Windows L2TP VPN


I recently updated the software of my Synology NAS to DSM 4.3. This update gave me the ability to use an extra flavor of VPN: L2TP (more precisely L2TP over IPsec). This is a more secure type than PPTP and it is natively supported by almost every operating system. Before that the only option I could use was PPTP. (OpenVPN requires the installation of a client on the devices I want to use the VPN on.)

To make all this work, I enabled the L2TP flavor on the VPN server. The only configuration I did on this was to define a pre-shared key. Choose a long, random pre-shared key: it is the only secret protecting the IPsec negotiation, and every client that is allowed in has to know it. How to set up and configure a VPN server on a Synology is perfectly described in a Synology tutorial: How to set up the Synology NAS as the VPN Server

The second hurdle to take is passing the L2TP traffic through to the VPN server. Every router has its own specific interface where this can be set. Please check the manual of your router on how to do this. The ports that have to be forwarded are UDP 500 (IKE), UDP 4500 (IPsec NAT traversal) and UDP 1701 (L2TP). Note that on a working L2TP/IPsec connection the L2TP packets on UDP 1701 travel inside the IPsec tunnel, so UDP 500 and 4500 are what actually carry the traffic across your router; forwarding UDP 1701 as well is what Synology asks for, but never expose plain L2TP on its own without IPsec, because it is unencrypted. If you have done that, your L2TP VPN is ready for use.

The next thing to do is connecting devices to your newly created VPN server. I used an iPhone and an Android phone. Creating a connection on those two devices was straightforward. They both connected well without doing more than just configuring the VPN connection on the device. The next thing to do was connecting my laptop with Windows. That was a real pain. It was not as straightforward as it should be.

As long as your VPN server is not directly connected to the internet, your VPN traffic has to be routed through your router, which means the server sits behind NAT. Especially L2TP with IPsec on a Windows machine doesn't like this. It's IPsec that is nagging: by default the Windows IPsec client refuses to establish a security association with a server that is behind a NAT device, so the connection attempt simply times out (usually reported as error 809). Microsoft describes this and the fix in KB 926179. To make this work on your Windows machine you have to add a registry value. To do so you have to follow the next steps:

  1. Start RegEdit with administrator privileges.
  2. Browse to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. Create a DWORD (32-bit) value with the name: AssumeUDPEncapsulationContextOnSendRule
  4. Give it the value 2.
    This value can have the following settings:
    0 – A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    1 – A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    2 – A value of 2 configures Windows so that it can establish security associations when both the server and the Windows based VPN client computer are behind NAT devices.
    A laptop that you use from hotels, cafés and other people's networks is almost always behind NAT itself as well, so 2 is the value you want.
  5. Close all applications and reboot the machine. The value is only read when the IPsec services start, so at the very least the IPsec Policy Agent service has to be restarted; a reboot is the safe choice.

After the reboot you can connect to the L2TP VPN server from outside your network. I also experienced that it is a good idea to configure your L2TP client on your Windows machine a little more explicitly. By default (type of VPN set to Automatic) Windows probes which protocol your VPN uses before it connects. You can bypass this by setting the type of VPN in the Security tab of the connection properties explicitly to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec), and by entering the pre-shared key under Advanced settings on that same tab; without the key the IPsec negotiation cannot even start. Also make sure the IPsec Policy Agent (service name PolicyAgent) and IKE and AuthIP IPsec Keying Modules (service name IKEEXT) services are running.
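The whole client-side procedure above, done from an elevated PowerShell prompt instead of RegEdit and the connection dialogs. This is an added example, not something from the original post or from Synology: it assumes Windows 8.1 or later (which ships the VpnClient module with Add-VpnConnection), and the server name, connection name and pre-shared key are placeholders you fill in yourself.

```powershell
# Added example (not from the original post): registry fix, service check and an
# explicitly typed L2TP/IPsec connection, from an elevated PowerShell prompt.
# Assumptions: Windows 8.1 or later; 'vpn.example.com' and 'Home NAS L2TP' are placeholders.
$ServerAddress  = 'vpn.example.com'      # public DNS name or IP of your router
$ConnectionName = 'Home NAS L2TP'        # any name you like
$Psk = Read-Host -Prompt 'Pre-shared key' -AsSecureString

# 1. Allow IPsec security associations when server and client are both behind NAT (value 2).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $key -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 2. The two services L2TP/IPsec depends on. They read the value at start-up, so restart
#    them; a full reboot, as the post recommends, is the safe choice on a machine with
#    other IPsec connections, because restarting IKEEXT drops them.
foreach ($svc in 'PolicyAgent', 'IKEEXT') {
    Set-Service -Name $svc -StartupType Automatic
    Restart-Service -Name $svc -Force
}
Get-Service -Name 'PolicyAgent', 'IKEEXT' | Format-Table Name, Status, StartType

# 3. Create the connection with the tunnel type pinned to L2TP/IPsec with a pre-shared key,
#    instead of letting Windows probe PPTP, L2TP and SSTP in turn. Add-VpnConnection wants
#    the key as plain text, so unwrap the SecureString only at this point.
$plainPsk = (New-Object -TypeName System.Net.NetworkCredential -ArgumentList '', $Psk).Password
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $plainPsk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -Force
Remove-Variable plainPsk

# 4. Verify what was stored: TunnelType must read L2tp, not Automatic.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

Run it once per machine; afterwards the connection shows up in the normal network flyout, and the registry value survives Windows updates. If the verification in step 4 reports TunnelType Automatic, the connection was created by another tool and the type has to be fixed in the Security tab as described above.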

Unfortunately this is not as easy to set up as the PPTP type, but it is a far more secure type of VPN: PPTP's MS-CHAPv2 authentication and MPPE encryption are broken and a captured PPTP session can be decrypted, whereas with L2TP/IPsec the user authentication already runs inside an IPsec tunnel. Let's hope that Microsoft will make configuring the onboard VPN client for L2TP as easy as it is on an Android device or an iPhone.

Split Tunnel

When you are connected to the VPN, all traffic is sent through the VPN tunnel, including traffic with a destination other than the local network you want to reach. There is a setting in Windows that makes only the traffic for the remote network go to the VPN tunnel gateway, while all other traffic goes to your normal default gateway. This is called split tunneling. Be aware of what you trade in: with a full tunnel everything your laptop sends on an untrusted network (a hotel or café Wi-Fi) is protected by IPsec, while with split tunneling only the traffic to your home network is, and your machine is reachable from both networks at the same time.

To enable split tunneling you need to open the properties of your VPN connection. Select Internet Protocol Version 4 (TCP/IPv4) and open its properties. Then click the Advanced... button. In the IP Settings tab you have to uncheck the Use default gateway on remote network checkbox. Then click OK to confirm, click OK again to close the Internet Protocol Version 4 (TCP/IPv4) properties and click OK once more to close the properties of the VPN connection. Note that Windows then only adds a classful route for the address it received from the VPN server (for example 10.0.0.0/8 for an address 10.2.0.5) unless Disable class based route addition on the same tab is checked as well; if your home network uses a different range than the VPN address pool, add a route for it yourself or nothing will reach it.
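The same split-tunnel setting, plus the route for the home LAN that Windows does not add by itself and a check of the resulting routing table. This is an added example, not from the original post; it assumes a connection named 'Home NAS L2TP' already exists, that the home LAN is 192.168.1.0/24 and that the VPN user is 'vpnuser', all of which are placeholders.

```powershell
# Added example (not from the original post): split tunneling from PowerShell and a route
# for the home LAN. Assumptions: connection 'Home NAS L2TP' exists; the home LAN is
# 192.168.1.0/24 and the user 'vpnuser' is a placeholder.
$ConnectionName = 'Home NAS L2TP'
$HomeLan        = '192.168.1.0/24'

# Equivalent of unchecking "Use default gateway on remote network".
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# With split tunneling Windows only routes the classful network of the address the NAS
# hands out (10.0.0.0/8 for a 10.x.x.x address). That does not cover 192.168.1.0/24,
# so add the home LAN explicitly; the route is installed each time the connection comes up.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $HomeLan -PassThru

# Connect and inspect the routes that landed on the VPN interface.
rasdial $ConnectionName 'vpnuser' (Read-Host -Prompt 'VPN password')
Get-NetRoute -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Sort-Object RouteMetric |
    Format-Table DestinationPrefix, NextHop, RouteMetric

# Expected: a route for 192.168.1.0/24 on the VPN interface and no 0.0.0.0/0 on it.
# If 0.0.0.0/0 is still listed, split tunneling did not take effect.
# Disconnect afterwards with:  rasdial $ConnectionName /disconnect
```

The route check is the part worth keeping: a 0.0.0.0/0 entry on the VPN interface means all your traffic still goes through the NAS, and a missing entry for the home LAN means the VPN connects but nothing at home answers.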