pfSense is great because it can be installed as a VM in a datacenter and handle enterprise-grade routing and reporting. EdgeRouters are great because they are readily available at a very reasonable cost.
Both support OpenVPN, which tends to be a reliable, easy-to-use VPN protocol that does not require the VPN client to have a static IP address. There is no GUI for OpenVPN on the EdgeRouter, but it is pre-installed and can easily be configured from the console.
Once you have configured the OpenVPN server in the pfSense interface, there is an export feature that creates a .ovpn file containing the configuration required on the client side (the EdgeRouter).
I initially had an issue, as the config file included a “pull” command that the EdgeRouter complained was not valid without TLS-Server or TLS-Client specified. I manually edited the file and removed the “pull” line, and then the tunnel connected without issue.
From the EdgeRouter CLI, run:
# configure
# set interfaces openvpn vtun0 config-file /config/nameofyourconnection.ovpn
# commit
# set service nat rule 5020 description 'masquerade for Tunnel'
# set service nat rule 5020 outbound-interface vtun0
# set service nat rule 5020 type masquerade
# set service nat rule 5020 protocol all
# commit
# save
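As an added example (not part of the original post), the following POSIX shell script automates the two manual steps above: it strips the “pull” line from the exported client file and prints the EdgeOS configure session that loads it on vtun0 with the masquerade rule. The connection name, the sample file contents (including the host vpn.example.com), and the check for a tls-client / remote-cert-tls server line are assumptions made for the example; real exports also carry inline certificate blocks, which pass through untouched.

```shell
# Added example, not from the original post: prepare a pfSense-exported .ovpn
# client file for EdgeOS and print the configure session that loads it.
# Assumptions: the file is copied to /config/<name>.ovpn on the router, vtun0
# is unused, and NAT rule number 5020 is free (as in the post's own commands).

# Write a constructed sample of what the pfSense export looks like, including
# the bare "pull" directive that EdgeOS rejected. Real exports also carry
# inline <ca>/<cert>/<key> blocks; those pass through sanitize_ovpn untouched.
sample_ovpn() {
    # $1 = path to write
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
pull
tls-client
remote-cert-tls server
EOF
}

# Remove lines consisting solely of "pull"; everything else is kept verbatim.
# grep -v exits 1 when nothing is left, so tolerate that instead of failing.
sanitize_ovpn() {
    # $1 = input file, $2 = output file
    grep -v -E '^[[:space:]]*pull[[:space:]]*$' "$1" > "$2" || true
}

# Succeed only if the file declares a TLS role: tls-client, or a
# "remote-cert-tls server" line (assumed here to be what the export contains).
check_tls_role() {
    # $1 = file to inspect
    grep -q -E '^(tls-client|remote-cert-tls[[:space:]]+server)([[:space:]]|$)' "$1"
}

# Print the EdgeOS commands from the post for a given connection name.
edgeos_commands() {
    name="$1"
    cat <<EOF
configure
set interfaces openvpn vtun0 config-file /config/${name}.ovpn
commit
set service nat rule 5020 description 'masquerade for Tunnel'
set service nat rule 5020 outbound-interface vtun0
set service nat rule 5020 type masquerade
set service nat rule 5020 protocol all
commit
save
EOF
}

# Usage: sample_ovpn in.ovpn; sanitize_ovpn in.ovpn out.ovpn
#        check_tls_role out.ovpn && edgeos_commands myconn
```

Run the sanitized output through check_tls_role before copying it to /config; if it fails, the export is missing the TLS role and the tunnel will not come up even with “pull” removed.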
Other Notes:
- Log files in EdgeOS are in the /var/log/messages file
- I manually added a push route command to the client config file:
  push "route 192.168.3.0 255.255.255.0"
- EdgeOS 2.x uses OpenVPN 1.2.4, as does pfSense 2.4.x
- Tunnel status is at /var/run/openvpn/status/vtunX
- To update, delete the interface and re-create it. Delete with:
  delete interfaces openvpn vtun0
References:
https://mediarealm.com.au/articles/ubiquiti-edgemax-router-openvpn-client-setup/