How to make my VPN more secure

I have a USG and I set up a basic L2TP VPN server using a static RADIUS user… Just not sure if I can make it a bit more secure so that only specific devices can VPN in…

Connections will mostly be made from an iPhone (98%) and a Windows 10 computer (2%).

You’d want to deploy certificates. I think the OpenVPN one is a lot easier to do because there are guides out there. The guide I found for L2TP/IPsec doesn’t work as expected.

OpenVPN is pretty great. I’ve got mine set to verify both certs and against users in the Active Directory. That way if someone gets hold of the client key there’s some measure of safeguard.

As in installing OpenVPN on a server (I could), or as in running OpenVPN on my USG?

What didn’t work? I installed a USG for a friend, and left myself an L2TP/IPsec VPN setup in case I need to access his network remotely (short term, otherwise I would have just configured a site-to-site VPN from his USG to my SRX300). The L2TP/IPsec setup works fine with Windows 10, macOS, and iOS clients.

You’re not wrong about easy OpenVPN setups, particularly some of the pre-packaged containerized versions that generate certificates and all, but L2TP/IPsec works fine. Even used their embedded RADIUS as the AAA source.

I am not really familiar with the USG since I use an EdgeRouter. I’d assume that they run the same OS underneath. If that’s the case, then there should be a way for you to add OpenVPN on it without an external server.

Another option that you could do is add MFA on your RADIUS server. While it won’t limit the devices that can talk to it, you’d have an additional layer of defense because of the MFA. Really up to you what you want to do. Personally, I like L2TP/IPsec since the majority (if not all) of OSes support it with the built-in client.

What guide did you follow for the certificate piece of the L2TP/IPsec? My L2TP/IPsec works fine with my RADIUS with Two-Factor Authentication.

When using the GUI to set up the VPN, is IPsec implemented by default?

How did you add two-factor authentication? Can’t find how to do this.

I didn’t do any certificates with L2TP. Like I said those were with OpenVPN.

Up above, you said:

The guide I found for L2TP/IPsec doesn’t work as expected.

That’s what prompted me to ask what didn’t work.

Google “usg l2tp vpn”. First result has the whole thing. Embedded AAA, L2TP over IPsec, works a treat.

Strictly speaking, L2TP on its own can be used to build a VPN, though it won’t be encrypted.

I use FreeRADIUS server with Google Authenticator. There are guides out there for that.

I could see the confusion. Though, I did say in the first sentence “you’d want to deploy certificates”. I thought that’d be enough context for the L2TP/IPsec sentence. All good. :slight_smile:

Gotcha, I’ll look it up.

…derp. Insert caffeine to continue. :slight_smile:

I don’t know if there’s a guide for the USG part though. On the EdgeRouter, you just need a few commands:

set vpn l2tp remote-access authentication mode radius
set vpn l2tp remote-access authentication radius-server <server address here> key <key here>
set vpn l2tp remote-access authentication require pap

At least, this is the one that worked for me with my EdgeRouter and Ubuntu Server edition running FreeRADIUS with Google Authenticator.
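The FreeRADIUS side of that setup, as an added illustration that is not part of this thread: the PAM stack, the users file entry, and the client entry whose secret matches the router's `key`. Debian/Ubuntu FreeRADIUS 3.0 paths and the google-authenticator-libpam module are assumed; the client address and secret are placeholders.

```conf
# --- /etc/pam.d/radiusd ---------------------------------------------------
# "radiusd" is the PAM service name FreeRADIUS's pam module uses by default.
# The VPN client sends ONE password string: <static password><6-digit TOTP>.
# forward_pass strips the trailing code, verifies it against the user's
# ~/.google_authenticator, and hands the remainder on to pam_unix.
# The daemon user (freerad) must be able to read that secret file; the
# module's secret= option can point it at a path the daemon can read.
auth    required   pam_google_authenticator.so  forward_pass
auth    required   pam_unix.so                  use_first_pass
account required   pam_unix.so

# --- /etc/freeradius/3.0/users --------------------------------------------
# Send every authentication request through PAM. The pam module must be
# enabled (ln -s ../mods-available/pam /etc/freeradius/3.0/mods-enabled/pam)
# and "pam" uncommented in the authenticate { } section of
# sites-enabled/default.
DEFAULT  Auth-Type := PAM

# --- /etc/freeradius/3.0/clients.conf -------------------------------------
# One entry per NAS. The secret must equal the <key here> value given on the
# EdgeRouter/USG "radius-server" line above.
client edgerouter {
    ipaddr = 192.0.2.1          # placeholder: the router's LAN address
    secret = CHANGE-ME-SHARED-SECRET
}
```

This only works with PAP (hence the `require pap` line above): a one-time code has to reach PAM in cleartext, while CHAP/MS-CHAP only send a hash that cannot be checked against a changing OTP. The User-Password attribute is still obfuscated with the shared secret on the RADIUS hop, and the L2TP session itself runs inside IPsec.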