===== Ubiquiti EdgeRouter OpenVPN =====
{{tag>Ubiquiti EdgeRouter OpenVPN Routing}}

In this example the network 192.168.1.0/24 on eth1 needs to reach the internet across an ExpressVPN connection and must be unable to reach the internet when the ExpressVPN connection is down. The network 192.168.1.0/24 also needs to be able to reach the networks on eth2 and eth3 regardless of the status of the ExpressVPN connection.

<code>
user@firewall:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address         S/L  Description
---------    ----------         ---  -----------
eth0         51.61.71.81/30     u/u  Internet
eth1         192.168.1.0/24     u/u  LAN-1
eth2         192.168.2.0/24     u/u  LAN-2
eth3         192.168.3.0/24     u/u  LAN-3
</code>

Connect to ExpressVPN and download a manual configuration file. Modify the manual configuration file by:

  * Changing ''auth-user-pass'' to ''auth-user-pass /config/auth/auth.txt''
  * Adding ''route-nopull'' below ''auth-user-pass /config/auth/auth.txt''

Create a file named ''auth.txt'' containing the following two lines:

<code>
ExpressVPNManualConfigurationUsername
ExpressVPNManualConfigurationPassword
</code>

Upload the ExpressVPN manual configuration file and the ''auth.txt'' file via scp to ''/config/auth/''.

Create the OpenVPN interface.

<code>
set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_country_-_city_udp.ovpn
set interfaces openvpn vtun0 description 'ExpressVPN OpenVPN Tunnel'
</code>

Create a masquerade NAT rule.

<code>
set service nat rule 5100 description 'ExpressVPN OpenVPN Tunnel'
set service nat rule 5100 destination
set service nat rule 5100 log disable
set service nat rule 5100 outbound-interface vtun0
set service nat rule 5100 source address 192.168.1.0/24
set service nat rule 5100 type masquerade
</code>

Create the static default routes. Table 1 carries the default route through the tunnel; table 2 blackholes everything, which is what stops 192.168.1.0/24 from reaching the internet when vtun0 is down.

<code>
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set protocols static table 2 route 0.0.0.0/0 blackhole
</code>

Create the policy-based routing firewall rule.
<code>
set firewall modify SOURCE_ROUTE rule 200 action modify
set firewall modify SOURCE_ROUTE rule 200 description 'Traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 200 modify table 1
set firewall modify SOURCE_ROUTE rule 200 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 210 action modify
set firewall modify SOURCE_ROUTE rule 210 description 'Traffic from 192.168.1.0/24 to blackhole'
set firewall modify SOURCE_ROUTE rule 210 modify table 2
set firewall modify SOURCE_ROUTE rule 210 source address 192.168.1.0/24
</code>

Apply the PBR firewall rule to the LAN interface.

<code>
set interfaces ethernet eth1 firewall in modify SOURCE_ROUTE
</code>

Add destination subnet exceptions to the PBR firewall rule. These rules are numbered below 200 so that they are evaluated first and keep traffic for the eth2 and eth3 subnets in the main routing table.

<code>
set firewall modify SOURCE_ROUTE rule 100 action modify
set firewall modify SOURCE_ROUTE rule 100 description 'Local subnet on eth2'
set firewall modify SOURCE_ROUTE rule 100 destination address 192.168.2.0/24
set firewall modify SOURCE_ROUTE rule 100 modify table main
set firewall modify SOURCE_ROUTE rule 110 action modify
set firewall modify SOURCE_ROUTE rule 110 description 'Local subnet on eth3'
set firewall modify SOURCE_ROUTE rule 110 destination address 192.168.3.0/24
set firewall modify SOURCE_ROUTE rule 110 modify table main
</code>
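The two edits to the manual configuration file and the creation of ''auth.txt'' described above can be scripted before the files are copied to ''/config/auth/''. The following is an added example written for this page, not ExpressVPN's or Ubiquiti's code; the sample profile is constructed, the file paths are hypothetical, and it additionally writes ''auth.txt'' with owner-only permissions because the file holds a plaintext password.

```python
"""Added example (not ExpressVPN's or Ubiquiti's code): the two profile edits
the page describes plus the credentials file, written with owner-only
permissions because it holds a plaintext password.  Paths are hypothetical."""
import os
import re
import tempfile
from pathlib import Path

# Matches a bare directive or one that already names a credentials file.
AUTH_DIRECTIVE = re.compile(r"^\s*auth-user-pass(\s+\S+)?\s*$")

# Constructed stand-in for a downloaded manual configuration file.
SAMPLE_PROFILE = "client\ndev tun\nauth-user-pass\nremote vpn.example.invalid 1195 udp\n"


def prepare_profile(profile_text: str, auth_path: str = "/config/auth/auth.txt") -> str:
    """Point auth-user-pass at auth_path and insert route-nopull directly below it.

    route-nopull stops OpenVPN from installing the default route the server
    pushes, so only the router's policy-based routing decides what enters the
    tunnel.  Raises ValueError if the profile has no auth-user-pass directive.
    Running it twice on the same text yields the same result.
    """
    lines = profile_text.splitlines()
    has_nopull = any(l.strip() == "route-nopull" for l in lines)
    out, patched = [], False
    for line in lines:
        if AUTH_DIRECTIVE.match(line) and not patched:
            out.append(f"auth-user-pass {auth_path}")
            if not has_nopull:
                out.append("route-nopull")
            patched = True
        else:
            out.append(line)
    if not patched:
        raise ValueError("profile has no auth-user-pass directive")
    return "\n".join(out) + "\n"


def write_credentials(path, username: str, password: str) -> int:
    """Write the two-line auth.txt with mode 0600 and return the mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{password}\n")
    os.chmod(path, 0o600)          # the O_CREAT mode is masked by umask; enforce it
    return os.stat(path).st_mode & 0o777


def demo():
    """Run both steps on the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        mode = write_credentials(Path(d) / "auth.txt",
                                 "ExpressVPNManualConfigurationUsername",
                                 "ExpressVPNManualConfigurationPassword")
        profile = prepare_profile(SAMPLE_PROFILE)
        return profile, mode


if __name__ == "__main__":
    text, mode = demo()
    print(text, f"auth.txt mode: {mode:o}")
```

After copying the files over with scp, check on the router that ''auth.txt'' kept its 0600 mode, since OpenVPN only needs to read it as the user it runs as.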
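To reason about what the SOURCE_ROUTE ruleset and the two static tables do to a given flow before committing the configuration, the following added example (written for this page, not EdgeOS or Ubiquiti code) parses the ''set firewall modify'' lines above, collects the tables of every rule a packet entering on eth1 matches in rule-number order, and resolves them against a simple picture of the routing tables: table 1 has its default route only while vtun0 is up, table 2 is a blackhole, and main holds the connected subnets plus the ISP default. Falling through from a table without a matching route to the next candidate table is an assumption about the intended design, not a statement about EdgeOS internals; confirm the real behaviour on the device with ''show ip route table 1'' and a test host on LAN-1 while the tunnel is up and while it is down.

```python
"""Model of this page's SOURCE_ROUTE policy-based-routing design.

Added example, not EdgeOS or Ubiquiti code.  Fallthrough from a table with no
matching route to the next candidate table is an assumption about the intended
design; verify on the device.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Ruleset copied from the page (constructed string for parsing).
SOURCE_ROUTE_CONFIG = """
set firewall modify SOURCE_ROUTE rule 200 action modify
set firewall modify SOURCE_ROUTE rule 200 description 'Traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 200 modify table 1
set firewall modify SOURCE_ROUTE rule 200 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 210 action modify
set firewall modify SOURCE_ROUTE rule 210 description 'Traffic from 192.168.1.0/24 to blackhole'
set firewall modify SOURCE_ROUTE rule 210 modify table 2
set firewall modify SOURCE_ROUTE rule 210 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 100 action modify
set firewall modify SOURCE_ROUTE rule 100 description 'Local subnet on eth2'
set firewall modify SOURCE_ROUTE rule 100 destination address 192.168.2.0/24
set firewall modify SOURCE_ROUTE rule 100 modify table main
set firewall modify SOURCE_ROUTE rule 110 action modify
set firewall modify SOURCE_ROUTE rule 110 description 'Local subnet on eth3'
set firewall modify SOURCE_ROUTE rule 110 destination address 192.168.3.0/24
set firewall modify SOURCE_ROUTE rule 110 modify table main
"""


@dataclass
class ModifyRule:
    number: int
    table: str = "main"
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None

    def matches(self, src, dst) -> bool:
        return ((self.source is None or src in self.source)
                and (self.destination is None or dst in self.destination))


RULE_RE = re.compile(r"^set firewall modify (\S+) rule (\d+) (.+)$")


def parse_modify_rules(config_text, ruleset="SOURCE_ROUTE"):
    """Build ModifyRule objects from EdgeOS `set` lines, sorted by rule number."""
    rules = {}
    for line in config_text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(1) != ruleset:
            continue
        num = int(m.group(2))
        rule = rules.setdefault(num, ModifyRule(num))
        words = m.group(3).split()
        if words[:2] == ["modify", "table"]:
            rule.table = words[2]
        elif words[:2] == ["source", "address"]:
            rule.source = ipaddress.ip_network(words[2])
        elif words[:2] == ["destination", "address"]:
            rule.destination = ipaddress.ip_network(words[2])
    return [rules[n] for n in sorted(rules)]


# Connected subnets from `show interfaces` plus the ISP default route (main table).
MAIN_TABLE = {
    ipaddress.ip_network("192.168.1.0/24"): "eth1",
    ipaddress.ip_network("192.168.2.0/24"): "eth2",
    ipaddress.ip_network("192.168.3.0/24"): "eth3",
    ipaddress.ip_network("0.0.0.0/0"): "eth0",
}


def lookup(table, dst, vpn_up):
    """Egress for dst in the named table, or None when the table has no route."""
    if table == "1":          # interface-route via vtun0 exists only while it is up
        return "vtun0" if vpn_up else None
    if table == "2":          # static blackhole default route
        return "blackhole"
    best = max((n for n in MAIN_TABLE if dst in n), key=lambda n: n.prefixlen)
    return MAIN_TABLE[best]   # longest-prefix match in main


def route_flow(rules, src, dst, vpn_up):
    """Where a packet entering on eth1 from src to dst ends up."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    candidates = [r.table for r in rules if r.matches(src, dst)] or ["main"]
    for table in candidates:
        egress = lookup(table, dst, vpn_up)
        if egress is not None:
            return egress
    return "unreachable"


def kill_switch_report(config_text=SOURCE_ROUTE_CONFIG):
    """Verdicts for the flows the page cares about, with the tunnel up and down."""
    rules = parse_modify_rules(config_text)
    flows = {"internet": "203.0.113.10", "lan2": "192.168.2.20", "lan3": "192.168.3.30"}
    return {f"{name}_{state}": route_flow(rules, "192.168.1.50", dst, up)
            for name, dst in flows.items()
            for state, up in (("up", True), ("down", False))}


if __name__ == "__main__":
    for flow, egress in kill_switch_report().items():
        print(f"{flow:14s} -> {egress}")
```

With the page's numbering, internet traffic from LAN-1 leaves via vtun0 while the tunnel is up and hits the blackhole when it is down, while LAN-2 and LAN-3 stay reachable either way. Renumbering an exception above 200 (for example ''rule 100'' to ''rule 300'') makes the model send LAN-2 traffic into the tunnel, which is why the exceptions must carry the lower numbers.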