OpenVPN via Privateinternetaccess

This describes how to set up a permanent OpenVPN client tunnel from an EdgeRouter to privateinternetaccess, and how to route only selected LAN hosts through it (policy-based routing) while everything else keeps using the normal WAN.

First download the certificates from privateinternetaccess here: https://www.privateinternetaccess.com/openvpn/openvpn.zip

Unzip the .pem and .crt files into /config/openvpn-client on the EdgeRouter (files under /config survive firmware upgrades). Create a file called “client.ovpn” in the same folder with this content:

# OpenVPN client profile for privateinternetaccess; EdgeOS hands this file to openvpn as-is
client
dev tun
proto udp
# keep retrying DNS resolution of the remote forever instead of exiting
resolv-retry infinite
nobind
persist-key
persist-tun
# cipher and HMAC must match what the PIA server on port 1198 expects
cipher aes-128-cbc
auth sha1
tls-client
# only accept a peer whose certificate is marked as a server certificate
remote-cert-tls server
auth-user-pass /config/openvpn-client/passwd.txt
# compression inside an encrypted tunnel is a known side channel (the VORACLE
# class of attacks) and OpenVPN has deprecated it; keep it only if the server
# side requires it
comp-lzo
verb 1
# do not initiate renegotiation from the client; the server still drives its own
reneg-sec 0
crl-verify /config/openvpn-client/crl.rsa.2048.pem
ca /config/openvpn-client/ca.rsa.2048.crt
disable-occ
# ignore routes pushed by the server: the default route must stay on the WAN,
# and only the policy-routed clients (configured below) go through the tunnel
route-nopull

#remote aus-melbourne.privateinternetaccess.com 1198
#remote aus.privateinternetaccess.com 1198
#remote brazil.privateinternetaccess.com 1198
#remote ca.privateinternetaccess.com 1198
#remote ca-toronto.privateinternetaccess.com 1198
#remote denmark.privateinternetaccess.com 1198
#remote fi.privateinternetaccess.com 1198
#remote france.privateinternetaccess.com 1198
#remote germany.privateinternetaccess.com 1198
#remote hk.privateinternetaccess.com 1198
#remote in.privateinternetaccess.com 1198
#remote ireland.privateinternetaccess.com 1198
#remote israel.privateinternetaccess.com 1198
#remote italy.privateinternetaccess.com 1198
#remote japan.privateinternetaccess.com 1198
#remote mexico.privateinternetaccess.com 1198
#remote nl.privateinternetaccess.com 1198
#remote nz.privateinternetaccess.com 1198
#remote no.privateinternetaccess.com 1198
#remote ro.privateinternetaccess.com 1198
#remote sg.privateinternetaccess.com 1198
#remote sweden.privateinternetaccess.com 1198
#remote swiss.privateinternetaccess.com 1198
#remote turkey.privateinternetaccess.com 1198
#remote uk-london.privateinternetaccess.com 1198
#remote uk-southampton.privateinternetaccess.com 1198
#remote us-california.privateinternetaccess.com 1198
#remote us-chicago.privateinternetaccess.com 1198
#remote us-east.privateinternetaccess.com 1198
#remote us-florida.privateinternetaccess.com 1198
#remote us-midwest.privateinternetaccess.com 1198
#remote us-newyorkcity.privateinternetaccess.com 1198
#remote us-seattle.privateinternetaccess.com 1198
#remote us-siliconvalley.privateinternetaccess.com 1198
#remote us-texas.privateinternetaccess.com 1198
#remote us-west.privateinternetaccess.com 1198

Uncomment the one remote you want your traffic to exit from; if you uncomment several, OpenVPN tries them in order and fails over to the next when one is unreachable. Then add a file /config/openvpn-client/passwd.txt with this format:

username
password

Those are your VPN credentials for privateinternetaccess. The file holds the password in plaintext, so restrict it to root (chmod 600 /config/openvpn-client/passwd.txt) and treat any copy of /config as sensitive.

Now create the tunnel interface in the EdgeRouter config:

set interfaces openvpn vtun1 config-file /config/openvpn-client/client.ovpn
set interfaces openvpn vtun1 description 'Outbound NAT through privateinternetaccess'

And then you set up the policy routing through the VPN:

set firewall group address-group OPENVPN_CLIENTS address 192.168.80.11
set firewall group address-group OPENVPN_CLIENTS address 192.168.70.0/24
set service nat rule 5010 description 'Outbound NAT through privateinternetaccess'
set service nat rule 5010 outbound-interface vtun1
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun1
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
set firewall modify SOURCE_ROUTE rule 10 action modify
set firewall modify SOURCE_ROUTE rule 10 description 'traffic via vpn'
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set firewall modify SOURCE_ROUTE rule 10 source group address-group OPENVPN_CLIENTS
set interfaces ethernet eth3 vif 70 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth3 vif 80 firewall in modify SOURCE_ROUTE

Here is what is happening:

  • In the first lines we define all the IPs and subnets we want routed through the VPN.
  • Then we make a NAT rule that masquerades everything leaving through the tunnel interface behind the address PIA assigns to vtun1.
  • Then we populate routing table 1 with a default route over vtun1. Because the client profile uses route-nopull, the main table never learns the VPN's default route, so table 1 is the only place where the tunnel is a default path. The blackhole route at distance 255 only becomes active when vtun1 goes down and its route disappears; without it, a lookup in an empty table 1 falls through to the main table and the "VPN" hosts would silently leave via your ISP.
  • Then we define a firewall modify rule that marks traffic from the OPENVPN_CLIENTS group so that it is looked up in table 1 instead of the main table.
  • And finally we bind the modify rule to the interfaces where the clients could be.
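Two checks a practitioner would want after committing the above, written here as an added example and not part of the original post: a runtime check that reads the kernel's policy-routing state to say whether marked traffic currently exits via the tunnel, is dropped, or leaks to the main table, and a static check that the configuration actually carries the blackhole fallback. The `ip rule`, `ip route` and `show configuration commands` output embedded below is constructed to look like EdgeOS output; the exact mark value and spacing do not matter to the regexes. The `--live` branch uses the standard EdgeOS wrapper for running operational commands from a script (assumed to be present on your firmware).

```shell
#!/bin/sh
# Added example: sanity checks for EdgeOS policy-based routing into an OpenVPN tunnel.

TUN=vtun1
TABLE=1

# 0 if `ip rule show` output ($1) sends some fwmark to table $2.
has_fwmark_rule() {
  printf '%s\n' "$1" | grep -Eq "fwmark 0x[0-9a-f]+ lookup $2\$"
}

# Runtime verdict from `ip rule show` ($1) and `ip route show table N` ($2)
# for tunnel interface $3 and table $4. Zebra installs only the best static
# route, so the kernel table holds either the tunnel route or the blackhole,
# never both: run this once with the tunnel up and once with it down.
runtime_verdict() {
  if ! has_fwmark_rule "$1" "$4"; then
    echo NO_RULE      # nothing is being policy-routed at all
  elif printf '%s\n' "$2" | grep -Eq "^default dev $3( |\$)"; then
    echo TUNNEL       # marked traffic exits via the VPN
  elif printf '%s\n' "$2" | grep -Eq "^blackhole default"; then
    echo BLOCKED      # tunnel down, marked traffic dropped (fail closed)
  else
    echo LEAK         # no default route in the table: lookup falls through to main
  fi
}

# Static verdict from `show configuration commands` output ($1):
# 0 only if table $2 has both the tunnel default route and the blackhole fallback.
config_fail_closed() {
  printf '%s\n' "$1" | grep -Eq "^set protocols static table $2 interface-route 0.0.0.0/0 next-hop-interface $3\$" &&
  printf '%s\n' "$1" | grep -Eq "^set protocols static table $2 route 0.0.0.0/0 blackhole"
}

# --- constructed sample output (not captured from a real router) ---
RULES_PBR='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 1
32766:  from all lookup main
32767:  from all lookup default'
RULES_NONE='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
TABLE_UP='default dev vtun1  scope link'
TABLE_DOWN='blackhole default  metric 255'
TABLE_EMPTY=''
CONFIG_OK='set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun1
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255'
CONFIG_NO_BLACKHOLE='set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun1'

if [ "${1:-}" = "--live" ]; then
  # Run on the EdgeRouter itself.
  runtime_verdict "$(ip rule show)" "$(ip route show table "$TABLE")" "$TUN" "$TABLE"
  if config_fail_closed "$(/opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands)" "$TABLE" "$TUN"; then
    echo CONFIG_FAIL_CLOSED
  else
    echo CONFIG_LEAKS_WHEN_TUNNEL_DOWN
  fi
else
  # Offline demonstration against the constructed samples.
  echo "tunnel up:          $(runtime_verdict "$RULES_PBR" "$TABLE_UP" "$TUN" "$TABLE")"
  echo "tunnel down:        $(runtime_verdict "$RULES_PBR" "$TABLE_DOWN" "$TUN" "$TABLE")"
  echo "table 1 empty:      $(runtime_verdict "$RULES_PBR" "$TABLE_EMPTY" "$TUN" "$TABLE")"
  echo "no fwmark rule:     $(runtime_verdict "$RULES_NONE" "$TABLE_UP" "$TUN" "$TABLE")"
  echo "config with blackhole:    $(config_fail_closed "$CONFIG_OK" "$TABLE" "$TUN" && echo fail-closed || echo leaky)"
  echo "config without blackhole: $(config_fail_closed "$CONFIG_NO_BLACKHOLE" "$TABLE" "$TUN" && echo fail-closed || echo leaky)"
fi
```

Copy the script to the router and run `sh pbr-check.sh --live` with the tunnel up (expect TUNNEL), then `disconnect interface vtun1` or disable the interface and run it again: you want BLOCKED, never LEAK. The LEAK verdict is exactly the state the configuration reaches if the blackhole route is omitted and vtun1 drops.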
