How to setup an Edgerouter as VPN Client

VPN clients have become really popular over the last couple of years, and for a good reason. They protect your privacy and allow you to use the internet without any restrictions (think of watching Netflix series that are not available in your country yet).

Now the downside of a VPN is that you need a client on your device to connect to the VPN server, something that isn’t possible with your smart TV, for example. With an EdgeRouter, though, you can set up the VPN for your whole network.

In this article, I will explain how you can set up the EdgeRouter as a VPN Client for the three largest VPN providers, NordVPN, Surfshark, and ExpressVPN.

To connect to the EdgeRouter over SSH we will use Putty, and to upload the configuration files to the router we are going to use WinSCP. Any other SSH and FTP client will also do fine for this article.

NordVPN and Edgerouter

So let’s first start with setting up NordVPN on the EdgeRouter. You will need your login credentials from NordVPN, Putty to connect to your EdgeRouter over SSH, and WinSCP to upload a file to the router.

  1. Create a file on your computer and name it vpnauth.txt. Open the file and type in your NordVPN username and password. Each on their own line:

    username
    password
  2. Next, we need to download the NordVPN server configuration. NordVPN has a great tool to find the best server near your location, which you can find here: https://nordvpn.com/servers/tools/.
    In the recommended server block (left side) click on Show all protocols and download the OpenVPN UDP config.

  3. Open the configuration file (right-click it and open it with Notepad). We need to make two changes in the file:

    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull

    Save the file.
  4. Now we need to upload the file to our router. Open WinSCP and connect to your router: enter the IP address of the router (if you don’t know the IP address of your router you can check this article), and your username and password:


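    Click on Login. You will get a security warning and a warning from the EdgeRouter itself. The security warning is WinSCP asking you to accept the router’s SSH host key, which is expected the first time you connect. Click OK for both warnings.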
  5. On the right side in WinSCP, you will see the files on your EdgeRouter. By default, you will be in the folder /home/ubnt. Click on the root folder icon to navigate to the root of the EdgeRouter. You will now see a lot more folders, including config.


    Open the config folder and create a new folder with the name auth. Set the permissions to 0777.

  6. Upload the username password file that we created in step 1 and the configuration file from step 4 to the new folder.
  7. Open Putty and connect to your EdgeRouter.


    Log in with the username ubnt and the password of your EdgeRouter.
  8. Enter the commands below:
configure # enters configuration mode on your EdgeRouter. You can close it with exit

# We uploaded the files to /config/auth.
# REPLACE us4313.nordvpn.com.udp.ovpn with the name of the file that you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/us4313.nordvpn.com.udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

set service nat rule 5000 description 'OpenVPN Clients'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
commit

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

The configuration is applied after you have entered save. To check if the VPN client is working on the EdgeRouter you can enter the following command:

run show log

At the end of the log file, you will see Initialization Sequence Completed. This means that your EdgeRouter is successfully connected to the servers from NordVPN.
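
Because OpenVPN restarts itself after errors, an Initialization Sequence Completed line somewhere in the log does not prove the tunnel is up now; the most recent OpenVPN event decides. The script below is an added example, not part of the original article: it reads log text on stdin and prints the state implied by the last event. The function name tunnel_state is hypothetical and the sample log lines are constructed, in the syslog format shown in the comments under this article.

```sh
#!/bin/sh
# Added example: report the tunnel state implied by the LAST OpenVPN event
# in a syslog stream. tunnel_state is a hypothetical helper name.
tunnel_state() {
    awk '
        !/openvpn\[[0-9]+\]:/ { next }          # skip lines from other daemons
        /Initialization Sequence Completed/ { state = "UP"; why = ""; next }
        /AUTH_FAILED/ { state = "DOWN"; why = "auth-failed"; next }
        /TLS Error/   { state = "DOWN"; why = "tls-error";   next }
        /process (restarting|exiting)/ {
            # keep a more specific reason if one was already recorded
            if (state != "DOWN") why = "restarted"
            state = "DOWN"; next
        }
        # connected, but outgoing packets are rejected on the router (EPERM)
        /write UDP: Operation not permitted/ { if (state == "UP") why = "write-blocked" }
        END {
            if (state == "") state = "UNKNOWN"
            if (why != "") state = state " " why
            print state
        }'
}

# Constructed sample logs (addresses from the 192.0.2.0/24 documentation range).
tls_failure='Aug 16 19:52:55 USG openvpn[12203]: TLS: Initial packet from [AF_INET]192.0.2.10:1194
Aug 16 19:53:55 USG openvpn[12203]: TLS Error: TLS handshake failed
Aug 16 19:53:55 USG openvpn[12203]: SIGUSR1[soft,tls-error] received, process restarting'

# The success line is present, but a later restart means the tunnel is down.
dropped_later='Aug 16 20:01:02 USG openvpn[12203]: Initialization Sequence Completed
Aug 16 20:01:03 USG kernel: eth0: link up
Aug 16 21:30:40 USG openvpn[12203]: SIGUSR1[soft,ping-restart] received, process restarting'

blocked_send='Aug 16 20:01:02 USG openvpn[12203]: Initialization Sequence Completed
Aug 16 20:01:03 USG openvpn[12203]: write UDP: Operation not permitted (code=1)'

for sample in "$tls_failure" "$dropped_later" "$blocked_send"; do
    printf '%s\n' "$sample" | tunnel_state
done
```

On the router the input would be the system log itself, for example tunnel_state < /var/log/messages (the log path is an assumption).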

ExpressVPN Configuration for the EdgeRouter

The configuration for ExpressVPN is pretty much the same, only a few steps are different. Just like with NordVPN, we need to get an authentication file and configuration file to get started.

  1. Create an account on ExpressVPN.com and go to My Account on the menu. Click on Setup ExpressVPN and then choose Manual Config. Download the configuration file (my_expressvpn_county_city_udp.ovpn).
  2. Open the configuration file with Notepad. Change the following:

    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull

    Save the file
  3. Next, create a new file on your computer and name it vpnauth.txt. Open the file and type in your ExpressVPN username and password. You will find these in the My Account section where you also downloaded the configuration file.

    Make sure that the username and password are each on their own line.
  4. We need to upload the files to the EdgeRouter and connect to the router with SSH. Follow steps 4 to 7 from the NordVPN section above.
  5. After you have uploaded both files to your router we can enter the configuration:
configure # enters configuration mode on your EdgeRouter. You can close it with exit

# We uploaded the files to /config/auth.
# REPLACE my_expressvpn_county_city_udp.ovpn with the name of the file that you downloaded!
set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_county_city_udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

set service nat rule 5001 description 'OpenVPN Clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 type masquerade
commit

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

You should now have successfully connected your EdgeRouter to ExpressVPN, allowing every device in your network to use the services from ExpressVPN.

Surfshark OpenVPN configuration for EdgeRouter

Also with Surfshark, we can set up an OpenVPN connection from our EdgeRouter. Surfshark is one of the cheapest VPN providers supporting unlimited devices, so if you haven’t picked a VPN yet, make sure you check this article!

Just like the other two, we need to get an authentication file and configuration file to get started.

  1. Create an account at Surfshark.com and click on Devices.
  2. Scroll down to Advanced and select Manual. At the bottom of the page, you will find your service credentials. We will need these later.
  3. Pick a location and download the UDP configuration file.
  4. Open the configuration file with Notepad. Change the following:
    – Change auth-user-pass to auth-user-pass /config/auth/vpnauth.txt
    – Add below the auth-user-pass line the following: route-nopull
    Save the file
  5. Next, create a new file on your computer and name it vpnauth.txt. Open the file and type in the username and password from the service credentials (see step 2).
  6. Make sure that the username and password are each on their own line.
  7. We need to upload the files to the EdgeRouter and connect to the router with SSH. Follow steps 4 to 7 from the NordVPN section above.
  8. After you have uploaded both files to your router we can enter the configuration:
configure # enters configuration mode on your EdgeRouter. You can close it with exit

# We uploaded the files to /config/auth.
# REPLACE us-mia.prod.surfshark.comsurfshark_openvpn_udp.ovpn with the name of the file that you downloaded!

set interfaces openvpn vtun0 config-file /config/auth/us-mia.prod.surfshark.comsurfshark_openvpn_udp.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

set service nat rule 5001 description 'OpenVPN Clients'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 type masquerade
commit

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
commit

save

You should now have successfully connected your EdgeRouter to Surfshark, allowing every device in your network to use the services from Surfshark.
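
All three provider sections depend on the same two edits to the .ovpn file and on a two-line vpnauth.txt. The script below is an added example, not part of the original article and not provider or Ubiquiti code: it checks both files before the set interfaces openvpn commands are entered, and also reports when the plaintext password file is world-readable or its folder is world-writable. The function name, the finding codes and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for the two files uploaded to /config/auth.
# Prints one finding code per line and nothing at all when every check passes.
# Usage: check_vpn_files FILE.ovpn VPNAUTH.txt [path expected in auth-user-pass]
# (check_vpn_files and the finding codes are hypothetical names.)
check_vpn_files() {
    ovpn=$1
    auth=$2
    want=${3:-/config/auth/vpnauth.txt}

    # Files saved from Notepad carry CRLF line endings; drop CR before matching.
    conf=$(tr -d '\r' < "$ovpn")

    # 1. auth-user-pass must name the credentials file. Left bare, OpenVPN
    #    asks for the login interactively, which a router service cannot do.
    named=$(printf '%s\n' "$conf" | awk '$1 == "auth-user-pass" { print $2; exit }')
    [ "$named" = "$want" ] || echo AUTH_PATH

    # 2. route-nopull must be present, so routes pushed by the VPN server are
    #    ignored and only the policy-routed subnet is sent through vtun0.
    printf '%s\n' "$conf" | awk '$1 == "route-nopull" { ok = 1 } END { exit !ok }' \
        || echo NO_ROUTE_NOPULL

    # 3. The credentials file must be username on line 1, password on line 2,
    #    and nothing else.
    tr -d '\r' < "$auth" | awk '
        NR <= 2 && NF { ok++ }
        NR > 2 && NF  { extra++ }
        END { exit !(ok == 2 && extra == 0) }' || echo AUTH_LINES

    # 4. The password is stored in plain text: flag a file every local user
    #    can read (o+r) and a folder every local user can write to (o+w).
    [ -z "$(find "$auth" -prune -perm -004)" ] || echo AUTH_WORLD_READABLE
    [ -z "$(find "$(dirname "$auth")" -prune -perm -002)" ] || echo DIR_WORLD_WRITABLE
}

# --- Demo on constructed sample files (not real provider configs) ---
demo=$(mktemp -d)

# Unedited download in a 0777 folder: bare auth-user-pass, no route-nopull.
printf 'client\r\ndev tun\r\nproto udp\r\nauth-user-pass\r\n' > "$demo/sample.ovpn"
printf 'exampleuser\r\nexamplepass\r\n' > "$demo/vpnauth.txt"
chmod 777 "$demo"
chmod 644 "$demo/vpnauth.txt"
echo "unedited config, open permissions:"
check_vpn_files "$demo/sample.ovpn" "$demo/vpnauth.txt"

# After the two edits, with modes tightened once the upload is done.
printf 'client\r\ndev tun\r\nproto udp\r\nauth-user-pass /config/auth/vpnauth.txt\r\nroute-nopull\r\n' \
    > "$demo/sample.ovpn"
chmod 755 "$demo"
chmod 600 "$demo/vpnauth.txt"
echo "edited config, tightened permissions:"
check_vpn_files "$demo/sample.ovpn" "$demo/vpnauth.txt"

rm -rf "$demo"
```

On the router the call takes the uploaded .ovpn file and /config/auth/vpnauth.txt as its two arguments. AUTH_WORLD_READABLE and DIR_WORLD_WRITABLE go away after chmod 600 on vpnauth.txt and chmod 755 on the auth folder, assuming OpenVPN runs as root on the router and can still read the file.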

Conclusion

The configuration above should work in principle for every VPN provider; you only need an OpenVPN configuration file from your provider to get started. I hope this article helped you with setting up the EdgeRouter as a VPN client.

VPNs are getting more and more common these days. What is your VPN, and why did you start using it? Let me know in the comments below!

84 thoughts on “How to setup an Edgerouter as VPN Client”

  1. What a superb article, truly superb. Thanks for the effort here. I have a big question though…

    I am new to this stuff, it’s a real stretch for me but I think I can follow the guide. However I have an Edgerouter 10X, is that the same and will it work?

    I need to switch IP/connections many times per day, hence I have always used VPN apps on my machines in the past. Some screenshots would have been a great addition to the article, showing what it looks like on screen and how to change connection. How easy is it to change connections?

    Oh and also, is there a way to tell the router to let some devices bypass the VPN, or have one device connecting to one server, while others connect to different connections?

    Thanks again

  2. Has anyone had any luck in opening an incoming port from a vtun?
    I have an open port with my VPN provider (Torguard) on a tunnel.
    I can open ports ok on WAN, but same logic doesn’t work on vtun

    Background: I have 2 tunnels, policy based routing (source addr groups) and black hole route in case one tunnel goes down.
    Let me know if you want details on any of that.

  3. Beautiful guide.
    I use SurfShark. Is it possible to route only clients connected to a VLAN through the VPN, leaving connected to ISP other clients connected to main network, or other VLANs?

    For example, if I create a VLAN as:
    set interfaces ethernet eth1 vif 300 description VLAN300
    set vlans VLAN300 vlan-id 300

    Regards

  4. Great post! Even greater is it worked for me the first time (pure luck)! 🙂

    ExpressVPN, EdgeRouter 12 – my ER12 is configured with eth0-7 as a L2 switch (all my local stuff attached to one of these ports) with eth9 going to my cable modem.

    Two comments and I welcome any and all responses:

    1) First, as with many others, my performance is so bad I really cannot use this. Download goes from about 270 Mbps to 22 — that is greater than 90% decrease! I really would not have expected this since the ER12 is a relatively “hot” device

    2) But, confusing (and maybe enlightening to someone reading this) is that my upload speed is virtually unchanged at 36 Mbps

    My ignorance might be getting in the way here but why should I be able to SEND data up with 0 (or minimal) degradation when data coming down is so much slower? Does this in any way reflect on the VPN server (or protocol or other VPN black magic) I am using? Note that when using ExpressVPN on my MacBook Pro (and not the router) connected to the same ExpressVPN server, download speed is only cut about 10% instead of more than 90%. Same VPN server, same local computer running the speed test. Really sounds like something in the ER12 just isn’t right.

    To summarize, two “questions”: 1) why such bad download performance on the ER12 and, 2) why no degradation issues during upload?

  5. Hi Rud
    Thanks for the instructions for NordVPN.
    Can you explain why the set firewall statements are required to isolate the tunnel from the lan? I have an edge router-4 with different subnets on eth1 and eth2. The firewall statements prevent communication on devices between the subnets which is not desirable.

  6. Thanks for the article. It works like a charm!
    Except that my NPM (Nginx Proxy Manager) doesn’t work anymore after using the VPN. Do you have any clue what the cause can be? I have DDNS active and the IP address is changed to the one I received from Surfshark.

  7. Can someone share what speeds they are getting with an Edgerouter 4? I have an ER-X and based on its CPU you will only get around 15Mbps especially if the auth is using SHA512 which is what nordvpn is using. aes-256-cbc and sha512. I really would like to know what is the openvpn speed from an ER-4 using nord or any other vpn provider.

  8. I’m getting an array of errors on edgeOS (ubiquiti usg), mainly during setup:

    “[ service nat rule 5000 outbound-interface vtun0 ]
    NAT configuration warning: interface vtun0 does not exist on this system:

    then on the logs:
    USG openvpn[12203]: TLS: Initial packet from [AF_INET]*.*.*.*:1194,
    Aug 16 19:53:55 USG openvpn[12203]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Aug 16 19:53:55 USG openvpn[12203]: TLS Error: TLS handshake failed
    Aug 16 19:53:55 USG openvpn[12203]: SIGUSR1[soft,tls-error] received, process restarting

    Also can’t see how to hardcode a rule that allows -p 1194 udp to be open on the router??

    any ideas welcome.

  9. Aloha Ruud,
    I got it to work and use the expressvpn on my edgerouter. How do I turn it off and not use the vpn?
    Mahalo,
    Louis

  10. Question: do you start this process from a “reset” EdgeRouter or from one that has been LAN/WAN configured (wizard)? Thanks.

  11. Hi Ruud,
    thanks for sharing this.
    I have one question though.
    This is about all the NAT rules etc one needs to setup. Isn’t it just much simpler to add a masquerade for tun0 for all traffic (before the masquerade for WAN) and you are done?
    Just trying to understand why one needs to setup all these rules.
    thanks,
    Raoul

    • Hi Ruud,
      please disregard my comment on masquerade, figured that one out.

      I do however have another problem:
      First I have an EdgeMAX4, so without switch.
      Further I have VLANs and I want to have an IP range on a VLAN go through the VPN.
      So this is what I have (rest is the same)

      set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
      set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.11.7x to vtun0'
      set firewall modify SOURCE_ROUTE rule 10 source address 192.168.11.70-192.168.11.79
      set firewall modify SOURCE_ROUTE rule 10 modify table 1
      set interfaces ethernet eth2 vif 11 firewall in modify SOURCE_ROUTE
      commit

      the traffic from these IP addresses does go out over vtun0, but on the webpage of the ER4 the Rx count on vtun0 remains 0, so apparently nothing is coming back.
      I do use the same OpenVPN server with multiple computers (MAC, IoS and Windows) without problem. What am I doing wrong?

  12. I tried doing this on my EdgeRouter Lite 3 running v2.0.9-hotfix.1 and in response to the “set interfaces openvpn vtun0 config-file /config/auth/us8540.nordvpn.com.udp.ovpn” command I get “Invalid command.” Is this not supported on the Lite?

  13. Hi Rudy,

    OpenVpn on the edgerouter is crushing my internet speed. Using the ExpressVPN app on the laptop I can get 300mbps in both directions from France to UK whereas I am lucky to get 8mbps through the edgerouter. Short of finding a faster endpoint is there another way of improving speed by using lightway protocol for instance or a less secure protocol – I am only using it to access TV so full on security is not required. Thanks

  14. I failed to pull a backup of my edgerouter. My throughput dropped from 400 to 16. Are there any instructions on how to back out all the changes that you posted for the Surfshark section?

  15. Hi Ruud

    Awesome guide thank you.

    I can now connect to the ExpressVPN service great. However I am getting DNS leaks. Is there any advice you can give to troubleshoot this? Unfortunately ExpressVPN don’t provide a dedicated dns server address so I can’t just force it via dhcp. How do I force dns queries down the tunnel?

    Thanks in advance

    • You will need to create a static route for the DNS:

      set protocols static interface-route 1.1.1.1/32 next-hop-interface vtun0
      set protocols static interface-route 1.1.0.0/32 next-hop-interface vtun0

  16. I almost got this working. It says EdgeRouter is successfully connected but then the very next log line is:
    write UDP: Operation not permitted (code=1)

    there’s no traffic passing. I factory reset the router and tried again before posting.

    Any ideas? thanks

  17. Hello Ruud

    Hope you can help me with this:
    I followed your manual with EdgerouterX-Nordvpn and everything was fine, however since I’m load balancing between 2 carriers I’m struggling with stability, some sites respond ok, others not; looks that it will work fine only having 1 single interface with only one carrier.
    While load balancing I tried to change AD from DHCP to have only one default route, and have the VPN use that path with no success.
    I also tried to create an alternate load balancing group from a specific subnet to take one of the 2 ISPs, and also in the VPN to filter traffic for that specific subnet, I mean, trying to force traffic into a specific interface… no luck as well.
    I tried to have one WAN interface active, and the other as failover only, forcing the traffic to use only one interface but network connectivity is intermittent while surfing the web.

    Looks like it will work only if I have a single WAN interface active… Do you know a method to force all traffic to a single interface so that the VTUN interface can route all the traffic into that path? Thanks in advance

        • Hello, Ruud, William,

          Excellent guide, Ruud, and thank you for your effort. I think the DNS Servers here would be 1.1.1.1 and 1.0.0.1. If, however, Cloudflare DNS also runs a server at 1.1.0.0, that is good to know. The first (1.1.1.1) probably responds all the time anyway, so the second (1.1.0.0) isn’t being queried at all. Cloudflare DNS might never need a 2nd or backup server (1.0.0.1), but good to have the 2nd DNS server just in case.

          Keep up the good work. I’ll try to send coffee via Patreon!

  18. Great article – almost exactly what I am looking for. This might be useful to many people: If possible, can you please add how to route just a range of IP addresses through ExpressVPN, instead of everything? The idea being to be able to “re-geolocate” a SmartTV, Roku, etc. for geolock situations. THANKS!

  19. Hi, Rudy. Thanks for the tutorial. I was reading a prior comment where a guy was asking how to access local computers while connected to the VPN VLAN. Your answer was that he had to segregate the networks in his ER-4 router. I have a ER-6P could you point the directions to make it work? Thanks in advance!

  20. Hello Rudy, Have any of your network tried this with SurfShark? I’m keen not to lose 90% perf by implementing it as some users have experienced.

    Do you know if you have any positive feedback after implementation with SurfShark?

    BTW I followed your EdgeRouter install and it really improved my buffering/performance.

  21. Hello,
    Thank you for this guide. With your tutorial I successfully installed ExpressVPN on my Edgerouter x. I configured for the VPN server in A’dam. So, that is for only one VPN server.
    What is the easiest way to be able to connect to other VPN servers, just as in the ExpressVPN app?
    Thanks

    • There isn’t really an easy way, you will need a new configuration file. Or at least change your current configuration file with the server details of the other VPN location.

  22. Hi Rudy,

    Since the article was great but the download speed degradation was bothering me I purchased an EdgeRouter 4 with more CPU power.
    Most of the configuration listed works, but I’m getting 2 errors / warnings that prevent me from setting up properly, can you help me figure out what to do / change?

    First warning happens after the second commit command:

    ubnt@EdgeRouter-4# commit
    [ service nat rule 5000 outbound-interface vtun0 ]
    NAT configuration warning: interface vtun0 does not exist on this system

    The second happens here:
    ubnt@EdgeRouter-4# set interfaces switch switch0 firewall in modify SOURCE_ROUTE
    interface switch switch0: does not exist
    Value validation failed
    Set failed

    Thanks in advance!

    • On the line “set interfaces switch switch0 firewall in modify SOURCE_ROUTE”, change switch0 to say eth1 or whatever port you are using for your internal network. Remember the ports start with eth0 (which I use for my WAN), and then eth1 & 2 for my internal network.

      Hope this helps!

      • Oh yeah… ethernet ethX and switch switch0 works. How can I set it to my VLAN.123?
        #set interfaces vlan switch0.123 firewall in modify SOURCE_ROUT
        say… The specified configuration node is not valid
        Is this VLAN setup configuration possible? If yes, how? Thanks in advance!

  23. Hi Rudy,

    Thanks again, great article. I managed to get the OpenVPN working instantly using a different VPN provider though. However… the performance drop is too much to cope with, in my experience the download speed dropped by 80%.
    Using the same VPN server and their app which uses IKEv2 protocol my download speed only dropped like 10%.

    Would it be possible for you to describe how to configure VPN using the IKEv2 protocol on the router (if at all possible)? If so I’d be willing to compensate you as I bet many others would as well 😉

  24. Hello,
    can you give me an example of how the format for the username and password looks?

    Step 3 Next, create a new file on your computer and name it vpnauth.txt. Open the file and type in your ExpressVPN username and password, you will find these in the My Account section where you also downloaded the configuration file.

    Make sure that the username and password are each on their own line.

    Thank you!

    • You can also do it the same way as in the ExpressVPN section: “ExpressVPN Configuration for the EdgeRouter”. Where I use a vpnauth.txt file for the username and password.

  25. I have the same drop on bps when using the edgerouter as VPN client. From 200 to 30 Mbps. That is a lot. If I use the app/software delivered with the vpn provider I go from 200 to 180Mbps using the same VPN IP of course.
    I notice in the log that when negotiating the cipher encryption the edgerouter wants to use the cipher AES-256-CBC and the remote server the other one, GBR I think it was. So I changed the last part CBC to GBR but that was also not working at all.
    So I will stick to the software from the VPN provider.

  26. Hi, I was so happy to find this post. However I get an error after the first commit OpenVPN configuration error: Failed to start OpenVPN tunnel. Not sure where to go from here. Any help would be appreciated. I am using ExpressVPN and Edgerouter Lite.

  27. Hi, I’ve set up a VPN with ProtonVPN which works fine, at multiple servers, but saw a drop in bandwidth to 20 Mbps in two cases (both without VPN 100 Mbps and 50 Mbps: other connection). I used IKEv2, UDP protocol, had max 40% load of server, unlimited bandwidth.
    With a VPN client installed on a desktop in the same network, without the vpn on the edgerouter of course, I reached 90Mbps, the bottleneck has to be the Edgerouter. Any thoughts on this?

    • Yeah, the problem is the CPU of the Edgerouter X. OpenVPN is completely software driven, so the speed of the CPU really determines the speed you can get over OpenVPN. The ER-4 is better suited in this case.

  28. Hello Ruud.

    Thank you so much for sharing this great how-to guide – I followed it and everything worked right away!

    I see the firewall rule is set to be valid for the whole 192.168.1.0 network.

    Now I am wondering if it is possible to somehow make the firewall rule valid for only source UDP video protocol? Or for destination sites like YouTube or Twitch?

    In other words, I want to route outbound UDP video through vtun0 and all other traffic through eth0 (WAN).

    Is this possible?

    Thanks in advance!

  29. Hi Ruud,

    I used your guide to install Expressvpn on my Edgerouter X and it worked fine. Unfortunately, my download speeds dropped from 275 Mbps to 17 Mbps. If I disable the VPN, my download speeds return to 275 Mbps. I am not sure why. Any help would be appreciated.

  30. Thanks Ruud, this helped a lot.

    Is there a way to access my devices behind my Edgerouter when the tunnel is on?
    For example, camera feeds, NAS, or Windows server.
    I have a DDNS setup with DYNDNS.

    Or am I going to have to utilize separate ports on my ER4 and not use VLANs?

    • You will need a separate port indeed. If you route all your traffic up the VPN connection, then the only way to enter your network is through to the opposite side of the VPN, but that ain’t going to work. So indeed, splitting your network is the best way to go here.

  31. Is there a way to route the traffic from 2 specific devices OUTSIDE of the expressVPN and instead go via the usual WAN?

    Or better yet, a way to route traffic outside of the VPN based on the destination DOMAIN NAME (Not the IP).

  32. Hey – I wanted to say THANK YOU for taking the time to write and share this. I’ve been fighting to figure out how to setup express vpn on my new edgemax for days.

    I’m left with 2 questions now that it is working.

    1) How might I TEMPORARILY disable the VPN when needed? As at present, disney+ will not work if connected to a VPN.

    2) How might I use a dynamic IP service or similar to somehow get my PLEX server available to the outside world again?

    I TOTALLY understand if you don’t have an answer or indeed the time to reply. I feel cheeky enough even asking.

    Whatever the case, thank you so very much again for sharing your knowledge and time with the rest of us as we all try to get better.

      • Great article Rudy, thanks! I’m going to try this tonight but I was curious as to how to restore the configuration changes made.. in case I mess up.

        The disable comment above helps a bit, but any thoughts on how to rollback all configuration changes made during the setup? Or; what should I backup and restore?

        • Hi Koen,

          For a full rollback of the settings, I would indeed recommend making a backup and restoring it. That is probably the easiest way, besides disabling the VPN connection.

  33. hi Ruud, thanks for your article. I refer to “How to setup an Edgerouter as VPN Client”. I have a MikroTik Desktop Gigabit Router-RB2011iL-IN and Nord VPN, as mentioned in the first part of your article. My router is different from the Edgerouter in the above article.
    Question: how would the configuration be different for my router?

    Thank you very much,
    Joop Vis – South Africa

  34. I have spent all afternoon to get this working. Edgerouter accepts all commands, but DL speed falls down from 205Mb/s to 5.5. Tried 4 different servers from UK and from NL, all same results… Only way to get it right again is a hard factory reset of the ERX.
    There are ways to delete VPN setting in Putty (Or ERX’s CLI), but the response is always: “Nothing to delete (the specified node does not exist)”

  35. Hello Ruud,
    At the advice of NordVPN techies I switched to the NordLynx protocol, which is indeed much faster. Will the above also work for this protocol?
    Also, if you have time, could you write how to program Edgerouter X so one can safely access the LAN from the outside world?
    Many thanks Ruud!

  36. Hi, thanks for the guide, in my EdgeRouter 10x I had to include this line for it to work:

    set firewall modify SOURCE_ROUTE rule 10 action modify

  37. Hi I followed your guide step by step, my issue is I want to restrict vtun0 to my vlan user, for that I have switch0.2 with address 192.168.3.0/24, I have done the same steps that u mentioned but in source address I put my vlan address. When I enable openvpn I don’t get internet on my primary lan also. Can u help me in setting up. Thanks in advance

    my Wan is pppoe
    My Lan eth1 is 192.168.1.0/24
    My Lan eth2 is 192.168.2.0/24
    Then i have Vlan on Switch 0 vif 2 : 192.168.3.0/24

    I want all vlan 2 traffic to pass through Open Vpn tunnel and all other through PPPoE .

  38. Hi Ruud,
    I followed the instruction to install NordVPN on my Edgerouter X. All went well, NordVPN server NL473 was advised so I used these settings. After running the script, I checked and it turned out the server was in Rumania, and my DL speed went down from 310 Mbps to 15.9…. auch… Luckily I had a backup file to undo the script, but I am still wondering why this happened, and if there is a way to be sure that the server is indeed the one that one seeks?
    Thanks for all your great articles!

    • Hi Arie,

      That the download speed drops is normal, but that shouldn’t be more than 30%. You can also pick a server yourself, try one in the UK to see if you get a better result.

  40. set interfaces switch switch0 firewall in modify SOURCE_ROUTE

    gives me an error

    Value validation failed
    Set failed
    [edit]
    ubnt@ubnt# set interfaces switch switch0 firewall in modify SOURCE_ROUTE
    interface switch switch0: does not exist

    • Change switch to ethernet, and switch0 to ethX (eth0 or eth1 or eth2, or whatever physical ethernet port goes to your LAN for the VPN).

      Switch is a virtual group of ethernet connections (I think). If you are not using switches, or if you want to use the VPN on all connections to a physical ethernet port:

      switch (virtual) = ethernet (physical port)
      switch1 (name of switch) = eth1 (name of physical port on router)

      The names can vary; eth0, eth1, eth2 can all be included in one virtual switch. But that gets complicated so I just use the physical ethernet port.

  41. Hi,

    I was wondering if you have step to step guide on how to configure step by step Cisco Sg350-10p for a home network. several home computers including laptops, home lighting – Philip Hue, Sonos, printers, smart Tvs, streaming boxes, game console. Currently have modem router combo from Verizon cable company, etc. Thank you in advance.

    • It should be possible, but I can’t test it right now. I think the main part is pretty much the same, but it seems you will need to add this masquerade:

      set service nat rule 5004 description "masq to vpn vtun0"
      set service nat rule 5004 destination address 0.0.0.0/0
      set service nat rule 5004 outbound-interface vtun0
      set service nat rule 5004 type masquerade
