New Member
Posts: 2
Registered: ‎11-07-2017
Kudos: 2

ExpressVPN configuration for EdgeRouter

Hi,

I just got an EdgeRouter (ER-X-SFP) and I wanted to configure ExpressVPN to have only one of my machines go through the VPN. I couldn't find a step-by-step guide on how to achieve this, but I found some useful tips on different websites, so I'll share what I did and maybe this will be helpful to others.

Note: I'm new to all of this so I hope this configuration is correct and secure.

1. Sign up for an ExpressVPN account on www.expressvpn.com and go to your account. Click on Set up ExpressVPN and then Manual Config to get your username and password and OpenVPN config file (my_expressvpn_usa_-_washington_dc_udp.ovpn for instance).

2. Modify the auth-user-pass line and add a new line in the ovpn config file:

auth-user-pass /config/auth/user-pass.txt
route-nopull

3. Create a file (e.g. user-pass.txt) with your username on the first line and your password on the second line. Copy this file and the ovpn config file to /config/auth on your router using SCP.

4. Configure your router:

set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_usa_-_washington_dc_udp.ovpn
set interfaces openvpn vtun0 description 'ExpressVPN'

set firewall modify express_vpn_route rule 10 description 'ExpressVPN'
set firewall modify express_vpn_route rule 10 source address 192.168.1.41/32
set firewall modify express_vpn_route rule 10 modify table 1

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

set interfaces switch switch0 firewall in modify express_vpn_route

set service nat rule 5001 description 'ExpressVPN'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 type masquerade

Don't forget to commit and save. Basically, with this configuration the device with IP 192.168.1.41 (and only this one) should go through the VPN.

That's it! This configuration seems to work for me as my Android TV (and only my Android TV) goes through the VPN.

Sources:

https://lg.io/2015/01/11/the-ubiquiti-edgerouter-configuring-this-extremely-lowcost-enterprisegrade-...

https://nordvpn.com/tutorials/edgerouter/openvpn/

https://www.youtube.com/watch?v=B9dXiKhDVl0

Cheers,

Pierre
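As an added check (not part of Pierre's post), here is a small shell audit that reads a saved dump of show configuration commands and confirms every link of the policy-routing chain is present: the modify rule, the table-1 route, the masquerade NAT and, the piece most easily missed, the ruleset actually attached to a LAN interface with firewall in modify. The sample dump is constructed from the commands above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved dump of
# 'show configuration commands' for every link of the policy-routing chain.
# Usage: check_vpn_pbr <commands-file> <modify-ruleset> <table> <vtun>
check_vpn_pbr() {
  cfg=$1; ruleset=$2; table=$3; vtun=$4; missing=0
  need() {  # $1 = description, $2 = fixed string that must appear in the dump
    grep -qF -- "$2" "$cfg" || { echo "missing: $1"; missing=1; }
  }
  need "OpenVPN interface $vtun" "set interfaces openvpn $vtun "
  need "rule 10 sending matches to table $table" \
       "set firewall modify $ruleset rule 10 modify table $table"
  need "default route for table $table via $vtun" \
       "set protocols static table $table interface-route 0.0.0.0/0 next-hop-interface $vtun"
  need "masquerade NAT leaving $vtun" "outbound-interface $vtun"
  # Most often forgotten: without 'firewall in modify' on a LAN interface
  # no packet ever reaches rule 10, so nothing is policy-routed at all.
  grep -qE "^set interfaces .* firewall in modify $ruleset\$" "$cfg" \
    || { echo "missing: $ruleset attached to a LAN interface (firewall in modify)"; missing=1; }
  # Only one host is meant to use the tunnel: flag a source wider than /32.
  src=$(sed -n "s/^set firewall modify $ruleset rule 10 source address //p" "$cfg")
  case "$src" in
    "")   echo "missing: rule 10 source address"; missing=1 ;;
    */32) ;;
    *)    echo "warning: rule 10 source $src covers more than one host" ;;
  esac
  return $missing
}

# Constructed sample dump of the commands in the post above (hooked on switch0).
write_sample() {
  cat > "$1" <<'EOF'
set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_usa_-_washington_dc_udp.ovpn
set firewall modify express_vpn_route rule 10 source address 192.168.1.41/32
set firewall modify express_vpn_route rule 10 modify table 1
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set interfaces switch switch0 firewall in modify express_vpn_route
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 type masquerade
EOF
}

# Stand-alone demo: the full sample passes, the same dump minus the hook does not.
if [ $# -eq 0 ]; then
  tmp=$(mktemp); write_sample "$tmp"; grep -v 'firewall in modify' "$tmp" > "$tmp.nohook"
  check_vpn_pbr "$tmp" express_vpn_route 1 vtun0 && echo "sample: complete"
  check_vpn_pbr "$tmp.nohook" express_vpn_route 1 vtun0 || echo "nohook: incomplete"
  rm -f "$tmp" "$tmp.nohook"
fi
```

On the router, save the dump with show configuration commands > /tmp/cfg.txt and run check_vpn_pbr /tmp/cfg.txt express_vpn_route 1 vtun0.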

Established Member
Posts: 1,615
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: ExpressVPN configuration for EdgeRouter

There is no vtun enable command, so remove that. The vtun is enabled by default when configured.

There is a disable command and it is undone by deleting the disable rather than an enable command.
New Member
Posts: 2
Registered: ‎11-07-2017
Kudos: 2

Re: ExpressVPN configuration for EdgeRouter

Thanks for pointing this out.
Emerging Member
Posts: 47
Registered: ‎11-19-2017
Solutions: 3

Re: ExpressVPN configuration for EdgeRouter

Hey guys,

I'm having some trouble with this configuration. I can't seem to get an internal IP on the VPN connection; it stays as TBD. I've posted my VPN config file below minus the sensitive info.

client
dev tun
fast-io
persist-key
persist-tun
nobind
remote usa-tampa-1-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /config/auth/pass.txt
route-nopull

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

Any help will be appreciated.

Established Member
Posts: 1,615
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: ExpressVPN configuration for EdgeRouter

Try

grep openvpn /var/log/messages

to see if that tells you anything.

Emerging Member
Posts: 47
Registered: ‎11-19-2017
Solutions: 3

Re: ExpressVPN configuration for EdgeRouter

Thanks for that bit of guidance.

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed.

I am using a triple WAN setup on the router, two of which are in a load-balance configuration. Could it be that the VPN connection does not know which of the WAN interfaces to use?

New Member
Posts: 6
Registered: ‎02-23-2018

Re: ExpressVPN configuration for EdgeRouter

Has anyone managed to get this to work?

I am trying to set up my EdgeRouter to connect to ExpressVPN, but I would like this connection to be temporary and be able to connect and disconnect on demand. Is that possible?

I have some devices that do not have VPN client capability, and it would be great to set up the router to easily connect to the VPN and then disconnect when I do not require it anymore.

Potentially run this command to enable VPN:

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

And this one to disable the route to VPN:

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface eth0

When I set the vtun0 interface as per the thread, I was also getting a TLS error. Has anyone managed to get past this?

Established Member
Posts: 1,615
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: ExpressVPN configuration for EdgeRouter

I use a different VPN provider, but I expect lots of people have gotten this to work. Do you have more than one WAN? That takes a little extra.

As for the on-demand part, as has been written on many threads here, interface-routes to eth ports are at best unreliable. Better would be to disable individual modify rules or unlink the modify ruleset from the LAN interfaces.

New Member
Posts: 6
Registered: ‎02-23-2018

Re: ExpressVPN configuration for EdgeRouter

Thanks for the reply, karog.
Are you able to elaborate on the ruleset of a LAN interface?

Would this work? Keeping the vtun0 interface up all the time with the static route for table 1 as per above, and only changing the source address when needed?

Enable VPN to a specific IP (Android TV):
set firewall modify express_vpn_route rule 10 source address 192.168.1.200/32

Disable VPN for the Android TV (set the source to a dummy address):
set firewall modify express_vpn_route rule 10 source address 192.168.1.250/32

This could probably be done via an SSH script. I will do some testing on the weekend.
Established Member
Posts: 1,615
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: ExpressVPN configuration for EdgeRouter

@julienme Sure, if you only have one rule to change, then changing the source addr to an unused one would work.

The modify rules are in a named ruleset and hooked to a LAN interface like eth1 in the interfaces section, sub firewall section, with the IN keyword. Deleting this would disable the VPN since the modify rules would never be seen. Setting the IN again would enable it. This would be (unnoticeably) more efficient since the rules would never have to be checked.

You could write a script (stored under /config to preserve it across upgrades). It could take an argument like enable vs disable; call the script, say, vpnstatus so as to call it with vpnstatus enable and vpnstatus disable. The script contents should be something like:

#!/bin/vbash
# test here if already in desired state and if so exit
source /opt/vyatta/etc/functions/script-template
configure
# change vpn state
commit

Then from some other machine you can do something like:

ssh edgerouter vpnstatus enable

where edgerouter is the name of your router. For Windows, you can use plink.
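An added example of the vpnstatus script karog outlines (not his code): it fills in the "test if already in desired state" step so a second vpnstatus enable is a no-op instead of a pointless commit. It assumes julienme's addresses (192.168.1.200/32 real, 192.168.1.250/32 unused dummy), that the script lives at /config/scripts/vpnstatus, and that cli-shell-api returnActiveValue reads the committed value of a config path.

```shell
#!/bin/vbash
# Added example, not karog's script: /config/scripts/vpnstatus enable|disable
# swings rule 10's source address between the real client and an unused
# dummy, and exits early when the committed config already holds the target.
# Assumed addresses: 192.168.1.200/32 (Android TV), 192.168.1.250/32 (dummy).
REAL=192.168.1.200/32
DUMMY=192.168.1.250/32
RULE_PATH="firewall modify express_vpn_route rule 10 source address"

# Map the requested action to the address rule 10 must carry.
target_for() {
  case "$1" in
    enable)  echo "$REAL" ;;
    disable) echo "$DUMMY" ;;
    *)       return 1 ;;
  esac
}

# Pure decision helper: "noop" if the rule already holds the target, else "set".
plan_change() {  # $1 = current address, $2 = target address
  if [ "$1" = "$2" ]; then echo noop; else echo set; fi
}

# Read the committed value from the active config (assumed cli-shell-api call).
current_source() {
  /bin/cli-shell-api returnActiveValue $RULE_PATH 2>/dev/null
}

main() {
  target=$(target_for "$1") || { echo "usage: vpnstatus enable|disable" >&2; exit 2; }
  current=$(current_source)
  if [ "$(plan_change "$current" "$target")" = noop ]; then
    echo "vpn already ${1}d ($current)"; exit 0
  fi
  source /opt/vyatta/etc/functions/script-template
  configure
  set $RULE_PATH "$target"
  commit
}

# Only act when invoked with an argument, so the helpers can be reused on their own.
if [ $# -gt 0 ]; then main "$@"; fi
```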

New Member
Posts: 6
Registered: ‎02-23-2018

Re: ExpressVPN configuration for EdgeRouter

Thanks a lot. I'm still new to this, so it may take a while to configure, but I need to get my OpenVPN connection up and running first.
New Member
Posts: 6
Registered: ‎02-23-2018

Re: ExpressVPN configuration for EdgeRouter

Right, I think I got this to work. I just now need to work on the on-demand connection.

set interfaces openvpn vtun0 config-file /config/auth/fr.ovpn
set interfaces openvpn vtun0 description 'ExpressVPN'
set firewall modify express_vpn_route rule 10 description 'ExpressVPN'
set firewall modify express_vpn_route rule 10 source address 192.168.1.200/32
set firewall modify express_vpn_route rule 10 modify table 1
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set service nat rule 5001 description 'ExpressVPN'
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 type masquerade
set interfaces ethernet eth1 firewall in modify express_vpn_route

I can swing the source IP between a dummy and a real source address.
New Member
Posts: 6
Registered: ‎02-23-2018

Re: ExpressVPN configuration for EdgeRouter

I'm not able to run the script, even when loading the cmd template, it is not executing the change, am I doing something wrong?

user@ubnt:/config/auth$ cat enable-vpn
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
set firewall modify express_vpn_route rule 10 source address 192.168.1.111/32
commit
#save
exit

user@ubnt:/config/auth$ ./enable-vpn
-vbash: ./enable-vpn: /bin/vbash^M: bad interpreter: No such file or directory

Established Member
Posts: 1,615
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: ExpressVPN configuration for EdgeRouter

It looks like you have a ctrl-M after vbash. This is Linux, where end of line should be linefeed/ctrl-J only, not Windows CR LF. That applies to every line, of course.

The error is telling you it can't find /bin/vbash^M.

Note ^M is CR of CR LF.
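An added example (not from the thread) of the check a practitioner would run before copying a script to the router: it reports how many lines end in CR, shows the interpreter path the kernel would actually look for, and strips the CRs in place. The sample script is constructed to look like enable-vpn as saved by a Windows editor; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find and repair the CR LF endings
# behind "-vbash: ./enable-vpn: /bin/vbash^M: bad interpreter" before a
# script is copied to the router. Plain POSIX sh, no dos2unix required.
CR=$(printf '\r')

# True (exit 0) when at least one line of the file ends in a carriage return.
has_crlf() { grep -q "${CR}\$" "$1"; }

# Number of lines that end in CR (prints 0 when the file is already clean).
crlf_count() { grep -c "${CR}\$" "$1"; }

# The interpreter path the kernel would look for, with a stray CR shown as ^M.
shebang_target() { head -n 1 "$1" | sed 's/^#!//' | cat -v; }

# Strip every trailing CR in place (what dos2unix does), keeping a .bak copy.
strip_crlf() { cp "$1" "$1.bak" && tr -d '\r' < "$1.bak" > "$1"; }

# Constructed sample: the enable-vpn script as saved by a Windows editor.
write_crlf_sample() {
  printf '#!/bin/vbash\r\nsource /opt/vyatta/etc/functions/script-template\r\nconfigure\r\ncommit\r\n' > "$1"
}

# Stand-alone demo on the constructed sample.
if [ $# -eq 0 ]; then
  f=$(mktemp); write_crlf_sample "$f"
  echo "before: $(crlf_count "$f") CR-terminated lines, interpreter '$(shebang_target "$f")'"
  strip_crlf "$f"
  echo "after:  $(crlf_count "$f") CR-terminated lines, interpreter '$(shebang_target "$f")'"
  rm -f "$f" "$f.bak"
fi
```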

Emerging Member
Posts: 47
Registered: ‎11-19-2017
Solutions: 3

Re: ExpressVPN configuration for EdgeRouter

I still haven't been able to set this up. I also read that the EdgeRouter's OpenVPN performance may hinder maximum use of the connection/maximum available from ExpressVPN.

My work-around is to set up ExpressVPN on a pfSense VM, then use the EdgeRouter to route desired traffic through the VPN using a VLAN ethx.y route.

There's a really good guide on the ExpressVPN site for configuring pfSense. Thus far I have the connection established on pfSense, but I'm still trying to get the routing aspect working.

New Member
Posts: 6
Registered: ‎02-23-2018

Re: ExpressVPN configuration for EdgeRouter

Thank you guys for the info. I was able to correct the script issue and I'm now able to do what I want.

In regards to the performance issues, I am not limited as yet, but I will keep an eye on the usage, and using a pfSense system is a great idea.
New Member
Posts: 1
Registered: ‎07-06-2018

Re: ExpressVPN configuration for EdgeRouter

Use another VPN, it's easy to configure, or safe & secure FastestVPN is a better option.

New Member
Posts: 19
Registered: ‎10-18-2016

Re: ExpressVPN configuration for EdgeRouter

Thanks for the guide. I am able to get this to work, but I have a question:

Is it possible to have two VPN connections? For example, one is a US IP using vtun0 and the other one is a UK IP using vtun1.

Established Member
Posts: 1,615
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: ExpressVPN configuration for EdgeRouter

@eveningside, yes, you can have multiple VPN connections. Of course, you need to use something like Policy Based Routing to determine which packets go through which VPN.
