How to setup an Edgerouter as VPN Client

VPN clients have become really popular in the last couple of years, and for good reason. They protect your privacy and allow you to use the internet without any restrictions (think of watching Netflix series that are not available in your country yet).

The downside of a VPN is that you need a client on your device to connect to the VPN server, something that isn’t possible with your smart TV, for example. With an EdgeRouter, though, you can set up the VPN for your whole network.

In this article, I will explain how you can set up the EdgeRouter as a VPN Client for the three largest VPN providers, NordVPN, Surfshark, and ExpressVPN.

To connect to the EdgeRouter over SSH we will use Putty, and to upload the configuration files to the router we will use WinSCP. Any other SSH and FTP client will also do fine for this article.

NordVPN and Edgerouter

Let’s start with setting up NordVPN on the EdgeRouter. You will need your login credentials from NordVPN, Putty to connect to your EdgeRouter over SSH, and WinSCP to upload a file to the router.

  1. Create a file on your computer and name it vpnauth.txt. Open the file and type in your NordVPN username and password. Each on their own line:

    username
    password
  2. Next, we need to download the NordVPN server configuration. NordVPN has a great tool to find the best server near your location, which you can find here: https://nordvpn.com/servers/tools/.
    In the recommended server block (left side) click on Show all protocols and download the OpenVPN UDP config.

  3. Open the configuration file (right-click it and open it with Notepad). We need to make two changes in the file:

    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull

    Save the file.
  4. Now we need to upload the file to our router. Open WinSCP and connect to your router: enter the IP address of the router (if you don’t know the IP address of your router you can check this article), and your username and password.

    Click on Login. You will get a security warning and a warning from the EdgeRouter itself. Click OK for both warnings.
  5. On the right side in WinSCP, you will see the files on your EdgeRouter. By default, you will be in the folder /home/ubnt. Click on the root folder icon to navigate to the root of the EdgeRouter. You will now see a lot more folders, including config.

    Open the config folder and create a new folder with the name auth. Set the permissions to 0777.
  6. Upload the username password file that we created in step 1 and the configuration file from step 4 to the new folder.
  7. Open Putty and connect to your EdgeRouter.

    Log in with the username ubnt and the password of your EdgeRouter.
  8. Enter the command below:
configure # enters configuration mode on your EdgeRouter; leave it with exit

# We uploaded the files to /config/auth.
# REPLACE us4313.nordvpn.com.udp.ovpn with the name of the file you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/us4313.nordvpn.com.udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

set service nat rule 5000 description 'OpenVPN Clients'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
commit

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

The configuration is applied after you have entered save. To check if the VPN client is working on the EdgeRouter, you can enter the following command:

run show log

At the end of the log file, you will see Initialization Sequence Completed. This means that your EdgeRouter is successfully connected to the servers from NordVPN.
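
Reading the log by eye works once. As an added example (not part of the original article), this shell function classifies the tunnel state from the OpenVPN lines in the log, using OpenVPN's standard log messages. The sample log lines are constructed, and the /var/log/messages path in the usage comment is an assumption about where the router keeps its syslog.

```shell
#!/bin/sh
# Added example: decide whether the OpenVPN client is up from its log lines.
# The matched strings are standard OpenVPN log messages.

# vpn_state: read log text on stdin, print the state left by the LAST
# relevant event (up, down, auth-failed, tls-failed, unknown) and
# return 0 only when the tunnel is up.
vpn_state() {
    state=$(awk '
        /Initialization Sequence Completed/ { s = "up" }
        /AUTH_FAILED/                       { s = "auth-failed" }
        /TLS key negotiation failed/        { s = "tls-failed" }
        /SIGUSR1\[|SIGTERM\[/               { if (s == "up") s = "down" }
        END { print (s == "" ? "unknown" : s) }
    ')
    echo "$state"
    [ "$state" = "up" ]
}

# Constructed sample: the tunnel comes up, restarts, then fails to log in.
SAMPLE_LOG='Jan 10 10:00:01 ubnt openvpn[2101]: TLS: Initial packet from [AF_INET]203.0.113.10:1194
Jan 10 10:00:03 ubnt openvpn[2101]: Initialization Sequence Completed
Jan 10 11:30:40 ubnt openvpn[2101]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 10 11:30:45 ubnt openvpn[2101]: AUTH: Received control message: AUTH_FAILED'

# On the router (assumed log path):
#   grep openvpn /var/log/messages | vpn_state
```

A state of auth-failed points at vpnauth.txt (wrong credentials or a missing second line), while tls-failed points at connectivity to the provider's server.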

ExpressVPN Configuration for the EdgeRouter

The configuration for ExpressVPN is pretty much the same, only a few steps are different. Just like with NordVPN, we need to get an authentication file and configuration file to get started.

  1. Create an account on ExpressVPN.com and go to My Account on the menu. Click on Setup ExpressVPN and then choose Manual Config. Download the configuration file (my_expressvpn_county_city_udp.ovpn)
  2. Open the configuration file with notepad. Change the following:

    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull

    Save the file
  3. Next, create a new file on your computer and name it vpnauth.txt. Open the file and type in your ExpressVPN username and password; you will find these in the My Account section where you also downloaded the configuration file.

    Make sure that the username and password are each on their own line.
  4. We need to upload the files to the EdgeRouter and connect to the router with SSH. Follow steps 4 to 7 from the NordVPN part above.
  5. After you have uploaded both files to your router we can enter the configuration:
configure # enters configuration mode on your EdgeRouter; leave it with exit

# We uploaded the files to /config/auth.
# REPLACE my_expressvpn_county_city_udp.ovpn with the name of the file you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_county_city_udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

set service nat rule 5001 description 'OpenVPN Clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 type masquerade
commit

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

You should now have successfully connected your EdgeRouter to ExpressVPN, allowing every device in your network to use the services from ExpressVPN.
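
The vpnauth.txt file holds the provider credentials in plain text, inside the 0777 folder created in step 5 of the NordVPN part. This added example (not from the original article) lists every path under that folder that group or other users can access and applies a tighter mode. The function names are hypothetical, and it assumes the OpenVPN process on the router runs as root, so it can still read files set to 0600.

```shell
#!/bin/sh
# Added example: audit and tighten the credentials folder from the article.
# Assumption: OpenVPN on the router runs as root and keeps read access.

# audit_auth_dir [DIR]: print mode and name of every path under DIR that
# grants any permission to group or other. Returns 0 when nothing is
# exposed, 1 when something is, 2 when DIR does not exist.
audit_auth_dir() {
    dir=${1:-/config/auth}
    [ -d "$dir" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    find "$dir" -exec ls -ld {} + |
        awk 'substr($1, 5, 6) != "------" { print $1, $NF; bad = 1 }
             END { exit bad }'
}

# tighten_auth_dir [DIR]: owner-only access to the folder and its files.
# Run as the owner of the files, or with sudo on the router.
tighten_auth_dir() {
    dir=${1:-/config/auth}
    [ -d "$dir" ] || return 2
    chmod 700 "$dir" &&
        find "$dir" -type f -exec chmod 600 {} +
}

# Typical use on the router:
#   audit_auth_dir || { tighten_auth_dir && audit_auth_dir; }
```

If the tunnel stops authenticating after tightening, check which user the OpenVPN process runs as before loosening the modes again.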

Surfshark OpenVPN configuration for EdgeRouter

Also with Surfshark, we can set up an OpenVPN connection from our EdgeRouter. Surfshark is one of the cheapest VPN providers supporting unlimited devices, so if you haven’t picked a VPN yet, make sure you check this article!

Just like the other two, we need to get an authentication file and configuration file to get started.

  1. Create an account at Surfshark.com and click on Devices.
  2. Scroll down to Advanced and select Manual. At the bottom of the page, you will find your service credentials. We will need this later.
  3. Pick a location and download the UDP configuration file
  4. Open the configuration file with notepad. Change the following:
    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull
    Save the file
  5. Next, create a new file on your computer and name it vpnauth.txt. Open the file and type in the username and password from the service credentials (see step 2).
  6. Make sure that the username and password are each on their own line.
  7. We need to upload the files to the EdgeRouter and connect to the router with SSH. Follow steps 4 to 7 from the NordVPN part above.
  8. After you have uploaded both files to your router we can enter the configuration:
configure # enters configuration mode on your EdgeRouter; leave it with exit

# We uploaded the files to /config/auth.
# REPLACE us-mia.prod.surfshark.comsurfshark_openvpn_udp.ovpn with the name of the file you downloaded!

set interfaces openvpn vtun0 config-file /config/auth/us-mia.prod.surfshark.comsurfshark_openvpn_udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

set service nat rule 5001 description 'OpenVPN Clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 type masquerade
commit

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

You should now have successfully connected your EdgeRouter to Surfshark, allowing every device in your network to use the services from Surfshark.
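
All three provider sections make the same two edits to the downloaded .ovpn file. As an added example (not part of the original article), the shell functions below apply those edits in a repeatable way and check the result before the file is uploaded. The function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: apply and verify the two .ovpn edits from the article.

AUTH_FILE=/config/auth/vpnauth.txt   # path used throughout the article

# patch_ovpn IN OUT: write a copy of IN in which auth-user-pass points at
# $AUTH_FILE and route-nopull sits on the line below it. Running it on an
# already patched file gives the same output. Returns 3 when IN has no
# auth-user-pass line at all.
patch_ovpn() {
    # Notepad may save CRLF line endings; normalise to LF first.
    tr -d '\r' < "$1" | awk -v auth="$AUTH_FILE" '
        $1 == "route-nopull"   { next }        # re-added below, exactly once
        $1 == "auth-user-pass" { print "auth-user-pass " auth
                                 print "route-nopull"
                                 seen = 1; next }
        { print }
        END { if (!seen) exit 3 }
    ' > "$2"
}

# check_ovpn FILE: succeed only if each directive appears exactly once,
# auth-user-pass names $AUTH_FILE, and route-nopull directly follows it.
check_ovpn() {
    awk -v auth="$AUTH_FILE" '
        $1 == "auth-user-pass" { a++; ok = ($2 == auth); prev = NR }
        $1 == "route-nopull"   { r++; after = (NR == prev + 1) }
        END { exit !(a == 1 && r == 1 && ok && after) }
    ' "$1"
}

# Typical use before uploading:
#   patch_ovpn downloaded.ovpn router.ovpn && check_ovpn router.ovpn
```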

Conclusion

The configuration above should work in principle for every VPN provider; you only need an OpenVPN configuration file from your provider to get started. I hope this article helped you with setting up the EdgeRouter as a VPN client.

VPNs are becoming more common these days. What is your VPN, and why did you start using it? Let me know in the comments below!


26 thoughts on “How to setup an Edgerouter as VPN Client”

  1. hi Ruud, thanks for your article. I refer to “How to setup an Edgerouter as VPN Client”. I have a MikroTik Desktop Gigabit Router-RB2011iL-IN and Nord VPN, as mentioned in the first part of your article. My router is different from the Edgerouter in the above article.
    Question: how would the configuration be different for my router?

    Thank you very much,
    Joop Vis – South Africa

  2. I have spent all afternoon to get this working. Edgerouter accepts all commands, but DL speed falls down from 205Mb/s to 5.5. Tried 4 different servers from UK and from NL, all same results… Only way to get it right again is a hard factory reset of the ERX.
    There are ways to delete VPN setting in Putty (Or ERX’s CLI), but the response is always: “Nothing to delete (the specified node does not exist)”

  3. Hello Ruud,
    At the advice of NordVPN techies I switched to the NordLynx protocol, which is indeed much faster. Will the above also work for this protocol?
    Also, if you have time, could you write how to program Edgerouter X so one can safely access the LAN from the outside world?
    Many thanks Ruud!

  4. Hi, thanks for the guide, in my EdgeRouter 10x I had to include this line for it to work:

    set firewall modify SOURCE_ROUTE rule 10 action modify

  5. Hi, I followed your guide step by step. My issue is that I want to restrict vtun0 to my VLAN user; for that I have switch0.2 with address 192.168.3.0/24. I have done the same steps that you mentioned, but in source address I put my VLAN address. When I enable OpenVPN I don't get internet on my primary LAN either. Can you help me in setting up? Thanks in advance

    my Wan is pppoe
    My Lan eth1 is 192.168.1.0/24
    My Lan eth2 is 192.168.2.0/24
    Then i have Vlan on Switch 0 vif 2 : 192.168.3.0/24

    I want all vlan 2 traffic to pass through Open Vpn tunnel and all other through PPPoE .

  6. Hi Ruud,
    I followed the instruction to install NordVPN on my Edgerouter X. All went well, NordVPN server NL473 was advised so I used these settings. After running the script, I checked and it turned out the server was in Rumania, and my DL speed went down from 310 Mbps to 15.9…. auch… Luckily I had a backup file to undo the script, but I am still wondering why this happened, and if there is a way to be sure that the server is indeed the one that one seeks?
    Thanks for all your great articles!

    • Hi Arie,

      That the download speed drops is normal, but that shouldn’t be more than 30%. You can also pick a server your self, try one in the UK to see if you get a better result.

  8. set interfaces switch switch0 firewall in modify SOURCE_ROUTE

    gives me an error

    Value validation failed
    Set failed
    [edit]
    [email protected]# set interfaces switch switch0 firewall in modify SOURCE_ROUTE
    interface switch switch0: does not exist

    • Change switch to ethernet, and switch0 to ethX (eth0 or eth1 or eth2, or whatever physical ethernet port goes to your LAN for the VPN).

      Switch is a virtual group of ethernet connections (I think). If you are not using switches, or if you want to use the VPN on all connections to a physical ethernet port:

      switch (virtual) = ethernet (physical port)
      switch1 (name of switch) = eth1 (name of physical port on router)

      The names can vary; eth0, eth1, eth2 can all be included in one virtual switch. But that gets complicated so I just use the physical ethernet port.

  9. Hi,

    I was wondering if you have step to step guide on how to configure step by step Cisco Sg350-10p for a home network. several home computers including laptops, home lighting – Philip Hue, Sonos, printers, smart Tvs, streaming boxes, game console. Currently have modem router combo from Verizon cable company, etc. Thank you in advance.

    • It should be possible, but I can’t test it right now. I think the main part is pretty much the same, but it seems you will need to add this masquerade:

      set service nat rule 5004 description "masq to vpn vtun0"
      set service nat rule 5004 destination address 0.0.0.0/0
      set service nat rule 5004 outbound-interface vtun0
      set service nat rule 5004 type masquerade
