIg            ppp0       
10.255.255.0       192.168.2.6        UH               ppp0       
192.168.1          ppp0               USc              ppp0       
192.168.2          ppp0               USc              ppp0       
224.0.0/4          link#25            UmCSI            ppp0       
255.255.255.255/32 link#25            UCSI             ppp0

Pinging the gateway on 192.168.1.0/24 network.

% ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=235.863 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=237.454 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=234.011 ms

Part 6: Remotely Access Applications Hosted in an Internal Network

After the VPN connection has been established and a route is added to the client OS, we can access remote resources. As demonstrated in the above section, all remote resources within 192.168.1.0/24 network are now reachable – just like in a LAN connection.

The advantage of split tunneling is that there is no need to send all traffic to the VPN connection. If the VPN server (i.e., the Ubiquiti gateway device) is physically far away from the user location, the speed of browsing regular website content will be slower. Through split tunneling, for example, we can browse website content using a high-speed, low-latency local network (without going through the VPN connection) and connect to a remote server using RDP protocol through the VPN connection.

As shown on below web page, the ISP information is still the same provider in a campus Wi-Fi network rather than another ISP in a remote location.

Regular website connection through split tunneling
Regular website connection through split tunneling