This describes how to set up a permanent OpenVPN tunnel from a Ubiquiti EdgeRouter to privateinternetaccess, with policy-based routing so that only the hosts you choose leave through the VPN while everything else keeps using the normal WAN route.
First download the certificates from privateinternetaccess here: https://www.privateinternetaccess.com/openvpn/openvpn.zip
Unzip the .pem and .crt files to /config/openvpn-client on the EdgeRouter (the config below expects them as ca.rsa.2048.crt and crl.rsa.2048.pem). Create a file called "client.ovpn" in the same folder with this content:

    client
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher aes-128-cbc
    auth sha1
    tls-client
    remote-cert-tls server
    auth-user-pass /config/openvpn-client/passwd.txt
    comp-lzo
    verb 1
    reneg-sec 0
    crl-verify /config/openvpn-client/crl.rsa.2048.pem
    ca /config/openvpn-client/ca.rsa.2048.crt
    disable-occ
    route-nopull
    #remote aus-melbourne.privateinternetaccess.com 1198
    #remote aus.privateinternetaccess.com 1198
    #remote brazil.privateinternetaccess.com 1198
    #remote ca.privateinternetaccess.com 1198
    #remote ca-toronto.privateinternetaccess.com 1198
    #remote denmark.privateinternetaccess.com 1198
    #remote fi.privateinternetaccess.com 1198
    #remote france.privateinternetaccess.com 1198
    #remote germany.privateinternetaccess.com 1198
    #remote hk.privateinternetaccess.com 1198
    #remote in.privateinternetaccess.com 1198
    #remote ireland.privateinternetaccess.com 1198
    #remote israel.privateinternetaccess.com 1198
    #remote italy.privateinternetaccess.com 1198
    #remote japan.privateinternetaccess.com 1198
    #remote mexico.privateinternetaccess.com 1198
    #remote nl.privateinternetaccess.com 1198
    #remote nz.privateinternetaccess.com 1198
    #remote no.privateinternetaccess.com 1198
    #remote ro.privateinternetaccess.com 1198
    #remote sg.privateinternetaccess.com 1198
    #remote sweden.privateinternetaccess.com 1198
    #remote swiss.privateinternetaccess.com 1198
    #remote turkey.privateinternetaccess.com 1198
    #remote uk-london.privateinternetaccess.com 1198
    #remote uk-southampton.privateinternetaccess.com 1198
    #remote us-california.privateinternetaccess.com 1198
    #remote us-chicago.privateinternetaccess.com 1198
    #remote us-east.privateinternetaccess.com 1198
    #remote us-florida.privateinternetaccess.com 1198
    #remote us-midwest.privateinternetaccess.com 1198
    #remote us-newyorkcity.privateinternetaccess.com 1198
    #remote us-seattle.privateinternetaccess.com 1198
    #remote us-siliconvalley.privateinternetaccess.com 1198
    #remote us-texas.privateinternetaccess.com 1198
    #remote us-west.privateinternetaccess.com 1198

Two directives matter for the rest of the setup. "remote-cert-tls server" together with "ca" and "crl-verify" makes the client complete the TLS handshake only with a server certificate issued by the provider's CA and not on the CRL, so a spoofed DNS answer pointing at an impostor gets no credentials. "route-nopull" makes the client ignore the routes the server pushes, so the router's default route is untouched and only the hosts you select in the routing step below use the tunnel. "cipher aes-128-cbc", "auth sha1" and "comp-lzo" reproduce the provider's default profile of the time; compression inside an encrypted tunnel has since been shown to leak plaintext (VORACLE), so drop comp-lzo unless the server insists on it, and prefer a stronger cipher and auth where the provider offers them.
Uncomment the one remote you want your traffic to exit from (leave exactly one active; OpenVPN treats several remote lines as a fallback list). Then add a file /config/openvpn-client/passwd.txt in the format OpenVPN expects for auth-user-pass, username on the first line and password on the second:

    username
    password

Those are your VPN credentials for privateinternetaccess, stored in plain text, so make the file readable by root only: chmod 600 /config/openvpn-client/passwd.txt.
Now you create the tunnel in the edgerouter config:
    set interfaces openvpn vtun1 config-file /config/openvpn-client/client.ovpn
    set interfaces openvpn vtun1 description 'Outbound NAT through privateinternetaccess'
And then you setup the routing through the VPN:
    set firewall group address-group OPENVPN_CLIENTS address 192.168.80.11
    set firewall group address-group OPENVPN_CLIENTS address 192.168.70.0/24
    set service nat rule 5010 description 'Outbound NAT through privateinternetaccess'
    set service nat rule 5010 outbound-interface vtun1
    set service nat rule 5010 protocol all
    set service nat rule 5010 type masquerade
    set firewall modify SOURCE_ROUTE rule 10 action modify
    set firewall modify SOURCE_ROUTE rule 10 description 'traffic via vpn'
    set firewall modify SOURCE_ROUTE rule 10 modify table 1
    set firewall modify SOURCE_ROUTE rule 10 source group address-group OPENVPN_CLIENTS
    set interfaces ethernet eth3 vif 70 firewall in modify SOURCE_ROUTE
    set interfaces ethernet eth3 vif 80 firewall in modify SOURCE_ROUTE
Here is what is happening:
- The first lines define the address group OPENVPN_CLIENTS: every IP and subnet whose traffic should be routed through the VPN.
- The NAT rule masquerades everything that leaves through vtun1 behind the tunnel's address, so replies come back through the tunnel.
- The firewall modify rule marks packets whose source is in OPENVPN_CLIENTS so that they are looked up in routing table 1 instead of the main table. Table 1 must contain a default route via vtun1; if it is empty, the lookup falls through to the main table and those packets leave through the WAN unencrypted.
- Finally the modify ruleset is bound, in the inbound direction, to the interfaces where the clients can be (VLANs 70 and 80 on eth3), so the mark is applied as their packets enter the router.
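The complete routing step as one EdgeOS configure session, added here as an example and not taken from the original post. It repeats the post's commands and adds the two pieces the post leaves implicit: the table 1 default route via vtun1, and a drop rule on the WAN interface so that traffic from OPENVPN_CLIENTS cannot leak when the tunnel is down. The WAN interface name eth0 and the ruleset name WAN_OUT are assumptions; substitute your own.

```text
configure

# Hosts and subnets whose traffic must use the tunnel (from the post)
set firewall group address-group OPENVPN_CLIENTS address 192.168.80.11
set firewall group address-group OPENVPN_CLIENTS address 192.168.70.0/24

# Routing table 1 needs a default route out of vtun1 (not in the post).
# Without it, packets marked for table 1 fall through to the main table
# and leave via the normal WAN default route, unencrypted.
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun1

# Mark traffic from the group for table 1 (from the post)
set firewall modify SOURCE_ROUTE rule 10 action modify
set firewall modify SOURCE_ROUTE rule 10 description 'traffic via vpn'
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set firewall modify SOURCE_ROUTE rule 10 source group address-group OPENVPN_CLIENTS
set interfaces ethernet eth3 vif 70 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth3 vif 80 firewall in modify SOURCE_ROUTE

# Source NAT behind the tunnel address (from the post)
set service nat rule 5010 description 'Outbound NAT through privateinternetaccess'
set service nat rule 5010 outbound-interface vtun1
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade

# Kill switch (added): when vtun1 is down its interface-route disappears
# and table 1 again falls through to the main table. Drop anything from
# the group that tries to leave through the WAN interface instead.
# eth0 as the WAN port and WAN_OUT as the ruleset name are assumptions;
# if eth0 already has a "firewall out" ruleset, add rule 10 to that one.
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 10 action drop
set firewall name WAN_OUT rule 10 description 'no VPN client traffic on WAN'
set firewall name WAN_OUT rule 10 source group address-group OPENVPN_CLIENTS
set interfaces ethernet eth0 firewall out name WAN_OUT

commit
save
exit
```

After the commit, `sudo ip route show table 1` on the router should list a default route via vtun1, and a host in the group should see the provider's address when it checks its public IP. Then stop the tunnel (for example by temporarily deleting the vtun1 interface) and repeat the check from the same host: it must fail rather than show your ISP address. The drop rule works because the "out" firewall is evaluated before the masquerade, so the packet still carries the client's private source address. Note that all of this is IPv4 only; if the clients have global IPv6 addresses, that traffic is neither routed through the tunnel nor blocked by this rule.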