
EdgeRouter as a VPN entry point with OpenVPN?

Posted on December 17, 2021 (updated December 20, 2021) by Stephen

I was bored one day, and I thought it would be fun to make a private VPN service easy to use. I figured there is no easier way than connecting to a wireless SSID and automatically being on the VPN. In my home network, I have an EdgeRouter™ 4 as my main router, connected to a switch with a few APs. This setup was very easy to use, but the router's CPU limited internet speeds to 15-30 Mbps in both directions. I would still recommend doing it for private web browsing. The guide below will hopefully help others try it as well.


Topology:

[VPN]—[Internet]—[EdgeRouter]—[L2 Switch]—[APs]


Step 1: Building your new internal network for VPN access.

The first thing you need to do is set up a new network separate from your existing network. I used 192.168.20.0/24 with a VLAN tag of 20. As the EdgeRouter-4 doesn't properly support sub-interfaces, I had to set up the new network on a free router port. (Trust me: everything but DHCP will work if you use sub-interfaces.) I then created VLAN 20 on the switch and trunked the VLAN to my APs. Finally, I mapped a new SSID to VLAN 20. I set up the IP on the router, set up DHCP, and made sure it works. Don't worry about internet access at this point.


Step 2: Getting OpenVPN files ready

The EdgeRouter-4 can be used as an OpenVPN client as well as a server. In this setup, we will be using it as a VPN client. Go to your private VPN service and download an OpenVPN profile (a ".ovpn" file).

My OpenVPN file needed two modifications. I had to add the line route-nopull to the .ovpn file before the cert, so the VPN client won't install a default route to the VPN and break your internet access. If your ".ovpn" requires a username and password, create a pass.txt file with your username on the first line and your password on the second line, and save it. You will then also need to add a pointer to that file in the .ovpn file, like this: "auth-user-pass /config/user-data/pass.txt"

Lines you will need in your OpenVPN file:

route-nopull
auth-user-pass /config/user-data/pass.txt

Example pass.txt file content (username on the first line, password on the second):

user
pass
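To take the guesswork out of Step 2, here is an added helper script (not from the original post) that applies both modifications to a downloaded profile and builds the pass.txt content. It inserts route-nopull and the auth-user-pass pointer exactly once, ahead of the first inline certificate block, and flags a locally set redirect-gateway, which route-nopull does not suppress (it only discards routes pushed by the server). The sample profile and the hostname vpn.example.invalid are constructed for the example.

```python
import re

PASS_PATH = "/config/user-data/pass.txt"
INLINE_OPEN = re.compile(r"^\s*<[a-z0-9-]+>\s*$")  # start of an inline block such as <ca>

# Constructed sample profile standing in for a provider's .ovpn download.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
"""

def prepare_ovpn(text: str, pass_path: str = PASS_PATH) -> str:
    """Return the profile with route-nopull and the auth-user-pass pointer
    inserted once, ahead of the first inline <ca>/<cert>/<key> block."""
    kept = []
    for ln in text.splitlines():
        words = ln.split()
        # drop any existing copy so re-running the function is harmless
        if words and words[0] in ("route-nopull", "auth-user-pass"):
            continue
        kept.append(ln)
    first_block = next((i for i, ln in enumerate(kept) if INLINE_OPEN.match(ln)), len(kept))
    directives = ["route-nopull", f"auth-user-pass {pass_path}"]
    return "\n".join(kept[:first_block] + directives + kept[first_block:]) + "\n"

def check_ovpn(text: str) -> list:
    """List what is still wrong with a profile for this recipe.
    route-nopull only discards routes pushed by the server, so a
    redirect-gateway written into the profile itself would still
    replace the router's default route."""
    problems = []
    body = [ln.split() for ln in text.splitlines()]
    if not any(w and w[0] == "route-nopull" for w in body):
        problems.append("missing route-nopull")
    if not any(w[:2] == ["auth-user-pass", PASS_PATH] for w in body):
        problems.append(f"missing auth-user-pass {PASS_PATH}")
    if any(w and w[0] == "redirect-gateway" for w in body):
        problems.append("profile sets redirect-gateway locally; remove it")
    return problems

def make_pass_file(user: str, password: str) -> str:
    """pass.txt content: username on line 1, password on line 2."""
    if any(c in user + password for c in "\r\n"):
        raise ValueError("credentials must not contain line breaks")
    return f"{user}\n{password}\n"
```

Write the return value of prepare_ovpn() to vpnfile.ovpn and that of make_pass_file() to pass.txt, then copy both to /config/user-data/ as in Step 3.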

Step 3: Add your files to the router.

Now that you have the files ready, SSH into your router and use the "sudo su" command to get into the shell. Place the OpenVPN and pass.txt files in the /config/user-data/ directory.

root@router:/config/user-data# ls
vpnfile.ovpn pass.txt

Step 4: Connect to the VPN:

We are going to create an interface called vtun0 that will be used as the VPN entry point. The first command provides the location of your .ovpn file, and the second command gives the interface a description. Once these two commands have been entered, you should see the new interface with a VPN IP address. If not, check the logs on the router.

set interfaces openvpn vtun0 config-file /config/user-data/vpnfile.ovpn
set interfaces openvpn vtun0 description 'VPN-Name'

Step 5: Set up policy-based routing.

With EdgeRouter PBR, you first build a separate route (or routes) and give it a table number. You then make an ACL that matches the traffic you want and point it at that table number.


Step 5a: Make a table 2 route

set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface vtun0

Step 5b: Make a firewall PBR rule that matches traffic sourced from VLAN 20 and sends it to the route in table 2

set firewall modify VPN_PBR rule 100 action modify
set firewall modify VPN_PBR rule 100 description 'Route traffic from vlan20 to VPN'
set firewall modify VPN_PBR rule 100 modify table 2
set firewall modify VPN_PBR rule 100 source address 192.168.20.0/24

Step 6: Apply the modify ruleset to the router port carrying VLAN 20 so the PBR config takes effect on that port. I was using port eth2 for VLAN 20.

set interfaces ethernet eth2 firewall in modify VPN_PBR

Step 7:  Add NAT to vtun0

I included the config from my router below. You can also do this in the GUI if you prefer.

    nat {
        rule 5000 {
            description VPN
            log disable
            outbound-interface vtun0
            protocol all
            source {
                address 192.168.20.0/24
            }
            type masquerade
        }
    }

You should then be good to go. Just connect to your SSID for VLAN 20 and you should be routed out of your VPN. I hope you were able to get it working!

Note that this little EdgeRouter is not the most powerful thing, and speeds will be around 15-30 Mbps in both directions.
