Background
I am by no means a network aficionado. I’ve done limited Cisco console work in my IT career, so diving into EdgeOS still took me a couple of days to wrap my head around. It’s somewhat similar to Cisco IOS, so if you have familiarity with that, keep in mind that the principles are the same between IOS and EdgeOS; only the commands used to get a given job done differ.
I bought the EdgeRouter X mainly based on the rave reviews Steve Gibson gave on the Security Now podcast: a $70 CAD / $50 USD router that has a majority of the enterprise-level routing capabilities that you see in expensive Juniper or Cisco gear, without the cost.
I wrote this walkthrough because it took me days to figure out what you NEED to do to use the EdgeRouter X as an OpenVPN client only. A lot of the information I came across also covered using it as an OpenVPN server. Also, some of the information wasn’t instructionally (step-by-step) complete, including Ubiquiti’s own support posts, or was too involved because of someone’s personal preference (e.g. setting up only specific clients to use the VPN tunnel rather than the whole LAN).
This walkthrough will take you from unboxing the EdgeRouter X to OpenVPN client connectivity for the whole LAN, hopefully with relative simplicity. I’m writing this assuming you have a basic understanding of networking and computer terms. Feedback on how to make this guide better is welcome in the comments!
Initial Setup
The EdgeRouter X does NOT come pre-configured with DHCP services like most commercial routers do. As a result, you will have to do a couple of steps to get it into a “store-bought” state.
- Statically assign your computer’s network adapter to the 192.168.1.0/24 subnet and physically connect to the eth0 port.
- Head over to https://192.168.1.1/ in your browser. Log in with the default credentials:
- username: ubnt
- password: ubnt
- Click on the Wizards tab and go through the WAN+2LAN2 setup.
- This wizard will configure eth0 to be your WAN port, and eth1, eth2, eth3, and eth4 as LAN ports.
- “But I’m using eth0 right now to talk to the router!” I know. Continue any way.
- This wizard also configures DHCP services for your LAN.
- Note: for ease and simplicity of the overall configuration (post OpenVPN client setup), set your DNS servers within the DHCP scope to Google (8.8.8.8 / 8.8.4.4) or Level3 (4.2.2.2 / 4.2.2.3). Doing so will allow you to use the same DHCP leases and DNS settings on your LAN for both VPN and non-VPN connections.
- Once the Wizard is complete and router reboots, switch your physical network connection from eth0 to eth1, and plug your internet connection into eth0.
- “Oh, I see what you did there…”
Now that the basics are done and we have a typical “store-bought” router setup (1x WAN, 4x LAN) to work with, we can start creating our OpenVPN client connection.
OpenVPN Client Setup
These steps are how I personally got OpenVPN working with TorGuard on both their Shared IP and Static IP services. There might be better ways to do this, and I may not be running efficient routes as a result (remember, I’m not a network guru), but after sifting through online tutorials for 3 days, I can assure you this will get you up and running with the least amount of steps & commands.
There are 4 basic steps involved.
- Create / download / have access to your VPN provider’s *.ovpn file
- Transfer the *.ovpn file (and certificates, if required) to the router
- Create an interface on the router pointing to the *.ovpn file (and certs) for its configuration
- Set a source NAT rule masquerading (routing) all your LAN traffic to the VPN connection.
I will be showing you two different ways of configuring things. The Using Certs section will go over how I set up access to TorGuard’s Shared IP service, which involved pointing to separate certificate and key files in the OpenVPN config. The Using JUST the *.ovpn File section will go over how I set up access to TorGuard’s Static IP service using, you guessed it, just the *.ovpn file (which has the certificate and key information built into it).
Using Certs
These steps set up the EdgeRouter X as an OpenVPN client with providers that use separate certificate and key files in conjunction with the *.ovpn file.
1.) Download the config files from TorGuard’s download page (or from your VPN provider). I used the OpenVPN UDP config files.
- Unzip the files and choose the Shared IP site that you want to connect to. In my case, it was TorGuard.USA-SEATTLE.ovpn
2.) Create a new text file called pass.txt.
- Put the username for your VPN service on the first line, and the password for the VPN service on the second line.
- Save the file.
3.) Edit the *.ovpn file with any text editor and adjust the following:
- on the line that says ‘ca’, make it:
    ca /config/auth/ca.crt
- on the line that says ‘tls-auth’, make it:
    tls-auth /config/auth/ta.key 1
- on the line that says ‘auth-user-pass’, make it:
    auth-user-pass /config/auth/pass.txt
- Save the changes.
- Note: depending on your service provider, the ca and remote-cert-tls lines in the *.ovpn file might need to point to *.pem files instead. Check with your service provider for the necessary adjustments.
4.) Transfer the following files over to the EdgeRouter X over SSH. You can use FileZilla (SFTP) to do it with a GUI, or scp from the command line; either works.
- the *.ovpn file goes to /config/
- the *.crt / *.pem / *.key files go to /config/auth/
- the pass.txt file also goes to /config/auth/
5.) Open an SSH command line (using Terminal on macOS, PuTTY on Windows, or the CLI button within the router’s config page) and:
- Log into the router:
    ssh ubnt@192.168.1.1
- issue the following commands, one per line:
    configure
    set interfaces openvpn vtun0 config-file /config/nameofyourconnection.ovpn
    commit
    save
- AS SOON AS YOU COMMIT, THE VPN TUNNEL WILL BE INITIATED.
- Be prepared to be offline if things go right! Step 6 will get you back online (via the VPN)
- You can now go to the router’s web console page and see that a new vtun0 interface has been added to the Dashboard. This is where you can Enable / Disable the interface to turn on/off the VPN connection.
- The interface will always say Connected even when the interface is disabled. That is ok, as the masquerades in Step 6 will determine where your LAN traffic goes.
- Note 1: nameofyourconnection refers to the name of the .ovpn file that you transferred to the /config/ directory in Step 4.
- Note 2: if there’s a way to do this via the EdgeRouter X’s Config Tree, please let me know and I’ll add it to the guide, as this is the only part of the process that I found that REQUIRES command line.
6.) Add a LAN masquerade to point your LAN traffic to the new vtun0 interface
- In the router’s admin webpage (https://192.168.1.1), click on Firewall/NAT, then click on the NAT tab.
- Click the Add Source NAT Rule button
- Description – ‘masquerade for vtun0’
- Outbound Interface – select ‘vtun0’
- Translation – select ‘Use Masquerade’
- Protocol – select ‘All protocols’
- Click Save
- Drag the new vtun0 line above the WAN line, then click ‘Save Rule Order’
- This ensures that the rule sending LAN traffic to the VPN is processed before the WAN rule. When the VPN tunnel is active, the vtun0 masquerade is used; when the tunnel is disabled, the WAN masquerade is used.
If something goes wrong, you can check the Logs to see if there were any issues establishing the OpenVPN connection.
- In the router’s admin webpage (https://192.168.1.1), click on Toolbox, then Log Monitor
- See if there are any messages that say:
- “Initialization Sequence Completed” – which indicates the connection was successful, or
- “xxxxx.xxx file not found” – which means there’s a typo / mismatch between the paths in the *.ovpn file and the files on the router. Check & fix your paths & file names.
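To make that log check concrete, here is a small triage script, added for this guide and not part of the original post or of EdgeOS, that classifies saved OpenVPN log lines into connected / missing file / bad credentials. The three strings it matches are OpenVPN’s own messages; the sample lines it runs on are constructed for the example (timestamps, host name and PIDs are made up), and it assumes you have saved the Log Monitor output to a file.

```shell
#!/bin/sh
# Added example (not from the original post): triage saved OpenVPN log lines
# the way you would by eye in Toolbox > Log Monitor.
# Assumptions: POSIX sh with grep and sed; the sample lines below are
# constructed for this example, only the matched OpenVPN strings are real.

# triage_openvpn_log <logfile>
# Prints one verdict and returns 0 (connected), 2 (a referenced file is
# missing: fix the path in the *.ovpn or the upload), 3 (AUTH_FAILED: check
# pass.txt) or 1 (nothing conclusive yet). File errors are checked first
# because OpenVPN exits on them; re-run on fresh lines after you fix and commit.
triage_openvpn_log() {
    if grep -q 'No such file or directory' "$1"; then
        # OpenVPN names the offending option and path as: --ca fails with '<path>'
        path=$(sed -n "s/.*fails with '\([^']*\)'.*/\1/p" "$1" | head -n 1)
        echo "missing-file:${path:-unknown}"
        return 2
    fi
    if grep -q 'AUTH_FAILED' "$1"; then
        echo "auth-failed"
        return 3
    fi
    if grep -q 'Initialization Sequence Completed' "$1"; then
        echo "connected"
        return 0
    fi
    echo "no-verdict"
    return 1
}

# Demo on constructed samples (timestamps, host and PIDs are made up).
demo() {
    d=$(mktemp -d)
    cat > "$d/good.log" <<'EOF'
Jan 10 20:15:01 ubnt openvpn[1234]: TLS: Initial packet from [AF_INET]203.0.113.10:1194
Jan 10 20:15:03 ubnt openvpn[1234]: Initialization Sequence Completed
EOF
    cat > "$d/typo.log" <<'EOF'
Jan 10 20:20:01 ubnt openvpn[1240]: Options error: --ca fails with '/config/auth/ca.cert': No such file or directory (errno=2)
Jan 10 20:20:01 ubnt openvpn[1240]: Options error: Please correct these errors.
EOF
    cat > "$d/creds.log" <<'EOF'
Jan 10 20:25:05 ubnt openvpn[1250]: AUTH: Received control message: AUTH_FAILED
Jan 10 20:25:05 ubnt openvpn[1250]: SIGTERM[soft,auth-failure] received, process exiting
EOF
    for f in good typo creds; do
        printf '%s -> ' "$f"
        triage_openvpn_log "$d/$f.log" || true
    done
    rm -rf "$d"
}
demo
```

The verdict string carries the path OpenVPN complained about, so a typo like ca.cert versus ca.crt is visible without scrolling the log.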
Using JUST the *.ovpn File
TorGuard has this nifty feature where they will create a *.ovpn file for the connection of your choosing and include the cert info in the file. This makes setting up the connection even easier, as the only adjustment you need to make to the *.ovpn file is to point the ‘auth-user-pass’ line to your pass.txt file in /config/auth.
Here’s the setup step by step.
1.) Download the *.ovpn config file and confirm (using a text editor) that it has your provider’s certificate and key info embedded in it.
2.) Create a new text file called pass.txt.
- Put the username for your VPN service on the first line, and the password for the VPN service on the second line.
- Save the file.
3.) Edit the *.ovpn file with any text editor and adjust the following:
- on the line that says ‘auth-user-pass’, make it:
    auth-user-pass /config/auth/pass.txt
- Save the changes.
4.) Transfer the following files over to the EdgeRouter X over SSH. You can use FileZilla (SFTP) to do it with a GUI, or scp from the command line; either works.
- the *.ovpn file goes to /config/
- the pass.txt file also goes to /config/auth/
5.) Open an SSH command line (using Terminal on macOS, PuTTY on Windows, or the CLI button within the router’s config page) and:
- Log into the router:
    ssh ubnt@192.168.1.1
- issue the following commands, one per line:
    configure
    set interfaces openvpn vtun0 config-file /config/nameofyourconnection.ovpn
    commit
    save
- AS SOON AS YOU COMMIT, THE VPN TUNNEL WILL BE INITIATED.
- Be prepared to be offline if things go right! Step 6 will get you back online (via the VPN)
6.) Add a LAN masquerade to point your LAN traffic to the new vtun0 interface
- In the router’s admin webpage (https://192.168.1.1), click on Firewall/NAT, then click on the NAT tab.
- Click the Add Source NAT Rule button
- Description – ‘masquerade for vtun0’
- Outbound Interface – select ‘vtun0’
- Translation – select ‘Use Masquerade’
- Protocol – select ‘All protocols’
- Click Save
- Drag the new vtun0 line above the WAN line, then click ‘Save Rule Order’
Super simple.
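Steps 2 through 4 of both variants above are the same mechanical edit: point ca / tls-auth / auth-user-pass at /config/auth/ and make sure the files you upload match the names the *.ovpn now references. The script below is an added example for this guide (not from the original post, and not a Ubiquiti or TorGuard tool) that does that edit with awk on your workstation and checks pass.txt and the referenced files before you scp anything. It goes a little beyond Step 3 by handling any file directive (cert, key, tls-crypt as well) and keeping whatever file name the provider used, so a ca.pem stays ca.pem. The .ovpn and certificate contents in the demo are constructed placeholders; ubnt@192.168.1.1 is the router address from the guide.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a provider's *.ovpn file
# for the EdgeRouter X layout used in this guide, i.e. point every file
# directive at /config/auth/ and point auth-user-pass at pass.txt, then check
# the pieces before you transfer them. Run it on your workstation.
# Assumptions: POSIX sh with awk, grep and mktemp; your local staging directory
# holds the same files you will copy to /config/auth/ on the router.

# rewrite_ovpn <in.ovpn> <out.ovpn>
# Copies the file, rewriting only the directives that name files. The original
# file name is kept (ca.crt stays ca.crt, a provider's ca.pem stays ca.pem) and
# trailing fields such as the tls-auth key direction are preserved. CRLF line
# endings from a Windows-edited file are normalised on the way through.
rewrite_ovpn() {
    awk '
        { sub(/\r$/, "") }
        $1 == "auth-user-pass" { print "auth-user-pass /config/auth/pass.txt"; next }
        $1 ~ /^(ca|cert|key|tls-auth|tls-crypt)$/ && NF >= 2 {
            n = split($2, p, "/"); line = $1 " /config/auth/" p[n]
            for (i = 3; i <= NF; i++) line = line " " $i
            print line; next
        }
        { print }
    ' "$1" > "$2"
}

# check_pass <pass.txt>
# Succeeds only if the file is exactly two non-empty lines: username, password.
check_pass() {
    awk 'NF { n++ } END { exit (NR == 2 && n == 2) ? 0 : 1 }' "$1"
}

# check_refs <ready.ovpn> <staging_dir>
# For each /config/auth/<name> referenced by the rewritten file, verify that
# <staging_dir>/<name> exists locally. A missing file here is exactly the
# "file not found" you would otherwise only discover in the router's log.
check_refs() {
    missing=0
    for f in $(awk '$1 ~ /^(ca|cert|key|tls-auth|tls-crypt|auth-user-pass)$/ { print $2 }' "$1"); do
        name=${f##*/}
        if [ ! -f "$2/$name" ]; then
            echo "missing in $2: $name (referenced by $1)" >&2
            missing=1
        fi
    done
    return $missing
}

# Demo on constructed input (not a real provider file; the .crt/.key are empty
# placeholders standing in for the files your provider ships).
demo() {
    d=$(mktemp -d)
    cat > "$d/provider.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
tls-auth ta.key 1
auth-user-pass
verb 3
EOF
    printf 'vpnuser\nvpnpassword\n' > "$d/pass.txt"
    : > "$d/ca.crt"
    : > "$d/ta.key"
    rewrite_ovpn "$d/provider.ovpn" "$d/ready.ovpn"
    if check_pass "$d/pass.txt" && check_refs "$d/ready.ovpn" "$d"; then
        echo "ready: scp $d/ready.ovpn ubnt@192.168.1.1:/config/"
        echo "       scp $d/ca.crt $d/ta.key $d/pass.txt ubnt@192.168.1.1:/config/auth/"
    fi
    rm -rf "$d"
}
demo
```

Run it against the real provider file and a staging directory holding the real ca.crt, ta.key and pass.txt; if check_refs prints nothing, the names on the router will match what the *.ovpn asks for after Step 4.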
I wish I had known about the single *.ovpn option before I started, as my vtun0 is setup using certs (for shared IP VPN), but my vtun1 is setup using a single config file (for static IP VPN).
What’s next on my config list?
Well, in reality, I don’t need Shared IP VPN (vtun0) on the router; I just need that on my computer, and TorGuard has a Mac client for that. What I will likely want as a permanent setup is the Apple TV using the Static IP VPN (vtun1). The next configuration goal will be to:
- setup a DHCP static assignment for the Apple TV (easy to do in the UI)
- setup a client-group that the Apple TV will be a part of
- assign that client-group to the vtun1 connection.
Once complete, I’ll be able to have all devices use the WAN, except for the Apple TV, which will always use vtun1. That way I won’t have to start up and shut down vtun1 on the router to use the static IP VPN with the Apple TV.
Thanks for reading, feel free to comment on how I can make this guide better without getting into too much custom work.
Cheers.
Great write-up! I have a couple of questions. My Openvpn remote server was setup with Roadwarrior script for ease. I require no username/password. My authentication is based on a pre-shared key. So, my *.ovpn file has no “auth-user-pass” line. However, there is an “auth” for hash level (SHA512).
Thanks! Looks like your comment might be incomplete. Happy to answer any questions.
I went through this last night & the hash tags threw me. I tried it 5 or 6 times but I didn’t get vtun0 showing up in my dashboard?
Great post, very helpful. Can you expand your guide with instruction for setting up the openvpn tunnel with a pppoe interface? thanks.
Hi, you saved me *days* of figuring out how to set this up. Thank you!
You’re welcome!
Hi, first of all, let me thank you for your 5 stars guide 😉
I have done as you said (including the part Drag the new vtun0 line above the WAN line, then click ‘Save Rule Order’), and my vpn connection is up and running!
but I have on question
If for any circumstances my vpn connection falls down (due to vpn server side), I can’t access the internet? Do I need to have a sort of backup in case my vpn falls down to allow my local devices to surf on the internet?
TIA
Hi, thanks for the feedback! Glad you found it useful.
To answer your question, if the remote VPN server is having “getting your traffic out to the internet” issues, you’re right in that you would not be able to access the internet. In that case, you would simply need to access the router’s webpage and disable the vtun0 interface. Once disabled, the LAN masquerade would automatically flip back over to using the WAN interface.
If the VPN server was having “accepting client connections” issues, vtun0 may eventually go back to being disabled (due to connection attempt timeouts). Once the connect attempts time out, the interface would go back to being disabled and you’d be online again. Don’t quote me on that though, because I haven’t used the ER-X as a router in a while. I’m currently using the USG, and the ER-X (at the moment) is a switch. It may be the case that the ER-X would try to connect continuously to the vpn server, so vtun0 would always remain enabled and stop you from getting out to the internet. If that’s the case, same as above, you would have to disable vtun0 to resume having a normal internet connection.
Cheers!
Hello,
great article. Please do follow up when you setup the client group for the apple tv.
Thanks for the feedback. Not sure when I’ll be able to do a follow up (using a USG now instead of the ERX), but I’ll update this post once I do.
Cheers!
Hello, I followed all steps (used the *.ovpn directly). I use pivpn to create the *.ovpn.
To test this file I used it in a vpn-client (Viscosity). I made several ovpn for multiple clients. All work fine using a windows client. When I try to setup the edgerouter as a client I get no error but it doesn’t connect as a client. Any suggestions.
Hi, great guide.
Got my VPN tunnel up and running. I can access ‘the other site’ by accessing the webserver. I even can SSH to the server, but for some reason I cannot make my softphone on my computer register? Anyone any experience …. (already disabled SIP ALG)
Hi, Thanks a lot for this article !
My EdgeRouter has v2.0.6 and I had to replace the line
“auth-user-pass /config/auth/pass.txt” with “askpass” because this option doesn’t exist anymore in the new openvpn version.
I’ve tried “askpass /config/auth/pass.txt” but I can’t manage to make it work.
I have also replaced the line “dev tun” with “dev-type tun” because my openvpn server is a PiVPN but I’m not sure it’s useful.
My throughput is 16 Mbps down and 20 Mbps up with the VPN enabled.
Great write up… Did you do the next configuration bit you mentioned, i.e. ‘Well, in reality, I don’t need Shared IP VPN (vtun0) on the router, I just need that on my computer, and TorGuard has a Mac client for that. What I will likely want as a permanent set up is the Apple TV to using the Static IP VPN (vtun1).’ I am trying to do a similar thing (have eth1/2 using WAN and eth3 using vpn etc) and struggling.
Thanks! I haven’t done any follow ups on this since writing this article, as I’ve switch over to a USG as my main router. The wife is asking for US Netflix again though (I’m in Canada), and with me working from home, this desired configuration is going to be a must. I’ll do a follow up article when the setup is complete.
Wow! Exactly what I was looking for!!! Super thanks! My VPN provider also gave me the all-inclusive ovpn file and I was looking for a way to configure this as a client on the EdgeRouter. Hard to find until I found this article. Made my config efforts a breeze…..first-time-right!
I know it’s been a while since you put this up, but it is helpful. I would like to setup my edgerouter to connect to our openVPN and work, but we do not use a user and password, instead we use certs and the OVPN file is locked with a pre-shared key (just a password). So how does that change your instructions?
Thanks!
This worked perfectly for me, however I did what you mentioned near the end (only routing specific IPs over the TorGuard/OVPN connection and the rest using your WAN), unfortunately ONLY the machines I sent out over the OVPN were working; I could not get the rest of my LAN to go out over the standard WAN interface. Any suggestions?
Great guide, could you please add instructions to put a single ip (a TV ) on the VPN? Do I need to set it up as WAN+2LAN2?
Ryan – was able to get the tunnel active no problem. I’m still having some problems. I’m trying to just have my TV on x.x.x.39 or eth2 tunnel. Also, seems that new DNS servers should be sent but doesn’t. How can I do that?
Hello Ryan, I got everything working per the example above. However I need just my TV port on my router, either by IP address or physical port, to use the tunnel. Or maybe a group of ports for the different TVs in my house. I’d really like to hear from you or anyone who knows how.
What if we want to remove the VPN how to do this for the single file ovpn method? Thanks for this btw!
Hi Ryan,
This was great- thanks. It worked on the first try, as opposed to my attempts to do something similar with pfSense which required a lot more effort to figure out.
One thing to point out that might help someone in the future: the OpenVPN configuration file from my particular VPN provider did not have the “auth-user-pass” line. Instead it has “auth SHA512”. I left it as-is and when I set up the interface via the Edge CLI, it asked me for my VPN username and password. Works fine.
Great howto!
What about next steps (VPN only for certain devices)?
I was trying to do it myself, but finished with router reset.