iToverDose/Software· 28 APRIL 2026 · 16:08

Secure EdgeRouter X VPN Setup Using L2TP/IPsec

Learn how to configure a remote access VPN on Ubiquiti's EdgeRouter X using L2TP/IPsec for secure connectivity to your home or office network from anywhere in the world.


Setting up a secure remote access solution for your home or small office network doesn’t require expensive hardware. With Ubiquiti’s EdgeRouter X and the L2TP/IPsec protocol, you can establish a reliable VPN tunnel that encrypts all traffic between your devices and your local network. This guide walks through configuring the VPN server on the EdgeRouter X, adjusting firewall rules to allow incoming connections, and connecting from a Windows 11 client.

Why Choose L2TP/IPsec for Remote Access

L2TP/IPsec combines two protocols to deliver both encryption and reliable data transmission. While L2TP handles the tunneling of data packets, IPsec provides the encryption layer, making it a strong choice for securing remote connections. The EdgeRouter X, running EdgeOS, supports this configuration natively, eliminating the need for additional software or licensing. This combination is widely compatible with most operating systems, including Windows, macOS, and mobile devices, making it ideal for users who need consistent access across multiple platforms.

Prerequisites and Network Setup

Before starting the configuration, ensure your EdgeRouter X is running a recent firmware version. The setup described here was tested on EdgeOS version 3.0.1, which includes all necessary VPN features. Your router should have a functional internet connection and a public IP address (either static or dynamically updated via DDNS as in the previous setup). The local network should use a private IP range, such as 192.168.10.0/24 or 192.168.1.0/24, which will be accessible once connected via VPN.

Configuring the VPN Server on EdgeRouter X

Accessing the router’s command-line interface (CLI) is required to configure L2TP/IPsec. You can do this either through the EdgeRouter X web interface or via SSH. Once logged in, enter configuration mode by running:

configure

The following commands set up the core VPN components. These include enabling IPsec on the WAN interface, defining the client IP pool, and configuring authentication:

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable

set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access client-ip-pool start 192.168.1.100
set vpn l2tp remote-access client-ip-pool stop 192.168.1.200

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret YOUR_SECRET
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username YOUR_USERNAME password YOUR_PASSWORD

set vpn l2tp remote-access mtu 1280

set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access dns-servers server-2 8.8.8.8

After entering these commands, enable DNS forwarding on the router so VPN clients can resolve internal hostnames:

set service dns forwarding listen-on lo

Apply and save the configuration:

commit
save

Adjusting Firewall Rules for Incoming VPN Traffic

The EdgeRouter X’s default firewall prevents unauthorized access from the internet. To allow L2TP/IPsec connections, you’ll need to modify the WAN_LOCAL firewall policy. Log in to the EdgeOS web interface and navigate to Firewall/NAT > Firewall Policies. Edit the WAN_LOCAL ruleset and add two new rules:

  • Rule 1 (Allow L2TP): Accept UDP traffic on ports 500, 1701, and 4500.
  • Rule 2 (Allow ESP): Accept IPsec ESP protocol traffic.

Position these rules above the Drop invalid state rule but below the Allow established/related rule. This ensures VPN traffic is processed before more restrictive rules are applied.

Connecting via Windows 11 VPN Client

Windows 11 includes built-in support for L2TP/IPsec with pre-shared keys. To set up the connection:

  1. Open Settings > Network & Internet > VPN > Add VPN.
  2. Fill in the connection details:
     • VPN Type: L2TP/IPsec with pre-shared key
     • Server name or address: Use the FQDN you configured via DDNS (e.g., vpn.yourdomain.com)
     • Pre-shared key: Enter the YOUR_SECRET value set earlier
     • Username and password: Use the credentials defined in the EdgeRouter X configuration
  3. Save the connection and connect.

Once connected, your Windows device will have access to your local network resources, including shared storage, printers, and IoT devices. For enhanced security, enable Microsoft CHAP v2 in the connection’s advanced settings under the Security tab.

Maintaining Security and Performance

Regularly review your VPN configuration and firewall rules to ensure they remain secure. Rotate shared secrets and user passwords periodically, and consider using certificate-based authentication for stronger security. Monitor connection logs for failed attempts, which may indicate brute-force attacks. Additionally, set up automatic firmware updates on your EdgeRouter X to patch any security vulnerabilities.
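As an added example (not part of the original article), a small Python audit of the EdgeOS `show configuration commands` output that checks the two firewall rules described above: that WAN_LOCAL accepts UDP 500/1701/4500 and ESP, that those rules sit between the accept established/related rule and the drop invalid rule, and that the pre-shared secret is not still the YOUR_SECRET placeholder. The sample configuration is constructed; rule numbers 10, 15, 16 and 20 are an assumption, not taken from a real router.

```python
import re
from collections import defaultdict

# Constructed sample of `show configuration commands` output (not from a real router).
SAMPLE_CONFIG = """
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 15 action accept
set firewall name WAN_LOCAL rule 15 protocol udp
set firewall name WAN_LOCAL rule 15 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 16 action accept
set firewall name WAN_LOCAL rule 16 protocol esp
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret YOUR_SECRET
"""

RULE_RE = re.compile(r"^set firewall name WAN_LOCAL rule (\d+) (.+?) (\S+)$")

def parse_wan_local_rules(config):
    """Map each WAN_LOCAL rule number to its settings, e.g. {"protocol": "udp"}."""
    rules = defaultdict(dict)
    for line in config.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))][m.group(2)] = m.group(3)
    return rules

def audit_wan_local(config):
    """Return a list of findings; an empty list means the VPN rules look right."""
    rules = parse_wan_local_rules(config)
    accept = lambda r: r.get("action") == "accept"
    established = [n for n, r in rules.items() if accept(r) and r.get("state established") == "enable"]
    invalid = [n for n, r in rules.items() if r.get("action") == "drop" and r.get("state invalid") == "enable"]
    udp = [n for n, r in rules.items() if accept(r) and r.get("protocol") == "udp"
           and {"500", "1701", "4500"} <= set(r.get("destination port", "").split(","))]
    esp = [n for n, r in rules.items() if accept(r) and r.get("protocol") == "esp"]
    findings = []
    if not udp: findings.append("no accept rule for UDP 500/1701/4500")
    if not esp: findings.append("no accept rule for ESP")
    # The article's placement: below accept established/related, above drop invalid.
    for name, nums in (("UDP", udp), ("ESP", esp)):
        for n in nums:
            if (established and n < max(established)) or (invalid and n > min(invalid)):
                findings.append(f"{name} rule {n} is not between established/related and drop-invalid")
    # A placeholder pre-shared secret left in the running config is a common slip.
    m = re.search(r"pre-shared-secret (\S+)", config)
    if m and m.group(1) in ("YOUR_SECRET", "secret", "changeme"):
        findings.append("pre-shared secret is a placeholder value")
    return findings
```

Feed it the output of `show configuration commands` from the router and review any findings it returns.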

With this setup, your EdgeRouter X becomes a secure gateway to your network, enabling remote access without compromising performance or security. Whether you're working from home or managing multiple locations, L2TP/IPsec offers a practical and reliable solution.

AI summary

A guide to setting up an L2TP/IPsec VPN on the EdgeRouter X. Detailed information on the step-by-step settings, firewall rules, and Windows 11 VPN client configuration.
