Configuring L2TP VPN in Ubiquiti UniFi USG

In this post we’ll look at how to set up an L2TP VPN connection on a UniFi USG. As of mid 2017 this is a built-in feature in the UniFi Controller, so it’s pretty easy to set up. I’ll show you how I set it up before it was a built-in option, and then how you can set it up using the new-ish native capabilities in the USG.

The Old Way:

Before this became a native option, it involved creating or editing your custom “config.gateway.json” file on your UniFi Controller or Cloud Key. I went into detail on this file and where it’s located in this previous post about enabling OSPF on your USG:
http://www.virtualspiral.com/2017/10/configuring-ubiquiti-unifi-usg-to-work-with-nsx/

The main steps involved were creating the VPN network that incoming VPN users will be placed on, and then creating and configuring the service in the JSON file.

Here is how I created my network that was assigned to my VPN:

And here is the code snippet that was in the custom JSON file we talked about above.

{
    "vpn": {
        "ipsec": {
            "auto-firewall-nat-exclude": "enable",
            "ipsec-interfaces": {
                "interface": [
                    "eth0"
                ]
            },
            "nat-networks": {
                "allowed-network": {
                    "0.0.0.0/0": ""
                }
            },
            "nat-traversal": "enable"
        },
        "l2tp": {
            "remote-access": {
                "authentication": {
                    "local-users": {
                        "username": {
                            "vpnuser": {
                                "password": "password"
                            }
                        }
                    },
                    "mode": "local"
                },
                "client-ip-pool": {
                    "start": "192.168.0.10",
                    "stop": "192.168.0.100"
                },
                "dhcp-interface": "eth0",
                "dns-servers": {
                    "server-1": "192.168.0.1",
                    "server-2": "8.8.8.8"
                },
                "ipsec-settings": {
                    "authentication": {
                        "mode": "pre-shared-secret",
                        "pre-shared-secret": "MyPreSharedSecret"
                    },
                    "ike-lifetime": "3600"
                },
                "mtu": "1492"
            }
        }
    }
}
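The snippet above is easy to break when it is hand-edited: a blog editor or word processor turns the straight quotes into curly ones and the USG will silently refuse the file, and the placeholder credentials are easy to leave in place. As an added example (not code from the original post and not Ubiquiti's), here is a small Python script that builds the same stanza from parameters, deep-merges it into an existing config.gateway.json so other custom settings (such as the OSPF config from the earlier post) are not clobbered, proves the result round-trips as valid JSON, and flags weak or placeholder secrets before the file is deployed. The function names, the lint thresholds (16-character PSK, 12-character user password, 24-hour IKE lifetime) and the sample values are this example's own assumptions.

```python
"""Build, merge and sanity-check a USG config.gateway.json L2TP stanza.

Added example; not from the original post or from Ubiquiti. The stanza
layout mirrors the snippet in the post; the lint thresholds and the
sample values are this example's own assumptions.
"""
import copy
import ipaddress
import json

# Values a defender would never want to see shipped (assumed list).
WEAK_SECRETS = {"password", "MyPreSharedSecret", "secret", "changeme"}


def build_l2tp_stanza(psk, users, pool_start, pool_stop, dns_servers,
                      wan_if="eth0", ike_lifetime=3600, mtu=1492):
    """Return a dict with the same layout as the post's config.gateway.json snippet."""
    local_users = {name: {"password": pw} for name, pw in users.items()}
    return {
        "vpn": {
            "ipsec": {
                "auto-firewall-nat-exclude": "enable",
                "ipsec-interfaces": {"interface": [wan_if]},
                # Empty string is how EdgeOS-style JSON expresses a value-less leaf.
                "nat-networks": {"allowed-network": {"0.0.0.0/0": ""}},
                "nat-traversal": "enable",
            },
            "l2tp": {
                "remote-access": {
                    "authentication": {
                        "local-users": {"username": local_users},
                        "mode": "local",
                    },
                    "client-ip-pool": {"start": pool_start, "stop": pool_stop},
                    "dhcp-interface": wan_if,
                    "dns-servers": {"server-1": dns_servers[0],
                                    "server-2": dns_servers[1]},
                    "ipsec-settings": {
                        "authentication": {"mode": "pre-shared-secret",
                                           "pre-shared-secret": psk},
                        # The USG expects these numeric settings as strings.
                        "ike-lifetime": str(ike_lifetime),
                    },
                    "mtu": str(mtu),
                }
            },
        }
    }


def deep_merge(base, new):
    """Merge `new` into a copy of `base`: nested dicts merge, other values are replaced."""
    out = copy.deepcopy(base)
    for key, value in new.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def lint_l2tp(cfg):
    """Return a list of findings for the L2TP stanza in cfg; an empty list means clean."""
    findings = []
    ra = cfg["vpn"]["l2tp"]["remote-access"]
    psk = ra["ipsec-settings"]["authentication"]["pre-shared-secret"]
    if psk in WEAK_SECRETS or len(psk) < 16:
        findings.append("pre-shared-secret is a placeholder or shorter than 16 characters")
    for name, entry in ra["authentication"]["local-users"]["username"].items():
        if entry["password"] in WEAK_SECRETS or len(entry["password"]) < 12:
            findings.append(f"user {name!r} has a placeholder or short password")
    start = ipaddress.ip_address(ra["client-ip-pool"]["start"])
    stop = ipaddress.ip_address(ra["client-ip-pool"]["stop"])
    if stop < start:
        findings.append("client-ip-pool stop is below start")
    if int(ra["ipsec-settings"]["ike-lifetime"]) > 86400:
        findings.append("ike-lifetime exceeds 24 hours")
    return findings


def render(cfg):
    """Serialise with straight ASCII quotes; the json.loads round-trip proves it parses."""
    text = json.dumps(cfg, indent=4)
    json.loads(text)
    return text


if __name__ == "__main__":
    # Constructed sample: an existing config.gateway.json with one unrelated setting.
    existing = {"system": {"host-name": "usg-example"}}
    stanza = build_l2tp_stanza("MyPreSharedSecret", {"vpnuser": "password"},
                               "192.168.0.10", "192.168.0.100",
                               ["192.168.0.1", "8.8.8.8"])
    for finding in lint_l2tp(stanza):
        print("WARNING:", finding)
    print(render(deep_merge(existing, stanza)))
```

Run as-is it prints two warnings for the post's placeholder secret and password and then the merged file; pass your own values to build_l2tp_stanza and write the output of render() to config.gateway.json on the controller.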

And this worked perfectly for my needs. All I needed to do then was set up my VPN client using the public IP of my USG, the vpnuser username and password, and the Pre-Shared-Secret, and I was good to go.

The New Way:

Now let’s look at the new way so we don’t have to mess with the custom JSON file. The JSON file works fine, but the built in functionality is certainly the preferred method.

The steps here are pretty simple: create a network for VPN users to use, and configure Radius (server, user, and profile). Let’s step through it.

First, let’s enable the radius server. This will be under Settings > Services > Radius. Turn it on and fill in your secret (this will be the Pre-Shared-Secret for your VPN). The ports and everything else can be left default.

Now, while still in the Radius settings, click Users and create a new user. This will become your VPN user, so you can create one or many depending on how many remote users you need. Enter the VPN user name and password, then select option 3 for Tunnel Type and option 1 for Tunnel Medium Type (assuming you are using IPv4; in RADIUS terms, Tunnel-Type 3 is L2TP and Tunnel-Medium-Type 1 is IPv4). You do not need to specify a VLAN; later we’ll create a specific network that will map to this L2TP service.

Next we can create the Radius profile. This is under Settings > Profiles. This is very simple, you will basically just name the profile and then hit Save.

And last, but not least, we create the network that will be assigned to this VPN service. Create a network with purpose “Remote User VPN” and VPN Type “L2TP Server”, assign your network IP info, select the Radius profile you created in the previous step, and then fill in your Pre-Shared Key. Note that this Pre-Shared Key must match the “Secret” you set when you enabled the Radius server in the steps above.

And that’s it! Simple right? All you need to do now is setup your VPN client using the public IP of your USG, the vpnuser username and password, and the Pre-Shared-Secret and you’re good to go. Happy VPN’ing!
