EdgeRouter - OpenVPN Server with TLS and Multiple WAN


This article guides users through setting up OpenVPN in server-client mode using TLS, in a configuration capable of handling multiple WAN interfaces. As of 1.7.0, the LoadBalance Wizard can be run to get a base configuration, followed by the steps below.

In an environment with one WAN connection, the user may start with a base configuration using the WAN+2LAN or WAN+2LAN2 wizard and then complete the steps below.

Table of Contents

  1. Example Environment
  2. Steps to Follow
    1. Create Certificate Authority
    2. Create Server Certificate and Key
    3. Move and Rename Files
    4. Create certificates and keys for client(s)
    5. Create Diffie-Hellman parameter file
    6. Transfer files to each client
    7. Remove passwords from key files
    8. Configure OpenVPN server on Router1
    9. Configure Client
    10. Configure Firewall
    11. Configure MultiWAN (if applicable)
    12. Verify the Tunnel is Up
  3. Troubleshooting

  Example Environment

Router 1 EdgeRouter set up as OpenVPN Server:

External IP/Name: system1.dyndns.com (can also use an external IP address)

Internal IP:

eth0 WAN1

eth1 WAN2

eth2 LAN

vtun0 OpenVPN Tunnel


Router 2 EdgeRouter set up as OpenVPN Client:

External IP/Name: system2.dyndns.com (can also use an external IP address)

Internal IP:

eth0 WAN

eth1 LAN

vtun0 OpenVPN Tunnel

Note: your environment will likely differ from the information above. Alter information as needed for your unique environment. 

Steps to Follow

Step 1: Create Certificate Authority

1. Log in to the CLI as a user and stay in operational mode.

 ssh user@Router1 

2. Enable root level access

 sudo su 

3. Change directory location

 cd /usr/lib/ssl/misc/

4. Generate Certificate Authority

 ./CA.sh -newca

 CA certificate filename (or enter to create) 

Press enter.

 Enter PEM pass phrase:

Create password.

 Verifying - Enter PEM pass phrase:

Verify created password.


5. Fill in information as needed following prompts:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UBNT
Organizational Unit Name (eg, section) []:Support
Common Name (e.g. server FQDN or YOUR name) []:ER8-Server
Email Address []:support@ubnt.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password123
An optional company name []:UBNT

This will create /usr/lib/ssl/misc/demoCA with associated files.

 Step 2: Create Server Certificate and Key

Note: Continuing from Step 1, you remain logged in as user and in the /usr/lib/ssl/misc/ directory.

1. Generate Certificate 

 user@Router1:/usr/lib/ssl/misc# ./CA.sh -newreq 

Fill out the prompts as above with information as needed. The “Common Name” must be unique.

2. Sign Certificate

 user@Router1:/usr/lib/ssl/misc# ./CA.sh -sign 

Note: This will create newreq.pem, newkey.pem, and newcert.pem in /usr/lib/ssl/misc/ 

 Step 3: Move and Rename Files

Move the files to /config/auth/ so they are preserved during firmware upgrades, and rename them for clarity.

Note: Again, you will remain logged in as user in the /usr/lib/ssl/misc/ directory.

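1. Copy cacert.pem and cakey.pem (the CA private key keeps its passphrase and is not among the files transferred to clients in Step 6)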

user@Router1:/usr/lib/ssl/misc# mkdir /config/auth/
user@Router1:/usr/lib/ssl/misc# cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/

2. Move and rename newcert.pem

 user@Router1:/usr/lib/ssl/misc# mv newcert.pem /config/auth/server.pem 

3. Move and rename newkey.pem

 user@Router1:/usr/lib/ssl/misc# mv newkey.pem /config/auth/server.key 

 Note: the newkey.pem file extension changes to .key.

To confirm the files are in the proper location with the proper names and extensions, type “ls /config/auth/” to view them.

 Step 4: Create Certificates and Keys for Client(s)

 Note: Logged in as user in operational mode in the /usr/lib/ssl/misc/ directory.

1. Generate Client Certificate

 ./CA.sh -newreq 

Fill out fields like above with unique Common Name for each Client (in this example we will use “cl1” as the Common Name).

2. Sign certificate

 ./CA.sh -sign 

3. Repeat this step for each client using a unique Common Name for each.

4. Move and rename client files

mv newcert.pem /config/auth/cl1.pem
mv newkey.pem /config/auth/cl1.key

Step 5: Create Diffie-Hellman Parameter File

Note: Remain logged in as user with root privileges (by entering “sudo su”) and in the /usr/lib/ssl/misc/ directory.

1. Generate Diffie-Hellman file

 openssl dhparam -out /config/auth/dhp.pem -2 1024 

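This process will take some time and generate dhp.pem in /config/auth/.

NOTE:

There are several different cipher and key length options. This article shows a basic one; you can use another of your preference. 1024-bit Diffie-Hellman parameters are no longer considered strong; generating 2048-bit parameters (replace 1024 with 2048 in the command above) takes longer but is the commonly recommended minimum.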

Step 6: Transfer Files to Each Client

This step assumes that the remote router can accept remote ssh connections, i.e. that port 22 (SSH/SCP) is accepting input from the internet.

1. Copy cacert.pem to Client router

 sudo scp /config/auth/cacert.pem user@system2.dyndns.com:/config/auth/ 

2. Copy cl1.pem to client router

 sudo scp /config/auth/cl1.pem user@system2.dyndns.com:/config/auth/ 

3. Copy cl1.key to client router

 sudo scp /config/auth/cl1.key user@system2.dyndns.com:/config/auth/ 

Note: This copies cacert.pem, cl1.pem, and cl1.key to /config/auth/ on Router2.

4. Repeat this process for each client.

Step 7: Remove Passwords from Key Files

On Router1:

1. Enter Sudo

 sudo su 

2. Create new .key with no password

 openssl rsa -in /config/auth/server.key -out /config/auth/server-rmpass.key

Enter password.

3. Rename server-rmpass.key to server.key

 mv /config/auth/server-rmpass.key /config/auth/server.key 


On Router2:

1. Enter Sudo

 sudo su 

2. Create new .key with no password

 openssl rsa -in /config/auth/cl1.key -out /config/auth/cl1-rmpass.key 

Enter password.

3. Rename cl1-rmpass.key to cl1.key

 mv /config/auth/cl1-rmpass.key /config/auth/cl1.key 
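
A sanity check for the files Steps 1-7 produce, added here as an example and not part of the original article: it confirms that a certificate chains to cacert.pem, that its key matches it and no longer has a passphrase, and that the now-unprotected key is accessible only to its owner. The function names and the throwaway demo CA are this example's own, and it assumes openssl is on the PATH.

```shell
# Added example, not from the original article; function names are this example's own.
# True if the certificate was issued by the CA certificate.
signed_by_ca() {            # $1 = CA cert, $2 = cert
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True if the key file is still passphrase-protected (either PEM encryption header).
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1" 2>/dev/null
}

# True if the certificate and the unencrypted key hold the same public key.
key_matches_cert() {        # $1 = cert, $2 = key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if group or others hold any permission bit on the file, or it is missing.
key_is_exposed() {
    case "$(ls -ld "$1" 2>/dev/null)" in ????------*) return 1 ;; *) return 0 ;; esac
}

# Check one certificate/key pair; prints findings and returns how many there were.
check_pair() {              # $1 = name (server, cl1, ...), $2 = directory
    n=0; cert="$2/$1.pem"; key="$2/$1.key"
    signed_by_ca "$2/cacert.pem" "$cert" || { echo "$1: not signed by cacert.pem"; n=$((n+1)); }
    if key_is_encrypted "$key"; then
        echo "$1: key still has a passphrase (Step 7 not applied)"; n=$((n+1))
    else
        key_matches_cert "$cert" "$key" || { echo "$1: key does not match certificate"; n=$((n+1)); }
        if key_is_exposed "$key"; then echo "$1: key accessible beyond owner"; n=$((n+1)); fi
    fi
    return "$n"
}

# Build a throwaway CA and server pair (constructed sample data) in directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo-CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
    chmod 600 "$1/server.key"
}

# Demo on the constructed pair; on the router run: check_pair server /config/auth
d=$(mktemp -d) && make_demo_pki "$d" && check_pair server "$d" && echo "demo pair: OK"; rm -rf "$d"
```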

Step 8: Configure OpenVPN server on Router1

1. Exit out of sudo su and the /usr/lib/ssl/misc/ directory by typing “exit”. You are now logged in as user@Router1.

2. Enter Configure mode


3. Create interface

 set interfaces openvpn vtun0 

4. Enter edit mode for vtun0 interface

 edit interfaces openvpn vtun0 

5. Configure OpenVPN Mode

 set mode server 

6. Configure hash

 set hash sha256 

7. Set compression

 set openvpn-option --comp-lzo 

8. Configure server subnet

 set server subnet 

9. Configure accessible subnet

 set server push-route 

10. Configure location of TLS files

set tls ca-cert-file /config/auth/cacert.pem
set tls cert-file /config/auth/server.pem
set tls key-file /config/auth/server.key
set tls dh-file /config/auth/dhp.pem 

11. Set static address of client(s)

set server client <clienthostname> ip

Note: the server subnet needs to be different from the local subnets.

Repeat set server push-route for each LAN that needs to be accessible over the tunnel.

<clienthostname> can be a static public IP or a hostname, like system2.dyndns.com in this example.

Step 9: Configure Client

In this case the client is another EdgeRouter, however other devices can be configured as clients.

Logged in as user@Router2


1. Create interface

 set interfaces openvpn vtun0 

2. Enter edit mode of vtun0 interface

 edit interfaces openvpn vtun0 

3. Configure OpenVPN mode

 set mode client 

4. Configure hash

 set hash sha256 

5. Set compression

 set openvpn-option --comp-lzo 

6. Configure address of OpenVPN server

 set remote-host <hostname or public IP of Router1> 

7. Configure location of TLS files

set tls ca-cert-file /config/auth/cacert.pem
set tls cert-file /config/auth/cl1.pem
set tls key-file /config/auth/cl1.key

Step 10: Configure Firewall

1. Open UDP port 1194 on both Router1 and Router2

edit firewall name WAN_LOCAL rule <#>
set description OpenVPN
set action accept
set destination port 1194
set log disable
set protocol udp 

Note: the rule number must be an unused rule number in the WAN_LOCAL ruleset.

Step 11: Configure MultiWAN (if applicable)

This step is only needed if multiple WAN interfaces are added. After configuring the OpenVPN tunnel, follow this Policy-based Routing guide.

Step 12: Verify the Tunnel is Up

1. Verify tunnel is up. An active tunnel could take approximately 1 minute to connect and show after changes have been committed.

a. On Router configured as OpenVPN Server

 show openvpn status server 

b. On Router configured as OpenVPN Client

 show openvpn status client 



Troubleshooting

Show OpenVPN configuration

show interfaces openvpn vtunX 


To view traffic on the tunnel with tcpdump

From CLI in operational mode

 sudo tcpdump -i vtunX 

Note: in this example the interface is vtun0 
