Saturday, November 28, 2015

Google Fiber - EdgeRouter Remote VPN Setup

Google Fiber's Network Box currently doesn't support remote-access VPNs, but the Ubiquiti EdgeRouter does. I'll walk through setting up remote access via L2TP over IPsec.

The firewall rule changes can be done through the GUI, but everything else must be done through the CLI or the config tree.

Enable hardware offload for IPsec:
set system offload ipsec enable

Renumber an existing rule so there's space to add two new rules:
edit firewall
edit name WAN_LOCAL
rename rule 3 to rule 6
top

Add firewall rules for L2TP:
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 description 'Allow L2TP'
set firewall name WAN_LOCAL rule 4 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 4 log disable
set firewall name WAN_LOCAL rule 4 protocol udp
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description 'Allow ESP'
set firewall name WAN_LOCAL rule 5 log disable
set firewall name WAN_LOCAL rule 5 protocol esp

Set up IPsec:
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec ipsec-interfaces interface eth1.2
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal enable

Set up L2TP:
# Change the username and password below to your own
set vpn l2tp remote-access authentication local-users username testuser password 'testpassword'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.100.101
set vpn l2tp remote-access client-ip-pool stop 192.168.100.110
set vpn l2tp remote-access dhcp-interface eth1.2
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
# Change the L2TP shared secret below to your own
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testsecret
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492

Commit and Save:
commit
save
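Before exposing the router to the internet it is worth checking that the running configuration really matches the walkthrough above. The following audit script is an added example, not code from this post or from Ubiquiti: it parses the output of `show configuration commands` (the same `set ...` lines used above) and reports missing firewall rules, IPsec settings that differ from the walkthrough, and sample credentials that were never changed. The embedded configuration is constructed from the commands above, and the check names and messages are my own.

```python
# Constructed sample: the post's commands as `show configuration commands` prints them.
SAMPLE_CONFIG = """
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 4 protocol udp
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 protocol esp
set vpn ipsec ipsec-interfaces interface eth1.2
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username testuser password 'testpassword'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testsecret
"""
PLACEHOLDERS = {"testuser", "testpassword", "testsecret"}  # the post's sample values
L2TP = ("vpn", "l2tp", "remote-access")

def parse_set_lines(text):
    """Map each 'set a b c value' line to {('a', 'b', 'c'): 'value'} (quotes stripped)."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) > 2 and parts[0] == "set":
            conf[tuple(parts[1:-1])] = parts[-1].strip("'\"")
    return conf

def audit_l2tp_ipsec(text, wan_interface="eth1.2"):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_set_lines(text), []
    # Firewall: WAN_LOCAL must accept UDP 500/1701/4500 (IKE, L2TP, NAT-T) and ESP.
    rules = {p[:5] for p in conf if p[:4] == ("firewall", "name", "WAN_LOCAL", "rule")}
    accepted = [r for r in rules if conf.get(r + ("action",)) == "accept"]
    udp_ports = {port for r in accepted if conf.get(r + ("protocol",)) == "udp"
                 for port in conf.get(r + ("destination", "port"), "").split(",")}
    if not {"500", "1701", "4500"} <= udp_ports:
        findings.append("WAN_LOCAL does not accept UDP 500, 1701 and 4500")
    if not any(conf.get(r + ("protocol",)) == "esp" for r in accepted):
        findings.append("WAN_LOCAL does not accept ESP")
    # IPsec: bound to the WAN interface with NAT traversal on (clients are usually behind NAT).
    if conf.get(("vpn", "ipsec", "ipsec-interfaces", "interface")) != wan_interface:
        findings.append(f"ipsec-interfaces is not {wan_interface}")
    if conf.get(("vpn", "ipsec", "nat-traversal")) != "enable":
        findings.append("nat-traversal is not enabled")
    # Credentials: the post's placeholder values must not survive into production.
    psk = conf.get(L2TP + ("ipsec-settings", "authentication", "pre-shared-secret"))
    if not psk or psk in PLACEHOLDERS:
        findings.append("pre-shared-secret is missing or still the sample value")
    for p, v in conf.items():
        if p[:5] == L2TP + ("authentication", "local-users") and p[-1] == "password" and v in PLACEHOLDERS:
            findings.append(f"user {p[6]} still has the sample password")
    return findings
```

Run it against the real output of `show configuration commands` copied from the router; the sample above, which still carries the post's test credentials, produces two findings.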

Additional Resources:
EdgeMax - L2TP Server Setup
Android Client Setup

2 comments:

Jason Broockerd said...

Thanks to the work of guys like you and Atlantisman, I have enjoyed using the ERL and so far I've had great luck with it.

Your setup here worked great, except that when using the VPN (from outside my LAN), I could not ping local hosts by their hostnames.

I had to add an additional line:

set service dns forwarding options "listen-address=x.x.x.x"
where x.x.x.x is the eth0 address of my router.

I also used that same router address for dns-server 1, although I'm not sure if that was necessary or not.

set vpn l2tp remote-access dns-servers server-1 x.x.x.x
