How to setup an Edgerouter as VPN Client

VPN clients have become really popular in the last couple of years, and for good reason. They protect your privacy and allow you to use the internet without any restrictions (think of watching Netflix series that are not available in your country yet).

Now the downside of a VPN is that you need a client on your device to connect to the VPN server, something that isn’t possible with your smart TV, for example. With an EdgeRouter, though, you can set up the VPN for your whole network.

In this article, I will explain how you can set up the EdgeRouter as a VPN Client for the three largest VPN providers, NordVPN, Surfshark, and ExpressVPN.

To connect to the EdgeRouter over SSH we will use Putty, and to upload the configuration files to the router we are going to use WinSCP. Any other SSH and FTP client will also do fine for this article.

NordVPN and Edgerouter

So let's start with setting up NordVPN on the EdgeRouter. You will need your login credentials from NordVPN, Putty to connect to your EdgeRouter over SSH, and WinSCP to upload the files to the router.

  1. Create a file on your computer and name it vpnauth.txt. Open the file and type in your NordVPN username and password, each on its own line:

    username
    password
  2. Next, we need to download the NordVPN server configuration. NordVPN has a great tool to find the best server near your location, which you can find here: https://nordvpn.com/servers/tools/.
    In the recommended server block (left side) click on Show all protocols and download the OpenVPN UDP config.

  3. Open the configuration file (right-click it, open with notepad). We need to make two changes in the file:

    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull

    Save the file.
  4. Now we need to upload the file to our router. Open WinSCP and connect to your router: enter the IP address of the router (if you don’t know the IP address of your router you can check this article), and your username and password:

    Click on Login, you will get a security warning and a warning from the EdgeRouter itself. Click ok for both warnings.
  5. On the right side in WinSCP, you will see the files on your EdgeRouter. By default, you will be in the folder /home/ubnt. Click on the root folder icon to navigate to the root of the EdgeRouter. You will now see a lot more folders, including config.

    Open the config folder and create a new folder with the name auth. Set the permissions to 0777.

  6. Upload the username and password file that we created in step 1 and the configuration file that we edited in step 3 to the new folder.
  7. Open Putty and connect to your EdgeRouter.

    Log in with the username ubnt and the password of your EdgeRouter.
  8. Enter the commands below:
# Enter configuration mode on your EdgeRouter. You can close it with exit
configure

# We uploaded the files to /config/auth.
# REPLACE us4313.nordvpn.com.udp.ovpn with the name of the file that you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/us4313.nordvpn.com.udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

# Source NAT: masquerade LAN traffic that leaves through the tunnel
set service nat rule 5000 description 'OpenVPN Clients'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
commit

# Policy route: traffic from the LAN uses routing table 1, whose default route is vtun0
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
# The rule needs an action before it can modify the routing table (see the comments below)
set firewall modify SOURCE_ROUTE rule 10 action modify
set firewall modify SOURCE_ROUTE rule 10 modify table 1
# If switch0 does not exist on your model, use your LAN port instead (ethernet ethX, see the comments below)
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

The configuration is applied after you have entered save. To check if the VPN client is working on the EdgeRouter you can enter the following command:

run show log

At the end of the log file, you will see Initialization Sequence Completed. This means that your EdgeRouter is successfully connected to the servers from NordVPN.
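
The two edits to the .ovpn file and the layout of vpnauth.txt can be checked before the files are uploaded. The script below is an added example, not part of the original article: the function names are hypothetical, it assumes GNU stat, and its permission check on the credentials file is stricter than the 0777 folder mode used in step 5.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for the two files
# the guide uploads to /config/auth. AUTH_PATH is the path used in the guide.
AUTH_PATH=/config/auth/vpnauth.txt

# Print FILE without carriage returns: files saved from Notepad may use CRLF.
lf() { tr -d '\r' < "$1"; }

# check_ovpn FILE: one finding per line on stdout; returns 1 if any.
check_ovpn() {
    rc=0
    # A bare auth-user-pass makes OpenVPN prompt for credentials, which a
    # headless router cannot answer; it must name the credentials file.
    if ! lf "$1" | grep -Eq "^[[:space:]]*auth-user-pass[[:space:]]+${AUTH_PATH}[[:space:]]*\$"; then
        echo "auth-user-pass does not point at ${AUTH_PATH}"; rc=1
    fi
    # route-nopull makes the client ignore routes pushed by the server, so
    # only the policy route (table 1) decides what goes through vtun0.
    if ! lf "$1" | grep -Eq '^[[:space:]]*route-nopull[[:space:]]*$'; then
        echo "route-nopull is missing"; rc=1
    fi
    return $rc
}

# check_auth FILE: username on line 1, password on line 2, and a mode that
# gives group/other no access (stricter than the guide; assumes GNU stat).
check_auth() {
    rc=0
    user=$(lf "$1" | sed -n '1p'); pass=$(lf "$1" | sed -n '2p')
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "expected username on line 1 and password on line 2"; rc=1
    fi
    case $(stat -c '%a' "$1") in
        *00) ;;
        *) echo "credentials file is accessible to group/other"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh preflight.sh provider.ovpn vpnauth.txt
if [ "$#" -eq 2 ]; then
    check_ovpn "$1"; a=$?
    check_auth "$2"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && echo "OK"
    exit $((a | b))
fi
```

The same checks apply unchanged to the ExpressVPN and Surfshark files, since all three sections make the same two edits.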

ExpressVPN Configuration for the EdgeRouter

The configuration for ExpressVPN is pretty much the same, only a few steps are different. Just like with NordVPN, we need to get an authentication file and configuration file to get started.

  1. Create an account on ExpressVPN.com and go to My Account on the menu. Click on Setup ExpressVPN and then choose Manual Config. Download the configuration file (my_expressvpn_county_city_udp.ovpn)
  2. Open the configuration file with notepad. Change the following:

    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull

    Save the file
  3. Next, create a new file on your computer and name it vpnauth.txt. Open the file and type in your ExpressVPN username and password. You will find these in the My Account section where you also downloaded the configuration file.

    Make sure that the username and password are each on their own line.
  4. We need to upload the files to the EdgeRouter and connect to the router with SSH. Follow steps 4 to 7 from the NordVPN section above.
  5. After you have uploaded both files to your router we can enter the configuration:
# Enter configuration mode on your EdgeRouter. You can close it with exit
configure

# We uploaded the files to /config/auth.
# REPLACE my_expressvpn_county_city_udp.ovpn with the name of the file that you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_county_city_udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

# Source NAT: masquerade LAN traffic that leaves through the tunnel
set service nat rule 5001 description 'OpenVPN Clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 type masquerade
commit

# Policy route: traffic from the LAN uses routing table 1, whose default route is vtun0
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
# The rule needs an action before it can modify the routing table (see the comments below)
set firewall modify SOURCE_ROUTE rule 10 action modify
set firewall modify SOURCE_ROUTE rule 10 modify table 1
# If switch0 does not exist on your model, use your LAN port instead (ethernet ethX, see the comments below)
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

You should now have successfully connected your EdgeRouter to ExpressVPN, allowing every device in your network to use the services from ExpressVPN.

Surfshark OpenVPN configuration for EdgeRouter

Also with Surfshark, we can set up an OpenVPN connection from our EdgeRouter. Surfshark is one of the cheapest VPN providers supporting unlimited devices, so if you haven’t picked a VPN yet, make sure you check this article!

Just like the other two, we need to get an authentication file and configuration file to get started.

  1. Create an account at Surfshark.com and click on Devices.
  2. Scroll down to Advanced and select Manual. At the bottom of the page, you will find your service credentials. We will need this later.
  3. Pick a location and download the UDP configuration file
  4. Open the configuration file with notepad. Change the following:
    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull
    Save the file
  5. Next, create a new file on your computer and name it vpnauth.txt. Open the file and type in the username and password from the service credentials (see step 2).
  6. Make sure that the username and password are each on their own line.
  7. We need to upload the files to the EdgeRouter and connect to the router with SSH. Follow steps 4 to 7 from the NordVPN section above.
  8. After you have uploaded both files to your router we can enter the configuration:
# Enter configuration mode on your EdgeRouter. You can close it with exit
configure

# We uploaded the files to /config/auth.
# REPLACE us-mia.prod.surfshark.comsurfshark_openvpn_udp.ovpn with the name of the file that you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/us-mia.prod.surfshark.comsurfshark_openvpn_udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

# Source NAT: masquerade LAN traffic that leaves through the tunnel
set service nat rule 5001 description 'OpenVPN Clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 type masquerade
commit

# Policy route: traffic from the LAN uses routing table 1, whose default route is vtun0
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
# The rule needs an action before it can modify the routing table (see the comments below)
set firewall modify SOURCE_ROUTE rule 10 action modify
set firewall modify SOURCE_ROUTE rule 10 modify table 1
# If switch0 does not exist on your model, use your LAN port instead (ethernet ethX, see the comments below)
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

You should now have successfully connected your EdgeRouter to Surfshark, allowing every device in your network to use the services from Surfshark.

Conclusion

The configuration above should work in principle for every VPN provider. You only need an OpenVPN configuration file from your provider to get started. I hope this article helped you with setting up the EdgeRouter as a VPN client.

VPNs are getting more common these days. What is your VPN and why did you start using it? Let me know in the comments below!

38 thoughts on “How to setup an Edgerouter as VPN Client”

  1. Hi, I was so happy to find this post. However I get an error after the first commit OpenVPN configuration error: Failed to start OpenVPN tunnel. Not sure where to go from here. Any help would be appreciated. I am using ExpressVPN and Edgerouter Lite.

  2. Hi, I’ve set up a VPN with ProtonVPN which works fine, at multiple servers, but saw a drop in bandwidth to 20 Mbps in two cases (both without VPN 100 Mbps and 50 Mbps: other connection). I used IKEv2, UDP protocol, had max 40% load of server, unlimited bandwidth.
    With a VPN client installed on a desktop in the same network, without the vpn on the edgerouter of course, I reached 90Mbps, the bottleneck has to be the Edgerouter. Any thoughts on this?

    • Yeah, the problem is the CPU of the Edgerouter X. OpenVPN is completely software driven, so the speed of the CPU really determines the speed you can get over OpenVPN. The ER-4 is better suited in this case.

  3. Hello Ruud.

    Thank you so much for sharing this great how-to guide – I followed it and everything worked right away!

    I see the firewall rule is set to be valid for the whole 192.168.1.0 network.

    Now I am wondering if it is possible to somehow make the firewall rule valid for only source UDP video protocol? Or for destination sites like YouTube or Twitch?

    In other words, I want to route outbound UDP video through vtun0 and all other traffic through eth0 (WAN).

    Is this possible?

    Thanks in advance!

  4. Hi Ruud,

    I used your guide to install Expressvpn on my Edgerouter X and it worked fine. Unfortunately, my download speeds dropped from 275 Mbps to 17 Mbps. If I disable the VPN, my download speeds return to 275 Mbps. I am not sure why. Any help would be appreciated.

  5. Thanks Ruud, this helped a lot.

    Is there a way to access my devices behind my Edgerouter when the tunnel is on?
    For example, camera feeds, NAS, or Windows server.
    I have a DDNS setup with DYNDNS.

    Or am I going to have to utilize separate ports on my ER4 and not use VLANs?

    • You will need a separate port indeed. If you route all your traffic up the VPN connection, then the only way to enter your network is through the opposite side of the VPN, but that ain’t going to work. So indeed, splitting your network is the best way to go here.

  6. Is there a way to route the traffic from 2 specific devices OUTSIDE of the expressVPN and instead go via the usual WAN?

    Or better yet, a way to route traffic outside of the VPN based on the destination DOMAIN NAME (Not the IP).

  7. Hey – I wanted to say THANK YOU for taking the time to write and share this. I’ve been fighting to figure out how to setup express vpn on my new edgemax for days.

    I’m left with 2 questions now that it is working.

    1) How might I TEMPORARILY disable the VPN when needed? As at present, disney+ will not work if connected to a VPN.

    2) How might I use a dynamic IP service or similar to somehow get my PLEX server available to the outside world again?

    I TOTALLY understand if you don’t have an answer or indeed the time to reply. I feel cheeky enough even asking.

    Whatever the case, thank you so very much again for sharing your knowledge and time with the rest of us as we all try to get better.

  8. hi Ruud, thanks for your article. I refer to “How to setup an Edgerouter as VPN Client”. I have a MikroTik Desktop Gigabit Router-RB2011iL-IN and Nord VPN, as mentioned in the first part of your article. My router is different from the Edgerouter in the above article.
    Question: how would the configuration be different for my router?

    Thank you very much,
    Joop Vis – South Africa

  9. I have spent all afternoon to get this working. Edgerouter accepts all commands, but DL speed falls down from 205Mb/s to 5.5. Tried 4 different servers from UK and from NL, all same results… Only way to get it right again is a hard factory reset of the ERX.
    There are ways to delete VPN setting in Putty (Or ERX’s CLI), but the response is always: “Nothing to delete (the specified node does not exist)”

  10. Hello Ruud,
    At the advice of NordVPN techies I switched to the NordLynx protocol, which is indeed much faster. Will the above also work for this protocol?
    Also, if you have time, could you write how to program Edgerouter X so one can safely access the LAN from the outside world?
    Many thanks Ruud!

  11. Hi, thanks for the guide, in my EdgeRouter 10x I had to include this line for it to work:

    set firewall modify SOURCE_ROUTE rule 10 action modify

  12. Hi, I followed your guide step by step. My issue is I want to restrict vtun0 to my VLAN user; for that I have switch0.2 with address 192.168.3.0/24. I have done the same steps that you mentioned, but in source address I put my VLAN address. When I enable OpenVPN I don't get internet on my primary LAN also. Can you help me in setting up? Thanks in advance

    my Wan is pppoe
    My Lan eth1 is 192.168.1.0/24
    My Lan eth2 is 192.168.2.0/24
    Then i have Vlan on Switch 0 vif 2 : 192.168.3.0/24

    I want all vlan 2 traffic to pass through Open Vpn tunnel and all other through PPPoE.

  14. Hi Ruud,
    I followed the instruction to install NordVPN on my Edgerouter X. All went well, NordVPN server NL473 was advised so I used these settings. After running the script, I checked and it turned out the server was in Rumania, and my DL speed went down from 310 Mbps to 15.9…. ouch… Luckily I had a backup file to undo the script, but I am still wondering why this happened, and if there is a way to be sure that the server is indeed the one that one seeks?
    Thanks for all your great articles.

    • Hi Arie,

      That the download speed drops is normal, but that shouldn’t be more than 30%. You can also pick a server yourself, try one in the UK to see if you get a better result.

  15. set interfaces switch switch0 firewall in modify SOURCE_ROUTE

    give me an error

    Value validation failed
    Set failed
    [edit]
    [email protected]# set interfaces switch switch0 firewall in modify SOURCE_ROUTE
    interface switch switch0: does not exist

    • Change switch to ethernet, and switch0 to ethX (eth0 or eth1 or eth2, or whatever physical ethernet port goes to your LAN for the VPN).

      Switch is a virtual group of ethernet connections (I think). If you are not using switches, or if you want to use the VPN on all connections to a physical ethernet port:

      switch (virtual) = ethernet (physical port)
      switch1 (name of switch) = eth1 (name of physical port on router)

      The names can vary; eth0, eth1, eth2 can all be included in one virtual switch. But that gets complicated so I just use the physical ethernet port.

  16. Hi,

    I was wondering if you have step to step guide on how to configure step by step Cisco Sg350-10p for a home network. several home computers including laptops, home lighting – Philip Hue, Sonos, printers, smart Tvs, streaming boxes, game console. Currently have modem router combo from Verizon cable company, etc. Thank you in advance.

    • It should be possible, but I can’t test it right now. I think the main part is pretty much the same, but it seems you will need to add this masquerade:

      set service nat rule 5004 description "masq to vpn vtun0"
      set service nat rule 5004 destination address 0.0.0.0/0
      set service nat rule 5004 outbound-interface vtun0
      set service nat rule 5004 type masquerade
