Create a L2TP VPN


This guide covers the creation of a native L2TP VPN connection. These can be used natively by MacOS and Windows devices.

Once you have completed setting up the VPN, you can configure your end devices.
MacOS - L2TP VPN - MacOS Native Client
Windows - L2TP VPN - Windows Native Client

These steps of the process are covered in this guide:

  • Creating a User Group and assigning Users

  • Creation of an L2TP IPsec VPN tunnel


Creating a User Group and assigning Users

To ensure secure access, you will start this process by creating a User Group and Users that you wish to have access to your FortiClient VPN.

Creating the User Group

  1. Navigate to the following area: “User & Authentication” > “User Groups”


  2. Enter a descriptive “Name”, leave the Type as Firewall, and press the “OK” button:


Create and assign users to the group

  1. On the “User Groups” tab, double-click on your newly created group to edit it:

  2. Now that we are in the “Edit User Group” menu, you can press the ‘+’ button next to “Members” to begin creating and assigning users:

  3. We can create our Users in the box that pops up by using the “+ Create” button:

  4. Select “+ User”:

  5. On the “Users/Groups Creation Wizard”, leave the User Type as “Local User” and click “Next”:

  6. Enter a Username and Password under the “Login Credentials” tab:

  7. Leave “Two-Factor Authentication” disabled and click “Next”:

  8. On the “Extra Info” tab, leave the “User Account Status” set as enabled.
    Press “Submit”:

  9. This process can be repeated as many times as you want for additional users, or you can create multiple users and attach them all to the User Group.
    Now that your users are created, you can click on the created User under the “Select Entries” pane. You will see that the user has appeared under the “Members” section of the User Group. You can now press “OK”:

  10. You can see that the User is listed as an active Member of the “L2TP VPN” Group:

Creating an L2TP/IPSec VPN

  1. Log in to your existing FortiGate Firewall product and go to the following tab:
    VPN > IPsec Wizard.

  2. Put a descriptive “Name” for the VPN in place > Select “Remote Access” > Select “Native” > Select “Windows Native” and press “Next”:

    Note:

    FortiGate refers to L2TP VPNs as “Windows Native” even though they can also be used natively by MacOS and can be set up on some versions of Linux.

  3. Select your “Incoming Interface” for the connection. This will typically be named VDOMNAME_wan.
    In our example, this is “CE089_wan1”. You can reference your VDOM name as shown in the screenshot.

    Leave the “Authentication method” set to “Pre-shared Key” and enter a complex one.
    I would recommend using a password generator and setting the key to 24 characters or more.

    Select the “User Group” we created earlier within this guide and press “Next”:

  4. Select the “Local Interface” as the LAN interface. This interface can be identified by its name, which will be similar to the following: VDOM_lan(VLANXXXX).

    In this example, we will select our VDOM LAN interface: “CE089_lan (VLAN3224)”.

    You will need to specify your “Local Address” range. In our example, the range has been selected as “all” under the “ADDRESS” dropdown. You can also restrict this to specific ranges by selecting an “Address” object containing the IP Range or IP Ranges that you wish the VPN to have access to:

  5. You will now need to assign a “Client Address Range” and a Subnet Mask.

    1. Enter an uncommon private IP range to utilise.
      In my example, I will go with 192.168.123.1 to 192.168.123.254.
      Confirm this range does not overlap with the existing IP range of the network your computer connects from! The start and end of the range must be separated by a “-”.

    2. Once you have entered the “Client Address Range” and “Subnet Mask” you can press “Next” as shown in the example below:

  6. On the “Review Settings” tab, ensure all of your settings are correct and press “Create”:

    This creates a firewall policy for the IP range that you designated during creation, allowing your chosen IP range to talk to the wider internet.
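Before pressing “Create”, it is worth checking the values typed into the wizard against the rules given in steps 3 and 5 above. The following script is an added example written for this guide (not FortiOS code or output); it assumes the inputs are the pre-shared key, the “Client Address Range” string in FortiGate’s start-end form, the “Subnet Mask”, and the LAN subnets your end devices connect from.

```python
"""Sanity-check IPsec Wizard inputs before creating the L2TP VPN.

Example code added to this guide; the sample values below are constructed.
"""
import ipaddress

MIN_PSK_LENGTH = 24  # the guide recommends a key of 24 characters or more
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_client_range(text):
    """Parse a FortiGate-style 'start-end' range into two IPv4 addresses."""
    if text.count("-") != 1:
        raise ValueError("client range must be written as start-end with a single '-'")
    start_s, end_s = (part.strip() for part in text.split("-"))
    start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
    if end < start:
        raise ValueError("range end precedes range start")
    return start, end


def check_wizard_inputs(psk, client_range, subnet_mask, local_subnets):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    if len(psk) < MIN_PSK_LENGTH:
        problems.append(f"pre-shared key is {len(psk)} chars; use {MIN_PSK_LENGTH} or more")
    try:
        start, end = parse_client_range(client_range)
    except ValueError as exc:
        return problems + [str(exc)]
    # The pool should sit inside one RFC 1918 block so it is never routable on the internet.
    if not any(start in net and end in net for net in RFC1918):
        problems.append("client range is not inside a single RFC 1918 private block")
    # The whole pool must fit in the subnet implied by the mask entered in the wizard.
    mask_net = ipaddress.IPv4Network((str(start), subnet_mask), strict=False)
    if end not in mask_net:
        problems.append(f"range end {end} falls outside {mask_net} implied by the subnet mask")
    # Clients keep their own LAN address while connected; the pool must not collide with it.
    for lan in local_subnets:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if start <= lan_net.broadcast_address and end >= lan_net.network_address:
            problems.append(f"client range overlaps local subnet {lan_net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the range from the guide, checked against a typical home LAN.
    for issue in check_wizard_inputs("replace-with-a-generated-24+-char-key",
                                     "192.168.123.1-192.168.123.254",
                                     "255.255.255.0", ["192.168.1.0/24"]):
        print("PROBLEM:", issue)
```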

Creating your SNAT Rule

A SNAT rule will need to be created to allow connectivity outbound for the VPN so that you can access the internet.

  1. This is done under “Policy & Objects” > “Central SNAT”. Press “Create New” to proceed:

  2. You will use the following configuration settings:

    • Incoming Interface: This is NOT the name of the L2TP VPN you created, which can cause confusion. Select the l2t.vd_XXXXX interface, where the XXXXX is representative of your VDOM as seen in the top right of your screen.

    • Outgoing Interface: Select your WAN interface for the Outgoing Interface. The name will be similar to XXXXX_wan.

    • Source Address: Specify the range you designated in the L2TP VPN configuration, which can be found by searching the L2TP VPN name and selecting it. It will have a naming convention similar to the following: “VPNNAME_range”.

    • Destination Address: Specify the IP range you want to reach on the internet, or set the value to “all”.

An example of a configuration is below. Once you have entered all settings, you can then press “OK”:

You’ve set up the VPN.


Here is how to configure your end user devices:
MacOS - L2TP VPN - MacOS Native Client
Windows - L2TP VPN - Windows Native Client

Securing your L2TP VPN

We have created a follow-on guide if you wish to further secure your L2TP connection to run on newer protocols. Click on the following link to find out more:

FortiGate - Securing your Windows L2TP tunnel