

MSwitch

40 posts

Geek


#258594 11-Oct-2019 17:57
Today I got an Edgerouter X and Unifi AP AC Lite so that I could set up a proper VPN router for myself.
I have no background knowledge in networking and have just been stumbling around in the dark until now, getting a lot of help from some great people here and from doing some online research.
I've got both set up and now I think I've gotten to the tricky part where I really don't know what I'm doing. I know it's possible to do, but doing it is proving challenging for me.

I effectively want to have 2, maybe 3 SSIDs:

1: VPN - US
2: No VPN - regular connection
3: VPN - NZ (would be nice to have this, but if a third one is too complicated I can leave it).

I was just planning on using this guide here - https://nordvpn.com/tutorials/edgerouter/openvpn/
But after reading through, I'm pretty sure it's just going to route all my traffic through the VPN I choose.
I don't know how to go about splitting up to 3 networks/SSIDs and then applying this to each individually.

I've tried looking up a guide but can't seem to find exactly what I need, just pieces, and I don't feel confident enough at this stage to be able to piece together the information to make it work.

Does anyone know any guides or have any advice I can use?

fe31nz
1229 posts

Uber Geek


  #2335857 12-Oct-2019 00:23

The NordVPN setup creates a vtun0 interface. You set up the traffic to and from the vtun0 interface to be via a VLAN you set up, say VLAN 100. In the AP, you set it up so that the VPN SSID connects to VLAN 100 only. To do a second VPN, you would create a vtun1 interface for that VPN, and send the traffic on VLAN 101 on your network. Depending on where you send the VLAN traffic (which Ethernet ports on the ER-X), you could also make it so that Ethernet-connected devices could change their settings to use one of the VLANs when they wanted to use the VPN. That might require an Ethernet card that could do VLANs in Windows, I think, but for Linux boxes VLANs can be handled in software.

I have not read through this web page thoroughly, but it looks like it is a HowTo for what you want to do:

https://tech.michaelaltfield.net/2017/08/20/howto-guide-whole-house-vpn-with-ubiquiti-cryptostorm-netflix-safe/

chevrolux
4962 posts

Uber Geek
Inactive user


  #2335886 12-Oct-2019 10:04

Follow the nordvpn guide up to step 8.

In step 8 just run:

configure
set interfaces openvpn vtun0 config-file /config/openvpn/uk180.nordvpn.com.udp1194.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

So now you have an interface that is connected to nordvpn.

Now go and set up your internal 'vpn lan'. Give it an address, dhcp, etc. The DHCP server should assign the new vpn tunnel IP address as the gateway.

Then just add a source nat rule to nat the new 'vpn lan' network out the tunnel interface you made.

Edit: sorry, just to add. You set up the new 'vpn lan' on a VLAN interface... like VLAN 500 or something.
Then on your unifi, you just set up the vpn ssid to be on VLAN 500.

MSwitch

40 posts

Geek


  #2335983 12-Oct-2019 15:34

fe31nz:

The NordVPN setup creates a vtun0 interface. You set up the traffic to and from the vtun0 interface to be via a VLAN you set up, say VLAN 100. In the AP, you set it up so that the VPN SSID connects to VLAN 100 only. To do a second VPN, you would create a vtun1 interface for that VPN, and send the traffic on VLAN 101 on your network. Depending on where you send the VLAN traffic (which Ethernet ports on the ER-X), you could also make it so that Ethernet-connected devices could change their settings to use one of the VLANs when they wanted to use the VPN. That might require an Ethernet card that could do VLANs in Windows, I think, but for Linux boxes VLANs can be handled in software.

I have not read through this web page thoroughly, but it looks like it is a HowTo for what you want to do:

https://tech.michaelaltfield.net/2017/08/20/howto-guide-whole-house-vpn-with-ubiquiti-cryptostorm-netflix-safe/

Ok, I think I'm getting there. Thanks for the explanation and guide, they're both very helpful.

I managed to set up an NZ VPN so far on my router as per the guide, but it's applying the VPN to all my traffic, including the PC I connect over ethernet to the router, which I'd rather have using no VPN and then just connect via different VLANs like you explained, or the Nord app. Is there anything glaringly obvious that would've caused that to happen?

MSwitch

40 posts

Geek


  #2336011 12-Oct-2019 16:08

chevrolux: Follow the nordvpn guide up to step 8.

In step 8 just run:

configure
set interfaces openvpn vtun0 config-file /config/openvpn/uk180.nordvpn.com.udp1194.ovpn
set interfaces openvpn vtun0 description 'OpenVPN VPN tunnel'
commit

So now you have an interface that is connected to nordvpn.

Now go and set up your internal 'vpn lan'. Give it an address, dhcp, etc. The DHCP server should assign the new vpn tunnel IP address as the gateway.

Then just add a source nat rule to nat the new 'vpn lan' network out the tunnel interface you made.

Edit: sorry, just to add. You set up the new 'vpn lan' on a VLAN interface... like VLAN 500 or something.
Then on your unifi, you just set up the vpn ssid to be on VLAN 500.

I think I'm having trouble with source nat rules, I can't seem to make these work.

I followed a guide and managed to get an NZ VPN set up across my whole router with a second vlan (id 30) for 'clean' traffic with no VPN. This isn't quite what I wanted, but I pressed on and tried to set up a third VLAN (id 50) but can't figure out how to make the source nat rules work (I could pretty easily copy from a guide when setting up VLAN30 with vtun0, but setting up VLAN50 with vtun1 didn't quite work for me).

chevrolux
4962 posts

Uber Geek
Inactive user


  #2336030 12-Oct-2019 17:31

If you are wanting the entire lan subnet in your 'vpn lan' to go over the vpn tunnel, the nat rule is very simple.

It's just 'source address' = 'vpn lan subnet', out interface = vpn tunnel interface, and the action is masquerade.

MSwitch

40 posts

Geek


  #2336041 12-Oct-2019 18:32

I've tried setting up the NAT rule but it doesn't seem to be working. I've got the vtun0 up and running, vlan (id 30) with DHCP and an SSID with the right vlan id. I can connect to the SSID but the traffic doesn't appear to be routed through VPN.

This is effectively what my total config looks like. Are there any obvious mistakes in there?

set interfaces openvpn vtun0 config-file /config/openvpn/nz58.nordvpn.com.udp.ovpn
set interfaces openvpn vtun0 description 'VPN NZ'
set interfaces openvpn vtun0 enable

set service nat rule 5000 description 'VPN NZ'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.30.0/24
set service nat rule 5000 type masquerade

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

set firewall modify SOURCE_ROUTE rule 10 description 'traffic from 192.168.30.0/24 to vtun0'
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.30.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1

set interfaces switch switch0 firewall in modify SOURCE_ROUTE

Spyware
3761 posts

Uber Geek

Lifetime subscriber

  #2336328 13-Oct-2019 16:20
set interfaces switch switch0.30 firewall in modify SOURCE_ROUTE
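A consistency check for the three pieces this thread assembles (masquerade NAT out the tunnel, a static table defaulting to the tunnel, and the modify ruleset applied on the VLAN sub-interface), written here as an added example rather than anything from the thread or from Ubiquiti. It parses EdgeOS `set` lines and reports the mismatch Spyware points out; the sample config is a constructed subset of the one posted above, and accepting both the `switch0 vif 30` form and the `switch0.30` shorthand is an assumption of this checker.

```python
# Constructed sample (subset of the thread's posted config): VLAN 30 -> vtun0, ruleset on switch0.
SAMPLE_CONFIG = """\
set interfaces openvpn vtun0 config-file /config/openvpn/nz58.nordvpn.com.udp.ovpn
set service nat rule 5000 outbound-interface vtun0
set service nat rule 5000 source address 192.168.30.0/24
set service nat rule 5000 type masquerade
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.30.0/24
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
"""

def parse_set_lines(text):
    """Token lists for each 'set ...' line (quotes stripped); other lines are ignored."""
    return [ln.replace("'", "").split()[1:] for ln in text.splitlines()
            if ln.strip().startswith("set ")]

def iface_of(tokens):
    """Interface a 'set interfaces ...' line targets: 'switch0 vif 30' and 'switch0.30' both give 'switch0.30'."""
    if len(tokens) > 4 and tokens[3] == "vif":
        return f"{tokens[2]}.{tokens[4]}"
    return tokens[2]

def check_vpn_vlan(config_text, vlan_if, subnet, vtun):
    """Check that `subnet` on `vlan_if` is NATed and policy-routed out `vtun`.
    Returns a list of problem strings; an empty list means the pieces line up."""
    lines, problems = parse_set_lines(config_text), []
    nat, rules = {}, {}        # nat: rule -> attrs; rules: (ruleset, rule) -> attrs
    for t in lines:
        if t[:3] == ["service", "nat", "rule"] and len(t) > 4:
            nat.setdefault(t[3], {})[t[4]] = " ".join(t[5:])
        elif t[:2] == ["firewall", "modify"] and t[3:4] == ["rule"] and len(t) > 5:
            rules.setdefault((t[2], t[4]), {})[t[5]] = " ".join(t[6:])
    if not any(r.get("type") == "masquerade" and r.get("source") == f"address {subnet}"
               and r.get("outbound-interface") == vtun for r in nat.values()):
        problems.append(f"no masquerade NAT rule for {subnet} out {vtun}")
    hits = [(rs, a["modify"].split()[-1]) for (rs, _), a in rules.items()
            if a.get("source") == f"address {subnet}" and a.get("modify", "").startswith("table ")]
    if not hits:
        return problems + [f"no modify rule sends {subnet} to a routing table"]
    ruleset, table = hits[0]
    if ["protocols", "static", "table", table, "interface-route", "0.0.0.0/0",
        "next-hop-interface", vtun] not in lines:
        problems.append(f"table {table} has no 0.0.0.0/0 route via {vtun}")
    attached = [iface_of(t) for t in lines
                if t[:1] == ["interfaces"] and t[-3:] == ["in", "modify", ruleset]]
    if vlan_if not in attached:   # the thread's bug: applied on switch0, not switch0.30
        problems.append(f"{ruleset} applied on {attached or 'nothing'}, not on {vlan_if}")
    return problems
```

Running `check_vpn_vlan(SAMPLE_CONFIG, "switch0.30", "192.168.30.0/24", "vtun0")` reports only the attachment problem; with the last line changed to `switch0 vif 30` it returns an empty list.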