VPN Gateway with EdgeMax
This tutorial will show you how to set up a gateway on your Pritunl server. The gateway will allow the VPN clients to access a remote local network and the local network to also access the VPN clients. Below is the topology for this example, where the local network is 10.50.0.0/24 and the VPN network is 10.60.0.0/24. Once complete, devices on the 10.50.0.0/24 network will have access to the devices on the 10.60.0.0/24 network, and the devices on 10.60.0.0/24 will have access to the devices on the 10.50.0.0/24 network. This will not require opening any ports or modifying the firewall on the 10.50.0.1 router. A Premium or Enterprise license is required for this configuration.
This tutorial will use either the Ubiquiti EdgeRouter X, a $50 5-port gigabit router, the faster Ubiquiti EdgeRouter Lite, a $100 3-port gigabit router, or the Ubiquiti EdgeRouter PoE, a $170 5-port PoE gigabit router. The routers can be purchased on Amazon using the links below.
EdgeRouter Initial Setup
First connect a computer to the eth0 port on the EdgeRouter and give the computer a static IP address of 192.168.1.2 with a 255.255.255.0 subnet mask. The gateway does not need to be set. Once connected, go to https://192.168.1.1 and log in using the default username and password ubnt.
EdgeRouter System Settings
In the EdgeRouter web console open the System settings and set the host name to Pritunl. Set the gateway address and name server; in this example 10.50.0.1 is used for both. Then go to the Users tab, choose the Config action for the ubnt user and set a new password.
EdgeRouter IP Address
Once the system settings are configured, go to the dashboard and choose the Config action of the eth0 interface. Give the interface an IP address that is available on your local network. In this example the local network is 10.50.0.0/24 and the address 10.50.0.30/24 will be used. Once the address is set you will no longer be able to access the web console at 192.168.1.1. After the address is set, connect the eth0 port of the EdgeRouter to your local network's router or switch. Then remove the static IP on your desktop and connect it to the local network. Then go to the address you gave the EdgeRouter, which is https://10.50.0.30 in this example, and log in to the web console.
Create Pritunl User
Log in to the Pritunl web console and stop any running servers that are attached to the Organization you will be using for the EdgeRouter user. Then add a user with a network link to 10.50.0.0/24 and start the server. This will instruct the Pritunl server to route 10.50.0.0/24 traffic to the client that will be running on the EdgeRouter.
Install Pritunl EdgeRouter Plugin
Download and install the Pritunl EdgeRouter Plugin; this allows adding and managing Pritunl VPN profiles from the EdgeRouter web console. After downloading the plugin, go to the Wizards section and select the + in the sidebar. Then name the wizard Pritunl and upload the plugin package.
Import Pritunl Profile
Download the profile for the new user, then open the Pritunl plugin that was added earlier and click Add New. Set the Interface to vtun0, then open the downloaded profile and copy its contents to the Profile field. Once done, click Apply. After the profile has been added, the vtun0 interface should show as Connected on the dashboard.
Add Static Route
Clients on the Pritunl server will now have access to the 10.50.0.0/24 network, but the devices on that network will not know where to route the responding traffic. To allow the 10.50.0.0/24 network to reach the Pritunl VPN network 10.60.0.0/24, a static route must be added that directs 10.60.0.0/24 to the EdgeRouter at 10.50.0.30. How this is done depends on which router you are using and on the topology and configuration of your network. Alternatively you can use a NAT, described below. If the router for the 10.50.0.0/24 network is also an EdgeRouter, the settings below will add the static route. These settings should be run on the router at 10.50.0.1, not on the EdgeRouter at 10.50.0.30.
Add NAT on EdgeRouter (Alternative to Static Route)
If a static route cannot be used, a source NAT on the EdgeRouter can be used instead. This will NAT the VPN clients on 10.60.0.0/24 when they communicate with 10.50.0.0/24. This avoids needing static routes but prevents devices on the 10.50.0.0/24 network from directly initiating connections to the 10.60.0.0/24 VPN network. This can be done in the NAT section of the EdgeRouter web console. Select Add Source NAT Rule, then select eth0 as the Outbound Interface and the VPN network 10.60.0.0/24 as the Src Address.
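The static route (previous section) and the source NAT alternative (this section) are the two ways to make return traffic reach the EdgeRouter. The script below is an added example, not part of the original tutorial or of Pritunl; it checks the addressing plan (no overlap between the LAN and VPN networks, next-hop inside the LAN) and renders the equivalent EdgeOS CLI commands for each option, using the tutorial's addresses as defaults. The rule number 5000 and the description text are constructed choices.

```python
"""Check the gateway addressing plan and render EdgeOS commands for both options."""
import ipaddress


def plan_gateway(local_net, vpn_net, edgerouter_ip, lan_iface="eth0"):
    """Return {'static_route': [...], 'source_nat': [...]} or raise ValueError.

    'static_route' is entered on the LAN router (10.50.0.1 in the tutorial);
    'source_nat' is entered on the EdgeRouter itself (the alternative). The
    NAT option hides the VPN clients behind the EdgeRouter's LAN address, so
    LAN devices cannot initiate connections into the VPN network.
    """
    local = ipaddress.ip_network(local_net)
    vpn = ipaddress.ip_network(vpn_net)
    er_ip = ipaddress.ip_address(edgerouter_ip)
    if local.overlaps(vpn):
        raise ValueError(f"{local} overlaps {vpn}: routes would be ambiguous")
    if er_ip not in local:
        raise ValueError(f"next-hop {er_ip} is not inside {local}")
    if er_ip in (local.network_address, local.broadcast_address):
        raise ValueError(f"{er_ip} is not a usable host address in {local}")
    static_route = [
        f"set protocols static route {vpn} next-hop {er_ip}",
    ]
    source_nat = [  # rule number 5000 is a constructed choice (source NAT range)
        "set service nat rule 5000 description 'masquerade Pritunl clients'",
        f"set service nat rule 5000 outbound-interface {lan_iface}",
        f"set service nat rule 5000 source address {vpn}",
        "set service nat rule 5000 type masquerade",
    ]
    return {"static_route": static_route, "source_nat": source_nat}


def render(commands):
    """Wrap a command list in the EdgeOS configure/commit/save session."""
    return "\n".join(["configure", *commands, "commit", "save", "exit"])


if __name__ == "__main__":
    plan = plan_gateway("10.50.0.0/24", "10.60.0.0/24", "10.50.0.30")
    print("# on the LAN router (10.50.0.1):")
    print(render(plan["static_route"]))
    print("\n# or, instead, on the EdgeRouter (10.50.0.30):")
    print(render(plan["source_nat"]))
```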
Once the gateway is set up, VPN clients will be able to access the 10.50.0.0/24 network and, with the static route in place, devices on the 10.50.0.0/24 network will be able to access the 10.60.0.0/24 VPN network.