Background

I am by no means a network aficionado. I’ve done limited Cisco console work in my IT career, so diving into EdgeOS still took me a couple of days to wrap my head around. It’s somewhat similar to Cisco IOS, so if you are familiar with that, keep in mind that the principles behind IOS and EdgeOS are the same; only the commands you type to get the same result differ.

I bought the EdgeRouter X mainly based on the rave reviews Steve Gibson gave on the Security Now podcast: a $70 CAD / $50 USD router that has a majority of the enterprise-level routing capabilities you see in expensive Juniper or Cisco gear, without the cost.

I wrote this walkthrough because it took me days to figure out what you NEED to do to use the EdgeRouter X as an OpenVPN client only. A lot of the information I came across also covered using it as an OpenVPN server. Some of the information wasn’t complete as a step-by-step procedure, including Ubiquiti’s own support posts, or was too involved because of someone’s personal preference (e.g. setting up only specific clients to use the VPN tunnel rather than the whole LAN).

This walkthrough will take you from unboxing the EdgeRouter X to OpenVPN client connectivity for the whole LAN, hopefully with relative simplicity. I’m writing this assuming you have a basic understanding of networking and computer terms. Feedback on how to make this guide better is welcome in the comments!

Initial Setup

The EdgeRouter X does NOT come pre-configured with DHCP services like most consumer routers do. As a result, you will have to do a couple of steps to get it into a “store-bought” state.

  1. Statically assign your computer’s network adapter to the 192.168.1.0/24 subnet and physically connect to the eth0 port.
  2. Head over to https://192.168.1.1/ in your browser. Log in with the default credentials:
    • username: ubnt
    • password: ubnt
  3. Click on the Wizards tab and go through the WAN+2LAN2 setup.
    • This wizard will configure eth0 to be your WAN port, and eth1, eth2, eth3, and eth4 as LAN ports.
      • “But I’m using eth0 right now to talk to the router!” I know. Continue anyway.
    • This wizard also configures DHCP services for your LAN.
      • Note: for ease and simplicity of the overall configuration (post OpenVPN client setup), set your DNS servers within the DHCP scope to Google (8.8.8.8 / 8.8.4.4) or Level3 (4.2.2.2 / 4.2.2.3). Doing so will allow you to use the same DHCP leases and DNS settings on your LAN for both VPN and non-VPN connections.
  4. Once the wizard is complete and the router reboots, switch your physical network connection from eth0 to eth1, and plug your internet connection into eth0.
    • “Oh, I see what you did there…”

Now that the basics are done and we have a typical “store-bought” router setup (1x WAN, 4x LAN) to work with, we can start creating our OpenVPN client connection.

OpenVPN Client Setup

These steps are how I personally got OpenVPN working with TorGuard on both their Shared IP and Static IP services. There might be better ways to do this, and I may not be running efficient routes as a result (remember, I’m not a network guru), but after sifting through online tutorials for 3 days, I can assure you this will get you up and running with the fewest steps and commands.

There are 4 basic steps involved.

  • Create / download / have access to your VPN provider’s *.ovpn file
  • Transfer the *.ovpn file (and certificates, if required) to the router
  • Create an interface on the router that points to the *.ovpn file (and certs) for its configuration
  • Set a source NAT rule that masquerades all your LAN traffic out of the VPN connection

I will be showing you two different ways of configuring things. The Using Certs section will go over how I set up access to TorGuard’s Shared IP service, which involved pointing to separate certificate and key files in the OpenVPN config. The Using JUST the *.ovpn File section will go over how I set up access to TorGuard’s Static IP service using, you guessed it, just the *.ovpn file (which has the certificate and key information built into it).

Using Certs

These steps set up the EdgeRouter X as an OpenVPN client for providers that use separate certificate and key files in conjunction with the *.ovpn file.

1.) Download the config files from TorGuard’s download page (or from your VPN provider). I used the OpenVPN UDP config files.

  • Unzip the files and choose the Shared IP site that you want to connect to. In my case, it was TorGuard.USA-SEATTLE.ovpn

2.) Create a new text file called pass.txt.

  • Put the username for your VPN service on the first line, and the password for the VPN service on the second line.
  • Save the file.

3.) Edit the *.ovpn file with any text editor and adjust the following:

  • on the line that says ‘ca’, make it:
    • ca /config/auth/ca.crt
  • on the line that says ‘tls-auth’, make it:
    • tls-auth /config/auth/ta.key 1
  • on the line that says ‘auth-user-pass’, make it:
    • auth-user-pass /config/auth/pass.txt
  • Save the changes.
  • Note: depending on your service provider, the ca and remote-cert-tls lines in the *.ovpn file might need to point to *.pem files instead. Check with your service provider for the necessary adjustments.

4.) Transfer the following files over to the EdgeRouter X via SSH. You can use FileZilla to do it with a GUI, or you can use SCP to do it from the command line; either works.

  • the *.ovpn file goes to /config/
  • the *.crt / *.pem / *.key files go to /config/auth/
  • the pass.txt file also goes to /config/auth/

5.) Open an SSH command line (using Terminal on macOS, PuTTY on Windows, or the CLI button within the router’s config page) and:

  • Log into the router:
    • ssh ubnt@192.168.1.1
  • issue the following commands:
    • # configure
      # set interfaces openvpn vtun0 config-file /config/nameofyourconnection.ovpn
      # commit
      # save
  • AS SOON AS YOU COMMIT, THE VPN TUNNEL WILL BE INITIATED.
    • Be prepared to be offline if things go right! Step 6 will get you back online (via the VPN)
  • You can now go to the router’s web console page and see that a new vtun0 interface has been added to the Dashboard. This is where you can Enable / Disable the interface to turn on/off the VPN connection.
    • The interface will always say Connected even when it is disabled. That is ok, as the masquerades in Step 6 will determine where your LAN traffic goes.
  • Note 1: nameofyourconnection refers to the name of the .ovpn file that you transferred to the /config/ directory in Step 4.
  • Note 2: if there’s a way to do this via the EdgeRouter X’s Config Tree, please let me know and I’ll add it to the guide, as this is the only part of the process that I found REQUIRES the command line.

6.) Add a LAN masquerade to send your LAN traffic out of the new vtun0 interface

  • In the router’s admin webpage (https://192.168.1.1), click on Firewall/NAT, then click on the NAT tab.
  • Click the Add Source NAT Rule button
    • Description – ‘masquerade for vtun0’
    • Outbound Interface – select ‘vtun0’
    • Translation – select ‘Use Masquerade’
    • Protocol – select ‘All protocols’
    • Click Save
  • Drag the new vtun0 line above the WAN line, then click ‘Save Rule Order’
    • This ensures that the vtun0 masquerade is evaluated before the WAN one. When the VPN tunnel is active, the vtun0 masquerade is used. When the tunnel is disabled, the WAN masquerade is used.

If something goes wrong, you can check the Logs to see if there were any issues establishing the OpenVPN connection.

  • In the router’s admin webpage (https://192.168.1.1), click on Toolbox, then Log Monitor
  • See if there are any messages that say:
    • “Initialization Sequence Completed” – which indicates the connection was successful, or
    • “xxxxx.xxx file not found” – which means there’s a typo / mismatch between the *.ovpn file and the files on the router. Check and fix your paths and file names.

Using JUST the *.ovpn File

TorGuard has this nifty feature where they will generate a *.ovpn file for the connection of your choosing with the certificate info embedded in the file. This makes setting up the connection even easier, as the only adjustment you need to make to the *.ovpn file is to point the ‘auth-user-pass’ line to your pass.txt file in /config/auth.

Here’s the setup step by step.

1.) Download the *.ovpn config file and confirm (using a text editor) that it has your provider’s certificate info embedded in it.

2.) Create a new text file called pass.txt.

  • Put the username for your VPN service on the first line, and the password for the VPN service on the second line.
  • Save the file.

3.) Edit the *.ovpn file with any text editor and adjust the following:

  • on the line that says ‘auth-user-pass’, make it:
    • auth-user-pass /config/auth/pass.txt
  • Save the changes.

4.) Transfer the following files over to the EdgeRouter X via SSH. You can use FileZilla to do it with a GUI, or you can use SCP to do it from the command line; either works.

  • the *.ovpn file goes to /config/
  • the pass.txt file also goes to /config/auth/

5.) Open an SSH command line (using Terminal on macOS, PuTTY on Windows, or the CLI button within the router’s config page) and:

  • Log into the router:
    • ssh ubnt@192.168.1.1
  • issue the following commands:
    • # configure
      # set interfaces openvpn vtun0 config-file /config/nameofyourconnection.ovpn
      # commit
      # save
  • AS SOON AS YOU COMMIT, THE VPN TUNNEL WILL BE INITIATED.
    • Be prepared to be offline if things go right! Step 6 will get you back online (via the VPN)

6.) Add a LAN masquerade to send your LAN traffic out of the new vtun0 interface

  • In the router’s admin webpage (https://192.168.1.1), click on Firewall/NAT, then click on the NAT tab.
  • Click the Add Source NAT Rule button
    • Description – ‘masquerade for vtun0’
    • Outbound Interface – select ‘vtun0’
    • Translation – select ‘Use Masquerade’
    • Protocol – select ‘All protocols’
    • Click Save
  • Drag the new vtun0 line above the WAN line, then click ‘Save Rule Order’

Super simple.
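The same mistake breaks both the Using Certs and the single-file variants: a path inside the *.ovpn that does not match what was actually copied to /config, which shows up in the Log Monitor as the “file not found” message from the troubleshooting step. As an added example (not from the original post, and run on your workstation before Step 4 rather than on the router), this POSIX shell check reads the edited *.ovpn, verifies that every file it references under /config/ exists in a local staging directory mirroring the router’s /config layout, and checks that pass.txt has exactly the two lines OpenVPN expects; the staging layout and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an edited *.ovpn file
# BEFORE copying it to the EdgeRouter, so the "file not found" failure from the
# troubleshooting step is caught on the workstation. Assumes a local staging
# directory laid out like the router's /config (the .ovpn at its root; certs,
# keys and pass.txt under auth/) and that the .ovpn uses absolute /config/... paths.

# check_ovpn <staging_dir> <ovpn_file>
# Returns 0 when every file referenced by ca/cert/key/tls-auth/auth-user-pass is
# staged and pass.txt has exactly two lines (username, password); 1 otherwise.
check_ovpn() {
  stage=$1; ovpn=$2; rc=0
  for d in ca cert key tls-auth auth-user-pass; do
    # First argument after the directive. sub() strips the CR of CRLF line endings
    # left by Windows editors, which would otherwise become part of the path.
    path=$(awk -v d="$d" '{ sub(/\r$/, "") } $1 == d && NF >= 2 { print $2; exit }' "$ovpn")
    [ -z "$path" ] && continue   # directive absent, or given as an inline <ca>...</ca> block
    case $path in
      /config/*) staged="$stage${path#/config}" ;;
      *) echo "$d: '$path' is not an absolute /config/... path" >&2; rc=1; continue ;;
    esac
    if [ ! -f "$staged" ]; then
      echo "$d: $path is not staged at $staged" >&2; rc=1; continue
    fi
    if [ "$d" = auth-user-pass ]; then
      # OpenVPN reads the username from line 1 and the password from line 2
      n=$(awk 'END { print NR }' "$staged")
      [ "$n" -eq 2 ] || { echo "auth-user-pass: $path has $n line(s), expected 2" >&2; rc=1; }
    fi
  done
  return $rc
}

# Constructed demo: a staging tree with a correct config and one whose tls-auth
# line names a key file that was never copied.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/auth"
printf 'vpnuser\nvpnpassword\n' > "$DEMO/auth/pass.txt"
: > "$DEMO/auth/ca.crt"
: > "$DEMO/auth/ta.key"
printf 'client\nremote vpn.example.invalid 1194\r\nca /config/auth/ca.crt\r\ntls-auth /config/auth/ta.key 1\r\nauth-user-pass /config/auth/pass.txt\r\n' > "$DEMO/good.ovpn"
sed 's#ta\.key#missing.key#' "$DEMO/good.ovpn" > "$DEMO/bad.ovpn"

check_ovpn "$DEMO" "$DEMO/good.ovpn" && echo "good.ovpn: every referenced file is staged"
check_ovpn "$DEMO" "$DEMO/bad.ovpn" || echo "bad.ovpn: fix the paths before transferring"
```

Point it at your real staging directory and .ovpn once the demo passes; a clean run means the file names the router will look for are the ones you are about to copy.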

I wish I had known about the single *.ovpn option before I started, as my vtun0 is set up using certs (for the Shared IP VPN), but my vtun1 is set up using a single config file (for the Static IP VPN).

What’s next on my config list?

Well, in reality, I don’t need the Shared IP VPN (vtun0) on the router; I just need that on my computer, and TorGuard has a Mac client for that. What I will likely want as a permanent setup is for the Apple TV to use the Static IP VPN (vtun1). The next configuration goal will be to:

  • set up a DHCP static assignment for the Apple TV (easy to do in the UI)
  • set up a client group that the Apple TV will be a part of
  • assign that client group to the vtun1 connection.

Once complete, all devices will use the WAN except the Apple TV, which will always use vtun1. That way I won’t have to start up and shut down vtun1 on the router to use the Static IP VPN with the Apple TV.

Thanks for reading, feel free to comment on how I can make this guide better without getting into too much custom work.

Cheers.