Step-by-Step Guide: Configuring Unifi L2TP VPN with Local User and Duo Security Integration
- Gajendra Rathod
- Oct 19, 2024
- 2 min read
In today’s connected world, securing VPN access is essential for maintaining both privacy and data integrity. Recently, I worked on a project that involved configuring Unifi L2TP VPN for local users, integrated with Duo Security’s free plan for added two-factor authentication. Here’s a detailed step-by-step guide based on that experience.
1. Creating the Radius Profile in Unifi
Before you begin, have your UniFi management setup ready. The first step is to create a RADIUS profile that the VPN network will use to authenticate users.
Access Unifi Management.
Create a RADIUS profile whose authentication server is the host where the Duo proxy will run (UDP port 1812) and assign it a shared secret (for example, Radius_profile_Unifi_Shared_Key). This same value is entered later in the proxy configuration as radius_secret_1; if the two differ, every VPN login fails.
Then create an L2TP network and assign the RADIUS profile you just created.
2. Installing the Duo Authentication Proxy
Duo Security adds multi-factor authentication to VPN logins through its Authentication Proxy (referred to as the reverse proxy in this guide), which sits between the gateway and Duo's cloud and speaks RADIUS on both sides. Here is how to install and configure it:
Install the Authentication Proxy on a Windows or Linux host in your network that the UniFi gateway can reach on UDP port 1812.
Configure it by editing the authproxy.cfg file with the following parameters:
[radius_client]
host=10.10.10.1 ## Unifi router IP ##
port=1812
secret=##Default_Radius_Shared_key_Unifi##

[radius_server_auto]
ikey=##Redacted##
skey=##Redacted##
api_host=api-#######.duosecurity.com
radius_ip_1=10.10.10.1 ## Unifi router IP ##
radius_secret_1=##Radius_Reverse_profile_Unifi_Shared_Key##
client=radius_client
port=1812
failmode=safe

The ## ... ## markers are placeholders and notes for the reader, not valid file syntax; replace them with real values and remove the inline notes before starting the proxy. In this setup:
[radius_client] is the proxy's primary authentication target: the UniFi gateway's built-in RADIUS server at 10.10.10.1, reached with that server's own shared secret.
[radius_server_auto] is the listener the gateway sends VPN logins to. radius_ip_1 is the gateway's address as a RADIUS client, and radius_secret_1 is the secret you set on the RADIUS profile assigned to the L2TP network. client=radius_client ties the two sections together.
The proxy first checks the username and password against the [radius_client] server; only if that succeeds does it contact Duo (api_host) for the second factor, and it then returns the final accept or reject to the gateway.
failmode=safe means that if Duo's cloud is unreachable, logins that pass primary authentication are let through without a second factor. Set failmode=secure if you would rather the VPN fail closed.
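Because the proxy's configuration parser takes whatever follows the equals sign literally, it is worth checking the file before the first start. The script below is an added example written for this page, not the author's or Duo's code: it parses an authproxy.cfg, flags leftover placeholders, missing keys, a client= reference to a section that does not exist, secrets reused across the two hops, and the fail-open failmode. The two embedded configurations are constructed samples (the first mirrors the placeholder version above; the second uses made-up secrets and a made-up api_host), and the 20/40-character key lengths are an assumption based on the format of Duo integration and secret keys.

```python
"""Pre-deployment checks for a Duo Authentication Proxy authproxy.cfg (added example)."""
import configparser
import io
import textwrap

REQUIRED_SERVER_KEYS = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "client")

# Constructed sample 1: the walkthrough's file with its ## ... ## placeholders still in place.
PAGE_STYLE_CFG = textwrap.dedent("""\
    [radius_client]
    host=10.10.10.1 ## Unifi router IP ##
    port=1812
    secret=##Default_Radius_Shared_key_Unifi##

    [radius_server_auto]
    ikey=##Redacted##
    skey=##Redacted##
    api_host=api-#######.duosecurity.com
    radius_ip_1=10.10.10.1 ## Unifi router IP ##
    radius_secret_1=##Radius_Reverse_profile_Unifi_Shared_Key##
    client=radius_client
    port=1812
    failmode=safe
""")

# Constructed sample 2: filled in with made-up values, separate secrets per hop, fail-closed.
CLEAN_CFG = textwrap.dedent("""\
    [radius_client]
    host=10.10.10.1
    port=1812
    secret=unifi-builtin-radius-secret

    [radius_server_auto]
    ikey=DIXXXXXXXXXXXXXXXXXX
    skey=0123456789abcdef0123456789abcdef01234567
    api_host=api-example.duosecurity.com
    radius_ip_1=10.10.10.1
    radius_secret_1=gateway-to-proxy-secret
    client=radius_client
    port=1812
    failmode=secure
""")


def check_authproxy_cfg(text: str) -> list[str]:
    """Return 'ERROR:'/'WARN:' findings; an empty list means the file passed every check."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    findings = []

    # 1. Leftover placeholders or empty values. The walkthrough marks values with '## ... ##',
    #    so any '#' inside a value is treated here as a placeholder that was never replaced.
    for section in cp.sections():
        for key, value in cp[section].items():
            if "#" in value or not value.strip():
                findings.append(f"ERROR: [{section}] {key} is empty or still a placeholder: {value!r}")

    servers = [s for s in cp.sections() if s.startswith("radius_server")]
    if not servers:
        findings.append("ERROR: no [radius_server_*] section, so the proxy would not accept RADIUS requests")

    for s in servers:
        sec = cp[s]
        for key in REQUIRED_SERVER_KEYS:
            if key not in sec:
                findings.append(f"ERROR: [{s}] is missing {key}")
        client = sec.get("client", "")
        if client and client not in cp:
            findings.append(f"ERROR: [{s}] client={client} refers to a section that does not exist")
        # 2. failmode: 'safe' (the default) lets primary-only logins through if Duo is unreachable.
        mode = sec.get("failmode", "safe")
        if mode == "safe":
            findings.append(f"WARN: [{s}] failmode=safe fails open when Duo is unreachable; use failmode=secure for a VPN")
        elif mode != "secure":
            findings.append(f"ERROR: [{s}] failmode must be 'safe' or 'secure', not {mode!r}")
        # 3. Each hop should have its own shared secret (step 5 of the guide).
        if client in cp and cp[client].get("secret") and cp[client].get("secret") == sec.get("radius_secret_1"):
            findings.append(f"WARN: [{s}] reuses the [{client}] secret as radius_secret_1; give each hop its own secret")
        # 4. Key shape sanity (assumption: Duo integration keys are 20 chars, secret keys 40).
        ikey, skey = sec.get("ikey", ""), sec.get("skey", "")
        if ikey and "#" not in ikey and len(ikey) != 20:
            findings.append(f"WARN: [{s}] ikey length {len(ikey)} looks wrong (expected 20)")
        if skey and "#" not in skey and len(skey) != 40:
            findings.append(f"WARN: [{s}] skey length {len(skey)} looks wrong (expected 40)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page-style", PAGE_STYLE_CFG), ("clean", CLEAN_CFG)):
        print(name, check_authproxy_cfg(cfg) or ["OK"])
```

Run it against your real file with check_authproxy_cfg(open("authproxy.cfg").read()); the placeholder test is deliberately blunt, so a genuine secret containing # would need the rule relaxed.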
3. Configuring VPN Users in Unifi and Duo
Now that the infrastructure is in place, configure the users:
In Unifi: create the VPN user under the default RADIUS profile (the gateway's built-in RADIUS server). This is where the proxy sends the username and password for primary authentication.
In Duo: log in to the Duo admin portal, create a user with exactly the same username, and enroll a device or assign a token for the second factor.
The usernames must match in both systems, because the proxy passes the name the VPN client supplied both to the built-in RADIUS server and to Duo.
4. Understanding the Authentication Flow
Here is how a login works once everything is set up:
The VPN client connects to the public IP of your VPN server and submits a username and password.
The gateway sends a RADIUS Access-Request to the Duo proxy, using the profile assigned to the L2TP network and its shared secret (radius_secret_1 on the proxy side).
The proxy forwards the credentials to the gateway's built-in RADIUS server ([radius_client], the default profile) for primary authentication.
If the password is correct, the proxy asks Duo for the second factor (typically a push or phone call, or a passcode the user appended to the password) and waits for the user's approval.
Once approved, the proxy returns Access-Accept to the gateway, which completes the L2TP session. A wrong password or a denied Duo prompt produces Access-Reject and the connection is refused.
5. Setting Separate Radius Passwords
For added security, use a different shared secret on each hop: one between the gateway and the Duo proxy (radius_secret_1) and another between the proxy and the gateway's built-in RADIUS server (secret under [radius_client]). The shared secret is what hides the user's password in transit and authenticates the server's reply, so reusing one value across services means a leak in one place exposes both.
These secrets are entered in the proxy configuration file. The Authentication Proxy ships with an authproxy_passwd tool that stores them in encrypted form, so they do not have to sit in plaintext in authproxy.cfg.
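To make concrete what a RADIUS shared secret actually protects on each of the two hops above, and why a mismatched or reused secret matters, the following Python is an added example written for this page (not the author's or Duo's code). It implements the RFC 2865 PAP exchange: the NAS hides the User-Password with MD5(secret + Request Authenticator) and the server proves it knows the same secret through the Response Authenticator on its Access-Accept. The server keys secrets on the client's source IP, the way radius_ip_1 / radius_secret_1 do. The user, password and secrets are constructed sample data; the only value taken from the page is the gateway address 10.10.10.1.

```python
"""RFC 2865 PAP exchange between a NAS (the UniFi gateway) and a RADIUS server (the Duo proxy).
Added example: shows what the shared secret does on each hop. Sample names and secrets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + previous block),
    seeded with the Request Authenticator. Trailing NUL bytes in a password are lost."""
    pad = 16 if not password else (-len(password)) % 16
    padded = password + b"\x00" * pad
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret yields garbage rather than an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse(pkt: bytes):
    """Return (code, identifier, authenticator, {attribute_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i + 2 <= length:
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, pkt[4:20], attrs

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_request(username: bytes, password: bytes, secret: bytes, nas_ip: str, ident: int = 1) -> bytes:
    req_auth = os.urandom(16)  # fresh, unpredictable Request Authenticator for every request
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)

def serve(request: bytes, src_ip: str, clients: dict, users: dict):
    """Server side. `clients` maps source IP -> shared secret (like radius_ip_N / radius_secret_N);
    `users` maps username -> password. The secret is chosen by UDP source address, not by the
    NAS-IP-Address attribute, because the client controls the latter."""
    secret = clients.get(src_ip)
    code, ident, req_auth, attrs = parse(request)
    if secret is None or code != ACCESS_REQUEST:
        return None  # unknown client: RFC 2865 says to silently discard
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    rcode = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    return _packet(rcode, ident, response_authenticator(rcode, ident, req_auth, b"", secret), b"")

def client_accepts(request: bytes, response, secret: bytes) -> bool:
    """NAS side: trust an Access-Accept only if the Identifier matches and the Response
    Authenticator proves the sender knows the secret; otherwise a spoofed Accept would open the VPN."""
    if response is None:
        return False
    _, ident, req_auth, _ = parse(request)
    code, rident, resp_auth, _ = parse(response)
    expected = response_authenticator(code, rident, req_auth, response[20:], secret)
    return rident == ident and hmac.compare_digest(resp_auth, expected) and code == ACCESS_ACCEPT

def demo(password: bytes = b"correct-horse", client_secret: bytes = b"gateway-to-proxy-secret",
         server_secret: bytes = b"gateway-to-proxy-secret") -> bool:
    """Constructed sample: user 'alice' behind a NAS at 10.10.10.1 (the page's gateway address)."""
    req = build_access_request(b"alice", password, client_secret, "10.10.10.1")
    resp = serve(req, "10.10.10.1", {"10.10.10.1": server_secret}, {b"alice": b"correct-horse"})
    return client_accepts(req, resp, client_secret)

if __name__ == "__main__":
    print("matching secrets, right password:", demo())
    print("matching secrets, wrong password:", demo(password=b"wrong"))
    print("mismatched secrets:", demo(server_secret=b"different-secret"))
```

The mismatched-secret case fails twice over: the server unhides garbage and rejects, and even if it had accepted, its Response Authenticator would not verify on the NAS. That is the property a per-hop secret buys you, and it also shows why the MD5-based hiding is only as strong as the secret itself, so pick long random values for both hops rather than memorable strings.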
By following this step-by-step guide, you can effectively integrate Duo Security with Unifi L2TP VPN, providing a secure and streamlined authentication process for your users. Sharing my experience with the community to save time and effort for others!
Feel free to reach out if you have any questions!