VPN Quick Reference¶
Quick operational guide for VPN setup and diagnostics.
Implemented VPN modes in current t1n1wall¶
- IPsec: site-to-site and mobile client capabilities
- L2TP/IPsec: L2TP remote access protected by IPsec
- PPTP: available for legacy interoperability
Security posture¶
- Prefer IPsec and L2TP/IPsec for new deployments.
- Treat PPTP as legacy and avoid in new high-security designs.
- Disable unused VPN modes to reduce attack surface.
Web UI locations¶
VPN > IPsecVPN > L2TP/IPsecandVPN > L2TP/IPsec > UsersVPN > PPTPandVPN > PPTP > Users
Baseline for IPsec site-to-site¶
- Local and remote subnets exactly match design.
- Phase 1 and Phase 2 proposals align on both peers.
- Firewall policy permits intended tunneled traffic.
- Time/NTP is correct on both peers.
- No overlapping subnet design.
Baseline for L2TP/IPsec remote access¶
- L2TP/IPsec mode is enabled.
- Client pool (
remoteiprange) and server tunnel address are correct. - User credentials are present in L2TP users.
- Pre-shared key and policy match client settings.
- Firewall rules allow intended access from
l2tpclient network.
Baseline for PPTP remote access (legacy)¶
- PPTP mode is enabled and user credentials exist.
- GRE and TCP/1723 path is reachable from clients.
- Firewall rules allow intended access from
pptpclient network. - Use only when compatibility requires it.
Frequent failure causes¶
- Time/NTP drift (especially for IPsec/L2TP-IPsec)
- Identifier/key/certificate mismatch
- Phase2 subnet mismatch
- Missing route or policy on one side
- VPN pool subnet overlaps LAN/WAN subnets
Validation workflow¶
- Confirm tunnel/session establishes.
- Test reachability to one remote host.
- Test one application protocol.
- Confirm logs and states match observed behavior.