How to Set Up an EdgeRouter as a VPN Client

VPN clients have become really popular over the last couple of years, and for good reason. They protect your privacy and allow you to use the internet without any restrictions (think of watching Netflix series that are not available in your country yet).

The downside of a VPN is that you need a client on your device to connect to the VPN server, something that isn’t possible with your smart TV, for example. With an EdgeRouter, though, you can set up the VPN for your whole network.

In this article, I will explain how you can set up the EdgeRouter as a VPN client for the two largest VPN providers, NordVPN and ExpressVPN.

NordVPN and EdgeRouter

So let's start with setting up NordVPN on the EdgeRouter. You will need your login credentials from NordVPN, PuTTY to connect to your EdgeRouter over SSH, and WinSCP to upload a file to the router.

  1. Create a file on your computer and name it vpnauth.txt. Open the file and type in your NordVPN username and password, each on its own line:

    username
    password
  2. Next, we need to download the NordVPN server configuration. NordVPN has a great tool to find the best server near your location, which you can find here: https://nordvpn.com/servers/tools/.
    In the recommended server block (left side) click on Show all protocols and download the OpenVPN UDP config.

  3. Open the configuration file (right-click it and open it with Notepad). We need to make two changes in the file:

    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull

    Save the file.
  4. Now we need to upload the file to our router. Open WinSCP and connect to your router: enter the IP address of the router (if you don’t know the IP address of your router, you can check this article) and your username and password.

    Click on Login. You will get a security warning and a warning from the EdgeRouter itself. Click OK for both warnings.
  5. On the right side in WinSCP, you will see the files on your EdgeRouter. By default, you will be in the folder /home/ubnt. Click on the root folder icon to navigate to the root of the EdgeRouter. You will now see a lot more folders, including config.

    Open the config folder and create a new folder with the name auth. Set the permissions to 0777.
  6. Upload the username password file that we created in step 1 and the configuration file from step 4 to the new folder.
  7. Open PuTTY and connect to your EdgeRouter.

    Log in with the username ubnt and the password of your EdgeRouter.
  8. Enter the commands below:
# Enter configuration mode on your EdgeRouter. You can leave it with exit.
configure

# We uploaded the files to /config/auth.
# REPLACE us4313.nordvpn.com.udp.ovpn with the name of the file that you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/us4313.nordvpn.com.udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

# Masquerade traffic from the LAN (192.168.1.0/24 in this example) that leaves through vtun0.
set service nat rule 5000 description 'OpenVPN Clients'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
commit

# Routing table 1 sends all traffic to vtun0. The SOURCE_ROUTE rule places traffic
# from 192.168.1.0/24 in that table and is applied to traffic entering switch0.
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

The configuration is applied after you have pressed save. To check if the VPN client is working on the EdgeRouter, you can enter the following command:

run show log

At the end of the log file, you will see Initialization Sequence Completed. This means that your EdgeRouter is successfully connected to the NordVPN servers.

ExpressVPN Configuration for the EdgeRouter

The configuration for ExpressVPN is pretty much the same, only a few steps are different. Just like with NordVPN, we need to get an authentication file and configuration file to get started.

  1. Create an account on ExpressVPN.com and go to My Account on the menu. Click on Setup ExpressVPN and then choose Manual Config. Download the configuration file (my_expressvpn_county_city_udp.ovpn).
  2. Open the configuration file with Notepad. Change the following:

    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull

    Save the file.
  3. Next, create a new file on your computer and name it vpnauth.txt. Open the file and type in your ExpressVPN username and password. You will find these in the My Account section, where you also downloaded the configuration file.

    Make sure that the username and password are each on their own line.
  4. We need to upload the files to the EdgeRouter and connect to the router with SSH. Follow steps 4 to 7 from the NordVPN section above.
  5. After you have uploaded both files to your router, we can enter the configuration:
# Enter configuration mode on your EdgeRouter. You can leave it with exit.
configure

# We uploaded the files to /config/auth.
# REPLACE my_expressvpn_county_city_udp.ovpn with the name of the file that you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_county_city_udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

# Masquerade traffic from the LAN (192.168.1.0/24 in this example) that leaves through vtun0.
set service nat rule 5001 description 'OpenVPN Clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 type masquerade
commit

# Routing table 1 sends all traffic to vtun0. The SOURCE_ROUTE rule places traffic
# from 192.168.1.0/24 in that table and is applied to traffic entering switch0.
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

You should now have successfully connected your EdgeRouter to ExpressVPN, allowing every device in your network to use the services from ExpressVPN.
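
Added example (not part of the original article): a small shell check, run on the router over SSH after the upload, for the two edits made to the .ovpn file in the NordVPN and ExpressVPN sections and for the vpnauth.txt file. The function names and the sample file contents are constructed for illustration; only /config/auth/vpnauth.txt and the two OpenVPN directives come from the article.

```sh
#!/bin/sh
# Added example: checks for the files that end up in /config/auth.
# Usage on the router: check_ovpn <file.ovpn> /config/auth/vpnauth.txt
#                      check_auth /config/auth/vpnauth.txt

# Print one finding per line for the edited .ovpn file; nothing if it is fine.
check_ovpn() {   # $1 = .ovpn file, $2 = expected credentials path
    # Strip CRs first: files edited on Windows may have CRLF line endings.
    tr -d '\r' < "$1" | awk -v p="$2" '
        $1 == "auth-user-pass" { seen = 1; if ($2 == p) ok = 1 }
        $1 == "route-nopull"   { nopull = 1 }
        END {
            if (!seen)    print "auth-user-pass line missing"
            else if (!ok) print "auth-user-pass does not point to " p
            if (!nopull)  print "route-nopull missing"
        }'
}

# Print findings for the credentials file; nothing if it is fine.
check_auth() {   # $1 = credentials file
    n=$(tr -d '\r' < "$1" | awk 'NF { c++ } END { print c + 0 }')
    [ "$n" -eq 2 ] || echo "expected 2 non-empty lines (username, password), found $n"
    # Characters 5-10 of the ls mode string are the group and other bits.
    # OpenVPN itself logs a warning when this file is group or others accessible.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "accessible beyond owner ($perms); consider chmod 600"
}

# Constructed sample files (not a real provider config or real credentials).
demo() {
    d=$(mktemp -d)
    printf 'client\r\nremote vpn.example.net 1194\r\nauth-user-pass\r\n' > "$d/sample.ovpn"
    printf 'exampleuser\r\nexamplepass\r\n' > "$d/vpnauth.txt"
    chmod 644 "$d/vpnauth.txt"
    check_ovpn "$d/sample.ovpn" /config/auth/vpnauth.txt
    check_auth "$d/vpnauth.txt"
    rm -rf "$d"
}
demo
```

The constructed sample produces three findings: the auth-user-pass line has no path, route-nopull is missing, and the credentials file is readable by group and others.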

Conclusion

The configuration above should work in principle for every VPN provider. You only need an OpenVPN configuration file from your provider to get started. I hope this article helped you with setting up the EdgeRouter as a VPN client.

VPNs are becoming more common these days. What is your VPN, and why did you start using it? Let me know in the comments below!


7 thoughts on “How to setup an Edgerouter as VPN Client”

  1. Hi,

    I was wondering if you have a step-by-step guide on how to configure, step by step, a Cisco SG350-10P for a home network. Several home computers including laptops, home lighting – Philips Hue, Sonos, printers, smart TVs, streaming boxes, game console. Currently have modem router combo from Verizon cable company, etc. Thank you in advance.

    • It should be possible, but I can’t test it right now. I think the main part is pretty much the same, but it seems you will need to add this masquerade:

      set service nat rule 5004 description "masq to vpn vtun0"
      set service nat rule 5004 destination address 0.0.0.0/0
      set service nat rule 5004 outbound-interface vtun0
      set service nat rule 5004 type masquerade
