This guide walks through configuring an EdgeRouter so that traffic from selected LAN IPs is routed through Private Internet Access (PIA) VPN servers while everything else keeps using the normal WAN path. Original content acquired from here.
I am using an EdgeRouter 4 running firmware v2.0.8 and OpenVPN v2.4.0.
Overall Steps:
- Create a firewall address group. I did this because I have multiple IPs that will use the VPN; if I want to add another host later, I just add its IP to the address group, with no need to touch the rest of the VPN configuration. The same group is reused in the NAT rule. If you don’t want an address group, put the IP directly in the firewall modify rule.
- Create a firewall modify rule.
- Apply the firewall modify rule inbound on the LAN interface.
- Configure NAT for your OpenVPN hosts. Note: this rule must come before your global (WAN) masquerade rule. NAT rules are processed in ascending rule-number order and the first match wins, so if it sits after the global rule it never takes effect. If your global rule is numbered lower than 5001, use a number below it instead of the ‘5001’ used in this example.
- Configure a static route that sends packets marked for table 1 (by the firewall modify rule) out through interface vtun1.
- Configure OpenVPN on the router.
- Upload the files to /config/auth. Why /config/auth? Files in that directory survive a firmware upgrade.
Configuration:
SSH into the router and get into configuration mode.
configure
Firewall Address Group: holds the IPs of the hosts I want to route through the OpenVPN connection. The commands below create the group, add two addresses and set a description.
set firewall group address-group PIA_VPN_COMPUTERS address 10.1.1.50
set firewall group address-group PIA_VPN_COMPUTERS address 10.1.1.51
set firewall group address-group PIA_VPN_COMPUTERS description 'PIA Hosts'
Firewall Modify: this rule tags packets whose source is in the address group so that they are routed using table 1 instead of the main table (table 1 itself is populated by the static route below).
set firewall modify PIA_VPN_ROUTE rule 1 action modify
set firewall modify PIA_VPN_ROUTE rule 1 description 'traffic from Devices to vtun1 (PIA)'
set firewall modify PIA_VPN_ROUTE rule 1 modify table 1
set firewall modify PIA_VPN_ROUTE rule 1 source group address-group PIA_VPN_COMPUTERS
Apply Firewall Modify Rule: apply the ruleset inbound (in) on your LAN interface.
Note: if your LAN interface is a vif, apply it on the vif, not on the physical interface.
The command differs depending on whether your router uses a “switch” interface (Ex. ) or a “bridge” interface (Ex. EdgeRouter 4):
set interfaces switch switch0 firewall in modify PIA_VPN_ROUTE
# or, on a bridge:
set interfaces bridge br0 firewall in modify PIA_VPN_ROUTE
NAT: masquerade the VPN hosts behind the tunnel address by using vtun1 as the outbound interface.
The source is the firewall address group created above.
set service nat rule 5001 description openvpn
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun1
set service nat rule 5001 protocol all
set service nat rule 5001 source group address-group PIA_VPN_COMPUTERS
set service nat rule 5001 type masquerade
Static Route: installs a default route in table 1 pointing at vtun1, so every packet the modify rule marked for table 1 leaves through the tunnel.
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun1
At this point go ahead and commit your config changes.
commit comment "Beginning commands to configure VPN"
Now download or create your OpenVPN configuration file in the /config/auth folder. For PIA, I downloaded the OPENVPN CONFIGURATION FILES (TCP) from https://www.privateinternetaccess.com/helpdesk/kb/articles/where-can-i-find-your-ovpn-files and pasted the contents into a new config file. Those config files contain inline <crl-verify> and <ca> certificate entries. If your config files don’t contain them, you’ll need to upload or create those files separately and reference them from the config, as you will do below for the authentication information.
Use vi or nano to create a new file called pia-tcp.ovpn:
sudo -i nano /config/auth/pia-tcp.ovpn
Open the OpenVPN config of your choice (Ex. US West.ovpn) downloaded from the PIA website, paste its contents into the nano window and save with CTRL-X.
Now create a new file to hold your PIA login credentials. This file stores the password in plaintext, so keep it readable by root only.
nano /config/auth/auth-user-pass.txt
Enter your username on line 1 and your password on line 2, with nothing else in the file.
Example:
g123456
longSecretPassword
Re-edit pia-tcp.ovpn. Find the line with auth-user-pass and add the path to your auth-user-pass.txt file:
auth-user-pass /config/auth/auth-user-pass.txt
Also add these two lines at the end of the config. route-nopull makes the client ignore routes pushed by the server, so PIA cannot install a default route on the router that would bypass the table 1 policy; mssfix 1420 clamps the TCP MSS so packets fit in the tunnel without fragmentation.
mssfix 1420
route-nopull
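The following script is an added example (not part of the original guide) that checks the two files above before vtun1 is pointed at them. The credentials file is plaintext: a file written with nano as root normally ends up mode 0644, readable by any local account on the router, so the check insists on 0600 (or 0400) and on exactly two lines; the .ovpn must reference the credentials file by absolute path, contain route-nopull and an mssfix value, and carry either inline <ca>/<crl-verify> blocks or ca/crl-verify directives pointing at files that exist. It assumes the file names used in this guide, GNU stat (EdgeOS is Debian-based) and that it is run as root on the router.

```shell
#!/bin/bash
# Pre-flight check for the OpenVPN files under /config/auth. Added example,
# not from the original guide. Usage on the router (as root):
#   check_auth_file /config/auth/auth-user-pass.txt
#   check_ovpn_file /config/auth/pia-tcp.ovpn /config/auth/auth-user-pass.txt

# The credentials file holds the PIA password in plaintext. It must be mode
# 0600 (or 0400) so only root can read it, and contain exactly two non-empty
# lines: username, then password.
check_auth_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode on $f is too open; run: sudo chmod 600 $f"; return 1 ;;
    esac
    lines=$(grep -c '[^[:space:]]' "$f" || true)   # grep -c exits 1 on a count of 0
    if [ "$lines" -ne 2 ]; then
        echo "expected 2 non-empty lines (username, password) in $f, found $lines"
        return 1
    fi
    return 0
}

# The .ovpn must reference the credentials file by absolute path, carry
# route-nopull (so the server cannot push a default route that bypasses the
# table 1 policy), an mssfix value, and either inline <ca>/<crl-verify>
# blocks or ca/crl-verify directives that point at files that exist.
check_ovpn_file() {
    ovpn=$1 auth=$2 rc=0
    [ -f "$ovpn" ] || { echo "missing: $ovpn"; return 1; }
    grep -qxF "auth-user-pass $auth" "$ovpn" || { echo "auth-user-pass does not point at $auth"; rc=1; }
    grep -qx 'route-nopull' "$ovpn" || { echo "route-nopull missing"; rc=1; }
    grep -q '^mssfix ' "$ovpn" || { echo "mssfix missing"; rc=1; }
    for d in ca crl-verify; do
        grep -q "^<$d>" "$ovpn" && continue        # inline block present
        ref=$(awk -v d="$d" '$1 == d { print $2; exit }' "$ovpn")
        if [ -z "$ref" ]; then
            echo "no inline <$d> block and no '$d <file>' directive"; rc=1
        elif [ ! -f "$ref" ]; then
            echo "$d references $ref, which does not exist"; rc=1
        fi
    done
    return $rc
}
```

Each function returns 0 when the file passes and 1 with a reason on stdout otherwise, so the two can be chained with && before committing the vtun1 configuration.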
Now continue configuring the router:
set interfaces openvpn vtun1 config-file /config/auth/pia-tcp.ovpn
set interfaces openvpn vtun1 description 'Private Internet Access VPN'
set interfaces openvpn vtun1 enable    # the original author was unsure whether this line is needed; if commit rejects the node, leave it out
commit comment "adding vtun1 config"
Now add exceptions to the modify ruleset so that traffic which should never enter the tunnel stays on the main routing table: LAN-to-LAN traffic (rule 10) and replies to connections that arrived on your public address, such as inbound port forwards (rule 20). Modify rules are evaluated in ascending order and the first match wins, so the catch-all rule 1 is renamed to 25 to put it after the exceptions. Make sure LAN_NETS actually covers the subnet(s) your devices live on (the address group above uses 10.1.1.x addresses, so for that example the network would be 10.1.1.0/24). ADDRv4_eth0 is the address group EdgeOS maintains automatically for the IPv4 addresses on eth0; substitute your WAN interface name if it is not eth0.
set firewall group network-group LAN_NETS network 10.10.1.0/24
commit comment "adding firewall group LAN_NETS"
set firewall modify PIA_VPN_ROUTE rule 10 description "No VPN for lan to lan"
set firewall modify PIA_VPN_ROUTE rule 10 destination group network-group LAN_NETS
set firewall modify PIA_VPN_ROUTE rule 10 action modify
set firewall modify PIA_VPN_ROUTE rule 10 modify table main
set firewall modify PIA_VPN_ROUTE rule 20 description "no VPN for destination public address"
set firewall modify PIA_VPN_ROUTE rule 20 destination group address-group ADDRv4_eth0
set firewall modify PIA_VPN_ROUTE rule 20 action modify
set firewall modify PIA_VPN_ROUTE rule 20 modify table main
commit comment "adding firewall rules 10 and 20"
edit firewall modify PIA_VPN_ROUTE
rename rule 1 to rule 25
top
commit comment "changing PIA_VPN_ROUTE rule 1 to rule 25"
Important! Prevent internet access if the VPN drops (a kill switch). While vtun1 is up, its interface route (default distance 1) is preferred over the blackhole route at distance 255. When the tunnel goes down, the vtun1 route is withdrawn from table 1 and the blackhole becomes the only default route, so traffic from the VPN hosts is dropped instead of falling through to the main table and leaving via the WAN interface. Source
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
set protocols static table 1 route 0.0.0.0/0 blackhole description "Prevent internet access when VPN drops"
commit comment "final vpn config"
Now make sure none of the firewall rules added above block access to the router’s web interface: try to log in via the web UI. If that works, save the configuration so it persists across reboots, then reboot.
save
exit
sudo reboot
To monitor or troubleshoot the connection, watch the “messages” log:
$ tail -f /var/log/messages
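The script below is an added example (not part of the original guide) that turns the two checks a practitioner actually wants after this setup into something cron can run: whether table 1 still holds the vtun1 default route, only the blackhole (the kill switch from the step above doing its job), or nothing at all (fail-open, meaning VPN hosts would leak out of the WAN), and what the last significant OpenVPN event in /var/log/messages was. It assumes the tunnel is named vtun1 and the policy table is 1 as configured above; the sample route and log lines are constructed to approximate the real formats and were not captured from a router.

```shell
#!/bin/bash
# Health check for the table 1 kill switch and the OpenVPN client. Added
# example, not from the original guide. Usage on the router:
#   ip route show table 1 | route_state
#   tail -n 200 /var/log/messages | openvpn_log_state

# route_state [tunnel]: reads `ip route show table 1` on stdin and prints
#   up         - a default route via the tunnel is installed
#   killswitch - only the blackhole default remains (tunnel down; VPN hosts
#                get nothing, which is the intended behaviour)
#   fail-open  - no default route at all: a lookup in table 1 finds nothing,
#                the kernel falls through to the main table and VPN hosts
#                leak straight out of the WAN interface
route_state() {
    tun=${1:-vtun1}
    has_tun=0 has_bh=0
    while read -r line; do
        case "$line" in
            default*dev\ "$tun"|default*dev\ "$tun"\ *) has_tun=1 ;;
            blackhole\ default*)                        has_bh=1 ;;
        esac
    done
    if [ "$has_tun" -eq 1 ]; then echo up
    elif [ "$has_bh" -eq 1 ]; then echo killswitch
    else echo fail-open
    fi
}

# openvpn_log_state: reads syslog lines on stdin and prints the last
# significant OpenVPN event seen:
#   connected   - Initialization Sequence Completed
#   auth-failed - server rejected the credentials in auth-user-pass.txt
#   tls-error   - TLS handshake or certificate verification failed
#   restarting  - link dropped (SIGUSR1 / ping-restart); kill switch in effect
#   unknown     - no OpenVPN event in the input
openvpn_log_state() {
    state=unknown
    while read -r line; do
        case "$line" in
            *openvpn*"Initialization Sequence Completed"*)       state=connected ;;
            *openvpn*AUTH_FAILED*)                               state=auth-failed ;;
            *openvpn*"TLS Error"*|*openvpn*"VERIFY ERROR"*)      state=tls-error ;;
            *openvpn*"SIGUSR1["*|*openvpn*"Inactivity timeout"*) state=restarting ;;
        esac
    done
    echo "$state"
}

# Constructed sample inputs (approximate the real formats; not captured from
# a router) so the functions can be exercised without a live tunnel.
SAMPLE_TABLE1_UP='default dev vtun1 proto zebra'
SAMPLE_TABLE1_DOWN='blackhole default proto zebra metric 255'
SAMPLE_LOG_OK='Jan  1 00:00:01 ubnt openvpn[1234]: TLS: Initial packet from [AF_INET]203.0.113.10:501
Jan  1 00:00:02 ubnt openvpn[1234]: Initialization Sequence Completed'
SAMPLE_LOG_AUTH='Jan  1 00:00:02 ubnt openvpn[1234]: AUTH: Received control message: AUTH_FAILED'
```

Anything other than "up" from route_state or "connected" from openvpn_log_state is worth an alert; "fail-open" in particular means the blackhole route from the previous step is missing and should be fixed before anything else.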