
EdgeRouter OpenVPN Setup

In this post I will walk you through configuring an OpenVPN connection on the EdgeRouter. I could not find a single configuration guide that covered everything I wanted; I had to combine 4-6 different websites to configure OpenVPN on my EdgeRouter, so I decided to write a guide myself.

So, about VPNs. In short, what is a VPN? You can think of a VPN connection as an encrypted tunnel used to connect computers on different networks over the internet. VPNs can be used to give yourself a secure connection when using the internet on a public network, like a public Wi-Fi hotspot. They are also used a lot to create a secure remote connection to your (work or home) local network.

I have chosen to use the OpenVPN protocol instead of other well-known protocols like PPTP (older, more insecure, easily detectable and blockable) or L2TP/IPsec (easily detectable and blockable, but available on most operating systems).
I like the OpenVPN protocol because it is easy to set up, open source, more secure than PPTP and can be run on port 443 (HTTPS), which makes it almost undetectable because it shows up as normal HTTPS traffic. The downside of OpenVPN is that it requires a third-party app instead of the software built into Windows or your phone.

Different types of VPN tunneling

When configuring the VPN, you will need to choose how you want to use it. You can choose between a split-tunnel and a full-tunnel.

  • Split-tunnel allows you to access your local network resources, but normal internet traffic does not go through the tunnel and is not encrypted
  • Full-tunnel allows you to access your local network resources, and your normal internet traffic also goes through the tunnel and is encrypted. But you probably cannot access resources on the network you are physically connected to, unless you were already connected to them.

I have chosen the full tunnel, because I want secure internet access as well as access to my local resources. You could also add a route to your work network to access its resources through the VPN; I haven't tested that.


Create OpenVPN client/server certificates

OpenVPN uses the same cryptography that is used to browse HTTPS websites. This means we need our own client/server certificates to secure the connection between the client and the EdgeRouter OpenVPN server.

First, we will generate a Diffie-Hellman parameter file. This allows the clients and the server to derive shared session keys without transmitting the key over the internet. If someone gets hold of your server certificate, they won't be able to decrypt the traffic. Running this command takes a long time, so sit back, get some coffee and wait.

openssl dhparam -out /config/auth/dhp.pem -2 2048

Now we can start to create our certificates. There is a script on the edgerouter that will help us generate the certificates.

sudo -s
cd /usr/lib/ssl/misc
./ -newca

You will be asked a few questions; make sure you answer all of them. You will have to do this a few times while creating the certificates. Use root as the Common Name. Make sure you remember the passwords you have entered!
The ./ -newca command will create a new directory called /demoCA. This folder contains the private/cakey.pem file (private key) and the cacert.pem file (public CA certificate for your clients).

After this, we need to create a public/private key pair for the server. Give this one the Common Name server, then repeat the same steps for Client1.

./ -newreq
./ -sign

mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key
./ -newreq
./ -sign

mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

Remove the password from the client and server keys. This allows the clients to connect using only the provided certificate.

openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key

Overwrite the existing keys with the no-pass versions.

mv /config/auth/server-no-pass.key /config/auth/server.key
mv /config/auth/client1-no-pass.key /config/auth/client1.key
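As an added example that is not part of the original post, here is the same certificate work done with plain openssl commands instead of the CA helper script, and it goes one step further than the post: the server and client certificates get an extendedKeyUsage, and the checks at the end confirm that each certificate chains to the CA, that each key belongs to its certificate, and that a client certificate is not accepted for the server role. The scratch directory, the config file req.cnf and the function names are my own; the post's paths under /config/auth are not touched.

```shell
#!/bin/sh
# Added example: CA, server and client certificates with plain openssl
# commands, plus the checks the post's procedure skips (chain, key/cert
# pairing, extendedKeyUsage purpose). Scratch dir and req.cnf are mine.
set -eu
WORK=${WORK:-$(mktemp -d)}   # hypothetical scratch dir, not /config/auth
cd "$WORK"

# minimal openssl config: subjects come from -subj, CA extensions from ca_ext
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# root CA (CN=root as in the post), self-signed for 10 years
make_ca() {
  openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 3650 -sha256 -subj "/CN=root" -keyout cakey.pem -out cacert.pem 2>/dev/null
}

# leaf certificate: $1 = common name, $2 = EKU (serverAuth or clientAuth)
make_leaf() {
  openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# check_leaf NAME PURPOSE (sslserver|sslclient): 0 only if NAME.pem chains to
# the CA for that purpose and NAME.key is the private key of NAME.pem
check_leaf() {
  openssl verify -CAfile cacert.pem -purpose "$2" "$1.pem" >/dev/null 2>&1 || return 1
  c=$(openssl x509 -in "$1.pem" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$1.key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

make_ca
make_leaf server serverAuth
make_leaf client1 clientAuth
check_leaf server sslserver && check_leaf client1 sslclient && echo "certificates OK"
```

Copy cacert.pem, server.pem/server.key and client1.pem/client1.key into /config/auth as the post does; with serverAuth on the server certificate, the client .ovpn can additionally carry remote-cert-tls server so it refuses a peer that only holds a client certificate.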

Configure OpenVPN server (EdgeRouter)

Now that the client and server certificates have been created and downloaded, we can set up the OpenVPN configuration on the EdgeRouter. I will use as the network for the VPN clients, and my local network is on I will also use port 443 for the VPN tunnel. Because the EdgeRouter web console is also on 443, I will change the web console to port 4443.

Use the CLI of the EdgeRouter to configure OpenVPN with the following commands:

set service gui https-port 4443
set interfaces openvpn vtun0
set interfaces openvpn vtun0 description "OpenVPN server"
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 server subnet
set interfaces openvpn vtun0 server push-route
set interfaces openvpn vtun0 server name-server
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
set interfaces openvpn vtun0 openvpn-option "--push route-gateway"
set interfaces openvpn vtun0 openvpn-option "--push redirect-gateway def1"

When you have entered this you will have:

  • Your VPN is configured on network Your VPN server will have and clients will start with
  • You have configured AES256 encryption and SHA256 hashing instead of the default SHA1. This will slightly decrease performance but is much more secure
  • Configured as the DNS server, but you can choose whatever DNS server you like
  • Configured the OpenVPN server on port 443, so it will look like normal HTTPS traffic
  • With '--push route-gateway' and '--push redirect-gateway def1' you will be using full-tunneling. Delete those two lines to get a split-tunnel

Configure firewall

We need to make sure that OpenVPN traffic on port 443 can pass the firewall and that the OpenVPN network is included in the NAT rules. I use NAT and a NAT group, as you can see in my previous post(s).

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "OpenVPN"
set firewall name WAN_LOCAL rule 30 destination port 443
set firewall name WAN_LOCAL rule 30 log enable
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall group network-group LAN

Configure OpenVPN client (Windows 10)

For the Windows 10 OpenVPN client, I have created the following .ovpn file matching the OpenVPN server configuration above.
Place this config file in C:\Program Files\OpenVPN\config.

Also place the cacert.pem, client1.key and client1.pem files in this directory. You can download these files from the /config/auth/ directory on the Edgerouter with WinSCP.

# client = tls-client + pull: needed to handshake with the server's --tls-server
# and to accept the pushed routes
client
dev tun
proto tcp
remote x.x.x.x 443
resolv-retry infinite
redirect-gateway def1
user nobody
group nobody
verb 3
# files copied from /config/auth on the EdgeRouter
ca cacert.pem
cert client1.pem
key client1.key
# must match "encryption aes256" and "hash sha256" on the server
cipher AES-256-CBC
auth SHA256
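An added consistency check, not from the post: the three places where the same values are typed by hand (the EdgeRouter set commands, the WAN_LOCAL rule and the .ovpn file) must agree on port, protocol, cipher and hash, and the GUI must not share port 443 with the tunnel. The sample configs, the address 192.0.2.1 and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post): lint the hand-typed EdgeRouter "set"
# commands, the WAN_LOCAL firewall rule and the Windows .ovpn against each
# other. Sample inputs are constructed; the address and ports are
# placeholders, not the post's values.
set -eu

ROUTER_CFG='set service gui https-port 4443
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set firewall name WAN_LOCAL rule 30 destination port 443
set firewall name WAN_LOCAL rule 30 protocol tcp'

CLIENT_OVPN='client
dev tun
proto tcp
remote 192.0.2.1 443
cipher AES-256-CBC
auth SHA256'

# last field of the last line of "$1" that contains the fixed string "$2"
val() { printf '%s\n' "$1" | grep -F -- "$2" | tail -n 1 | awk '{print $NF}'; }

# map EdgeOS encryption/hash keywords to the OpenVPN client directive values
cipher_name() { case "$1" in aes256) echo AES-256-CBC;; aes128) echo AES-128-CBC;; *) echo "$1";; esac; }
hash_name()   { case "$1" in sha256) echo SHA256;; sha512) echo SHA512;; sha1) echo SHA1;; *) echo "$1";; esac; }

# lint_openvpn ROUTER_CFG CLIENT_OVPN: prints one FAIL line per mismatch,
# returns 0 only when every check holds
lint_openvpn() {
  r=$1; c=$2; fails=0
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  port=$(val "$r" 'vtun0 local-port')
  [ "$port" != "$(val "$r" 'gui https-port')" ] || fail "GUI and OpenVPN both listen on $port"
  [ "$(val "$r" 'rule 30 destination port')" = "$port" ] || fail "WAN_LOCAL rule 30 does not open $port"
  [ "$(val "$r" 'rule 30 protocol')" = "$(val "$c" 'proto ')" ] || fail "firewall protocol differs from .ovpn proto"
  [ "$(val "$c" 'remote ')" = "$port" ] || fail ".ovpn remote port differs from local-port $port"
  [ "$(cipher_name "$(val "$r" 'encryption')")" = "$(val "$c" 'cipher ')" ] || fail "cipher mismatch"
  [ "$(hash_name "$(val "$r" 'vtun0 hash')")" = "$(val "$c" 'auth ')" ] || fail "auth/hash mismatch"
  [ "$fails" -eq 0 ]
}

lint_openvpn "$ROUTER_CFG" "$CLIENT_OVPN" && echo "config is consistent"
```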


    • Hi David, cacert.pem is created after running ./ -newca at the beginning of the post. This will create a /demoCA folder. There is a cakey.pem (private) and cacert.pem (public) file in there.

  1. Shaun

    I am prompted for ./demoCA/private/./cakey.pem pass phrase while generating the root CA certificate, but cakey.pem doesn’t exist yet. What could be going on?

  2. Ben

    Hi Robin,

    Thanks for the tutorial! Unfortunately I got stuck at the first steps… Where do I create the Diffie-Hellman file and the certificates? If I try to ssh into my router it cannot find the script to generate the certificates.

    I think I am missing something…
