L2TP VPN

pfSense® software can act as an L2TP VPN server. L2TP is purely a tunneling protocol that offers no encryption of its own, so it is typically combined with some other encryption technique, such as IPsec.

Warning

While pfSense software supports L2TP over IPsec, it has severe limitations and problems compared to other types of remote access VPNs and it should be avoided unless absolutely necessary. Current best practices include using IKEv2 IPsec, OpenVPN, or WireGuard for remote access VPNs.

Most L2TP/IPsec clients will not work properly in common scenarios. The most common problem scenario is Windows clients behind NAT, which is nearly all Windows clients in practice. The Windows L2TP/IPsec client and the strongSwan IPsec daemon are not fully compatible when the client is behind a NAT device, which leads to failure. In the few situations where L2TP/IPsec can function properly it still suffers from security and performance concerns compared to other types of remote access VPNs.

See also

IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 contains a walkthrough for configuring IKEv2, which is a much more flexible solution.

There are also recipes for other types of remote access VPNs in pfSense® software Configuration Recipes.

See also

For general discussion of the various types of VPN implementations available in pfSense software and their pros and cons, see Virtual Private Networks.

L2TP Security Warning

L2TP on its own is not encrypted, so it is not intended for private traffic. Some devices, such as Android, offer an L2TP-only client which is capable of connecting back to pfSense software, but it should only be used for traffic that is already encrypted, or for traffic that is not considered private. An example of the latter is tunneling Internet traffic so that it appears to originate from another location.
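The practical consequence of the warning above is that an L2TP tunnel which is not wrapped in IPsec is visible on the wire as plain UDP traffic to port 1701, whereas L2TP carried inside IPsec is hidden inside ESP or inside NAT-T on UDP port 4500. The following classifier is an added example, not code from the pfSense project: it takes simplified flow records (the record shape and the sample addresses are constructed for this example, not a real pfSense log format) and reports which peers are sending L2TP in the clear, which is what an administrator would want to check before allowing an L2TP-only client onto a network.

```python
from dataclasses import dataclass
from typing import Optional

# Well-known ports involved in L2TP and L2TP/IPsec (real IANA assignments).
L2TP_PORT = 1701   # L2TP control/data; only visible when not inside IPsec
IKE_PORT = 500     # IKE negotiation
NAT_T_PORT = 4500  # IPsec NAT traversal (UDP-encapsulated ESP)


@dataclass(frozen=True)
class Flow:
    """Simplified flow record (hypothetical shape, not a pfSense log line)."""
    proto: str            # "udp", "tcp" or "esp"
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports, e.g. ESP


def classify(flow: Flow) -> str:
    """Label a flow by what it reveals about L2TP encryption."""
    if flow.proto == "udp" and flow.dport == L2TP_PORT:
        # L2TP seen directly on UDP/1701: nothing is encrypting it.
        return "plaintext-l2tp"
    if flow.proto == "esp":
        # Raw ESP: any L2TP inside is encrypted and not visible here.
        return "ipsec"
    if flow.proto == "udp" and flow.dport in (IKE_PORT, NAT_T_PORT):
        # IKE or NAT-T: IPsec in use, L2TP (if any) rides inside it.
        return "ipsec"
    return "other"


def plaintext_l2tp_peers(flows) -> list:
    """Return the sorted set of source addresses sending unencrypted L2TP."""
    return sorted({f.src for f in flows if classify(f) == "plaintext-l2tp"})


# Constructed sample flows (documentation addresses from RFC 5737).
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.7", "203.0.113.1", 1701),   # L2TP-only client
    Flow("udp", "198.51.100.9", "203.0.113.1", 500),    # IKE from another peer
    Flow("udp", "198.51.100.9", "203.0.113.1", 4500),   # NAT-T carrying ESP
    Flow("esp", "198.51.100.11", "203.0.113.1", None),  # raw ESP, no NAT
    Flow("tcp", "198.51.100.12", "203.0.113.1", 443),   # unrelated traffic
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {classify(flow)}")
    print("peers sending plaintext L2TP:", plaintext_l2tp_peers(SAMPLE_FLOWS))
```

Only the first peer is flagged: the others either negotiate IPsec (IKE on 500, NAT-T on 4500) or send raw ESP, so any L2TP they carry is inside the encrypted payload and never appears as UDP/1701 on the wire.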