By Colonel Panic
I might be pushing my luck with this one, but I'll ask anyway :wink:

I have followed various "tutorials" on YouTube, and have done the following ...

Within my router > Services
    Created a RADIUS user, with a name & a "secret", with Authentication Port 1812 & Accounting Port 1813 (both numbers were pre-populated)
    Created a RADIUS server, with name & password, with L2TP & IPv4
Within my router > Networks
    Created a Remote User VPN, with a network name, the "secret" (see above), L2TP Server, Gateway/Subnet (which gives me 6 users which is fine), and selected the Default RADIUS profile
Within my iPhone > General > VPN
    Created a VPN with L2TP, Server is my public IP, a/c is my RADIUS User as above, ditto password, ditto secret

But the iPhone won't connect to the VPN. The error message is "The L2TP-VPN server was unreachable. Verify the server address & try reconnecting. If the problem continues, contact the Flyer Forum for assistance" :wink:

Where have I gone wrong? Do I need to change the Server IP (I have also tried my public IP:1812)?

Any tips?

By carlmeek
My advice, probably not quite what you want to hear, is to get a router that supports OpenVPN. Very easy to use and reliable.
By rjc101
Take a look here, especially at the bullet points at the end... ... Access-VPN

The first one might be a problem unless the phone has the ability to route all networks over the VPN (not tried it on a phone). I do use the USG VPN from laptop to home/office fine, and the site to site works well too.
By Sjoram
rjc101 wrote:...unless the phone has the ability to route all networks over the VPN (not tried it on a phone).

I use SoftEther as my VPN server and the Android native VPN client works fine with this. I haven't tested with iOS.
By Colonel Panic
Thanks to all; I had been using my iPhone on 3G, so that wasn't the issue. The bullet points above were helpful, but still resulted in a conflict. I'd never heard of OpenVPN before, but have now, and I see my Synology NAS can act as a server, so will give that a try instead.
By Colonel Panic
[UPDATE: I am now in a cafe and whilst I can connect to the VPN via Tunnelblick, the DNS issue below means that I can't access anything (but it is connected). :? ]

I can now connect to the OpenVPN server running on my Synology NAS via Tunnelblick on my laptop, using a Personal Hotspot on my iPhone / 3G.

Looking within SysPref / Network the laptop shows up as which surprises me, as my LAN is 192.168.2.x and I set the VPN within the NAS to use Dynamic IP addresses etc . And the Tunnelblick log states "2020-01-06 11:30:09.096717 *Tunnelblick: DNS address is being routed through the VPN".

But whilst I can access the NAS fine, no other web page opens and after a while I get an error message saying the DNS server is not responding. Within the NAS I have set my Pi-Hole to be the main DNS Server, and after the initial blocking I added OpenDNS's as well, but still it doesn't load. "After connecting to VPNConfig, DNS does not appear to be working. This may mean that your VPN is not configured correctly."

This may be due to the comms between the NAS & the USG router (& possibly even the modem on ?) but I can't see where I have gone wrong. I have set the NAS VPN to "Allow clients to access server's LAN", and have set up port forwarding from the USG to the NAS on 1194 UDP.

Where else might I need to tweak the settings?

By Colonel Panic
Famous last words, but I think I have finally managed to get my UniFi USG based VPN to work. (Full proof will follow when I'm next out in a cafe). I have had to check the "Require MS-CHAP v2" box which surprised me (& isn't mentioned in most YouTube videos).

When logged in via the VPN (with a local IP of I can access devices on the main 192.168.2.x subnet fine, but when I type emonpi.local in a browser it doesn't connect.

emonpi.local is the same as (which does work), so what is it about a VPN that blocks the former from resolving?
By Colonel Panic
Thanks @stevelup - I had never heard of mDNS, but I now have 8)

WRT to the VPN, again today when in a cafe I can start the VPN on my MacBookPro, everything within SysPref/Network looks right, and I am given an IP of - which fits in with what I had asked the USG to give out (ie , which gives up to 6 connections).

But I still can't access things on my LAN, ie (Synology NVR). Might this be due to the 3 subnet instead of the 2 that the NVR is on? How might I get round this? Can I tell the USG to give out (say) to inbound VPN access?

Or have I missed out another step somewhere?

By Sjoram
You are most likely spot on. Unless the USG has been configured to perform routing between the two subnets, they will be unable to see each other.

I would suggest amending the DHCP for the local network to create some space from which the VPN clients can be served.

I don't know the default behaviour of the USG, but a lot of consumer kit will enable DHCP across the whole range of addresses. I always prefer to have a section at the beginning and end of the subnet available for static allocation. You could then also serve your VPN clients from within that range.

Example - If your network is and your USG is (I haven't checked back earlier posts, so this is an example only)

Available for static assignment: -
VPN clients: -

All clients would need to have a /24 ( subnet mask to be able to see each other without configuring routing separately.
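The two points made above (VPN clients landing on a 192.168.3.x address cannot see the 192.168.2.x LAN unless the USG routes between them, and the fix of carving a VPN pool out of the LAN's own /24 alongside separate static and DHCP ranges) can be checked with a small planner. This is an added example, not code from the thread or from Ubiquiti; the pool boundaries and the 192.168.2.1 gateway are hypothetical values chosen to match the LAN mentioned in the thread.

```python
"""Added example (not from the thread): sanity-check address pools for a LAN
that also serves VPN clients, and classify whether a VPN client can reach a
LAN host without extra routing. Standard library only.

Hypothetical plan, modelled on Sjoram's suggestion:
  LAN 192.168.2.0/24, gateway (USG) 192.168.2.1,
  static devices .2-.99, DHCP .100-.199, VPN clients .200-.249.
"""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Tuple

LAN = ip_network("192.168.2.0/24")

# Pools carved out of the LAN so that nothing overlaps (hypothetical values).
POOLS: Dict[str, Tuple[str, str]] = {
    "static": ("192.168.2.2", "192.168.2.99"),
    "dhcp": ("192.168.2.100", "192.168.2.199"),
    "vpn": ("192.168.2.200", "192.168.2.249"),
}


def pool_problems(lan: IPv4Network, pools: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return a list of problems: reversed bounds, a pool that lies outside
    the LAN (the 192.168.3.x situation), or two pools that overlap (DHCP
    handing out addresses the VPN server also assigns). Empty list = OK."""
    problems: List[str] = []
    ranges = {}
    for name, (lo, hi) in pools.items():
        lo_a, hi_a = ip_address(lo), ip_address(hi)
        if lo_a > hi_a:
            problems.append(f"{name}: start {lo} is after end {hi}")
            continue
        if lo_a not in lan or hi_a not in lan:
            problems.append(f"{name}: {lo}-{hi} is not inside {lan}")
            continue
        ranges[name] = (lo_a, hi_a)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                problems.append(f"{a} and {b} overlap")
    return problems


def reachability(client: str, host: str, mask: str = "24") -> str:
    """Classify how a VPN client address reaches a LAN host under one mask.

    'direct' : both addresses fall in the same network, so the client can
               talk to the host with no routing configured on the gateway.
    'routed' : different networks; the gateway must forward between them and
               the host needs a return route (its default gateway set to the
               USG), or the gateway must NAT the client's source address.
    `mask` may be a prefix length ("24") or a dotted mask ("255.255.255.0").
    """
    c_net = ip_network(f"{client}/{mask}", strict=False)
    h_net = ip_network(f"{host}/{mask}", strict=False)
    return "direct" if c_net == h_net else "routed"


if __name__ == "__main__":
    print("pool problems:", pool_problems(LAN, POOLS) or "none")
    # A VPN client on a 192.168.3.x address versus a LAN host on 192.168.2.x
    print("192.168.3.2 -> 192.168.2.50:", reachability("192.168.3.2", "192.168.2.50"))
    # The same host from a client inside the carved-out VPN pool
    print("192.168.2.201 -> 192.168.2.50:", reachability("192.168.2.201", "192.168.2.50"))
```

Run it as-is and the planned pools pass; feed it a DHCP range that spans the whole /24 and it reports the overlap with the VPN pool, which is the situation where a VPN client and a LAN device can end up with the same address. The reachability check is the same test every host performs before deciding whether to ARP for a neighbour or send to its gateway, which is why a 192.168.3.x client cannot see a 192.168.2.x NVR unless the USG is routing between the two and the NVR knows to send replies back via the USG.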
By stevelup
I'm confused because you said you could access emonpi on whilst connected to the VPN.

If one thing works, everything should work.

If emonpi is working, but not the NAS it could be that the NAS doesn't have the correct gateway set for example. Or your NAS is configured to only allow connections from the local subnet or something.