Vyatta/VyOS/Ubiquiti VPN clients

First, download and run our RADIUS proxy.

UPDATE: Use the following CLI command (from this page):

set vpn l2tp remote-access authentication require pap

OLD INFO: Vyatta-derived L2TP/ipsec VPN servers are hard-coded to require MS-CHAP password authentication. Unfortunately neither our cloud-hosted RADIUS nor our RADIUS proxy can support this.

Because Vyatta is ultimately just a Linux box, this is a pretty easy fix.

First, download and run our RADIUS proxy.

# sudo vi /opt/vyatta/share/perl5/Vyatta/L2TPConfig.pm

Find the line that says "refuse pap = yes" and change it to "require pap = yes". Now modify the Vyatta VPN configuration to use the local machine (127.0.0.1) as the RADIUS host. Once the configuration is saved, the underlying config files are re-generated and PAP will be enabled.

📘

Security notice

PAP (Password Authentication Protocol) is an insecure protocol. However, because these VPNs use L2TP on top of ipsec, the transmission is encrypted.