Setting up an OpenVPN server with multiple WANs can be really frustrating, and there is almost nothing about it on the internet. With a bit of effort, we managed to get it done, and now we show you how.
This tutorial is intended for people with basic skills in network administration, in the Linux operating system in general and in EdgeOS in particular. Assuming a multi-WAN setup as described by UBNT, we go through a tutorial by LasLabs and add the settings needed for multi-WAN. The OpenVPN server will be reachable from one particular WAN.
EdgeMax is the operating system running on Ubiquiti EdgeRouters, which are powerful, relatively low-cost and feature-rich devices. Two features we use are load balancing over multiple WANs and an OpenVPN server running on the router.
Set up load balancing
The first step is to set up load balancing as described in the UBNT multi-WAN setup referenced above. With this setup, IP packets are marked by the firewall with mark 1 for ISP-1 and mark 2 for ISP-2. The static routing table then matches the connection mark and selects the WAN accordingly. Note that you can set arbitrary marking rules within the modify ruleset, such as matching port numbers or source and destination addresses. For some websites, for example, it is necessary to stick to the same WAN; otherwise these sites will log you out as soon as you switch WANs and thus change your external IP. For simplicity, we will use the configuration example from that guide with the following settings:
- ISP-1 with 192.0.2.1 at the ISP’s modem and 192.0.2.2 at the edge router
- ISP-2 with 203.0.113.1 at the ISP’s modem and 203.0.113.2 at the edge router
- 172.16.0.0/24 subnet for your LAN
Of course, you will need to replace these addresses with your own.
Set up a hostname for the VPN connection
The VPN connection will go through ISP-1. We need a hostname pointing to the IP address of the EdgeRouter's ISP-1 port, in our case 192.0.2.2. If your ISP's modem/router NATs your EdgeRouter, the hostname will, of course, need to point to the external address, and you will need to set up port forwarding of UDP port 1194 to the EdgeRouter. This tutorial will subsequently use the domain myvpn.codefluegel.com for the sample IP 192.0.2.2.
Set up the X.509 certificates
Create the files and set up the certificates for the CA, the OpenVPN server and the clients as shown by LasLabs in section "EdgeRouter Lite-Server" (steps 1 to 8). In our example, we use myvpn.codefluegel.com as the common name of the host.pem certificate. We end up with the following files in /config/auth:
- the CA certificate “cacert.pem”
- the server certificate file “host.pem”
- the encrypted server key file “host.key”
- the Diffie-Hellman parameter file "dhp.pem"
Set up the router configuration
Now we need to set up the virtual device vtun0. Analogously to the LasLabs tutorial, we use the 192.168.70.0/24 subnet for the vtun0 device. You should not do anything that does not require root privileges as root, so make sure you do this setup as a normal user (e.g. ubnt). The following commands are taken from the LasLabs server setup (steps 9 to 11) and adapted to our IP setting:
configure
edit interfaces openvpn vtun0
set mode server
set server subnet 192.168.70.0/24
set tls ca-cert-file /config/auth/cacert.pem
set tls cert-file /config/auth/host.pem
set tls key-file /config/auth/host.key
set tls dh-file /config/auth/dhp.pem
set server push-route 172.16.0.0/24
set server client stefan_vpn.codefluegel.com ip 192.168.70.20
Repeat the last command for every client certificate. The host name must be the common name of the client's certificate, and the IP is the static IP assigned to that client. One important addition is necessary for OpenVPN to work with our multi-WAN setup: the response packets leaving vtun0 must go out over ISP-1, because that is the WAN the clients connected to. This is accomplished by setting the connection mark to 1, the same mark the load-balancing firewall rules use for ISP-1:
set openvpn-option "--mark 1"
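To check the resulting vtun0 configuration against the requirements of this setup, here is a small added validator (example code, not part of the tutorial, of LasLabs or of EdgeOS). It reads the `set ...` lines as printed by `show configuration commands` (output format assumed), and flags a missing TLS file, a missing push-route, a client address outside the vtun0 subnet, and a missing `--mark` or one that does not match ISP-1's firewall mark; the sample input is constructed and deliberately carries ISP-2's mark.

```python
import ipaddress
import shlex

# Constructed sample in the `set ...` form that `show configuration commands` prints (format
# assumed); the last line deliberately carries ISP-2's mark so the check has something to report.
SAMPLE_CONFIG = """\
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 192.168.70.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/host.pem
set interfaces openvpn vtun0 tls key-file /config/auth/host.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun0 server push-route 172.16.0.0/24
set interfaces openvpn vtun0 server client stefan_vpn.codefluegel.com ip 192.168.70.20
set interfaces openvpn vtun0 openvpn-option '--mark 2'
"""

def vtun0_rows(config_text):
    """Token lists of the vtun0 statements, minus the 'set interfaces openvpn vtun0' prefix."""
    prefix = ["set", "interfaces", "openvpn", "vtun0"]
    rows = [shlex.split(line) for line in config_text.splitlines() if line.strip()]
    return [row[len(prefix):] for row in rows if row[:len(prefix)] == prefix]

def check_vtun0(config_text, wan_mark=1, lan="172.16.0.0/24"):
    """Return the problems found; an empty list means vtun0 matches this multi-WAN setup."""
    rows, problems = vtun0_rows(config_text), []
    def values(*path):  # tail tokens of every statement whose path starts with `path`
        return [r[len(path):] for r in rows if tuple(r[:len(path)]) == path]
    if values("mode") != [["server"]]:
        problems.append("vtun0 is not in server mode")
    for f in ("ca-cert-file", "cert-file", "key-file", "dh-file"):
        if not values("tls", f):
            problems.append(f"tls {f} is not set")
    subnets = values("server", "subnet")
    net = ipaddress.ip_network(subnets[0][0]) if subnets else None
    if net is None:
        problems.append("server subnet is not set")
    if [lan] not in values("server", "push-route"):
        problems.append(f"push-route {lan} is missing, clients will not reach the LAN")
    for row in values("server", "client"):
        if len(row) == 3 and row[1] == "ip" and net is not None:
            name, ip = row[0], ipaddress.ip_address(row[2])
            if ip not in net or ip == net[1]:  # OpenVPN keeps the first host address for itself
                problems.append(f"client {name}: {ip} is outside {net} or collides with the server")
    marks = [shlex.split(o[0]) for o in values("openvpn-option") if o and o[0].startswith("--mark")]
    if not marks:
        problems.append("no --mark option: replies from vtun0 would be load-balanced across both WANs")
    elif marks[0][1:] != [str(wan_mark)]:
        problems.append(f"--mark {' '.join(marks[0][1:])} does not match the ISP-1 firewall mark {wan_mark}")
    return problems
```

Run it against the real output of `show configuration commands` copied from the router; an empty list means the vtun0 part of the configuration is consistent with the marks and addresses used in this tutorial.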
The firewall configuration depends heavily on your setup, so we will not go into detail here. What you need to ensure is that:
- UDP port 1194 is open towards the ISP-1 WAN
- Access from vtun0 to your network is opened as needed
In a zone-based firewall setup, vtun0 could, for example, be placed in the same zone as the LAN interface in order to allow VPN clients access to the whole LAN.
After the commit, you will be asked for the password of the encrypted server key. If you want to set up OpenVPN via the router's web frontend in the Config Tree, you cannot do so without removing the password from the key file. It is therefore recommended to configure at least the TLS portion of the virtual device using the configure tool.
Following these steps, you should have a working OpenVPN server with multiple WANs. Congratulations! If you need help, feel free to contact us.