This post is based on a support page on the Ubiquiti support site. If you have a UniFi Security Gateway or the UniFi Security Gateway Pro, this procedure will work for you. There are 3 steps to setting up the VPN: configuring the UniFi RADIUS server, creating the network, and configuring the client, in this case Windows 10.
All of the steps in this procedure are the same as the support page except configuring the Windows client. I need to add steps 6 – 12 in the Windows 10 client setup because the VPN could not authenticate properly without the Challenge Handshake Authentication Protocol (CHAP).
All steps except for the client configuration will be done in the UniFi Console, in the settings area. To get there, click on the cog icon in the lower left corner.
Set up the RADIUS Server
1. Click Services
2. Click Server
3. Configure the RADIUS server as follows; all of the values are default except for the secret.
4. Click Apply Changes.
5. Click on Users and click on Create New User
6. Enter a username and password, leave the VLAN blank, and set the Tunnel Type and Tunnel Medium Type to None. Click Save.
Set up the VPN Network
1. Click on Network
2. Click Create New Network
   NOTE: The screenshot is an existing VPN, but the screens are the same.
3. Enter the following configuration:
   - Name: a reference name for the network.
   - Purpose: Remote User VPN
   - VPN Type: L2TP Server
   - Pre-Shared Key: this key will be used by clients as part of establishing the tunnel.
   - Gateway/Subnet: must not conflict with any other subnet in use on the network. The value needs to be written like 172.17.200.1/24. In this case it has a range of 172.16.100.1-172.16.100.254. You can use a subnet calculator to work out the size of the subnet you need.
   - Name Server: Auto will use the DNS in the DHCP server, or you can manually set the DNS for VPN users.
   - RADIUS Profile: Default
4. Click Save.
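The Gateway/Subnet value above has to be a valid CIDR and must not overlap any subnet the gateway already serves. The following PowerShell is an added example, not code from the original post or from Ubiquiti; it works out the network, first/last usable host and host count for a value written the way the UniFi form expects it, and checks the proposed subnet against a list of subnets already in use. The in-use list is constructed for the example and deliberately contains one subnet that overlaps, so the check fires.

```powershell
# Added example (not from the original post): subnet maths for the Gateway/Subnet field.

function ConvertTo-AddressInt {
    # Dotted-quad IPv4 string -> 64-bit integer holding the 32-bit address value
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int64]($b[0]) -shl 24) -bor ([int64]($b[1]) -shl 16) -bor ([int64]($b[2]) -shl 8) -bor [int64]($b[3])
}

function ConvertFrom-AddressInt {
    # Integer -> dotted quad
    param([Parameter(Mandatory)][int64]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-SubnetInfo {
    # Accepts the value exactly as the UniFi form wants it, e.g. 172.17.200.1/24
    param([Parameter(Mandatory)][string]$Cidr)
    $addressText, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    if ($prefix -lt 1 -or $prefix -gt 30) { throw "Prefix length /$prefix leaves no usable client range" }
    $all       = [int64][uint32]::MaxValue                  # 0xFFFFFFFF as a positive number
    $mask      = ($all -shl (32 - $prefix)) -band $all      # network mask for the prefix length
    $network   = (ConvertTo-AddressInt $addressText) -band $mask
    $broadcast = $network -bor ($all -bxor $mask)
    [pscustomobject]@{
        Cidr         = $Cidr
        Network      = ConvertFrom-AddressInt $network
        FirstHost    = ConvertFrom-AddressInt ($network + 1)    # the gateway address typed into the form
        LastHost     = ConvertFrom-AddressInt ($broadcast - 1)
        UsableHosts  = $broadcast - $network - 1                # gateway plus addresses available to VPN clients
        NetworkInt   = $network
        BroadcastInt = $broadcast
    }
}

function Test-SubnetOverlap {
    # Returns the first existing subnet that overlaps the proposed VPN subnet, or $null if none does
    param([Parameter(Mandatory)][string]$ProposedCidr, [string[]]$ExistingCidrs)
    $p = Get-SubnetInfo $ProposedCidr
    foreach ($c in $ExistingCidrs) {
        $e = Get-SubnetInfo $c
        # Two ranges overlap when each one starts before the other one ends
        if ($p.NetworkInt -le $e.BroadcastInt -and $e.NetworkInt -le $p.BroadcastInt) { return $c }
    }
    return $null
}

# Constructed sample input: the page's example value and a made-up list of subnets already on the gateway.
# 172.17.0.0/16 is included on purpose so the overlap check has something to report.
$vpnSubnet = '172.17.200.1/24'
$inUse     = @('192.168.1.0/24', '10.0.10.0/24', '172.17.0.0/16')

Get-SubnetInfo $vpnSubnet | Format-List
$clash = Test-SubnetOverlap -ProposedCidr $vpnSubnet -ExistingCidrs $inUse
if ($clash) { Write-Warning "$vpnSubnet overlaps $clash; pick another Gateway/Subnet" } else { "OK: $vpnSubnet does not overlap any subnet in use" }
```

For 172.17.200.1/24 the script reports network 172.17.200.0, first host 172.17.200.1 (the gateway) and last host 172.17.200.254, with 254 usable addresses. Replace the `$inUse` list with the LAN, VLAN and any other VPN subnets configured on your own gateway before trusting the result.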
Windows 10 Setup
1. Go to Settings
2. Search for VPN and click either Add VPN or Change virtual private networks (VPN).
3. Click Add a VPN connection
4. Set the following:
   - VPN Provider: Windows (built-in)
   - Connection name: a friendly connection name
   - Server name or address: your public IP address or a DNS name pointing to your IP.
   - VPN type: L2TP/IPsec with pre-shared key
   - Pre-shared key: the pre-shared key entered into the UniFi Console (step 3 of the VPN network setup).
   - Type of sign-in info: User name and password
   - User name: optional; if it is not entered here, the user will be prompted for it each time they attempt to log into the VPN.
   - Password: optional; if it is not entered here, the user will be prompted for it each time they attempt to log into the VPN.
5. Click Save
6. Open the Control Panel
7. Click on Network and Sharing Center
8. Click Change adapter settings
9. Right click on the VPN connection with the name you set in step 4 and click Properties.
10. Click on the Security tab
11. Select Allow these protocols and check Challenge Handshake Authentication Protocol (CHAP)
12. Click OK.
13. To start the VPN, click the network icon in the Task Tray, click on the VPN, then click Connect.
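The same client configuration can be scripted, which is handy when more than one machine needs the connection and avoids missing the CHAP checkbox in step 11. The script below is an added example, not code from the original post or from Ubiquiti; it uses the built-in VpnClient cmdlets that ship with Windows 10. The connection name, server name and RADIUS user name are placeholders you replace with your own values, `-AuthenticationMethod Chap` is the scripted equivalent of ticking CHAP in step 11, and `-L2tpPsk` sets the pre-shared key from step 4. Run it from an elevated PowerShell window.

```powershell
# Added example (not from the original post): build the L2TP/IPsec connection from steps 1-12 in one go.

$connectionName = 'Office VPN'          # step 4: friendly connection name (placeholder)
$serverAddress  = 'vpn.example.com'     # step 4: your public IP or DNS name (placeholder)
$radiusUser     = 'vpnuser'             # the user created under RADIUS > Users in the UniFi Console (placeholder)

# Ask for the pre-shared key without echoing it; Add-VpnConnection needs it as plain text, so convert it only for the call
$pskSecure = Read-Host -Prompt 'Pre-shared key from the UniFi VPN network' -AsSecureString
$pskBstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pskSecure)
$pskPlain  = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($pskBstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($pskBstr)

# Steps 4-12: L2TP/IPsec with a pre-shared key, user name and password sign-in, CHAP allowed, encryption required
Add-VpnConnection -Name $connectionName `
    -ServerAddress $serverAddress `
    -TunnelType L2tp `
    -L2tpPsk $pskPlain `
    -AuthenticationMethod Chap `
    -EncryptionLevel Required `
    -RememberCredential `
    -Force

# Confirm what the Security tab would show
Get-VpnConnection -Name $connectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Step 13: connect with the RADIUS user; the * makes rasdial prompt for the password
rasdial $connectionName $radiusUser *
```

After the first successful connection the user name and password are stored (because of `-RememberCredential`), so later connections from the Task Tray or `rasdial $connectionName` need no prompt. `Remove-VpnConnection -Name 'Office VPN' -Force` removes the connection again if you need to start over.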
If you would like some additional information on the UniFi configuration, you can visit the UniFi support site that this post is based on.