The Ubiquiti EdgeMax Router is a fantastic new high-performance, cheap (base model is ~US$100) router and firewall. It runs EdgeOS, which is based on the open source Vyatta project. This makes it a perfect OpenVPN Client. I recently set one of these bad boys up as an OpenVPN Client, and found there wasn’t a huge amount of information online on how to do this. The main help I got was a forum thread.
Here’s the procedure I followed to setup my Ubiquiti EdgeMax Lite as an OpenVPN Client:
Note: I’m going to assume you have a bit of router proficiency. A lot of configuration in EdgeOS can be done via the Web GUI, but most of the VPN setup needs to be done via the command line interface.
Step 0: Setup your OpenVPN Server
This guide assumes you already have an OpenVPN Access Server setup and running. I setup one using a Digital Ocean Droplet. The have a great guide on setting up the OpenVPN Access Server using Ubuntu. Before proceeding, please use a desktop client to check the VPN works correctly.
I’m also going to assume you’re on the latest version of the EdgeOS Software. I set mine up using version v1.4.0 (the latest at the time of writing).
Step 1: Get Basic Internet Connectivity Setup
I followed the Ubiquiti SoHo EdgeMax Example to get basic routing and NAT setup. Ensure you can access the internet via your new router.
Step 2: Download your OVPN File from the Access Server
The OVPN file makes it easy to get your client setup. Login to your Access Server’s Web GUI and download the user-locked file. You need to SSH File Transfer this to your EdgeMax. I used the CyberDuck SFTP Client for Mac. Use the standard “ubnt”/”ubnt” credentials to login. You should upload to: /config/vpn-client1.ovpn
To allow for a username/password login rather than a certificate based login, I needed to modify the OVPN file to add the following directive:
Then create a file called pass.txt. On the first line is your username, and on the second line is your password. Upload this to
Step 3: Configure Ubiquiti EdgeMax
Login to your EdgeMax’s CLI, either via SSH or via the Web GUI. Here’s the commands you need to run:
set interfaces openvpn vtun0 config-file /config/vpn-client1.ovpn
Reboot your router for good measure, then immediately login to the Web GUI and open the “Log Monitor” (found under tools). You should start seeing openvpn entries.
This means your OpenVPN is now setup. Depending on how your Access Server is configured, you may need to add some routes. The only one I needed to add was to tell it to send all traffic for 0.0.0.0/1 to tun0. This can be setup through the GUI. You’ll also probably need to setup another Source NAT.
If it isn’t working, here are some things to check:
- Does the clock on the EdgeMax match the clock on the Access Server? When a SSL certificate exchange is done, the times must be somewhat accurate in order to work.
- Can you access the OpenVPN ports, or have they been firewalled? I have had a lot of success running OpenVPN over TCP port 443 (SSL), so perhaps try that.
- If you are behind a restrictive firewall and/or a proxy you will need to take extra steps in order to get this to work. It is possible. I’ll write about this in an upcoming article.