How to set up an OpenVPN server on an EdgeMax router with multiple WANs

Setting up an OpenVPN server with multiple WANs can be really frustrating, and there is almost nothing about it on the internet. With a bit of effort, we managed to get it done, and now we show you how.

This tutorial is intended for people with basic skills in network administration and some familiarity with Linux in general and EdgeOS in particular. Starting from the multi-WAN setup described by UBNT in [1], we walk through the LasLabs OpenVPN tutorial [2] and add the settings that a multi-WAN setup requires. The OpenVPN server will be reachable through one particular WAN.

EdgeMax is Ubiquiti's line of EdgeRouters, which run EdgeOS. They are powerful, relatively low-cost, and feature-rich devices. Two features we use here are load balancing over multiple WANs and an OpenVPN server running on the router itself.

Set up load balancing

The first step is to set up load balancing as described in [1]. With this setup, the firewall marks IP packets with mark 1 for ISP-1 and mark 2 for ISP-2. The static routing table then matches the connection mark and selects the WAN accordingly. Note that you can set arbitrary marking rules within the modify ruleset, such as matching port numbers or source and destination addresses. For some websites, for example, it is necessary to stick to the same WAN; otherwise these sites log you out as soon as the WAN, and thus your external IP, changes.

For simplicity, we will use the configuration example from [1] with the following addressing:

  • ISP-1 with 192.0.2.1 at the ISP’s modem and 192.0.2.2 at the edge router
  • ISP-2 with 203.0.113.1 at the ISP’s modem and 203.0.113.2 at the edge router
  • 172.16.0.0/24 subnet for your LAN

Of course, you will need to replace these addresses with your own.

[Figure: network diagram of the load-balancing EdgeMax router with the OpenVPN server]

Set up a hostname for the VPN connection

The VPN connection will go through ISP-1. We need a hostname pointing to the IP address of the EdgeRouter's ISP-1 port, in our case 192.0.2.2. If your ISP's modem/router NATs your EdgeRouter, the hostname will, of course, need to point to the external address instead, and you will need to set up port forwarding of UDP port 1194 to the EdgeRouter. The rest of this tutorial uses the domain myvpn.codefluegel.com for the sample IP 192.0.2.2.

Set up the X.509 certificates

Create the files and set up the certificates for the CA, the OpenVPN server and the clients as shown by LasLabs [2], section “EdgeRouter Lite-Server” (steps 1 to 8). In our example, we use myvpn.codefluegel.com as the common name of the host.pem certificate. We end up storing the following files in /config/auth:

  • the CA certificate “cacert.pem”
  • the server certificate file “host.pem”
  • the encrypted server key file “host.key”
  • the Diffie-Hellman parameter file “dhp.pem”

Set up the router configuration

Now we need to set up the virtual device vtun0. Analogously to [2], we use the 192.168.70.0/24 subnet for the vtun0 device. Do not run anything as root that does not require root privileges, so make sure you do this setup as a normal user (e.g. ubnt). The following commands are taken from the server setup in [2] (steps 9 to 11) and adapted to our addressing:

configure
edit interfaces openvpn vtun0
set mode server
set server subnet 192.168.70.0/24
set tls ca-cert-file /config/auth/cacert.pem
set tls cert-file /config/auth/host.pem
set tls key-file /config/auth/host.key
set tls dh-file /config/auth/dhp.pem
set server push-route 172.16.0.0/24
set server client stefan_vpn.codefluegel.com ip 192.168.70.20


Repeat the last command for every client certificate. The host name must be the common name of the client's certificate, and the IP is the static tunnel address assigned to that client.
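As an added example (not part of the original tutorial or of EdgeOS), the following Python script generates the per-client set lines and sanity-checks the static addresses against the vtun0 subnet before you paste them into the configure session. The second client entry is constructed for illustration, and the assumption that the OpenVPN server end of the tunnel occupies the first address of the subnet (192.168.70.1) is marked in the code.

```python
import ipaddress

# Subnet of the vtun0 device from the tutorial above.
VTUN_SUBNET = ipaddress.ip_network("192.168.70.0/24")
# Assumption: in 'server subnet' mode OpenVPN takes the first usable
# address (192.168.70.1) for the server end of the tunnel.
SERVER_IP = next(VTUN_SUBNET.hosts())

# Constructed client list: certificate common name -> static tunnel IP.
# The first entry is the tutorial's; the second is made up for the demo.
CLIENTS = {
    "stefan_vpn.codefluegel.com": "192.168.70.20",
    "laptop_vpn.codefluegel.com": "192.168.70.21",
}


def validate_clients(clients, subnet=VTUN_SUBNET, server_ip=SERVER_IP):
    """Return human-readable problems with the client map (empty = OK)."""
    problems, seen = [], {}
    for cn, ip_str in clients.items():
        if not cn or " " in cn:
            problems.append(f"invalid common name {cn!r}")
            continue
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            problems.append(f"{cn}: {ip_str!r} is not an IP address")
            continue
        if ip not in subnet:
            problems.append(f"{cn}: {ip} is outside {subnet}")
        elif ip in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{cn}: {ip} is the network/broadcast address")
        elif ip == server_ip:
            problems.append(f"{cn}: {ip} is the server's own tunnel address")
        if ip in seen:
            problems.append(f"{cn}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, cn)
    return problems


def render_set_commands(clients):
    """Lines to paste inside 'edit interfaces openvpn vtun0'."""
    return [f"set server client {cn} ip {ip}" for cn, ip in sorted(clients.items())]


if __name__ == "__main__":
    errors = validate_clients(CLIENTS)
    if errors:
        raise SystemExit("\n".join(errors))
    print("\n".join(render_set_commands(CLIENTS)))
```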

One important addition is necessary for OpenVPN to work with our multi-WAN setup: the response packets leaving vtun0 must go out over ISP-1. Otherwise the policy-based routing may send them via ISP-2, with the wrong source address. This is accomplished by having OpenVPN set mark 1 on its packets, still within the vtun0 edit context:

set openvpn-option "--mark 1"

Adapt firewall

The firewall configuration depends heavily on your setup. For that reason, we will not go into detail here. What you need to ensure is that:

  • UDP port 1194 is open on the WAN through which the VPN is reached (ISP-1)
  • Access from vtun0 to your network is opened as needed

With a zone-based firewall, for example, vtun0 could be placed in the same zone as the LAN interface in order to allow VPN access to the whole LAN.

Save settings

commit
save

After the commit, you will be asked for the passphrase of the server key. If you want to set up OpenVPN via the router's web frontend (Config Tree), you cannot do so without removing the passphrase from the key file. Thus, it is recommended to configure at least the TLS portion of the virtual device using the configure CLI.

Following these steps, you should have a working OpenVPN server with multiple WANs. Congratulations! If you need help, feel free to contact us.

Referenced Links:
[1] EdgeMAX – Policy-based routing with WAN load-balancing
[2] Configure OpenVPN with X.509 – Ubiquiti EdgeRouter Lite