The firewall rule changes can be done through the GUI, but everything else must be done through the CLI or the config tree.
Enable hardware offload for IPsec:
set system offload ipsec enable
Reorder a rule so there's space to add two new rules:
edit firewall
edit name WAN_LOCAL
rename rule 3 to rule 6
top
Add firewall rules for L2TP:
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 description 'Allow L2TP'
set firewall name WAN_LOCAL rule 4 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 4 log disable
set firewall name WAN_LOCAL rule 4 protocol udp
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description 'Allow ESP'
set firewall name WAN_LOCAL rule 5 log disable
set firewall name WAN_LOCAL rule 5 protocol esp
Setup IPsec:
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec ipsec-interfaces interface eth1.2
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal enable
# Change the username and password
set vpn l2tp remote-access authentication local-users username testuser password 'testpassword'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.100.101
set vpn l2tp remote-access client-ip-pool stop 192.168.100.110
set vpn l2tp remote-access dhcp-interface eth1.2
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
# Change the L2TP shared secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testsecret
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492
Commit and Save:
commit
save
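After committing, it is worth checking that the pieces above actually ended up in the running configuration and that the placeholder credentials were replaced. The following is an added example (not from the original post and not an EdgeOS tool): it parses the `set ...` lines that `show configuration commands` prints on an EdgeRouter and audits them for the WAN_LOCAL UDP 500/1701/4500 rule, the ESP rule, NAT traversal, and any `testuser`/`testsecret`-style placeholders still in place. The sample dump embedded in it is constructed and abridged.

```python
"""Audit an EdgeOS `show configuration commands` dump for the L2TP/IPsec
settings described in the post.  Added example, not part of the original
post or of EdgeOS; the sample dump below is constructed."""

import shlex

# Constructed, abridged dump in the format `show configuration commands`
# prints after the steps above (assumption: placeholders were left as-is).
SAMPLE_DUMP = """\
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 description 'Allow L2TP'
set firewall name WAN_LOCAL rule 4 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 4 log disable
set firewall name WAN_LOCAL rule 4 protocol udp
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description 'Allow ESP'
set firewall name WAN_LOCAL rule 5 protocol esp
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username testuser password 'testpassword'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testsecret
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
"""

REQUIRED_UDP_PORTS = {500, 1701, 4500}          # IKE, L2TP, NAT-T
PLACEHOLDER_SECRETS = {"testsecret", "testpassword"}  # values from the post


def parse_set_commands(dump):
    """Turn each `set a b c value` line into a token list (without 'set')."""
    cmds = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("set "):
            cmds.append(shlex.split(line)[1:])  # shlex keeps 'Allow L2TP' whole
    return cmds


def firewall_rules(cmds, ruleset):
    """Collect {rule_number: {leaf path: value}} for one named ruleset."""
    rules = {}
    for c in cmds:
        if c[:3] == ["firewall", "name", ruleset] and len(c) >= 6 and c[3] == "rule":
            rules.setdefault(c[4], {})[" ".join(c[5:-1])] = c[-1]
    return rules


def udp_l2tp_rule_ok(rules):
    """True if some accept rule covers UDP 500, 1701 and 4500 together."""
    for r in rules.values():
        if r.get("action") != "accept" or r.get("protocol") != "udp":
            continue
        ports = {int(p) for p in r.get("destination port", "").split(",") if p}
        if REQUIRED_UDP_PORTS <= ports:
            return True
    return False


def esp_rule_ok(rules):
    """True if an accept rule for protocol esp exists."""
    return any(r.get("action") == "accept" and r.get("protocol") == "esp"
               for r in rules.values())


def nat_traversal_enabled(cmds):
    return ["vpn", "ipsec", "nat-traversal", "enable"] in cmds


def placeholder_credentials(cmds):
    """Return leaf values under vpn l2tp remote-access that are still placeholders."""
    return [c[-1] for c in cmds
            if c[:3] == ["vpn", "l2tp", "remote-access"] and c[-1] in PLACEHOLDER_SECRETS]


def audit(dump):
    cmds = parse_set_commands(dump)
    rules = firewall_rules(cmds, "WAN_LOCAL")
    return {
        "udp_ports_allowed": udp_l2tp_rule_ok(rules),
        "esp_allowed": esp_rule_ok(rules),
        "nat_traversal": nat_traversal_enabled(cmds),
        "placeholder_credentials": placeholder_credentials(cmds),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On a real router, pipe the output of `show configuration commands` into the script instead of using the constructed dump; any non-empty `placeholder_credentials` list means the username, password or pre-shared secret from the post is still in use.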
Additional Resources:
EdgeMax - L2TP Server Setup
Android Client Setup
4 comments:
Thanks to the work of guys like you and Atlantisman, I have enjoyed using the ERL and so far I've had great luck with it.
Your setup here worked great, except that when using the VPN (from outside my LAN), I could not ping local hosts by their hostnames.
I had to add an additional line:
set service dns forwarding options "listen-address=x.x.x.x"
where x.x.x.x is the eth0 address of my router.
I also used that same router address for dns-server 1, although I'm not sure if that was necessary or not.
set vpn l2tp remote-access dns-servers server-1 x.x.x.x
What kind of speeds are you able to get with the ERL over VPN? Anywhere close to 1G?
With this VPN configuration, I was able to get about 20Mb/s over the VPN tunnel.