How to set up an OpenVPN server on your Ubiquiti EdgeRouter for secure remote access: a comprehensive step-by-step guide for EdgeRouter OpenVPN deployment
Yes, you can set up an OpenVPN server on your Ubiquiti EdgeRouter for secure remote access. This guide will walk you through the entire process—from planning and certificates to the actual EdgeRouter configuration, client setup, and practical tips to keep everything secure. By the end, you’ll have a reliable VPN that lets you reach your home or small office network from anywhere with strong encryption and manageable client configurations. For extra protection on public networks, you might also consider NordVPN. 
What you’ll get from this guide
- A practical, step-by-step path to set up an OpenVPN server on EdgeRouter
- Clear prerequisites and planning advice to avoid common misconfigurations
- How to generate and deploy certificates for server and clients
- Detailed OpenVPN server and firewall rules tailored for EdgeOS
- A ready-to-use client configuration template OVPN and how to deploy it on Windows, macOS, Linux, iOS, and Android
- Security best practices, testing steps, and troubleshooting tips
- A solid FAQ to answer the most common questions
Introduction to OpenVPN on EdgeRouter
OpenVPN is a tried-and-true VPN protocol that’s widely supported across platforms. It’s robust, flexible, and relatively easy to audit, which makes it a solid choice for home labs and small offices using EdgeRouter gear. EdgeRouter devices run EdgeOS, which provides a fairly straightforward CLI and GUI approach to OpenVPN configuration. The general flow is simple: you generate a certificate authority CA, issue a server certificate and a TLS key, import these into EdgeRouter, and then configure the OpenVPN server to use those files. On the client side, you create or embed the client certificate and key inside an OpenVPN profile that points to your EdgeRouter’s public IP or dynamic DNS name.
Global context and data points you can lean on
- OpenVPN remains one of the most compatible VPN solutions across Windows, macOS, Linux, iOS, and Android, which reduces the friction of client setup.
- EdgeRouter devices are designed to handle small to medium remote-access VPN scenarios well, especially when you have a few dozen concurrent connections at most.
- TLS-auth ta.key and strong ciphers like AES-256-CBC or AES-256-GCM, paired with SHA-256, are standard in secure OpenVPN deployments today (with a GCM cipher the SHA-256 HMAC protects only the control channel, because GCM authenticates the data channel itself).
- For remote workers and small teams, VPNs provide a straightforward way to access internal resources without exposing them directly to the internet.
Prerequisites and planning
Before you touch the EdgeRouter, a little planning saves a lot of headache.
Network and IP plan
- Decide which LAN you want remote clients to reach e.g., 192.168.1.0/24 or 10.10.0.0/24.
- Choose a VPN subnet that doesn’t clash with your LAN e.g., 10.8.0.0/24.
- Confirm your EdgeRouter has a public IP static or dynamic. If you have a dynamic IP, set up dynamic DNS DDNS to keep the VPN reachable.
Hardware and firmware
- Ensure your EdgeRouter runs a recent EdgeOS version that supports OpenVPN natively.
- Check the device’s CPU capabilities. OpenVPN relies on CPU for encryption, so a faster CPU yields better performance for more simultaneous clients.
Certificate authority and keys
- You’ll generate a CA, a server certificate and key, a TLS key ta.key, and a client certificate plus key.
- Plan for certificate lifetimes e.g., 1–2 years and how you’ll rotate them when they expire.
Security considerations
- Use TLS-auth ta.key so the server discards any control-channel packet that lacks the shared HMAC before a TLS handshake even starts; this hides the port from scanners and blunts denial-of-service and TLS-stack attacks.
- Choose strong ciphers and avoid obsolete algorithms.
- Plan for revocation: know how you’ll revoke a compromised client certificate if needed.
Tools you’ll commonly use
- A Linux workstation or VM to generate the CA, server, and client certificates with Easy-RSA or a similar tool.
- SCP or SFTP to move the generated files to the EdgeRouter.
- A text editor to prepare client.ovpn content.
Generating certificates and keys offline, best practice
OpenVPN on EdgeRouter requires a CA, server cert, server key, and client certificates. It’s safer to generate these offline on a trusted machine.
- Install Easy-RSA on a Linux computer or use OpenVPN’s easy-rsa package.
- Create a new CA and a server certificate:
  - Initialize a new PKI directory.
  - Build the CA with a strong passphrase.
  - Generate the server certificate and key (with Easy-RSA, build-server-full, so the certificate carries the server extended key usage that clients check with remote-cert-tls server), making sure the Common Name CN is descriptive e.g., edgevpn-server.
- Generate Diffie-Hellman parameters dh.pem (Easy-RSA gen-dh); EdgeOS requires them for an OpenVPN server.
- Create a TLS-auth key ta.key for TLS channel authentication.
- Generate a client certificate and key for each remote user or device e.g., client1, client2 (build-client-full; the Common Name is what appears in the server log and names the client’s CCD file).
- Bundle the necessary files:
  - CA certificate ca.crt
  - Server certificate server.crt and server key server.key
  - Diffie-Hellman parameters dh.pem
  - TLS auth key ta.key
  - Client certificate client1.crt and client key client1.key
Preparing files for EdgeRouter
- Copy ca.crt, server.crt, server.key, dh.pem, and ta.key to EdgeRouter with scp or sftp; anything under /config persists across reboots:
  - Example paths: /config/auth/openvpn/ca.crt, /config/auth/openvpn/server.crt, /config/auth/openvpn/server.key, /config/auth/openvpn/dh.pem, /config/auth/openvpn/ta.key
  - Make server.key and ta.key readable only by their owner (chmod 600); together they are all that is needed to impersonate your server.
- Copy client1.crt and client1.key to appropriate locations for later reference, such as /config/auth/openvpn/clients/client1/. They are only needed when you build client profiles, so keeping them on the workstation that generated them is the safer option.
Configuring the OpenVPN server on EdgeRouter
EdgeRouter uses EdgeOS, and OpenVPN can be configured via the CLI or the GUI. Here’s a thorough, step-by-step CLI approach you can adapt.
- Create basic server settings
  - In EdgeOS the OpenVPN server is an openvpn interface (vtun0 below) and it is created as a tun device. Enter configuration mode first with: configure
  - These commands run the server in UDP mode, on port 1194, with a 10.8.0.0/24 network for clients, and push a default route plus two DNS servers to them:
  - set interfaces openvpn vtun0 mode server
  - set interfaces openvpn vtun0 protocol udp
  - set interfaces openvpn vtun0 local-port 1194
  - set interfaces openvpn vtun0 server subnet 10.8.0.0/24
  - set interfaces openvpn vtun0 openvpn-option "--push redirect-gateway def1"
  - set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 1.1.1.1"
  - set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 8.8.8.8"
  - Leave out the redirect-gateway line if you want split tunneling (see the section on split tunneling below).
- Configure certificates and keys
  - Tell EdgeRouter where to find ca.crt, server.crt, server.key, and ta.key. Server mode also needs the Diffie-Hellman parameters dh.pem. The server uses tls-auth direction 0; clients use key-direction 1:
  - set interfaces openvpn vtun0 tls ca-cert-file /config/auth/openvpn/ca.crt
  - set interfaces openvpn vtun0 tls cert-file /config/auth/openvpn/server.crt
  - set interfaces openvpn vtun0 tls key-file /config/auth/openvpn/server.key
  - set interfaces openvpn vtun0 tls dh-file /config/auth/openvpn/dh.pem
  - set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/openvpn/ta.key 0"
- Enable TLS-auth and client certificate verification
  - With ca-cert-file set, the server accepts only clients whose certificates were signed by that CA, and the tls-auth option above makes it drop any control-channel packet without the ta.key HMAC before the TLS handshake starts. Make clients verify the server in turn with remote-cert-tls server in the client profile; that check passes only if the server certificate was issued as a server certificate.
- Client configuration directory and addressing
  - If you plan to assign per-client options (a fixed address or extra routes), set a client-config-dir CCD; each file in it is named after the client certificate’s Common Name:
  - set interfaces openvpn vtun0 openvpn-option "--client-config-dir /config/openvpn/ccd"
  - The client subnet was already set with server subnet above; make sure it does not overlap the LAN.
- Authentication and encryption
  - Choose strong crypto and authentication (aes256 is AES-256-CBC; the cipher and auth lines in the client profile must match):
  - set interfaces openvpn vtun0 encryption aes256
  - set interfaces openvpn vtun0 hash sha256
- Interface exposure and firewall rules
  - Packets to UDP 1194 are addressed to the router itself, so the accept rule belongs in the WAN interface’s local ruleset; an in ruleset filters only traffic forwarded through the router and would never see them. The setup wizard names the local ruleset WAN_LOCAL; if yours has another name, use it, and pick a free rule number. Adjust eth0 to your WAN interface:
  - set firewall name WAN_LOCAL rule 30 action accept
  - set firewall name WAN_LOCAL rule 30 description "OpenVPN"
  - set firewall name WAN_LOCAL rule 30 protocol udp
  - set firewall name WAN_LOCAL rule 30 destination port 1194
  - set interfaces ethernet eth0 firewall local name WAN_LOCAL
  - If you build a local ruleset from scratch instead, give it default-action drop and an accept rule for established and related traffic ahead of this one, or the router’s own outbound connections will break. An interface takes a single local ruleset, so attaching a new one replaces the old one.
- NAT and routing
  - OpenVPN hands out addresses from the server subnet itself, so no DHCP relay is needed, and once vtun0 is up the EdgeRouter routes between the VPN subnet and the LAN. Clients reach LAN hosts through normal routing because those hosts already use the EdgeRouter as their gateway. What you still need is a masquerade rule so full-tunnel clients can reach the internet from the EdgeRouter’s WAN IP:
  - set service nat rule 5010 description "OpenVPN clients to WAN"
  - set service nat rule 5010 type masquerade
  - set service nat rule 5010 outbound-interface eth0
  - set service nat rule 5010 source address 10.8.0.0/24
- Save and apply
  - Commit the changes and save:
  - commit
  - save
  - exit
  - The interface starts on commit, so no separate restart is needed. Check it with show interfaces (vtun0 should be listed as up) and, if it is not, look at show log for the OpenVPN error; a refused commit usually names the missing file or setting.
Notes:
- The exact command syntax can vary slightly by EdgeOS version and whether you’re configuring a single OpenVPN server or multiple sites. If you see a mismatch, refer to the EdgeRouter’s CLI reference for your firmware version and ensure all file paths match your actual import locations.
- If you’re using a GUI, you’ll find OpenVPN under VPN > OpenVPN. The GUI will mirror these settings, but the text-based steps are valuable for understanding and troubleshooting.
Generating client configurations client.ovpn
You’ll provide a client profile that contains all necessary information. A typical client.ovpn file looks like this:
client
dev tun
proto udp
remote YOUR_EDGE_ROUTER_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# cipher and auth must match the server's encryption and hash settings
cipher AES-256-CBC
auth SHA256
# the server uses tls-auth direction 0, so every client uses 1
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
… CA certificate contents …
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
… Client certificate contents …
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
… Client private key contents …
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
… TLS-auth key contents …
-----END OpenVPN Static key V1-----
</tls-auth>
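As an added example that is not part of the original guide, the Python script below assembles such a profile from the Easy-RSA output files, copying only the PEM block of each file into the inline sections; the placeholder vpn.example.com and the sample PEM strings are constructed for illustration.

```python
"""Assemble an inline client.ovpn from Easy-RSA output (added example, not from
the original guide). Easy-RSA .crt files carry a text dump before the PEM block
and ta.key starts with comment lines; some clients, notably OpenVPN Connect on
mobile, reject that extra text, so only the PEM block itself is inlined."""
import re

# Exactly one PEM block: certificate, private key or OpenVPN static key.
PEM_BLOCK = re.compile(r"-----BEGIN [^-]+-----.*?-----END [^-]+-----", re.S)

# cipher/auth must match the server's encryption aes256 / hash sha256;
# key-direction 1 pairs with the server's tls-auth direction 0.
CLIENT_OPTIONS = """client
dev tun
proto udp
remote {remote} {port}
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
"""

def pem_block(text: str) -> str:
    """Return the first PEM block in text, without preamble or trailing text."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(0)

def build_ovpn(remote: str, ca: str, cert: str, key: str, ta_key: str,
               port: int = 1194) -> str:
    """Return the profile text with CA, client cert, client key and ta.key inlined."""
    if "PRIVATE KEY" not in key:
        raise ValueError("client key file does not contain a private key")
    parts = [CLIENT_OPTIONS.format(remote=remote, port=port)]
    for tag, body in (("ca", ca), ("cert", cert), ("key", key), ("tls-auth", ta_key)):
        parts.append(f"<{tag}>\n{pem_block(body)}\n</{tag}>\n")
    return "".join(parts)

# Constructed stand-ins for ca.crt, issued/client1.crt, private/client1.key
# and ta.key; a real run reads each with open(path).read().
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
               "-----BEGIN CERTIFICATE-----\nMIICsample\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEsample\n-----END PRIVATE KEY-----\n"
SAMPLE_TA = ("#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
             "0123abcd\n-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    # vpn.example.com is a placeholder for your public IP or DDNS name.
    print(build_ovpn("vpn.example.com", SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY, SAMPLE_TA), end="")
```

Redirect the output to client1.ovpn and hand that single file to the client; the private key inside it deserves the same care as server.key.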
Tips for client deployment
- Windows: Install OpenVPN Connect or the official OpenVPN GUI, then import client.ovpn.
- macOS: Use Tunnelblick or the official OpenVPN client, import client.ovpn.
- Linux: Use the openvpn client with the config file, e.g., sudo openvpn --config client.ovpn.
- iOS/Android: Use the official OpenVPN Connect app and import client.ovpn.
- If you’re behind a CGNAT or dynamic IP, ensure your DDNS name is wired into the client.ovpn remote setting.
DNS leaking and split tunneling
- Split tunneling: If only traffic for your LAN should go through the VPN while everything else goes straight to the internet, do not push redirect-gateway; push a route for the LAN subnet instead, or define per-client routes in CCD files. Only destinations covered by a pushed route enter the tunnel.
- DNS: To prevent DNS leaks, push a DNS server that is reachable through the tunnel (a home DNS server or a trusted public resolver) to clients, and where the client supports it block DNS outside the VPN; a client that keeps using its local resolver reveals every name it looks up even while the tunnel is up.
Firewall rules and NAT deep dive
- An OpenVPN server needs a firewall rule to accept inbound UDP on port 1194 from WAN.
- It also needs NAT rules so that VPN clients can reach devices on the LAN and so outbound traffic appears to come from the EdgeRouter’s WAN IP if you want that behavior.
- Consider restricting VPN access to known IPs or regions if you want to reduce exposure, though that will complicate remote work.
Testing and verification
- Test connectivity from a client location with a public IP. Confirm that you can establish the VPN and that you can reach devices on the LAN.
- Check for DNS leaks by visiting a DNS leakage test site after connecting to the VPN.
- Verify traffic routing by visiting a public IP lookup site and confirming that your outgoing IP matches your EdgeRouter’s WAN IP when connected through VPN.
- Confirm split tunneling if configured behaves as expected: certain traffic should bypass the VPN, while other traffic passes through the tunnel.
Security best practices
- Use TLS-auth ta.key so the server drops unauthenticated control-channel packets before the TLS handshake; this hides the service from port scanners and limits denial-of-service and TLS-stack attacks.
- Keep EdgeRouter firmware up to date; apply security patches promptly.
- Rotate server and client certificates on a reasonable schedule and immediately revoke compromised credentials.
- Use strong, unique credentials for admin access; enable two-factor authentication on the management interface if available.
- Monitor VPN logs for unusual access patterns and configure alerting if possible.
Maintenance, renewal, and scalability
- Certificate renewal: Plan to renew CA and server certificates every 1–2 years, and revoke and replace client certificates as needed.
- Scalability: If you’re expanding to more users, you can issue additional client certificates and, if necessary, set up multiple OpenVPN instances or a larger subnet to avoid address conflicts.
- Backups: Keep secure backups of your CA private key, server private key, and a safe copy of the client profiles in a secure location.
Troubleshooting common issues
- VPN won’t start: Check that the certificate, key, DH and CA file paths in the configuration match the files on disk; verify file permissions on /config/auth/openvpn and read the OpenVPN error in show log before restarting the service.
- Client cannot connect: Confirm the EdgeRouter’s WAN IP is reachable, verify firewall rules, and validate that the correct port and protocol are exposed.
- TLS handshake failures: Ensure ta.key is present in both server and client configurations and that the tls-auth direction is configured correctly (0 on the server, 1 on the client). Also check the client’s clock and the certificate validity dates, since an expired or not-yet-valid certificate fails the handshake too.
- DNS leaks: Ensure the client profile is pushing a DNS server and that the client’s system isn’t using a conflicting DNS resolver.
- Performance issues: Encryption overhead can impact CPU usage; consider reducing the number of concurrent connections or upgrading hardware if you’re hitting a performance ceiling.
Frequently asked questions
How do I know if OpenVPN is the right choice for my EdgeRouter setup?
OpenVPN is a solid choice for broad compatibility and strong security. If you need wide cross-platform support and a mature set of features, OpenVPN is reliable. If you’re prioritizing performance and simpler client setup, you might also explore WireGuard, but ensure your EdgeRouter and clients support it and that you’re comfortable with the trade-offs.
Do I need a static IP for my EdgeRouter to host OpenVPN?
A static IP makes remote access simpler because your clients always know where to connect. If you have a dynamic IP, use a dynamic DNS DDNS service to keep a stable hostname pointing to your EdgeRouter.
How many clients can connect at once?
The number of concurrent clients you can support depends on your EdgeRouter model and CPU. For most home setups with a handful of users, a few dozen connections is feasible on mid-range EdgeRouter hardware. If you expect more, monitor CPU load and consider upgrading hardware or tuning the VPN configuration for efficiency.
How do I revoke a compromised client certificate?
Revoke the client certificate on your CA and generate a fresh CRL (with Easy-RSA, revoke followed by gen-crl), then load that CRL on the EdgeRouter (the tls crl-file setting on the openvpn interface) so the server actually rejects the revoked certificate; revoking on the CA alone changes nothing on the server. Then issue the affected user a new certificate and key. If you used a per-client CCD setup, remove or update the corresponding CCD file as well.
Can I run OpenVPN and WireGuard at the same time on EdgeRouter?
Yes, you can run different VPN services in parallel, but you’ll need to manage separate ports, separate security configurations, and ensure there’s no resource contention. Many users run both for compatibility and performance testing.
Should I enable split tunneling, or force all traffic through VPN?
Split tunneling can improve performance for non-work traffic, but it can reduce security if not configured carefully. If you handle sensitive resources or remote access to the entire network, a full-tunnel redirect-all-traffic approach is typically more secure.
How do I generate client.ovpn files for Windows, macOS, iOS, and Android?
Use the same base client certificate and key, embed the CA, client cert, and client key into a single client.ovpn file, and provide platform-appropriate OpenVPN clients. Windows and macOS tools typically support importing a single .ovpn file. iOS and Android use the OpenVPN Connect app.
Can I use a different port or protocol for OpenVPN?
Yes. UDP is typically preferred for OpenVPN because of lower latency, but TCP can be used if you’re behind restrictive networks. You can configure a different port e.g., 443 to blend with common HTTPS traffic, but ensure firewall rules and port forwarding are updated accordingly.
How do I test my OpenVPN setup from outside my home network?
Use a mobile data connection or a remote network to connect to your EdgeRouter’s public IP or DDNS hostname. Once connected, verify access to internal resources, check DNS behavior, and confirm that traffic routes as expected.
What are common causes of DNS leaks with OpenVPN, and how can I fix them?
DNS leaks occur when the client uses a local DNS resolver instead of the VPN’s DNS. Push a trusted DNS server via the VPN profile and disable non-VPN DNS on clients if possible. Verify with a DNS leak test after connecting.
Final notes
Setting up an OpenVPN server on your EdgeRouter gives you a powerful, flexible way to access your home or small office network securely from anywhere. This approach emphasizes careful planning subnets, certificates, and firewall rules, a solid certificate strategy, and mindful security practices. As your needs evolve, you can adjust client provisioning, expand to multiple OpenVPN servers if needed, or evaluate modern alternatives like WireGuard while weighing compatibility and security requirements.
If you’d like to learn more or see a hands-on video walkthrough, I’ve found real-world setups from other network enthusiasts that mirror these steps and offer helpful visual guidance.