Configuring a Tunnel between an EdgeRouter X and pfSense

pfSense is great because it can be installed as a VM in a datacenter and handle enterprise-grade routing and reporting. EdgeRouters are great because they’re readily available at a very reasonable cost.

Both support OpenVPN, which tends to be a reliable, easy-to-use VPN protocol that does not require the VPN client to have a static IP address. There is no GUI for OpenVPN on the EdgeRouter, but it is pre-installed and can easily be configured from the console.

Once you’ve configured the OpenVPN server in the pfSense interface, there is an export feature that creates an .ovpn file containing the configuration required for the client side (the EdgeRouter).

I initially had an issue as the config file included a “pull” command that the EdgeRouter complained was not valid without the TLS-Server or TLS-Client specified. I manually edited the file and removed the “pull” line and then the tunnel connected without issue.

From the EdgeRouter CLI, do:

# configure
# set interfaces openvpn vtun0 config-file /config/nameofyourconnection.ovpn
# commit
# set service nat rule 5020 description 'masquerade for Tunnel'
# set service nat rule 5020 outbound-interface vtun0
# set service nat rule 5020 type masquerade
# set service nat rule 5020 protocol all
# commit
# save
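As an added example (not part of the original post), the following Python script performs the manual edit described above mechanically: it strips the bare `pull` line from a pfSense-exported profile, appends the route for the remote LAN, and flags directives a client profile would be missing. The sample profile and the vpn.example.net host are constructed for illustration.

```python
import re

# Directives a client profile normally needs; pfSense's inline blocks cover ca/cert/key.
REQUIRED = ("client", "dev", "proto", "remote", "ca", "cert", "key")

def prepare_for_edgeos(ovpn_text, lan_route=None):
    """Return (cleaned_config, warnings) for a pfSense-exported .ovpn profile."""
    out, present, warnings, in_block = [], set(), [], False
    for line in ovpn_text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"</?[a-z-]+>", stripped):   # inline <ca> ... </ca> markers
            in_block = not stripped.startswith("</")
            present.add(stripped.strip("</>"))
            out.append(line)
        elif in_block or not stripped or stripped[0] in "#;":
            out.append(line)                          # cert material, blanks, comments
        elif stripped.split()[0] == "pull":
            # The post reports EdgeOS rejects a bare 'pull' line, so drop it.
            warnings.append("removed bare 'pull' directive")
        else:
            present.add(stripped.split()[0])
            out.append(line)
    if lan_route:   # remote LAN reachable through the tunnel: (network, netmask)
        out.append(f"route {lan_route[0]} {lan_route[1]}")
    warnings += [f"missing '{d}' directive" for d in REQUIRED if d not in present]
    return "\n".join(out) + "\n", warnings

# Constructed sample resembling a pfSense export; certificate bodies are placeholders.
SAMPLE_OVPN = """\
dev tun
proto udp
cipher AES-256-CBC
auth SHA256
client
remote vpn.example.net 1194
pull
<ca>
PLACEHOLDER-CA
</ca>
<cert>
PLACEHOLDER-CERT
</cert>
<key>
PLACEHOLDER-KEY
</key>
"""

if __name__ == "__main__":
    print(*prepare_for_edgeos(SAMPLE_OVPN, ("192.168.3.0", "255.255.255.0")), sep="\n")
```

Write the returned config to /config/ on the EdgeRouter and reference it with the set interfaces openvpn command above; review any warnings before committing.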

Other Notes:

  • Log files in EdgeOS are in /var/log/messages
  • I manually added a push route command to the client config file:
    push "route 192.168.3.0 255.255.255.0"
  • EdgeOS 2.x uses OpenVPN 1.2.4, as does pfSense 2.4.x
  • Tunnel status is at: /var/run/openvpn/status/vtunX
  • To update, delete the interface and re-create it. Delete with: delete interfaces openvpn vtun0


Published by

Dar Zuch

Find me on Linkedin at: https://ca.linkedin.com/in/darzuch
