Tony, This was so much better than most of these types of videos because you didn't just show the config. You took the time to explain what each line of the config did! That helps SO much. One thing I didn't understand is how the packets coming in via the VPN address pool get routed to and from the public WAN address. Thanks
Hi David, Thanks for your comments. Glad it helped you out. If I'm understanding your question correctly, you are defining the VPN WAN Interface and address pool in step 1. In addition, you are adding the necessary firewall rules allowing the VPN traffic to pass, see video at about the 7:36 mark of the video. Have a great day! Hope you subscribed.
@@QuikTechSolutions Absolutely! Just one question, if I may? I'm connected through VPN at 10 Ms/s max BD, is that settable from the EdgeRouter or is something else? Ohhh, I just realized my upload is 10 Mb/s LOL... Anyway, thanks again! You got a new sub here.
@@QuikTechSolutions VPN on EdgeRouter X, at my home (Coronavirus have-to) it's working pretty good. However, clients connected are using "my Internet connection" instead of their own, so, is there any config in the EdgeRouter to solve that? Thanks!
Hey Ivan, if I’m understanding correctly that’s more a setting that is controlled on the client side, not the server side. In the client’s VPN configuration there should be a setting that says something like, Send all traffic over VPN. This can be enabled or disabled. Not sure if this is what you are referring to. Have a great day.
Quik Tech Solutions L.L.C mmmm ok, I understand. Yes, on the client side will check. pfSense and OpenVPN got that config from the server, I get confused by that. Thanks again my friend!
Thank you for this tutorial Tony. I have tried this tutorial twice over the last few weeks on two different EdgeRouters at two different sites, on several different computers, and I keep running into the same problem. I am able to connect to the VPN successfully. I am able to verify with ipconfig that I am on the network with the right IP address and range that I have assigned. The problem is I can not see other computers or devices on the network I am attached to via the VPN. I try to ping the computer I want to remote into and do not receive a response from it, but I can do the opposite. I can ping the computer connected via the VPN, receive a response from it, and initiate a remote desktop connection. It's like the traffic is only flowing one way. Any computer on the physical network can ping the computer that's connected via the VPN, but not vice versa. I also tried remoting into the computer I want to remote into from another computer on the same physical network, and remote desktop works great. I made sure the VPN connections are set to private in Windows 10 and even tried disabling the Windows firewall. I feel as if there is an EdgeRouter firewall rule in place (or not in place) that is only allowing one way traffic to the VPN, but I'm probably wrong and am missing something. Any input would be greatly appreciated.
Hi Andrew, if you can ping the computer connected via VPN from a computer on the physical network and get a reply, you have two way traffic. Did you allow the subnets you wish to access? Did you implement the firewall rules as indicated in the video? Do you have a site to site VPN setup between the two Edgerouters that you tried this configuration on? If so, that would cause issues with Remote User VPN running on the same box. Also, I can remember exactly the firmware version, but about a year ago or more, there were some L2TP VPN issues with certain firmwares. Not sure if that’s been resolved.
I had to upgrade my EdgeRouter X to 1.9.1.1, because on the previous version it did not work. Once I upgraded to 1.9.1.1, it worked like a charm! Thank you very much!
Thank you for sharing. Yes, there were some issues with VPN in earlier firmware releases. Glad you got it working. Please subscribe to the channel. Thanks if you already have.
Hi Hello Hello 👋, thanks so much for sharing. So glad you found the video helpful. Please subscribe, share, and give the video a like 👍. Have a great day!
Thank you So much TONY :) I just find your video so so helpful and nearly the ONLY ONE who explains how to do VPN on GUI apart from everyone else who does CLI. I'm Really grateful that there's a YouTuber out there like you ... KEEP UP MY FRIEND 👍
Mr Twister thank you very much! I really appreciate your kind words. Over the last year I started teaching myself the CLI & Linux commands as there is definitely a plus to knowing this stuff, especially when needing to perform tweaks that may not be able to be completed through the GUI. Having said that, I felt your pain when searching for a YouTube video on how to config VPN on the EdgeRouter. The stuff I was finding out there was great, all command line stuff. The problem was I was lost usually 2 minutes into the video. Lol. So I figured I would make this video because I felt there had to be other people like me out there who just wanted to get the job done without messing around with command line. Thanks for watching. Hope you subscribed!!
Super helpful! I have used this video twice now (had to reconfigure my edge-router) and both times the process went smoothly because your video was so easy to follow! Thanks for a job well done!!
Still brilliant in 2023. My issue was external connection. Internal was fine. After setting the firewall rules from the Ubiquiti guide I had some pre-existing port forwards on port 500 and 4500. Make sure to check your existing forwarding rules.
If you're trying to connect to this from Windows you must configure your VPN adapter to support MS-CHAP v2. Just had to search for this so thought I would post it here for everyone. Navigate to the Windows 10 Network connections: Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties > Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
Chris Paetz that is correct. In fact, I did a separate video on just that. th-cam.com/video/Pd2NpYjrgCc/w-d-xo.html Thanks for sharing. Have a great day!
Great and informative video Tony! I learned a lot! I however have two questions of which one is directly related to the video. When you choose L2TP in the iPhone settings, is the IPSEC encryption used? There is also an IPSEC setting on the iPhone. Is that needed? My other question is whether you have considered using Softether or IKEV2 on an Edgerouter? Is it a possible future video project since L2TP/IPSEC security is under question?
Thanks so much! That's a great question. To my understanding, the encryption and hashing algorithms on the EdgeRouter are created by default, and cannot be edited using the CLI. I read on the UBNT forums that there is an unsupported option of editing the Vyatta script to make the encryption changes. Here's a link to that discussion - goo.gl/GXa9Us. I'm not recommending you do this, just throwing it out there as an FYI. So, when setting up the iPhone client using the L2TP connection type, it would make sense that when the client makes a successful connection to the L2TP tunnel, the encryption applies. If anyone else can shed any more light on this subject, please do. Have a great day!
Thank you! It sounds probable that it works that way. I’d rather not mess too much with CLI without clear instructions so L2TP/IPSec looks like the way to go on my iPhone. Or maybe OpenVPN as it seems not that difficult to implement.
Tabberacci The other thing I wanted to include in my original reply was the alternative using a Synology NAS device as a VPN server. If you already own a Synology NAS, there's a great VPN utility that can be downloaded and installed on the NAS. You can do PPTP, L2TP, and OpenVPN. On the L2TP side, there is an option to enable SHA2-256 mode. Once again, have a great day.
Thanks for replying. No, I don’t have a Synology or similar. I use single board computers as file servers and for my other NAS-tasks and unfortunately they don’t handle OpenVPN very well because of the ARM-CPU and the other server tasks they are running. I guess a dedicated server for the VPN would be ideal but I’d like to stay with the Edgerouter and SBC solution for now. I’ll try L2TP for a while to see if the hardware offload makes the speed superior to any OpenVPN solution I can run on my gear. Thanks again for the tutorial.
V1.2.0 is an old firmware. Update to a later version. I personally stay away from anything above v2.0. All my routers and clients’ routers are at v1.10.9.
Thank you sir, worked for the first time. Now finally after long time and tries I'm able to wake my PC from my smartphone/remote access. Works like a charm. Greetings from Germany
Hi John, thanks for commenting. You can remove the VPN but I don’t think there’s a way to disable it. But to be honest, I’m not sure on this. If anyone knows otherwise, please put it in the comments.
Great video and easy to set up, no issues, just followed the steps. Thank you!! I just have 1 question, I require 3 different users. One for me no problem but require 2 more (wife and son), is there any more configuration to do? Or just add the users via GUI?
Absolutely great video, thanks! I can now connect to my local devices, but would also like to be able to use the internet over the VPN connection. How can I get that working or did I make a mistake somewhere?
Thanks for watching. Glad you got it working. You didn’t make a mistake. The VPN server you set up in the Edgerouter is for users to connect to the home network when away from the home. What you want to do is a completely different type of VPN. In that scenario, the Edgerouter acts as the client that connects to a paid VPN service. Two totally different things. I don’t have a video on this, but here’s a link to another creator that covers this topic. th-cam.com/video/EvD1HKAT14U/w-d-xo.html Have a great day.
Thanks for laying it all out and making it easy to follow. I'm going to set this up soon. Couple quick questions. Do the DHCP servers have to be public or can they be internal? One of the reasons I want to set up a VPN is so I can use Pi-Hole from outside my network to block ads, so I would want to use the Pi-Hole's internal IP address as the primary DHCP, with a public as a backup. Second, does the client address pool have to be part of the existing internal DHCP range, separate from that range, or does it not matter? I did not realize this pool needed to be specified, as I assumed the client would receive an address from the existing DHCP pool. Hope that makes sense.
@@QuikTechSolutions Hi Tony, I have done the VPN configurations, from the mobile it's connected once, but from my Windows 10 laptop it is not connecting at all. I have watched your other video and checked the MS-CHAP v2, still unable to connect. I have FTTP and I am using DDNS as a server name. It's terminating on eth0 on my EdgeMax.
Right! But you can still use the dhcp public ip in the windows client just to see if a connection is established. This eliminates the issue being with the L2TP server configuration.
First, thank you for making this excellent tutorial. I have scoured the internet and your video is by far the best I have found for this topic. I am unable to make this work for me, and I know it is because of something I am doing wrong - in spite of deleting and re-adding a few times. Have you considered making an updated version of this video? As the version of the Edgerouter UI has changed quite a bit, it would be great to see a new tutorial. Plus, L2TP is considered unsecure and no one else has made a (good) recent video of how to setup a more secure VPN in this space.
Hello Frode! Thank you for tuning in and commenting. Glad you found the video helpful. Please subscribe, share, and give the video a like. Have a great weekend.
I have a new question about the firewall rules (IKE, L2TP ...). When the rules are created, in the Advanced> State section you will find the options of: established, invalid, new and related. In my case, I do not have any of them marked, should I mark any of them? Which one would they be?
Hi Scott, First off, thanks for your kind words and for taking the time to comment. You actually determine and create the shared secret. The key is that it is the same on the client and server. So, whatever you use as your shared secret, make sure you enter that in your device's VPN client during the configuration process. Hope this helps. Have a great day.
Great video, I have a few follow up questions. Is the IP range for incoming clients required? I thought my router already has a range for DHCP for the internal clients (isn't that true?) If so, don't I have to make sure the range I use is valid (certain min/max values) and does not overlap with the other range assignment? Also, I have static IP and since I am not as well versed on network engineering as most, I tend to be wary of altering my router config because messing things up can completely knock out my ability to access the internet (which is where I would go to research what to do) and the last time that happened I had to 'nuke/pave' my router which was painful. Your video seems to imply that nothing you are showing would conflict with existing settings in any way which makes me feel more comfortable, but would a full backup of my router to a config file before starting give me the ability to restore in the event I did mess anything up? Lastly, if I only want to use L2TP, do I have to put the other three rules in that you showed (IKE, ESP, etc)? Thank you for the great video and sharing your expertise and thank you for taking the time with my questions!
Thanks for this. I would like to allow remote users to access a LAN at another site, can this be done over the same IP address the site uses for internet access, or does it require multiple IPs?
Hi Chris, thanks for commenting. Remote users can access a lan using that wan IP address. You can specify the lan you wish them to access in the setup.
Great video Tony. Very informative, and in-depth for visual learners. I do have one question for you on this setup. Using the Config Tree method, what should I set my outside address to if I am using a DynDns setup. Right now I am currently using NoIp for my dyndns, but when I use 0.0.0.0, I am unable to complete the connection. I have triple checked all of the other settings, and this is the only step that I can think it would be. Do you think this could be the issue, or any other ideas?
Hi Jimmy, I use 0.0.0.0 with DDNS and a PPPoE WAN connection. If your WAN connection is PPPoE, this should work. If your WAN connection is DHCP, then use eth0 or whatever port you have set to WAN. Hope this helps.
@@QuikTechSolutions Thanks Tony. I set DHCP interface to eth0 and it worked. I appreciate you taking the time to help me. Point me to your donations page please sir.
Does the IP address range need to be in the range of the DHCP server for the network accessed? Or does this somehow generate its own DHCP leases under the client-ip-pool settings?
Hi Friis, thanks for tuning in and commenting. Glad you found the video helpful. This depends on how you set your network adapter. There should be a setting that says something similar to "Send all traffic over VPN." Have a great day.
Tony, Great Video. How would you set up this VPN to allow remote connections to private devices behind the NAT? Network is like this: Public client --> DHCP from ISP --> Cable modem with Firewall --> Edge Router --> Static clients
Thanks Tony, fab video as always. Is there a way to allow specific VPN users access to specific networks e.g. if have multiple VLANs, User1 and 2 can only see their own specific network?
Thanks for commenting Adrian. To be honest, I haven’t got a clue. Try posting this to the UI Community Forums. There are a ton of people in this community willing to help.
Hello Tony. Great video. I have done this configuration on my EdgeRouter L-3, but I was unable to access my VPN. I have tested using Nmap, and all three ports (500, 701, 4500) are filtered. I thought that those four firewall rules added to the firewall list were supposed to allow VPN connection. Am I missing something here?
@@QuikTechSolutions Hello Tony. I have changed the firewall rules order but still the same. nmap shows the following state for all ports: Port 500/udp State open|filtered. What does it mean Open/Filtered?
Thanks, Tony! I was able to follow along and set this up in no time. Works like a charm. I can access my devices on my home network and use my Pi-Hole for ad blocking when away from home. Those were my two goals. Does this also encrypt traffic like commercial VPNs do for the purpose of security when connected to a public hot spot?
Hello Ken, Congratulations on your successful installation. Happy to hear my content was useful to you. Regarding your inquiry, no this is not the same as the commercial subscription services. The intended use is for secure remote access when you are away from your home, not to be used within the home. In fact, if you try to connect from within your home network, the connection attempt will fail. Hope this clarifies. Thanks for tuning in. Have a great rest of your weekend.
@@QuikTechSolutions Thanks for the quick response. I think you may have misread my question. I did not say anything about connecting from within my home network. I know it is for connection TO your home network when away from home, and that is how I am using it. My question is, is that connection encrypted? Such that, when I'm connected to, let's say, a coffee shop network and then to my VPN, someone would not be able to snoop on my traffic, right? (I mean, it has to be, right? That's kinda the whole point of a vpn, right? I just want to verify this.)
Tony, great video. Did you have to set up Port Forwarding rules on the WAN to be able to connect the VPN? If so, what ports? Love all your other videos as well!
Thanks so much! No port forwarding on the WAN. Just make sure you put the firewall rules on WAN local as stated in the video. Please consider subscribing to the channel. Thanks if you already have. Have a great day
@@QuikTechSolutions How do I remotely access my ERX after successfully configuring the VPN and firewall rule? Kindly help, I have followed all the steps but I wonder how I will access my router remotely.
@@churchmouse7131 hello Church Mouse! Thanks for commenting. You have to configure the remote device with the following vpn info: server, username, password, pre-shared key.
Hello Chris, thanks for commenting. This is primarily for when you are away from your home or office and wish to connect remotely & securely back to your home or office. It is not the same as using a VPN subscription from within your home or office. Have a great day!
Thanks for the video. You explained something about PPPoE that actually helped to clarify some confusion I've had for a while. My question is with regard to the Auto Firewall setting in Edgerouter. You don't touch on it in the video, but is the setting on or off in this example and does it matter with what you did? Thanks so much.
Great video and still appears timely. I am surprised you did not add "set vpn ipsec auto-firewall-nat-exclude enable". I had to add this line to get to my vlans. Am I missing something?
Nice explanation of things Tony. I really like how you actually show everything on the GUI and the terminal. I myself hate the command line with a passion. I don't get people's love for the command line. I have been typing since the late 80's and I don't care for typing if I don't have to. Carpal tunnel sucks if you ask me. Either way the VPN setup on this router sucks. By the way, why not just use port forwarding, it's much easier than doing all those rules that people seem to love. I'm finally using this router again since it didn't seem to want to cooperate a while back. A few firmware updates later and it seems to work now. At the moment I just use my NAS OpenVPN, much better implemented than this router. I of course just connect to the computer and call it a day since I can get to everything from it. I guess I like to simplify my life but many people like to make it more work than it needs to be.
myshots101 thanks for your comments. As I mentioned in a previous comment on this thread, I recently began teaching myself the command line as there are advantages. But I much prefer to get things done in a GUI or Web UI.
I was able to set up my VPN only by adding a firewall rule to allow PING. Otherwise I was not able to access the VPN. Is this rule absolutely necessary?
Hi Tony, great video! However, when I try to connect from Windows 10 using the built-in VPN client, I get "The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password does not match...". However, I followed your instructions down to a T for both the server and client. The client is setup as L2TP/IPSec PSK. Are you aware of this error and what's causing it?
Hi Aubrey, thanks for commenting! This vid might be what you’re looking for: How To Connect To EdgeRouter L2TP VPN Server From Windows 10 th-cam.com/video/Pd2NpYjrgCc/w-d-xo.html
Curious with Android removing the l2tp as an option, and this video being a bit older, is there any possibility of updating this to utilizing ikev2/ipsec? I know about openVpn but I'd rather not have to rely on 3rd party apps, if at all possible.
Hi! Great video. Got my tunnel up in no time. But I can't find my BACnet devices through the tunnel. Do I have to make more adjustments to talk on port 47808 UDP? Thanks
Yes, I can reach my web server on port 80 and SSH to the server as well. Haven't tried more ports, but the BACnet broadcast search can't find any devices.
Martin Mizgalski wish I could help, but I can’t speak to Bacnet as I don’t have any hands-on experience with it. The purpose of this video was to help with getting L2TP over IPSec working on an EdgeRouter and you’ve accomplished that. Maybe try looking to Bacnet Forums. Have a great day.
Hello Tony, I followed your guide and it was working for some days, but after a weekend it stopped working. Now the error is: The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer. I would like to start again but I don't know how to delete set vpn lines. Thanks
Hi, the video is great. But I don't have a public IP, and have 2 NATs over my ERL... I configured using No-IP, thinking that the server would work, but no. Any idea? The VPN works on my iPhone locally, but not on 4G AT&T
@@QuikTechSolutions Sorry for bothering you again, I wonder if you could help me a little more: 1. In the video, you explain/show setting up the user name ("Tony"), but you do not show setting up the password. The UBNT CLI has password being set up in the command line. Should I set up the PW under my name in the config tree? 2. When configuring my phone (Android Ahh...), what should I enter under the DNS server address? I am using dynamic DNS. Thanks a lot
@@y.l.8361 you can set the pw in the config tree. I purposely showed the config tree for those not comfortable with working in the CLI. As for the Android client config, you can use whatever DNS server you want.
Tony, I got lost at the Firewall/NAT Policies. For me (EdgeRouter Lite v1.10.8) the firewall Rulesets are empty, not sure where your WAN Local (ppoe0\local) is coming from... Thanks!
A new EdgeRouter is usually configured for the first time with one of the wizards. One of the things the wizard does is create the WAN_IN and WAN_LOCAL firewall rule sets. If you don’t complete a wizard and decide to configure everything manually, you must also manually create these rule sets.
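An added example, not part of the original comments or of Ubiquiti's documentation: a small Python audit of an EdgeOS "show configuration commands" dump for the two causes of failed external connections raised in this thread, namely missing or shadowed WAN_LOCAL accept rules for IKE (UDP 500), ESP, NAT-T (UDP 4500) and L2TP (UDP 1701), and existing port forwards that capture those ports. The sample config, rule numbers and addresses are constructed; the first-match walk skips rules with state or source criteria and does not resolve named ports, both simplifications.

```python
import shlex
from collections import defaultdict

# Traffic an L2TP/IPsec server must receive on the router itself.
REQUIRED = [("IKE", "udp", 500), ("ESP", "esp", None),
            ("NAT-T", "udp", 4500), ("L2TP", "udp", 1701)]

# Constructed sample in `show configuration commands` form (not from a real router):
# the L2TP rule is missing and an old port forward still captures UDP 4500.
SAMPLE_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 protocol udp
set port-forward rule 1 description 'old ipsec passthrough'
set port-forward rule 1 forward-to address 192.168.1.50
set port-forward rule 1 original-port 4500
set port-forward rule 1 protocol udp
"""


def parse(config_text, ruleset):
    """Return ({rule_no: attrs} for the ruleset, {rule_no: attrs} for port-forward)."""
    fw, pf = defaultdict(dict), defaultdict(dict)
    for line in config_text.splitlines():
        t = shlex.split(line)
        if (t[:3] == ["set", "firewall", "name"] and len(t) >= 8
                and t[3] == ruleset and t[4] == "rule"):
            fw[int(t[5])][" ".join(t[6:-1])] = t[-1]
        elif t[:3] == ["set", "port-forward", "rule"] and len(t) >= 6:
            pf[int(t[3])][" ".join(t[4:-1])] = t[-1]
    return fw, pf


def port_covers(spec, port):
    """True if a port spec such as '500', '500,4500' or '4500-4510' includes port."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False


def proto_covers(rule_proto, proto):
    """True if the rule's protocol setting matches proto (unset means all)."""
    if rule_proto in (None, "all"):
        return True
    return rule_proto == proto or (rule_proto == "tcp_udp" and proto == "udp")


def verdict(fw, proto, port):
    """Walk rules in number order and return (action, rule_no) of the first match."""
    for num in sorted(fw):
        rule = fw[num]
        # Rules limited by connection state or source cannot be decided here.
        if any(key.startswith(("state ", "source ")) for key in rule):
            continue
        if not proto_covers(rule.get("protocol"), proto):
            continue
        if (port is not None and "destination port" in rule
                and not port_covers(rule["destination port"], port)):
            continue
        return rule.get("action"), num
    return None, None


def audit(config_text, ruleset="WAN_LOCAL"):
    """Return findings as (kind, service, rule_no) tuples; an empty list means clean."""
    fw, pf = parse(config_text, ruleset)
    findings = []
    for name, proto, port in REQUIRED:
        action, num = verdict(fw, proto, port)
        if action is None:
            findings.append(("missing", name, None))
        elif action != "accept":
            findings.append(("shadowed", name, num))
    for num in sorted(pf):
        rule = pf[num]
        for name, proto, port in REQUIRED:
            if (port and proto_covers(rule.get("protocol"), proto)
                    and port_covers(rule.get("original-port", ""), port)):
                findings.append(("port-forward", name, num))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A "shadowed" finding means a lower-numbered drop or reject rule matches the traffic before any accept rule does, which is the rule-order problem asked about earlier in the thread.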
Hello Zuhair. Recheck your input, check for typos, make sure you didn’t leave out any steps. If everything was done as per the video, things should work. Good luck.
Hi Zuhair, I have the same problem, at DNS I presume. I use Dynamic DNS servers and when I connect to VPN, I cannot browse the internet. Though I can access an IP camera from my network. How did you solve the problem? Ty
@@QuikTechSolutions Thanks. I do not have access to the GUI, I'm a ways away from Router. Wanting to upload configuration backup using winscp or ssh. Any suggestions/help? Thanks
Mac XPS hi there. So, you have to make eth5 part of the switch. I’m assuming you followed the setup wizard and ended up with a switch 0 interface. Go into the switch 0 config and add eth5 to the switch configuration.
Quik Tech Solutions L.L.C hi Tony, I’m trying to use the wizard, but I’m still not able to connect it. Can you please explain in detail how I can configure the SFP port, because there is no guide to help, just you. I can’t thank you enough for your help
Send me an email, I’ll send you instructions with a screen shot. It’s something I’ll do as a video at some point. But I’ll send you email instructions for now so you can get up & running.
I have an HP LaserJet printer on my network, and I was hoping to be able to print from the VPN, but sadly, the printer does not show up when a device is connected to the VPN. Is there a way to get this to work?
Hi Ken, thanks for commenting. I’m not sure how you have your printer installed on your network. Is it on the same subnet that you made available in the VPN configuration?
Quik Tech Solutions L.L.C Yes. After further troubleshooting, this seems to be an issue with the printer. Even when connected locally to the same network, it doesn’t always show up on the device I want to print from (Apple devices, so we are talking AirPrint here, which is built in to the printer and enabled), and I often have to power cycle the printer.
@7:37 the whole point of a VPN connection is to remote in from an outside network over the Public IP. You didn't establish any rules for the WAN_IN port to allow that traffic. Did I miss something?
Hi Tony. I tried using my EdgeRouter as my DNS server to take advantage of caching and it doesn't appear to work. Do I have to use an alternate (Internet) DNS server? Thanks!
Hi Henry, thanks for commenting! A couple of things come to mind initially. Did you set the DNS Listening Interface under the services tab? Also, under Services>DHCP, make sure you set the DNS field to the IP of the Router.
Hi Tony. Thanks for your great video. Clear and explanatory! I'm already a subscriber! I just have one small question: I live in Italy, and I'm expecting my ER-X soon from AMZN. Here things work a little differently; We have ADSL and usually we have a modem that connects to the phone line, already translating some provider-issued dynamic WAN IP into a local non-routable IP (assume 192.168.1.x) and I use a DDNS service to keep track of my public IP. My idea was to put the ER-X into the DMZ of my modem, thus getting a LAN address from my modem that most likely would be 192.168.1.2 (being 192.168.1.1 the LAN address that the modem reserves for itself). Now the question is: should I then at step 6 of your tutorial put "set l2tp remote-access dhcp-interface eth0" (assuming obviously that eth0 is the WAN I/F connected to my modem), or should I use the third option for DDNS? I don't use PPPoE, mind you, even if I *think* I might, but I'm not sure my modem would really allow.... My guess is option 2 (... dhcp-interface eth0) as - in principle - being the ER-X in DMZ nothing should be filtered out by the modem and routing should be allowed 1:1, but I'd like your position on this. Thanks very much in advance!!!
Hi Andrea, Thanks for your comments. As far as your setup goes, I'm not in favor of placing the ER-X in the DMZ. Would much rather see the modem placed into bridge mode, but sometimes this is not possible by the end user. In any event, based on your current config, I agree with you in theory regarding option 2. Good luck. Let me know how it plays out. Have a great day.
No worries!!! May I ask you please to make a video for how to build a network system with Ubiquiti devices like EdgeRouter or USG? Again thank you so much!
Mac XPS I am planning to do an Edge router config vid, as well as a basic Unifi config at some point. Trying to accumulate a few bucks to get a lab setup so I don't have to keep using my live production equip to make these videos. Stay tuned and have a great day.
Hello Ricardo. Here’s a link to Ubiquiti’s help doc. In this article you’ll find what you are requesting. Have a great day. help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server
Hi Tony. I've set this up, and it connects properly and uses my home connection to access the internet. However, I can't seem to connect to any local resources (printers, servers, etc...). Any ideas?
@@QuikTechSolutions I did. 10.x.x.1/24. It does now say DEPRECATED in the heading, so I'm not sure it's still looking at that value. One thing of note: my router sits at 10.x.x.254... do you think this may affect things? I've tried all 3 possibilities (.1, .0 and .254), none seemed to help.
I would recommend deleting the VPN altogether and start from scratch. Enter the Edgerouter CLI, then enter edit mode by typing config. Once in edit mode type the following commands:
delete vpn
commit
save
Good luck.
Thanks for the help Tony. I deleted it and started over, works like a charm. The only thing I can think of is I've done it through the CLI this time instead of the GUI. In any case, great video!
Good afternoon sir. How do I create the PPPoE interface? I tried adding it from the Dashboard (Add Interface/PPPoE) and even though it adds the interface to the Dashboard, it does not show as an option in the Interface drop down. Thanks!
Hello Tony, pls my EdgeRouter is sitting behind my ISP Huawei HG8245H gateway, VPN is configured and working locally but I can't connect from outside the network. Can you pls help me out in resolving that pls
Hi Asamoah, two things come to mind. Why not use the EdgeRouter as the main router in place of the ISP device? If there is a reason that forces you to keep the ISP device, did you forward the VPN ports from the ISP device to the EdgeRouter?
Hi Tony. I love your videos. Could you do a video on how to configure - vpn l2tp remote-access outside-address on 2 diff wan ? First wan DHCP/ Second wan is PPPOE failover only edgerouter. Thanks
No, real Thank you Tony!! not sarcastic one! :) You are the best because in the past couple weeks I returned two Cisco RV series because of lack of reliability. And after I bought this router (last night) and I saw your video I was able to setup VPN on my iPhone!!! You are the man!!
Hi great tutorial, I followed your steps and can connect to the VPN. My LAN network is 172.16.1.0/24 and the pool defined for the VPN is 172.16.1.38 - 234. My issue however is that my VPN client always gets assigned an IP without a default gateway and a subnet of 255.255.255.255, thus I am unable to reach any device on the LAN where the VPN server is. Is there something I may have overlooked?
@@QuikTechSolutions yes I did figure that out as the issue eventually. VPN works fine now and endpoints can connect just fine. 🙏 I am now however trying to figure out how to setup a Site to site VPN between the Edge Router and an Azure VPN. Any helpful pointers would be greatly appreciated.
Glad you got it sorted out. Sorry for the delayed response, your comment was being held for approval. I’m not sure why that was. In any event, I’ve setup site to site between two Edgerouters and also between an Edgerouter and OPNsense. I’ve never done it with Azure VPN, so I’m not sure I can be of much help. All I can say is make sure you have the correct subnets entered on each side, as well as matching the secret key and the encryption settings. Good luck. Let me know how you make out eventually. Have a great day.
I have tried this on several Edge Routers. It works perfectly connecting via Windows (all versions) but on iOS just does not work. It's been a year of messing around and still no connection.
You can set additional users using the same command used to create the original user. SSH back into the router, enter Configure mode, then enter the command for each user you want to add. Don’t forget to save and commit. Also, backup your existing configuration before proceeding. This way, if something should go wrong, you can restore from the backup.
Hi Sami, not to my knowledge. L2TP is an older protocol now that is less secure than some of the newer protocols, which is why Google probably made the decision to stop using it. Do you have a Synology on your network by any chance? If so, you can run Tailscale, check out my buddy's video on how to do this. th-cam.com/video/u2Qp1BM8Qi8/w-d-xo.html
@@QuikTechSolutions Thank you for the quick reply. I don't actually have Synology. I am thinking if I install OpenVPN on a PC that is all on PC, it may work. Thanks dear
Hi Arlen, I’ve never done this, but my guess is you would have to have admin access to your ISP router to be able to port forward the VPN traffic to the Edgerouter.
Using a Windows 10 machine was an issue for me. I searched and found what was preventing my connection. After you create the Windows VPN, make sure to edit the VPN connection in Network Connections. Right click on the VPN connection you just created, click Properties, click Security, enable "Allow these protocols" and select CHAP & MS-CHAP v2.
Hello Felice! Thanks for commenting. You are correct about editing the network adapter. In fact, I have a video dedicated to this issue on my channel. Have a good day.
Hi! Thanks for the great video... Q: I can't connect to my VPN over 4G, but if the iPhone is on my EdgeRouter network and I try to connect to the VPN then it works.... Please help
Thanks for commenting. Technically, it should be the other way around. If your iPhone is on your internal network & connected to your wifi, you shouldn't be able to connect to your VPN. You may want to take a look at your setup.
Ok, so I'm assuming you setup the VPN on an EdgeRouter seeing as you commented on this VPN video. Did you do the initial config using the CLI (command line) or using the Config Tree in the router's GUI? In any event, you can check your config against the video starting at the 5:00 mark. Log into your EdgeRouter, then go to Config Tree>VPN and expand each section under IPSEC and L2TP. Make sure your network information is entered correctly, especially your WAN interface. Good luck.
Wonderful video. Can you explain how to connect LAN in VPN with an EdgeRouter Lite and a Fritzbox 7590? (formerly a VPN router to router) Thank you, excuse my bad English
I totally appreciate the offer. However, I prefer to have a physical unit so that I could set up a test environment in the lab to explore. Have a great day!
Followed all of your instructions (great video btw) and I am getting errors on both my Mac and my Android. My Android says timeout while connecting and my Mac says that the connection could not be established with the PPP server. Any ideas? Cheers.
Thanks. From what you’re saying, sounds like you have multiple VPN config commands in the Router. Maybe from previous configuration attempts? You can check through the Config Tree by expanding the VPN tab and checking each area.
Hey Tony, I updated my firmware and it broke my VPN which was setup following your instructions. Any chance you could update this for firmware version 2.0.3? I think what breaks is somewhere around step 6 Thanks so much. Dave
Hi Dennis, I have stayed completely clear of firmware V2 and above because it is known to be very unstable and breaks lots of things. The best advice I can give you at this time is to roll your system back down to V1.10.9. Get completely off of V2. Hopefully, you keep backups of your config files. Good luck.
@@QuikTechSolutions well I got it working. It appears that in the firmware upgrade one of the firewall rules IPSEC was shifted from "accept" to "reject". I fixed that and it took off. Thanks so much for the prompt reply Tony! I do have backups so I knew I could get back to my starting point, but fortunately I didn't have to do it. Thanks again.
Great video. I got everything set up except the Dynamic DNS. Are the following steps close to what I need to do? 1. Buy or get free DNS service from noip.com (or similar). 2. Under Services - DNS input the Dynamic DNS service (hostname, login, password etc). 3. Go to Firewall/NAT -> Port forward to forward the incoming connection?? To summarize, I don't know how to configure the Dynamic DNS on the Edge router to make it work with the VPN solution you're describing. Thanks
Is it easy to configure an Edgerouter X as VPN client? In my scenario I'd like it to connect to a VPN server in a datacenter, because it's not possible to get my own internet connection at the office space I'm currently leasing. They provide a big flat 192.168.x.x network that anyone can plug into and refuse to create separate networks for all the offices. I don't want my employees having to mess with VPN settings on their laptops, I'd rather have the router maintain a permanent VPN tunnel.
Hello, thanks for your work! The tutorials are very good, but I would appreciate it if you could update it to the current software version. I am currently on the latest v2.0.9-hotfix.7 and due to errors, I cannot perform the settings either with GUI or CLI commands.
Hello Lindon, I don’t have an Android device to test with. However, after reading a few forums on this same issue, several users posted that adding the following line to your L2TP configuration will resolve the issue. set vpn l2tp remote-access authentication require mschap-v2
Tony,
This was so much better than most of these types of videos because you didn't just show the config. You took the time to explain what each line of the config did! That helps SO much.
One thing I didn't understand is how the packets coming in via the VPN address pool get route to and from the public WAN address. Thanks
Hi David, Thanks for your comments. Glad it helped you out. If I'm understanding your question correctly, you are defining the VPN WAN Interface and address pool in step 1. In addition, you are adding the necessary firewall rules allowing the VPN traffic to pass, see video at about the 7:36 mark of the video. Have a great day! Hope you subscribed.
Tony, I am so happy. I've been trying for 6 months to get this working. Thanks to you it is now. Already subscribed buddy!
+David Dennis awesome and thanks for the subscription. Have a great day!
Absolutely 👍🏼
Tony, this video of yours deserves all kinds of accolades. Very clear, descriptive, informative. Great job and thanks!
Thank you sir! Very much appreciated! Glad you found the video useful. Have a great day.
Thank you Tony! I always learn er-x configuration bit by bit from your videos. It's a great way to build up my networking knowledge.
Thank you miragesea. I appreciate your comment very much. Glad the videos are helpful.
Hey Tony! Fantastic tutorial for those who come from Iptables-linux-based-routing, thank you so much. Greeting from Argentina.
Hello Ivan from Argentina! Thank you for commenting. Glad you found the information useful. Have a great day!
@@QuikTechSolutions Absolutely! Just one question, if I may? I'm connected through VPN at 10 Ms/s max BD, is that settable from the EdgeRouter or is something else? Ohhh, I just realized my upload is 10 Mb/s LOL... Anyway, thanks again! You got a new sub here.
@@QuikTechSolutions VPN on EdgeRouter X at my home (Coronavirus have-to), it's working pretty good. However, clients connected are using "my Internet connection" instead of their own, so is there any config in the EdgeRouter to solve that? Thanks!
Hey Ivan, if I’m understanding correctly that’s more a setting that is controlled on the client side, not the server side. In the client’s VPN configuration there should be a setting that says something like, Send all traffic over VPN. This can be enabled or disabled. Not sure if this is what you are referring to. Have a great day.
Quik Tech Solutions L.L.C mmmm ok, I understand. Yes, I will check on the client side. pfSense and OpenVPN got that config from the server, I get confused by that. Thanks again my friend!
Thanks Tony. I just found your video and I was able to setup VPN on my iPhone and Edgerouter 4 by following these instructions.
Very cool! Glad the info presented was helpful. Thanks for commenting and have a great day!
Thank you for this tutorial Tony. I have tried this tutorial twice over the last few weeks on two different EdgeRouters at two different sites, on several different computers, and I keep running into the same problem. I am able to connect to the VPN successfully. I am able to verify with ipconfig that I am on the network with the right IP address and range that I have assigned. The problem is I cannot see other computers or devices on the network I am attached to via the VPN. I try to ping the computer I want to remote into and do not receive a response from it, but I can do the opposite. I can ping the computer connected via the VPN, receive a response from it, and initiate a remote desktop connection. It's like the traffic is only flowing one way. Any computer on the physical network can ping the computer that's connected via the VPN, but not vice versa. I also tried remoting into the computer I want to remote into from another computer on the same physical network, and remote desktop works great. I made sure the VPN connections are set to private in Windows 10 and even tried disabling the Windows firewall. I feel as if there is an EdgeRouter firewall rule in place (or not in place) that is only allowing one-way traffic to the VPN, but I'm probably wrong and am missing something. Any input would be greatly appreciated.
Hi Andrew, if you can ping the computer connected via VPN from a computer on the physical network and get a reply, you have two-way traffic. Did you allow the subnets you wish to access? Did you implement the firewall rules as indicated in the video? Do you have a site to site VPN setup between the two EdgeRouters that you tried this configuration on? If so, that would cause issues with Remote User VPN running on the same box. Also, I can't remember exactly the firmware version, but about a year ago or more, there were some L2TP VPN issues with certain firmwares. Not sure if that’s been resolved.
😣 It was older firmware! I hadn't updated in awhile because they had been so reliable. I should have known better. Thank you for your input.
Hello Andrew, thanks for reporting back. Glad you got the issue resolved. Have a great day!
I had to upgrade my EdgeRouter X to 1.9.1.1, because on the previous version it did not work. Once I upgraded to 1.9.1.1, it worked like a charm! Thank you very much!
Thank you for sharing. Yes, there were some issues with VPN in earlier firmware releases. Glad you got it working. Please subscribe to the channel. Thanks if you already have.
@@QuikTechSolutions I am on version 2.0.9 and cannot get it to work. Any info on where to look in the log files to see where it is failing?
Just set this up today with my EdgeRouterX SFP, so much better than reading thru tutorials on the web. I enjoy all your vids and Happy New Year.
I really do appreciate your comments. Happy new year to you as well. Glad you found video helpful. Have a great day.
Thanks for the detailed explanation. It is taking me awhile to learn the ins and outs of this device but It’s nice to finally have vpn set up.
Great! Glad you were able to get the VPN up & running. Have a great day!
Just want to say thank you for the video. I have used this to successfully configure my EdgeRouter and connected via my Android device!
Hi Hello Hello 👋, thanks so much for sharing. So glad you found the video helpful. Please subscribe, share, and give the video a like 👍. Have a great day!
I got it working on my MacBook. How did you get it working on your Android? What are the settings you used?
Thank you so much TONY :) I just find your video so so helpful and nearly the ONLY ONE who explains how to do VPN on GUI apart from everyone else who does CLI
I'm really grateful that there's a YouTuber out there like you ... KEEP UP MY FRIEND 👍
Mr Twister thank you very much! I really appreciate your kind words. Over the last year I started teaching myself the CLI & Linux commands as there is definitely a plus to knowing this stuff, especially when needing to perform tweaks that may not be able to be completed through the GUI. Having said that, I felt your pain when searching for a YouTube video on how to config VPN on the EdgeRouter. The stuff I was finding out there was great, all command line stuff. The problem was I was lost usually 2 minutes into the video. Lol. So I figured I would make this video because I felt there had to be other people like me out there who just wanted to get the job done without messing around with command line. Thanks for watching. Hope you subscribed!!
I just did subscribe Tony .. again thank you for your work my friend :)
Super helpful! I have used this video twice now (had to reconfigure my edge-router) and both times process went smoothly because your video was so easy to follow! Thanks for a job well done!!
Thanks so much for commenting. Please subscribe, share, & give the video a like. Glad the content was useful in both instances. Have a great day!
Thank you sooooo much!!! I've been struggling to find a configuration that really works... Your directions were clear and totally effective. Awesome!
Thanks Nine Star. Great to know the video content is still relevant these days. Have a great day!
Still brilliant in 2023. My issue was external connection. Internal was fine. After setting the firewall rules from the Ubiquiti guide, I had some pre-existing port forwards on port 500 and 4500. Make sure to check your existing forwarding rules.
Thanks for watching and commenting. Have a great day.
Thank you Tony for the great instructions. Clear and understandable. I wish you many more such tutorials. Best regards from Slovakia
Thank you for commenting. Glad you found the info to be useful. Have a great day!
If you're trying to connect to this from Windows you must configure your VPN adapter to support MS-CHAP v2. Just had to search for this so thought I would post it here for everyone.
Navigate to the Windows 10 Network connections.
Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties
Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
Chris Paetz that is correct. In fact, I did a separate video on just that.
th-cam.com/video/Pd2NpYjrgCc/w-d-xo.html
Thanks for sharing. Have a great day!
Thank you for this :)
Well done sir. Thank you for taking the time to create this video.
Thanks Harry! Glad the info was helpful. Have a great day!
Great and informative video Tony! I learned a lot! I however have two questions, of which one is directly related to the video.
When you choose L2TP in the iPhone settings, is the IPSEC encryption used? There is also an IPSEC setting on the iPhone. Is that needed?
My other question is whether you have considered using SoftEther or IKEv2 on an EdgeRouter? Is it a possible future video project since L2TP/IPSEC security is under question?
Thanks so much! That's a great question. To my understanding, the encryption and hashing algorithms on the EdgeRouter are created by default, and cannot be edited using the CLI. I read on the UBNT forums that there is an unsupported option of editing the Vyatta script to make the encryption changes. Here's a link to that discussion - goo.gl/GXa9Us. I'm not recommending you do this, just throwing it out there as an FYI. So, when setting up the iPhone client using the L2TP connection type, it would make sense that when the client makes a successful connection to the L2TP tunnel, the encryption applies. If anyone else can shed any more light on this subject, please do.
Have a great day!
Thank you! It sounds probable that it works that way. I’d rather not mess too much with CLI without clear instructions so L2TP/IPSec looks like the way to go on my iPhone. Or maybe OpenVPN as it seems not that difficult to implement.
Tabberacci The other thing I wanted to include in my original reply was the alternative using a Synology NAS device as a VPN server. If you already own a Synology NAS, there's a great VPN utility that can be downloaded and installed on the NAS. You can do PPTP, L2TP, and OpenVPN. On the L2TP side, there is an option to enable SHA2-256 mode. Once again, have a great day.
Thanks for replying. No, I don’t have a Synology or similar. I use single board computers as file servers and for my other NAS-tasks and unfortunately they don’t handle OpenVPN very well because of the ARM-CPU and the other server tasks they are running. I guess a dedicated server for the VPN would be ideal but I’d like to stay with the Edgerouter and SBC solution for now. I’ll try L2TP for a while to see if the hardware offload makes the speed superior to any OpenVPN solution I can run on my gear. Thanks again for the tutorial.
Appreciate this video very much. Been looking for a simple explanation like this. Thank you.
You’re very welcome! Glad you found information in the video helpful. And thank you for subscribing! Have a great day.
@@QuikTechSolutions Question here. What if I am not seeing the Config Tree tab in my dashboard? I am using an EdgeRouter PoE v1.2.0
V1.2.0 is an old firmware. Update to a later version. I personally stay away from anything above v2.0. All my routers and clients’ routers are at v1.10.9.
@@QuikTechSolutions Ok thanks
Very descriptive and illustrative. It works! Thank you!
Gueorgui Nikolov Popov Karadjov thank you for your comments. Please consider subscribing if you have not done so already. Have a great day.
Thank you sir, worked the first time. Now finally, after a long time and many tries, I'm able to wake my PC from my smartphone/remote access. Works like a charm. Greetings from Germany
Hello Bartek, thanks for tuning in. Glad you found the video helpful. Have a great day!
Great video, thank you. Short question: how can you temporarily disable the VPN?
Hi John, thanks for commenting. You can remove the VPN but I don’t think there’s a way to disable it. But to be honest, I’m not sure on this. If anyone knows otherwise, please put it in the comments.
Thank you for explaining what each setting is doing. Teach a man to fish...
Thanks Brian! I don't fish, lol. Glad you found the video helpful. Have a great day.
Great video and easy to set up, no issues, just followed the steps. Thank you!! I just have 1 question: I require 3 different users. One for me, no problem, but I require 2 more (wife and son). Is there any more configuration to do? Or just add the users via GUI?
Christopher Bianco if you’ve already completed the setup, probably easier to add them using the GUI Config Tree.
Quik Tech Solutions L.L.C great then via GUI ! Thank you 😊
Absolutely great video, thanks! I can now connect to my local devices, but would also like to be able to use the internet over the VPN connection. How can I get that working or did I make a mistake somewhere?
Thanks for watching. Glad you got it working. You didn’t make a mistake. The VPN server you set up in the Edgerouter is for users to connect to the home network when away from the home. What you want to do is a completely different type of VPN. In that scenario, the Edgerouter acts as the client that connects to a paid VPN service. Two totally different things. I don’t have a video on this, but here’s a link to another creator that covers this topic. th-cam.com/video/EvD1HKAT14U/w-d-xo.html Have a great day.
Thanks for laying it all out and making it easy to follow. I'm going to set this up soon. Couple quick questions. Do the DHCP servers have to be public or can they be internal? One of the reasons I want to set up a VPN is so I can use Pi-Hole from outside my network to block ads, so I would want to use the Pi-Hole's internal IP address as the primary DHCP, with a public as a backup. Second, does the client address pool have to be part of the existing internal DHCP range, separate from that range, or does it not matter? I did not realize this pool needed to be specified, as I assumed the client would receive an address from the existing DHCP pool. Hope that makes sense.
Nice and crisp, easy to follow instructions, right to the point, thank you for creating the video. Stay blessed.
Thanks again Wasif! Have a great day!
@@QuikTechSolutions Hi tony, I have done the VPN configurations, from the mobile it's connected once, but from my Windows 10 laptop it is not connecting at all. I have watched your other video and check the MS-CHAP v2, still unable to connect. I have FTTP and I am using DDNS as a server name. it's terminating on eth0 on my EdgeMax.
Have you tried connecting using the IP instead of the DDNS?
@@QuikTechSolutions Unfortunately I do not have a static IP from my ISP, that's why I am using DDNS...
Right! But you can still use the dhcp public ip in the windows client just to see if a connection is established. This eliminates the issue being with the L2TP server configuration.
First, thank you for making this excellent tutorial. I have scoured the internet and your video is by far the best I have found for this topic. I am unable to make this work for me, and I know it is because of something I am doing wrong - in spite of deleting and re-adding a few times. Have you considered making an updated version of this video? As the version of the Edgerouter UI has changed quite a bit, it would be great to see a new tutorial. Plus, L2TP is considered unsecure and no one else has made a (good) recent video of how to setup a more secure VPN in this space.
Thank you for this video. It was very easy to follow and made it easy to set up VPN on my own router.
Hello Frode! Thank you for tuning in and commenting. Glad you found the video helpful. Please subscribe, share, and give the video a like. Have a great weekend.
Thanks Tony. I will be trying this when I get home from work.
I have a new question about the firewall rules (IKE, L2TP ...). When the rules are created, in the Advanced> State section you will find the options of: established, invalid, new and related. In my case, I do not have any of them marked, should I mark any of them? Which one would they be?
Established, New, & Related
@@QuikTechSolutions Thank you very much!!!!!
You’re welcome! Have a great day!
Hello Tony, This is a great video. I really like how you describe how and why. Can you tell me how to create the pre-shared-secret?
Hi Scott, First off, thanks for your kind words and for taking the time to comment. You actually determine and create the shared secret. The key is that it is the same on the client and server. So, whatever you use as your shared secret, make sure you enter that in your device's VPN client during the configuration process. Hope this helps. Have a great day.
Quik Tech Solutions L.L.C is this connection encrypted?
Yes sir! That is the whole purpose behind using a vpn of this nature.
Great video, I have a few follow-up questions. Is the IP range for incoming clients required? I thought my router already has a range for DHCP for the internal clients (isn't that true?). If so, don't I have to make sure the range I use is valid (certain min/max values) and does not overlap with the other range assignment? Also, I have a static IP and since I am not as well versed on network engineering as most, I tend to be wary of altering my router config because messing things up can completely knock out my ability to access the internet (which is where I would go to research what to do) and the last time that happened I had to 'nuke/pave' my router, which was painful. Your video seems to imply that nothing you are showing would conflict with existing settings in any way, which makes me feel more comfortable, but would a full backup of my router to a config file before starting give me the ability to restore in the event I did mess anything up? Lastly, if I only want to use L2TP, do I have to put the other three rules in that you showed (IKE, ESP, etc)? Thank you for the great video and sharing your expertise, and thank you for taking the time with my questions!
Edit: I watched your other video on backup/restore which answered one of my above questions. Great resource site for ERX advice
Thanks for this. I would like to allow remote users to access a LAN at another site, can this be done over the same IP address the site uses for internet access, or does it require multiple IPs?
Hi Chris, thanks for commenting. Remote users can access a lan using that wan IP address. You can specify the lan you wish them to access in the setup.
@@QuikTechSolutions Great, thank you.
Great video Tony. Very informative, and in-depth for visual learners. I do have one question for you on this setup. Using the Config Tree method, what should I set my outside address to if I am using a DynDns setup. Right now I am currently using NoIp for my dyndns, but when I use 0.0.0.0, I am unable to complete the connection. I have triple checked all of the other settings, and this is the only step that I can think it would be. Do you think this could be the issue, or any other ideas?
Hi Jimmy, I use 0.0.0.0 with DDNS and a PPPoE WAN connection. If your WAN connection is PPPoE, this should work. If your WAN connection is DHCP, then use eth0 or whatever port you have set to WAN. Hope this helps.
@@QuikTechSolutions Thanks Tony. I set DHCP interface to eth0 and it worked. I appreciate you taking the time to help me . Point me to your donations page please sir.
Great! Glad you got it to work Jimmy. Here’s the donation link you requested:
www.paypal.me/quiktechsolutionsllc
Thanks so much!
Does the IP address range need to be in the range of the DHCP server for the network accessed? Or does this somehow generate its own DHCP leases under the client-is-pool settings?
Hi Tom, thanks for commenting. I’ve always set the pool as the same network just made sure they were outside the DHCP range. Have a great day!
Thanks for a great good video.
Do remote users get internet through their own router or through the L2TP server's gateway?
Hi Friis, thanks for tuning in and commenting. Glad you found the video helpful. This depends on how you set your network adapter. There should be a setting that says something similar to "Send all traffic over VPN." Have a great day.
Tony, Great Video. How would you set up this VPN to allow remote connections to private devices behind the NAT. Network is like this Public client --> DHCP from ISP->Cable modem with Firewall--> Edge Router--> Static clients
Thanks Tony, fab video as always. Is there a way to allow specific VPN users access to specific networks e.g. if have multiple VLANs, User1 and 2 can only see their own specific network
Thanks for commenting Adrian. To be honest, I haven’t got a clue. Try posting this to the UI Community Forums. There are a ton of people in this community willing to help.
Thank you very much! This works perfectly on my router too and now I have a VPN connection thanks to you.
Hello Vladislav! I’m so glad to hear you successfully set this up. Have a great day and thanks for taking the time to comment.
Hello Tony. Great video. I have done this configuration on my EdgeRouter L-3, but I was unable to access my VPN. I have tested using Nmap, and all three ports (500, 701, 4500) are filtered. I thought that those four firewall rules added to the firewall list were supposed to allow VPN connection. Am I missing something here?
Hello Marcio, thanks for commenting. Move the four rules up above the Drop Invalid-State rule.
@@QuikTechSolutions Hi Tony. I would do that right now and let you know. Thanks!
@@QuikTechSolutions Hello Tony. I have changed the firewall rules order but still the same. nmap show the following state for all ports: Port 500/udp State open|filtered. What does it mean Open/Filtered?
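The firewall problems reported in this thread (VPN rules sitting behind another rule, an IPsec rule flipped from accept to reject by a firmware upgrade, leftover port forwards on 500 and 4500) can be checked offline against a saved `show configuration commands` dump. This is an added example, not part of any comment or the video; the `WAN_LOCAL` ruleset name, the rule numbers and the sample config are constructed assumptions, and it checks the standard L2TP/IPsec set of UDP 500, UDP 4500, UDP 1701 and ESP.

```python
import re
from collections import defaultdict

# Constructed sample of `show configuration commands` output (not from the video
# or any commenter's router). WAN_LOCAL and the rule numbers are assumptions.
SAMPLE_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action reject
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 55 action drop
set firewall name WAN_LOCAL rule 55 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 protocol udp
set port-forward rule 1 forward-to address 192.168.1.50
set port-forward rule 1 original-port 500,4500
set port-forward rule 1 protocol udp
"""

# Traffic an L2TP/IPsec server must accept on its WAN-facing local ruleset.
REQUIRED = {"IKE": ("udp", 500), "ESP": ("esp", None),
            "NAT-T": ("udp", 4500), "L2TP": ("udp", 1701)}
RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+)$")
FWD_RE = re.compile(r"^set port-forward rule (\d+) (\S+) (.+)$")

def parse(config):
    """Return ({ruleset: {number: fields}}, {forward number: fields})."""
    rules, forwards = defaultdict(lambda: defaultdict(dict)), defaultdict(dict)
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = rules[m.group(1)][int(m.group(2))]
            rest = m.group(3).replace("'", "").split() or [""]
            if rest[0] == "state" and rest[-1] == "enable" and len(rest) == 3:
                rule.setdefault("states", set()).add(rest[1])
            elif rest[:2] == ["destination", "port"] and len(rest) == 3:
                rule["port"] = rest[2]
            elif rest[0] in ("action", "protocol") and len(rest) == 2:
                rule[rest[0]] = rest[1]
            elif rest == ["disable"]:
                rule["disabled"] = True
            continue  # other criteria (source, ipsec match-ipsec, ...) are ignored
        m = FWD_RE.match(line.strip())
        if m:
            forwards[int(m.group(1))][m.group(2)] = m.group(3).strip("'")
    return rules, forwards

def port_in(spec, port):
    """True if port is covered by a spec such as '500', '500,4500' or '1000-2000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False

def matches_new(rule, proto, port):
    """Would this rule match a NEW inbound packet of the given protocol and port?"""
    if rule.get("disabled"):
        return False
    if rule.get("states") and "new" not in rule["states"]:
        return False  # e.g. established/related or invalid-only rules
    rule_proto = rule.get("protocol", "all")
    if rule_proto not in ("all", proto) and not (rule_proto == "tcp_udp" and proto == "udp"):
        return False
    return "port" not in rule or (port is not None and port_in(rule["port"], port))

def audit(config, ruleset="WAN_LOCAL"):
    """List findings; rules are walked in ascending number and the first match wins."""
    rules, forwards = parse(config)
    findings = []
    for svc, (proto, port) in REQUIRED.items():
        hit = next(((n, r) for n, r in sorted(rules.get(ruleset, {}).items())
                    if matches_new(r, proto, port)), None)
        if hit is None:
            findings.append(f"{svc}: no rule matches, default action applies")
        elif hit[1].get("action") != "accept":
            findings.append(f"{svc}: first match is rule {hit[0]} ({hit[1].get('action')})")
    for num, fwd in sorted(forwards.items()):
        taken = [p for p in (500, 4500, 1701) if port_in(fwd.get("original-port", ""), p)]
        if taken and fwd.get("protocol") in ("udp", "tcp_udp"):
            findings.append(f"port-forward rule {num} diverts UDP {taken} to a LAN host")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

An empty result means every required protocol reaches an accept rule first and no port forward claims the VPN ports.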
Thanks, Tony! I was able to follow along and set this up in no time. Works like a charm. I can access my devices on my home network and use my Pi-Hole for ad blocking when away from home. Those were my two goals. Does this also encrypt traffic like commercial VPNs do for the purpose of security when connected to a public hot spot?
Hello Ken, Congratulations on your successful installation. Happy to hear my content was useful to you. Regarding your inquiry, no this is not the same as the commercial subscription services. The intended use is for secure remote access when you are away from your home, not to be used within the home. In fact, if you try to connect from within your home network, the connection attempt will fail. Hope this clarifies. Thanks for tuning in. Have a great rest of your weekend.
@@QuikTechSolutions Thanks for the quick response. I think you may have misread my question. I did not say anything about connecting from within my home network. I know it is for connection TO your home network when away from home, and that is how I am using it. My question is, is that connection encrypted? Such that, when I'm connected to, let's say, a coffee shop network and then to my VPN, someone would not be able to snoop on my traffic, right? (I mean, it has to be, right? That's kinda the whole point of a vpn, right? I just want to verify this.)
Sorry Ken, I totally misread your question. Yes, you are correct. My bad!
Thank you, Tony, this helps a lot!! how to protect your local from outside ddos?
Thanks for commenting Richard. Glad you found the information presented in this video helpful! Have a great day!
Setting this up on an ER 4. I'm pretty sure we use a static IP for the WAN. What should be my input for ipsec/ipsec-interfaces setting?
Hi great video!
My question is... This option (Setting Client IP Pool), do I configure it with the same local network or put another range that I wish?
Hi Thanks for commenting. Same local network using a range of IPs that you can dedicate to the pool.
thanks!!!
Tony, great video. Did you have to set up Port Forwarding rules on the WAN to be able to connect the VPN? If so, what ports? Love all your other videos as well!
Thanks so much! No port forwarding on the WAN. Just make sure you put the firewall rules on WAN local as stated in the video. Please consider subscribing to the channel. Thanks if you already have. Have a great day
@@QuikTechSolutions How do I remotely access my ERX after successfully configuring the VPN and firewall rule?
Kindly help, I have followed all the steps but I wonder how will I access my router remotely
@@churchmouse7131 hello Church Mouse! Thanks for commenting. You have to configure the remote device with the following vpn info: server, username, password, pre-shared key.
Hi Tony. I have dual wan on my Edge pro router all with static IPs. I have followed all procedure but seems not to wor
Thanks Tony. So with this method I DO NOT need an account with NordVPN or PIA or whatever. It's just not clear to me.
Hello Chris, thanks for commenting.
This is primarily for when you are away from your home or office and wish to connect remotely & securely back to your home or office. It is not the same as using a VPN subscription from within your home or office.
Have a great day!
Thanks for the video. You explained something about PPPoE that actually helped to clarify some confusion I've had for a while. My question is with regard to the Auto Firewall setting in Edgerouter. You don't touch on it in the video, but is the setting on or off in this example and does it matter with what you did? Thanks so much.
Great video and still appears timely. I am surprised you did not add "set vpn ipsec auto-firewall-nat-exclude enable". I had to add this line to get to my vlans. Am I missing something?
Great tip!
Nice explanation of things Tony. I really like how you actually show everything on the GUI and the terminal. I myself hate the command line with a passion. I don't get people's love for the command line. I have been typing since the late 80's and I don't care for typing if I don't have to. Carpal tunnel sucks if you ask me. Either way the VPN setup on this router sucks. By the way, why not just use port forwarding, it's much easier than doing all those rules that people seem to love. I'm finally using this router again since it didn't seem to want to cooperate a while back. A few firmware updates later and it seems to work now. At the moment I just use my NAS OpenVPN, much better implemented than this router. I of course just connect to the computer and call it a day since I can get to everything from it. I guess I like to simplify my life but many people like to make it more work than it needs to be.
myshots101 thanks for your comments. As I mentioned in a previous comment on this thread, I recently began teaching myself the command line as there are advantages. But I much prefer to get things done in a GUI or Web UI.
I was able to set up my VPN only by adding a firewall rule to allow PING. Otherwise I was not able to access the VPN. Is this rule absolutely necessary?
Hello James. Thanks for commenting. It’s not a requirement to my knowledge.
@@QuikTechSolutions Thanks.
Hi Tony, great video! However, when I try to connect from Windows 10 using the built-in VPN client, I get "The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password does not match...".
However, I followed your instructions down to a T for both the server and client. The client is set up as L2TP/IPSec PSK. Are you aware of this error and what's causing it?
Hi Aubrey, thanks for commenting! This vid might be what you’re looking for:
How To Connect To EdgeRouter L2TP VPN Server From Windows 10
th-cam.com/video/Pd2NpYjrgCc/w-d-xo.html
Curious with Android removing the l2tp as an option, and this video being a bit older, is there any possibility of updating this to utilizing ikev2/ipsec? I know about openVpn but I'd rather not have to rely on 3rd party apps, if at all possible.
Hi!
Great video. Got my tunnel up in no time. But I can't find my bacnet-devices through the tunnel. Do I have to make more adjustments to talk on port 47808 UDP?
Thanks
Thanks for the comment. When you're connected to your VPN, do you see any other devices on your network?
Yes, I can reach my web server on port 80 and SSH to the server as well. Haven't tried more ports, but the bacnet broadcast search can't find any devices.
Martin Mizgalski wish I could help, but I can’t speak to Bacnet as I don’t have any hands-on experience with it. The purpose of this video was to help with getting L2TP over IPSec working on an EdgeRouter and you’ve accomplished that. Maybe try looking to Bacnet Forums. Have a great day.
Thanks anyway! Got a lot of it to work. I have read that some others had problems with bacnet over VPN. Thanks
+Martin Mizgalski thanks Martin. Glad to hear you’re making progress. Have a great day.
great video great explanation of each step. thumbs up!
Thanks so much!
Hello Tony,
I followed your guide and it was working for some days, but after a weekend it stopped working. Now the error is:
The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer
I would like to start again but I don't know how to delete the set vpn lines.
Thanks
Sounds like your public IP address has changed. If in fact that’s what happened, you might want to use DDNS.
@@QuikTechSolutions I have a fixed IP and even tried with the IP and with DNS
This might sound like a silly question, but have you tried restarting your router?
@@QuikTechSolutions Yep already.
Hi, the video is great, but I don't have a public IP, and I have 2 NAT over on my ErL... I configured it using Noip, thinking that the server would work, but it doesn't. Any ideas?
The VPN works in my iPhone locally, but not in 4G AT&T
Thanks a lot for the video!!! If I do the L2TP via the config. tree, are there any steps needed besides what you showed in the video? Thanks
Nope, pretty much what I showed in the video. Thanks for watching. Have a great day.
@@QuikTechSolutions Sorry for bothering you again, I wonder if you could help me a little more:
1. In the video, you explain/show setting up the user name ("Tony"), but you do not show setting up the password. The UBNT CLI has password being set up in the command line. Should I set up the PW under my name in the config. tree?
2. When configuring my phone (Android Ahh...), what should I enter under the DNS server address? I am using dynamic DNS.
Thanks a lot
@@y.l.8361 you can set the pw in the config tree. I purposely showed the config tree for those not comfortable with working in the CLI. As for the Android client config, you can use whatever DNS server you want.
Tony, I got lost at the Firewall/NAT Policies. For me (EdgeROUTER Lite v1.10.8) the firewall Rulesets are empty, not sure where your WAN Local (ppoe0\local) is coming from...
Thanks!
A new EdgeRouter is usually configured for the first time with one of the wizards. One of the things the wizard does is create the WAN_IN and WAN_LOCAL firewall rule sets. If you don’t complete a wizard and decide to configure everything manually, you must also manually create these rule sets.
Hi Tony,
Thank you for the video, I setup the VPN server, after connecting I'm unable to reach the web from my iPhone.
Hello Zuhair. Recheck your input, check for typos, make sure you didn’t leave out any steps. If everything was done as per the video, things should work. Good luck.
Hi Zuhair, I have the same problem, with DNS I presume. I use Dynamic DNS servers and when I connect to the VPN, I cannot browse the internet. Though I can access an IP camera from my network. How did you solve the problem? Ty
Can this be done via ssh to the router?
Yes sir.
@@QuikTechSolutions Thanks. I do not have access to the GUI, I'm a ways away from Router. Wanting to upload configuration backup using winscp or ssh. Any suggestions/help? Thanks
Hi Tony,
I just got my brand new Edgerouter X SFP today, connected to a TP-link switch (SFP), but I always get eth05 down (SFP). Any suggestions?
Mac XPS hi there. So, you have to make eth5 part of the switch. I’m assuming you followed the setup wizard and ended up with a switch 0 interface. Go into the switch 0 config and add eth5 to the switch configuration.
Quik Tech Solutions L.L.C hi Tony, I’m trying to use the wizard, but I’m still not able to connect it. Can you please explain in detail how I can configure the SFP port, because there is no guide to help, just you
I can’t thank you enough for your help
Send me an email, I’ll send you instructions with a screen shot. It’s something I’ll do as a video at some point. But I’ll send you an email instructions for now so you can get up & running.
I have an HP LaserJet printer on my network, and I was hoping to be able to print from the VPN, but sadly, the printer does not show up when a device is connected to the VPN. Is there a way to get this to work?
Hi Ken, thanks for commenting. I’m not sure how you have your printer installed on your network. Is it on the same subnet that you made available in the VPN configuration?
Quik Tech Solutions L.L.C Yes. After further troubleshooting, this seems to be an issue with the printer. Even when connected locally to the same network, it doesn’t always show up on the device I want to print from (Apple devices, so we are talking AirPrint here, which is built in to the printer and enabled), and I often have to power cycle the printer.
@7:37 the whole point of a VPN connection is to remote in from an outside network over the Public IP. You didn't establish any rules for the WAN_IN port to allow that traffic. Did I miss something?
Hello Chris, These are the only rules that need to be in place for a remote connection from the public Internet.
Tony, thanks BTW! great video
Thanks again.
Hi Tony. I tried using my EdgeRouter as my DNS server to take advantage of caching and it doesn't appear to work. Do I have to use an alternate (Internet) DNS server? Thanks!
Hi Henry, thanks for commenting! A couple of things come to mind initially. Did you set the DNS Listening Interface under the services tab? Also, under Services>DHCP, make sure you set the DNS field to the IP of the Router.
Hi Tony. Thanks for your great video. Clear and explanatory! I'm already a subscriber!
I just have one small question:
I live in Italy, and I'm expecting my ER-X soon from AMZN. Here things work a little differently; We have ADSL and usually we have a modem that connects to the phone line, already translating some provider-issued dynamic WAN IP into a local non-routable IP (assume 192.168.1.x) and I use a DDNS service to keep track of my public IP. My Idea was to put the ER-X into the DMZ of my modem, thus getting a LAN address from my modem that most likely would be 192.168.1.2 (being 192.168.1.1 the LAN address that the modem reserves for itself).
Now the question is: should I then at step 6 of your tutorial put "set l2tp remote-access dhcp-interface eth0" (assuming obviously that eth0 is the WAN I/F connected to my modem), or should I use the third option for DDNS? I don't use PPPoE, mind you, even if I *think* I might, but I'm not sure my modem would really allow....
My guess is option 2 (... dhcp-interface eth0) as - in principle - being the ER-X in DMZ nothing should be filtered out by the modem and routing should be allowed 1:1, but I'd like your position on this.
Thanks very much in advance!!!
Hi Andrea, Thanks for your comments. As far as your setup goes, I'm not in favor of placing the ER-X in the DMZ. Would much rather see the modem placed into bridge mode, but sometimes this is not possible by the end user. In any event, based on your current config, I agree with you in theory regarding option 2. Good luck. Let me know how it plays out. Have a great day.
Thank you so much for great videos !!
Mac XPS thank you for your comment. Much appreciated. Glad you found it helpful.
No worries!!! May I ask you please to make a video for how to build a network system with ubiquiti devices like edgerouter or usg ?
Again thank you so much!
Mac XPS I am planning to do an Edge router config vid, as well as a basic Unifi config at some point. Trying to accumulate a few bucks to get a lab setup so I don't have to keep using my live production equip to make these videos. Stay tuned and have a great day.
Tony would be nice if you give the cli commands for the firewall rules.
Hello Ricardo. Here’s a link to Ubiquiti’s help doc. In this article you’ll find what you are requesting. Have a great day.
help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server
Hi Tony. I've set this up, and it connects properly and uses my home connection to access the internet. However, I can't seem to connect to any local resources (printers, servers, etc...). Any ideas?
Hi Martin, thanks for reaching out. Question, under allowed networks, did you put in the proper subnet information?
@@QuikTechSolutions I did. 10.x.x.1/24. It does now say DEPRECATED in the heading, so I'm not sure it's still looking at that value. One thing of note: my router sits at 10.x.x.254... do you think this may affect things? I've tried all 3 possibilities (.1, .0 and .254), none seemed to help.
I would recommend deleting the VPN altogether and start from scratch. Enter the Edgerouter CLI, then enter edit mode by typing config. Once in edit mode type the following commands:
delete vpn
commit
save
Good luck.
Thanks for the help Tony. I deleted it and started over, works like a charm. The only thing I can think of is I've done it through the CLI this time instead of the GUI. In any case, great video!
Hey Martin, that’s totally awesome. Glad you got it working. Please subscribe, share, and give the video a like 👍. Have a great night.
Good afternoon sir. How do I create the PPPoE interface? I tried adding it from the Dashboard (Add Interface/PPPoE) and even though it adds the interface to the Dashboard, it does not show as an option in the Interface drop-down. Thanks!
Hi Juan, so the PPPoe is to configure your ISP settings. Under the Interface drop down you would select the port that is your WAN. Hope this helps.
Nice video! You should use the tab key more while in CLI ;)
For autocompletion of commands?
Excellent video. Thank you!
Thank you Chris! Glad you found the video helpful. Have a great day. Please subscribe to the channel if you haven’t done so already.
Hello Tony, pls my edgerouter is sitting behind my ISP huawei HG8245H gateway, vpn is configured and working locally but i can't connect from outside the network can you pls help me out in resolving that pls
Hi Asamoah, two things come to mind. Why not use the EdgeRouter as the main router in place of the ISP device? If there is a reason that forces you to keep the ISP device, did you forward the VPN ports from the ISP device to the EdgeRouter?
Hi Tony. I love your videos. Could you do a video on how to configure - vpn l2tp remote-access outside-address on 2 diff wan ? First wan DHCP/ Second wan is PPPOE failover only edgerouter. Thanks
Thanks for commenting. I haven’t attempted this. From what I’ve read in the UI Community forums, no one has found success with this.
Great video! But when I connect to vpn I cannot browse internet. How can I do that? Thank you.
Thank you. Check your config and make sure you added the DNS servers.
Yes, good point , I know that was a mistake at DNS server setup. I should enter what DNS? Local(192.168..), noip host name...? Which one?
I would just put in the public DNS servers 1.1.1.1 and 8.8.8.8
@@QuikTechSolutions "The specified configuration node is not valid. Set failed"... any thoughts? Thank you Tony!!!
No, real Thank you Tony!! not sarcastic one! :) You are the best because in a past couple weeks I returned two Cisco RV series because of lack of reliability. And after I bought this router(last night) and I saw your video I was able to setup VPN on my Iphone!!! You are the man!!
Tony, love your tutorials. Have you done a tutorial for OpenVPN server?
Thank u so much Tony!
This worked out amazingly.
Thank Marcus for taking the time to comment. Glad it worked out for you.
Hi, great tutorial. I followed your steps and can connect to the VPN. My LAN network is 172.16.1.0/24 and the pool defined for the VPN is 172.16.1.38 - 234. My issue however is that my VPN client always gets assigned an IP without a default gateway and a subnet of 255.255.255.255, thus I am unable to reach any device on the LAN where the VPN server is. Is there something I may have overlooked?
Hello Vincent! Thanks for watching. Did you define subnet for the allowed network in Step 1?
@@QuikTechSolutions yes I did figure that out as the issue eventually. VPN works fine now and endpoints can connect just fine. 🙏
I am now however trying to figure out how to setup a Site to site VPN between the Edge Router and an Azure VPN. Any helpful pointers would be greatly appreciated.
Glad you got it sorted out. Sorry for the delayed response, your comment was being held for approval. I’m not sure why that was. In any event, I’ve setup site to site between two Edgerouters and also between an Edgerouter and OPNsense. I’ve never done it with Azure VPN, so I’m not sure I can be of much help. All I can say is make sure you have the correct subnets entered on each side, as well as matching the secret key and the encryption settings. Good luck. Let me know how you make out eventually. Have a great day.
@@QuikTechSolutions Thanks a lot 😊
I have tried this on several Edge Routers. It works perfectly connecting via Windows (all versions) but on iOS it just does not work. It's been a year of messing around and still no connection.
Sorry to hear you’re having issues getting your iOS devices to connect. Never had that issue with iOS. Check the ubnt community forums.
This works great, but how can I allow multiple connections from one public IP
Hi Ian, are you referring to additional users being able to connect? Please clarify.
@@QuikTechSolutions yes, additional users from the same public IP.
You can set additional users using the same command used to create the original user. SSH back into the router, enter Configure mode, then enter the command for each user you want to add. Don’t forget to save and commit. Also, backup your existing configuration before proceeding. This way, if something should go wrong, you can restore from the backup.
any update on this?
If you're asking if I have a video showing how to add additional users, no I do not at this time.
Hi and thanks for the video. Now after Android 12 removed L2TP, is there any way I can connect my Android 12 to my edge router?
Thanks
Hi Sami, not to my knowledge. L2TP is an older protocol now that is less secure than some of the newer protocols, which is why Google probably made the decision to stop using it. Do you have a Synology on your network by any chance? If so, you can run Tailscale; check out my buddy's video on how to do this. th-cam.com/video/u2Qp1BM8Qi8/w-d-xo.html
@@QuikTechSolutions Thank you for the quick reply. I dont actually have Synology. I am thinking of I install openVPN on a pc that is all on pc, it may work.
Thanks dear
@@DRSGHAZAL That should work fine, but remember to forward the OpenVPN UDP Port 1194 on the Edgerouter to the PC that is running OpenVPN.
How would I setup this with double nat bc can't eliminate ISP router?
Hi Arlen, I’ve never done this, but my guess is you would have to have admin access to your ISP router to be able to port forward the VPN traffic to the Edgerouter.
Did you port forward all of the following ports: 4500, 500, 1701, & 50?
Using a Windows 10 machine was an issue for me. I searched and found what was preventing my connection. After you create the Windows VPN, make sure to edit the VPN connection in Network Connections. Right-click on the VPN connection you just created, click Properties, click Security, enable "Allow these protocols" and select CHAP & MS-CHAP v2.
Hello Felice! Thanks for commenting. You are correct about editing the network adapter. In fact, I have a video dedicated to this issue on my channel. Have a good day.
Hi! Thanks for the great video... Q: I can't connect to my VPN over 4G, but if the iPhone is on my edgerouter network and I try to connect to the VPN then it works.... please help
HB noip i have the same problem
Thanks for commenting. Technically, it should be the other way around. If your iPhone is on your internal network & connected to your wifi, you shouldn't be able to connect to your VPN. You may want to take a look at your setup.
Quik Tech Solutions L.L.C thanks for answer! Do you have any idea on where to start looking?
Ok, so I'm assuming you setup the VPN on an EdgeRouter seeing as you commented on this VPN video. Did you do the initial config using the CLI (command line) or using the Config Tree in the router's GUI? In any event, you can check your config against the video starting at the 5:00 mark. Log into your EdgeRouter, then go to Config Tree>VPN and expand each section under IPSEC and L2TP. Make sure your network information is entered correctly, especially your WAN interface. Good luck.
wonderful video.
can you explain how to connect lan in vpn with a edgerouter lite and a fritzbox 7590? (formely a vpn router to router)
thank you excuse my bad english
Hey Vincenzo! Thanks for watching. I have no experience working with Fritzbox, nor do I have access to one for testing.
@@QuikTechSolutions I can arrange for you a fritz with a static public ip in next days.
always thank you for your time...
I totally appreciate the offer. However, I prefer to have a physical unit so that I could set up a test environment in the lab to explore. Have a great day!
Thanks Tony !!!
Thank you for watching. Nice to know this video is still relevant all these years later.
Followed all of your instructions (great video btw) and I am getting errors on both my Mac and my Android. My Android says timeout while connecting and my Mac says that the connection could not be established with the PPP server. Any ideas? Cheers.
Thanks. From what you’re saying, sounds like you have multiple VPN config commands in the Router. Maybe from previous configuration attempts? You can check through the Config Tree by expanding the VPN tab and checking each area.
Ran into problems with Android. The Edgerouter didn't like the CHAP response and there was nothing to tweak in Android.
Another helpful video
Thank you.
Thank you!
Hey Tony,
I updated my firmware and it broke my VPN which was setup following your instructions.
Any chance you could update this for firmware version 2.0.3?
I think what breaks is somewhere around step 6
Thanks so much.
Dave
Hi Dennis,
I have stayed completely clear of firmware V2 and above because it is known to be very unstable and breaks lots of things. The best advice I can give you at this time is to roll your system back down to V1.10.9. Get completely off of V2. Hopefully, you keep backups of your config files. Good luck.
@@QuikTechSolutions well I got it working. It appears that in the firmware upgrade one of the firewall rules IPSEC was shifted from "accept" to "reject". I fixed that and it took off. Thanks so much for the prompt reply Tony! I do have backups so I knew I could get back to my starting point, but fortunately I didn't have to do it. Thanks again.
Thank you Dennis for sharing your findings. Good information to know. We all learn from one another. Have a great evening.
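The failure described in this exchange, a VPN firewall rule flipped from accept to reject after an upgrade, can be caught by auditing the router's exported configuration. The following is an added example, not code from the video or from Ubiquiti: a Python check over `show configuration commands` output that reports, for IKE (UDP 500), ESP, NAT-T (UDP 4500) and L2TP (UDP 1701), the action of the first matching WAN_LOCAL rule. The sample config, its rule numbers and the choice of ESP as the flipped rule are constructed, and rules that match on state only are skipped as a simplification.

```python
import re

# Inbound traffic an L2TP/IPsec server needs accepted: service -> (protocol, port).
REQUIRED = {"ike": ("udp", 500), "esp": ("esp", None),  # ESP has no ports
            "nat-t": ("udp", 4500), "l2tp": ("udp", 1701)}
RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+)$")
FIELDS = ("action", "protocol", "destination port")

def parse_ruleset(config_text, ruleset="WAN_LOCAL"):
    """Return {rule number: {field: value}} for one firewall ruleset."""
    rules = {}
    for raw in config_text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m or m.group(1) != ruleset:
            continue
        rule = rules.setdefault(int(m.group(2)), {})
        for field in FIELDS:
            if m.group(3).startswith(field + " "):
                rule[field] = m.group(3)[len(field) + 1:].strip("'\"")
    return rules

def port_matches(spec, port):
    """True if a port spec such as '500', '500,4500' or '1000-2000' covers port."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        high = high or low
        if low.isdigit() and high.isdigit() and int(low) <= port <= int(high):
            return True
    return False

def audit(config_text, ruleset="WAN_LOCAL"):
    """Map each required service to the action of the first rule matching it."""
    rules = parse_ruleset(config_text, ruleset)
    result = {}
    for service, (proto, port) in REQUIRED.items():
        verdict = "no-rule"  # falls through to the ruleset's default-action
        for number in sorted(rules):  # rules are evaluated in ascending order
            rule = rules[number]
            # Simplification: state-only rules (no protocol) are skipped.
            if rule.get("protocol") not in (proto, "all"):
                continue
            spec = rule.get("destination port")
            if spec is not None and (port is None or not port_matches(spec, port)):
                continue
            verdict = rule.get("action", "unset")
            break
        result[service] = verdict
    return result

def blocked(config_text, ruleset="WAN_LOCAL"):
    return sorted(s for s, v in audit(config_text, ruleset).items() if v != "accept")

# Constructed sample of `show configuration commands` output; rule 40 is set to
# reject to mimic a VPN rule flipped by an upgrade.
SAMPLE_CONFIG = """\
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action reject
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 protocol udp
"""

if __name__ == "__main__":
    for service, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{service:6} {verdict}")
    print("blocked:", blocked(SAMPLE_CONFIG))
```

Saving the output of `show configuration commands` before and after a firmware upgrade and running the audit on both makes a changed action visible before remote users report failed connections.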
Great Video. I got everything set up except the Dynamic DNS. Are the following steps close to what I need to do? 1. Buy or get free DNS service from noip.com (or similar). 2. Under Services - DNS input the Dynamic DNS service (hostname, login, password etc). 3. Go to Firewall/NAT -> Port forward to forward the incoming connection?? To summarize, I don't know how to configure the Dynamic DNS on the Edge router to make it work with the VPN solution you're describing. Thanks
It works, thank you!!!
You’re welcome! Please subscribe to the channel, share, and give the video a “Like.” Have a great day!
I used the exact config on my Edgerouter X and still I can't connect to it. I used the NoIp service for my dynamic IP
Are you trying to connect with a Windows client?
Is it easy to configure an Edgerouter X as VPN client? In my scenario I'd like it to connect to a VPN server in a datacenter, because it's not possible to get my own internet connection at the office space I'm currently leasing. They provide a big flat 192.168.x.x network that anyone can plug into and refuse to create separate networks for all the offices. I don't want my employees having to mess with VPN settings on their laptops, I'd rather have the router maintain a permanent VPN tunnel.
Many, many thanks for your great tutorial from Italy. Now our VPN works perfectly!
Hello Paulo from Italy. Thank you for sharing. Happy to hear that my content is helping people all over the world. Have a great day and stay safe!
Hello, thanks for your work!
The tutorials are very good, but I would appreciate it if you could update it to the current software version. I am currently on the latest v2.0.9-hotfix.7 and due to errors, I cannot perform the settings either with GUI or CLI commands.
Thanks for watching. That is a great idea. I’ll put that on my list.
@@QuikTechSolutions having same problem here, getting "security layer could not negotiate parameters", help is greatly appreciated (2.0.9-hotfix.7)
i am having error in android phone , can you help me ?
Hello Lindon, I don’t have an Android device to test with. However, after reading a few forums on this same issue, several users posted that adding the following line to your L2TP configuration will resolve the issue.
set vpn l2tp remote-access authentication require mschap-v2