Ubiquiti EdgeRouter OpenVPN

In this example the network 192.168.1.0/24 on eth1 needs to access the internet across an ExpressVPN connection and must be unable to access the internet when the ExpressVPN connection is down. The network 192.168.1.0/24 also needs to be able to access the networks on eth2 and eth3 regardless of the status of the ExpressVPN connection.

user@firewall:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         51.61.71.81/30                    u/u  Internet
eth1         192.168.1.0/24                    u/u  LAN-1
eth2         192.168.2.0/24                    u/u  LAN-2
eth3         192.168.3.0/24                    u/u  LAN-3

Connect to ExpressVPN and download a manual configuration file.

Modify the manual configuration file by:

Create a file named auth.txt with the following items:

ExpressVPNManualConfigurationUsername
ExpressVPNManualConfigurationPassword

Upload via scp the ExpressVPN manual configuration file and the auth.txt file to /config/auth/.

Create the OpenVPN interface.

set interfaces openvpn vtun0 config-file /config/auth/my_expressvpn_country_-_city_udp.ovpn
set interfaces openvpn vtun0 description 'ExpressVPN OpenVPN Tunnel'

Create a masquerade NAT rule.

set service nat rule 5100 description 'ExpressVPN OpenVPN Tunnel'
set service nat rule 5100 destination
set service nat rule 5100 log disable
set service nat rule 5100 outbound-interface vtun0
set service nat rule 5100 source address 192.168.1.0/24
set service nat rule 5100 type masquerade

Create the static default routes.

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set protocols static table 2 route 0.0.0.0/0 blackhole

Create the policy-based routing firewall rule.

set firewall modify SOURCE_ROUTE rule 200 action modify
set firewall modify SOURCE_ROUTE rule 200 description 'Traffic from 192.168.1.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 200 modify table 1
set firewall modify SOURCE_ROUTE rule 200 source address 192.168.1.0/24
set firewall modify SOURCE_ROUTE rule 210 action modify
set firewall modify SOURCE_ROUTE rule 210 description 'Traffic from 192.168.1.0/24 to blackhole'
set firewall modify SOURCE_ROUTE rule 210 modify table 2
set firewall modify SOURCE_ROUTE rule 210 source address 192.168.1.0/24

Apply the PBR firewall rule to the LAN interface.

set interfaces ethernet eth1 firewall in modify SOURCE_ROUTE

Add destination subnet exceptions to the PBR firewall rule.

set firewall modify SOURCE_ROUTE rule 100 action modify
set firewall modify SOURCE_ROUTE rule 100 description 'Local subnet on eth2'
set firewall modify SOURCE_ROUTE rule 100 destination address 192.168.2.0/24
set firewall modify SOURCE_ROUTE rule 100 modify table main
set firewall modify SOURCE_ROUTE rule 110 action modify
set firewall modify SOURCE_ROUTE rule 110 description 'Local subnet on eth3'
set firewall modify SOURCE_ROUTE rule 110 destination address 192.168.3.0/24
set firewall modify SOURCE_ROUTE rule 110 modify table main
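The following check script is an added example and not part of the original write-up. Run on the router with `--live` it reads routing tables 1 and 2 with `ip route show table N` and reports whether LAN-1 traffic would leave via vtun0, be dropped by the blackhole, or leak via another interface; the table numbers and vtun0 are taken from the configuration above, the `--live` flag is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the page): report the state of the two policy
# routing tables used by the configuration above so a leak can be spotted
# before relying on the kill switch. Assumes the page's values: VPN table 1,
# blackhole table 2, tunnel interface vtun0. The classify/verdict functions
# are pure text processing, so they can also be exercised off the router.

VPN_IF="vtun0"
VPN_TABLE="1"
BLACKHOLE_TABLE="2"

# classify_table <text of "ip route show table N">
# Prints one word describing the table's default route:
#   vpn       - default route leaves via the tunnel interface
#   blackhole - default route drops traffic (blackhole/unreachable/prohibit)
#   leak      - default route via some other interface (would bypass the VPN)
#   empty     - no default route (for table 1 this normally means vtun0 is down)
classify_table() {
    default_line=$(printf '%s\n' "$1" \
        | grep -E '^(blackhole |unreachable |prohibit )?(default|0\.0\.0\.0/0)( |$)' \
        | head -n 1)
    case "$default_line" in
        "")                                              echo "empty" ;;
        "blackhole "*|"unreachable "*|"prohibit "*)      echo "blackhole" ;;
        *"dev $VPN_IF"*)                                 echo "vpn" ;;
        *)                                               echo "leak" ;;
    esac
}

# verdict <state of table 1> <state of table 2>
# Prints "ok" when both tables match what the configuration intends,
# otherwise prints the reason and returns non-zero.
verdict() {
    [ "$2" = "blackhole" ] || { echo "table $BLACKHOLE_TABLE is not a blackhole ($2)"; return 1; }
    case "$1" in
        vpn)   echo "ok" ;;
        empty) echo "tunnel down: table $VPN_TABLE has no default route"; return 1 ;;
        *)     echo "table $VPN_TABLE default route does not use $VPN_IF ($1)"; return 1 ;;
    esac
}

# Live mode only makes sense on the EdgeRouter itself (iproute2 is present on EdgeOS).
if [ "${1:-}" = "--live" ]; then
    t1=$(classify_table "$(ip route show table "$VPN_TABLE")")
    t2=$(classify_table "$(ip route show table "$BLACKHOLE_TABLE")")
    verdict "$t1" "$t2"
fi
```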