## Introduction
In the previous article, Running an AWS Lambda + Route 53 DDNS Client on EdgeRouter X, I built a system that periodically runs a DDNS client on the EdgeRouter X to keep a Route 53 DNS record in sync with the global IP address assigned to its WAN interface. This made it possible to associate an FQDN with the dynamically changing global IP address. In this article, I use that setup to connect to the EdgeRouter X via remote access VPN.
## References
## Test Environment
Tested on EdgeRouter X (ER-X) firmware 3.0.1.
## Network Topology
The diagram below is a simplified view of the configuration that connects Site A and Site B via VPN.
```mermaid
graph LR
subgraph SiteA["Site A (192.168.10.0/24)"]
PC[PC] --- L2SWA[L2 Switch] --- RouterA[Router]
end
subgraph SiteB["Site B (192.168.1.0/24)"]
ERX[EdgeRouter X] --- L2SW[L2 Switch]
L2SW --- NAS[NAS]
L2SW --- RPI[Raspberry Pi]
L2SW --- AP[Wireless AP]
AP -.-|Wireless| IoT1[IoT Device 1]
AP -.-|Wireless| IoT2[IoT Device 2]
AP -.-|Wireless| IoT3[IoT Device 3]
end
RouterA ===|VPN| ERX
```
## Configuring L2TP/IPsec
I configured L2TP/IPsec by following EdgeRouter X – 6. リモートアクセス VPN (L2TP).
Open the CLI window from the EdgeRouter X GUI, or access the router via SSH.
```
_____ _
| ____|__| | __ _ ___ (c) 2010-2023
| _| / _ |/ _ |/ _ \ Ubiquiti Inc.
| |__| (_| | (_| | __/
|_____\__._|\__. |\___| https://www.ui.com
|___/
Welcome to EdgeOS
By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.
```
Enter configuration mode:
```
configure
```
In configuration mode, run the following commands to configure L2TP/IPsec:
```
## Basic IPsec configuration
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable
## Specify that the L2TP WAN-side IP address is assigned via DHCP
set vpn l2tp remote-access dhcp-interface eth0
## Specify the IP address range assigned to L2TP clients
set vpn l2tp remote-access client-ip-pool start 192.168.1.100
set vpn l2tp remote-access client-ip-pool stop 192.168.1.200
## Set the L2TP "secret"
## Replace YOUR_SECRET with any password of your choice
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret YOUR_SECRET
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
## Set L2TP client authentication to local
set vpn l2tp remote-access authentication mode local
## Set the L2TP client username and password
## Replace YOUR_USERNAME and YOUR_PASSWORD with your values
set vpn l2tp remote-access authentication local-users username YOUR_USERNAME password YOUR_PASSWORD
## Set the L2TP MTU conservatively
set vpn l2tp remote-access mtu 1280
## Set the DNS used by L2TP clients to the router itself and Google DNS
set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access dns-servers server-2 8.8.8.8
## Enable DNS forwarding on the router so that L2TP clients can use the router's DNS
set service dns forwarding listen-on lo
commit
save
```
## Firewall Configuration on the WAN-Side Interface
Next, configure the firewall so that L2TP/IPsec connections from the WAN side can reach the EdgeRouter X. This is also based on the sites listed in the References section.
Log in to the EdgeRouter X GUI as an administrator and open the firewall settings. Click the Firewall/NAT icon in the left-side menu.
Click the Firewall Policies tab → Actions for WAN_LOCAL → Edit Ruleset.
Click Add New Rule. (The screenshot below shows the state after the rules described below have already been added.)
Click the Basic tab. Enter any name in Description. Here, I use Allow L2TP. For Action, select Accept, and for Protocol, select UDP.
Then click the Destination tab and enter 500,1701,4500 in Port. Finally, click Save.
Next, click Add New Rule again.
Click the Basic tab. Enter any name in Description. Here, I use Allow ESP. For Action, select Accept. For Protocol, select Choose a protocol by name, and choose esp from the dropdown. Finally, click Save.
Move the two newly added rules so they sit between the existing Allow established/related rule and the Drop invalid state rule. You can drag and drop each rule by hovering over it.
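For readers who prefer the CLI, here is the equivalent of the GUI steps above as an added example (not from the original article). It assumes the default WAN_LOCAL ruleset created by the setup wizard, where rule 10 is "Allow established/related" and rule 20 is "Drop invalid state"; because EdgeOS evaluates rules in numeric order, choosing numbers between 10 and 20 places the new rules exactly where the drag-and-drop step puts them.

```vyatta
## Added example, not part of the original article.
## Assumption: rule 10 = Allow established/related, rule 20 = Drop invalid state.
## Adjust the rule numbers below if your WAN_LOCAL ruleset is numbered differently.
configure

## Allow IKE (UDP 500), L2TP (UDP 1701) and NAT-T (UDP 4500) from the WAN to the router itself
set firewall name WAN_LOCAL rule 12 description "Allow L2TP"
set firewall name WAN_LOCAL rule 12 action accept
set firewall name WAN_LOCAL rule 12 protocol udp
set firewall name WAN_LOCAL rule 12 destination port 500,1701,4500

## Allow ESP (the encrypted IPsec payload) from the WAN to the router itself
set firewall name WAN_LOCAL rule 14 description "Allow ESP"
set firewall name WAN_LOCAL rule 14 action accept
set firewall name WAN_LOCAL rule 14 protocol esp

commit
save
exit

## Back in operational mode: rules 12 and 14 should appear between 10 and 20,
## and their packet counters should increase once a client connects
show firewall name WAN_LOCAL statistics
```

Only the router itself (WAN_LOCAL) is opened for these ports; traffic forwarded through the router (WAN_IN) is unaffected.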
## Configuring the VPN Client on Windows 11
My Windows 11 system is set to English, so the menus and buttons appear in English. The screen layout and button positions are the same in the Japanese version, so substitute as needed.
In the Settings app, click Network & Internet → VPN → Add VPN.
Fill in each field by referring to the table below.
| Field | Value |
|---|---|
| VPN Type | L2TP/IPsec with pre-shared key |
| Type of sign-in info | Username and password |
| Connection name | Any name |
| Server name or address | The FQDN configured via DDNS |
| Pre-shared key | The YOUR_SECRET set in the L2TP/IPsec configuration |
| Username | The YOUR_USERNAME set in the L2TP/IPsec configuration |
| Password | The YOUR_PASSWORD set in the L2TP/IPsec configuration |
In the VPN connection you just created, click Advanced options.
Click Edit next to More VPN properties.
Click the Security tab, select Allow these protocols, and check Microsoft CHAP Version 2 (MS-CHAP v2).
Click the Networking tab, select Internet Protocol Version 4 (TCP/IPv4), and click Properties.
On the General tab, click Advanced.
On the IP Settings tab, uncheck Use default gateway on remote network.
## Verifying the Connection
Click Connect.
When the connection succeeds, the connection details are displayed as follows.
If you can reach network devices behind the VPN, such as a NAS, the connection is working. Internet traffic is routed through the WAN side of the EdgeRouter X. You can also access the LAN-side IP address of the EdgeRouter X from the VPN client to check the status of the remote site.
## Conclusion
In this article, I covered how to connect to an EdgeRouter X via remote access VPN, specifically:
- L2TP/IPsec configuration on the EdgeRouter X
- Firewall configuration on the WAN-side interface
- VPN client configuration on Windows 11
The Windows 11 VPN client setup was a bit involved. The VPN properties span several screens, and a few options are not particularly intuitive.
For EdgeRouter X configuration in general, the EdgeRouter X がすごい series is a great reference. It contains many practical configuration examples and is well worth consulting.
By combining the previous article, Running an AWS Lambda + Route 53 DDNS Client on EdgeRouter X, with the configuration described here, you can connect to your EdgeRouter X via remote access VPN. I hope this article is helpful.