One thing that’s really handy for your Ubiquiti EdgeRouter is to have it act as a VPN client. This gives all hosts on your network the ability to access the remote VPN without having to login. Setting it up with pfSense is straightforward and pretty easy with the right tools.
In our case, we’re using pfSense as the VPN server. Setting up pfSense is
beyond the scope of this particular guide, but there is a handy tool that makes
setup much simpler. In the package manager, install the
package. This gives you a handy way to export certificates and configuration
for many VPN clients. In our case, we’ll upload this file to the router in the
Edit the Config Files
Before we upload the files to the router, there’s a few changes we need to make. Open the OpenVPN config file (ends in .ovpn) and edit the line with
tls-auth to have absolute paths for the certificates. In my case, I put the openvpn files in /config/ovpn, so I changed the lines to look like:
pkcs12 /config/ovpn/filename.p12 tls-auth /config/ovpn/filename.key 1
Optional: Setup automatic password entry
It’s also handy to setup the router to automatically enter the username and password for the VPN connection. This way, it can bring the interface up automatically whenever the router reboots. To do this, add new line to your config file that looks like
auth-user-pass /config/ovpn/auth.txt, again subbing in your absolute path for where you plan to place your config files. Then create a new file, auth.txt, with the following content, subbing in your username and password:
Setup the Interface
Copy the files you downloaded to your router. Since the router supports SSH, you can use SCP to transfer the files. I put my files in
/config/ovpn, but you can put your files most anywhere.
Login to the CLI of your router and start configuration (run
configure). Create the new VPN interface by issuing
edit interfaces openvpn vtun0. Set the interface to use the config file you just uploaded by issuing
set config-file /path/to/your/config.ovpn.
You can set a name for the interface using
set description "Interface Description".
Commit and save your changes (run
Now that the interface is setup, we need to tell our router how we’d like to send traffic over. pfSense sets VPN clients to use an isolated network, so we’ll have to add a static route for all the remote networks we’d like our router to be able to access.
Login to the web interface of the router, and go to the “Routing” tab. Add a new route, setting the remote network and the IP address of the pfSense server’s VPN interface. If you’re not sure of this, connect to the VPN using a computer and use traceroute to get the first hop.
We also need to setup NAT. In theory, you can do this without NAT, but I haven’t bothered setting it up yet. Head over to the “Firewall/NAT” tab, and go to the NAT section. Add a new source NAT rule, and set it to match the image.