A while ago in another thread I explained the steps to configure the EdgeRouter so that only specific hosts go through the Private Internet Access VPN. The explanation was scattered because I was answering the questions of the person who opened the thread. Since then I have been getting private messages with questions that may not be answered in that thread, so I wrote a step-by-step guide with a detailed explanation of each step of the approach I took to make it work on my router. I tried to make it clear enough that a person with some networking knowledge can adapt it to their own setup. I also went into details beyond the VPN configuration itself. I hope this helps.
Steps:
1- Create a firewall address group.
I did this because I have multiple IPs that use the VPN; if I want to add another host later I just add its IP to the address group, with no need to modify the rest of the VPN configuration.
The same group is also used in my NAT configuration. If you don't create an address group you can specify the IP directly in the firewall modify rule.
2- Create a firewall modify rule.
3- Apply Firewall Modify Rule to LAN Interface.
4- Configure NAT for your OpenVPN hosts. Note: this rule must come before your global NAT rule (NAT rules are evaluated in rule-number order); if it comes after, it won't work. Depending on your existing configuration you may need a different rule number than the '5001' used in this example.
5- Configure a static route sending hosts from table 1 (specified in firewall modify rule) through interface vtun0.
6- Configure OpenVPN in the router.
7- Upload the files to /config/auth. Why /config/auth? Files in this directory are not deleted by a firmware upgrade.
Configuration:
Firewall Address Group: includes the IPs of the hosts I want to route through the OpenVPN connection.
--------------------------------------------------------------------------------------------------------
set firewall group address-group OPENVPN_COMPUTERS address 10.100.0.20
set firewall group address-group OPENVPN_COMPUTERS address 10.100.0.21
set firewall group address-group OPENVPN_COMPUTERS address 10.100.0.22
set firewall group address-group OPENVPN_COMPUTERS description 'openvpn hosts'
Firewall Modify: this rule marks traffic from my source hosts (the ones that will be routed through OpenVPN) for routing table 1.
-----------------------------------------------------------------------------------------------------------------------------
set firewall modify OPENVPN_ROUTE rule 1 action modify
set firewall modify OPENVPN_ROUTE rule 1 description 'traffic from Devices to vtun0'
set firewall modify OPENVPN_ROUTE rule 1 modify table 1
set firewall modify OPENVPN_ROUTE rule 1 source group address-group OPENVPN_COMPUTERS
Apply Firewall Modify Rule: this ruleset should be applied inbound on your LAN interface.
Note: if your LAN interface is a vif, be sure to apply it on the vif, not on the physical interface.
----------------------------------------------------------------------------------
set interfaces ethernet eth0 vif 3 firewall in modify OPENVPN_ROUTE
NAT: configure NAT using interface vtun0 as the outbound-interface. The source address will be the firewall address group created above.
----------------------------------------------------------------------------------------------------------------------------------
set service nat rule 5001 description openvpn
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 protocol all
set service nat rule 5001 source group address-group OPENVPN_COMPUTERS
set service nat rule 5001 type masquerade
Static Route: this route sends all traffic marked for table 1 by the firewall modify rule out through interface vtun0 as its next hop.
---------------------------------------------------------------------------------------------------------------------------------------
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
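Steps 1 to 5 only work when the pieces agree with each other: the group name, the table number, the VPN interface and the NAT rule order. As an added example that is not from the original post, here is a Python consistency check over EdgeOS `set` commands; the sample config is constructed from the commands above plus an assumed global masquerade rule 5010 on eth1.

```python
import shlex

# Constructed sample: the tutorial's commands plus an assumed global masquerade rule 5010 on eth1.
SAMPLE_CONFIG = """
set firewall group address-group OPENVPN_COMPUTERS address 10.100.0.20
set firewall modify OPENVPN_ROUTE rule 1 modify table 1
set firewall modify OPENVPN_ROUTE rule 1 source group address-group OPENVPN_COMPUTERS
set interfaces ethernet eth0 vif 3 firewall in modify OPENVPN_ROUTE
set service nat rule 5001 outbound-interface vtun0
set service nat rule 5001 source group address-group OPENVPN_COMPUTERS
set service nat rule 5001 type masquerade
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 type masquerade
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
""".strip().splitlines()

def tokenize(config_lines):
    """Split EdgeOS 'set ...' commands into word lists; quoted values stay one token."""
    return [shlex.split(l)[1:] for l in config_lines if l.strip().startswith("set ")]

def check_vpn_policy_routing(config_lines, vpn_iface="vtun0"):
    """Return a list of problems; empty means steps 1-5 reference each other consistently."""
    toks, problems = tokenize(config_lines), []
    groups = {t[3] for t in toks if t[:3] == ["firewall", "group", "address-group"]}
    refs, mod_table, applied, nat, route_iface = set(), {}, set(), {}, {}
    for t in toks:
        if "address-group" in t and t[:3] != ["firewall", "group", "address-group"]:
            refs.add(t[t.index("address-group") + 1])         # group used by a rule
        if t[:2] == ["firewall", "modify"] and "table" in t:
            mod_table[t[2]] = t[t.index("table") + 1]         # ruleset -> routing table
        elif t[0] == "interfaces" and "modify" in t:
            applied.add(t[-1])                                 # ruleset applied on an interface
        elif t[:3] == ["service", "nat", "rule"]:
            nat.setdefault(int(t[3]), {})[t[4]] = " ".join(t[5:])  # rule -> {field: value}
        elif t[:3] == ["protocols", "static", "table"]:
            route_iface[t[3]] = t[-1]                          # table -> next-hop interface
    problems += [f"address-group {g} referenced but never defined" for g in sorted(refs - groups)]
    for ruleset, table in mod_table.items():
        if ruleset not in applied:
            problems.append(f"modify ruleset {ruleset} is not applied inbound on any interface")
        if route_iface.get(table) != vpn_iface:
            problems.append(f"table {table} has no default interface-route via {vpn_iface}")
    vpn_nat = [n for n, r in nat.items() if r.get("outbound-interface") == vpn_iface]
    global_nat = [n for n, r in nat.items() if r.get("type") == "masquerade" and n not in vpn_nat]
    if not vpn_nat:
        problems.append(f"no NAT rule masquerades out of {vpn_iface}")
    elif global_nat and min(vpn_nat) > min(global_nat):
        problems.append("VPN NAT rule number must be lower than the global masquerade rule")
    return problems
```

Feed it the output of `show configuration commands` to check a live router; the NAT ordering test is the pitfall from step 4.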
PIA OpenVPN Configuration: the router's configuration points to the directory /config/auth, where I uploaded the configuration file (.ovpn), the username and password file, and the ca.crt and crl.pem files.
--------------------------------------------------------------------------------------------------------------------------------------------
set interfaces openvpn vtun0 config-file /config/auth/eu-netherlands.ovpn
set interfaces openvpn vtun0 description 'Private Internet Access VPN'
These two lines are optional. I explain them at the end.
!set interfaces openvpn vtun0 firewall in name OPENVPN_IN
!set interfaces openvpn vtun0 firewall local name OPENVPN_LOCAL
Files Required to be uploaded to /config/auth
-------------------------------------------------------------------
1: crl.pem - Downloaded from PIA Website
2: ca.crt - Downloaded from PIA Website
3: auth-user-pass.txt - A text file with your PIA username and password. Your username should be on the first line and your password on the second. If you open the file it should look like this:
<YOUR_USERNAME>
<YOUR_PASSWORD>
4: OpenVPN configuration file. Create it in Notepad (or any text editor) and save it with the .ovpn extension. The configuration should look like this:
client
dev-type tun
proto udp
remote nl.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /config/auth/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /config/auth/auth-user-pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /config/auth/crl.pem
In this file you can change the following lines according to your preferences:
remote nl.privateinternetaccess.com 1194 - The VPN server you want to connect to; always use port 1194.
ca /config/auth/ca.crt - If the .crt file is not named 'ca.crt' you should change it to whatever you named it. Be sure to have this file in /config/auth as specified in this configuration.
auth-user-pass /config/auth/auth-user-pass.txt - This is your user and password text file which I named 'auth-user-pass.txt'. If you created the file with another name be sure to put the exact name here so PIA can authenticate.
crl-verify /config/auth/crl.pem - If the .pem file is not named 'crl.pem' you should change it to whatever you named it. Be sure to have this file in /config/auth as specified in this configuration.
I named this file eu-netherlands.ovpn and then made copies of it, changing only the remote server line (remote nl.privateinternetaccess.com 1194), naming each copy after its server and uploading it to /config/auth.
That way, if I want to change servers, I just change the following line in the router to the name of the server I want to connect to:
set interfaces openvpn vtun0 config-file /config/auth/eu-netherlands.ovpn
My /config/auth directory looks like this:
rtr@rtr:/config/auth$ ls
asia-hongkong.ovpn
auth-user-pass.txt
ca-north-york.ovpn
ca-toronto.ovpn
ca.crt
crl.pem
eu-france.ovpn
eu-germany.ovpn
eu-netherlands.ovpn
eu-romania.ovpn
eu-sweden.ovpn
eu-switzerland.ovpn
uk-london.ovpn
uk-southampton.ovpn
us-california.ovpn
us-east.ovpn
us-florida.ovpn
us-midwest.ovpn
us-seattle.ovpn
us-texas.ovpn
us-west.ovpn
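As an added example that is not part of the original post, a small Python check for the files described above: it builds a server variant of the profile by changing only the remote line, then verifies that the ca, auth-user-pass and crl-verify paths all point into the auth directory and exist, that the credentials file holds exactly two lines, and that it is not readable by other users. The server name other-server.invalid and the placeholder file contents are constructed, and AUTH_DIR stands in for /config/auth so the check can run against a temporary directory.

```python
import re, tempfile
from pathlib import Path

# Abbreviated constructed copy of the tutorial's profile; AUTH_DIR is replaced at run time.
BASE_PROFILE = """client
remote nl.privateinternetaccess.com 1194
ca AUTH_DIR/ca.crt
auth-user-pass AUTH_DIR/auth-user-pass.txt
crl-verify AUTH_DIR/crl.pem
"""

def server_variant(profile_text, server):
    """Copy of the profile with only the 'remote' host changed, as the tutorial does by hand."""
    return re.sub(r"^remote \S+ (\d+)$", rf"remote {server} \1", profile_text, flags=re.M)

def check_profile(profile_text, auth_dir):
    """Problems that would stop vtun0 from coming up: wrong port, missing files, bad auth file."""
    problems = []
    opts = dict(line.split(None, 1) for line in profile_text.splitlines() if " " in line)
    if not opts.get("remote", "").endswith(" 1194"):
        problems.append("remote must use port 1194")
    for key in ("ca", "auth-user-pass", "crl-verify"):
        path = Path(opts.get(key, "/missing"))          # absent option fails the directory test
        if path.parent != Path(auth_dir):
            problems.append(f"{key} must name a file inside {auth_dir} (survives upgrades)")
        elif not path.is_file():
            problems.append(f"{key} file not found: {path}")
    auth = Path(opts.get("auth-user-pass", "/missing"))
    if auth.is_file():
        if len([l for l in auth.read_text().splitlines() if l.strip()]) != 2:
            problems.append("auth-user-pass file must hold exactly two lines: username, password")
        if auth.stat().st_mode & 0o077:
            problems.append("auth-user-pass file is readable by other users")
    return problems

def demo(auth_dir=None):
    """Populate auth_dir like the tutorial's listing, then check a good and a broken profile."""
    auth_dir = auth_dir or tempfile.mkdtemp()          # stand-in for /config/auth
    d = Path(auth_dir)
    for name in ("ca.crt", "crl.pem"):
        (d / name).write_text("placeholder\n")           # constructed, not real PIA files
    (d / "auth-user-pass.txt").write_text("<YOUR_USERNAME>\n<YOUR_PASSWORD>\n")
    (d / "auth-user-pass.txt").chmod(0o600)
    profile = BASE_PROFILE.replace("AUTH_DIR", auth_dir)
    good = check_profile(server_variant(profile, "other-server.invalid"), auth_dir)
    bad = check_profile(profile.replace("crl.pem", "crl-old.pem"), auth_dir)
    return good, bad
```

Call demo() to see an empty list for the working variant and one missing-file problem for the copy that references a crl file not in the directory.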
Note that I have firewall rules applied to vtun0 interface:
set interfaces openvpn vtun0 firewall in name OPENVPN_IN
set interfaces openvpn vtun0 firewall local name OPENVPN_LOCAL
I created firewall rules like the ones you apply to your WAN interface, WAN_IN and WAN_LOCAL, allowing established sessions and denying invalid ones. This is up to you; it will work either way, but I don't know what is on the other side of the tunnel, so I applied these rules.