The EdgeRouter-X (ER-X below) is a compact 5-port gigabit router released by UBNT a few years ago; in China it is known as the "weak-current cabinet wonder".
This post records how to set up an OpenVPN server on it and how to write the client connection file.
The method follows the official UBNT help center.

Server configuration

  1. Connect to the ER-X over SSH: either log in to the web UI and open the CLI from the top-right corner, or use a tool such as PuTTY or Xshell;
  2. Make sure the system time is correct

    show date
    Sun Mar 17 09:24:29 CST 2024
    
  3. Switch to the root user

    sudo su
    
  4. Generate a Diffie-Hellman (DH) parameter file and place it in the /config/auth directory (this step is slow on the router; alternatively, generate it quickly on Windows with another tool and copy it into /config/auth with WinSCP or similar, see the linked guide; in short, after installing that tool, two commands generate the server-side and client-side key files respectively: openvpn-generate init and openvpn-generate client).

    openssl dhparam -out /config/auth/dh.pem -2 2048
    
  5. Change the current directory to /usr/lib/ssl/misc

    cd /usr/lib/ssl/misc
    
  6. Generate the root CA certificate (replace <secret> with the passphrase you want), and replace the location and organization fields with your own information.

    ./CA.pl -newca
    PEM Passphrase: <secret>
    Country Name: CN
    State Or Province Name: HuNan
    Locality Name: Changsha
    Organization Name: itvro
    Organizational Unit Name: Support
    Common Name: root
    Email Address: support@abcde.com
    
  7. Copy the newly created certificate and key to the /config/auth directory

    cp demoCA/cacert.pem /config/auth
    cp demoCA/private/cakey.pem /config/auth
    
  8. Generate the server certificate request

    ./CA.pl -newreq
    Country Name: CN
    State Or Province Name: HuNan
    Locality Name: Changsha
    Organization Name: itvro
    Organizational Unit Name: Support
    Common Name: server
    Email Address: support@abcde.com
    
  9. Sign the server certificate

    ./CA.pl -sign
    Certificate Details:
        Validity
            Not Before: Mar 17 09:44:29 CST 2024
            Not After : Mar 17 09:44:29 CST 2025
        Subject:
            countryName               = CN
            stateOrProvinceName       = HuNan
            localityName              = Changsha
            organizationName          = itvro
            organizationalUnitName    = Support
            commonName                = server
            emailAddress              = support@abcde.com
    
    Certificate is to be certified until Mar 17 09:44:29 CST 2025 (365 days)
    Sign the certificate? [y/n]: y
    1 out of 1 certificate requests certified, commit? [y/n] y
        
  10. Move the server certificate and key files to the /config/auth directory, renaming them

    mv newcert.pem /config/auth/server.pem
    mv newkey.pem /config/auth/server.key
    
  11. Generate, sign and move the certificate and key files for the first OpenVPN client

    ./CA.pl -newreq
    Common Name: client1
    
    ./CA.pl -sign
    Certificate Details:
        Validity
            Not Before: Mar 17 09:47:22 CST 2024
            Not After : Mar 17 09:47:22 CST 2025
        Subject:
            countryName               = CN
            stateOrProvinceName       = HuNan
            localityName              = Changsha
            organizationName          = itvro
            organizationalUnitName    = Support
            commonName                = client1
            emailAddress              = support@abcde.com
    
    Certificate is to be certified until Mar 17 09:47:22 CST 2025 (365 days)
    Sign the certificate? [y/n]: y
    
    1 out of 1 certificate requests certified, commit? [y/n] y
    
    mv newcert.pem /config/auth/client1.pem
    mv newkey.pem /config/auth/client1.key
    
  12. Repeat the process for the second OpenVPN client, for example:

    ./CA.pl -newreq
    Common Name: client2
    
    ./CA.pl -sign
    
    mv newcert.pem /config/auth/client2.pem
    mv newkey.pem /config/auth/client2.key
    
  13. Give non-root users read permission on the client key files (mode 644 makes these private keys readable by every local account on the router; it is only needed so they can be copied off for the clients)

    chmod 644 /config/auth/client1.key
    chmod 644 /config/auth/client2.key
    
  14. Enter configuration mode

    configure
    
  15. Add a firewall rule for OpenVPN traffic to the WAN_LOCAL firewall policy

    set firewall name WAN_LOCAL rule 30 action accept
    set firewall name WAN_LOCAL rule 30 description openvpn
    set firewall name WAN_LOCAL rule 30 destination port 1194
    set firewall name WAN_LOCAL rule 30 protocol udp
    
  16. Configure the OpenVPN virtual tunnel interface

    set interfaces openvpn vtun0 mode server
    set interfaces openvpn vtun0 server subnet 10.8.0.0/24
    set interfaces openvpn vtun0 server push-route 192.168.10.0/24
    set interfaces openvpn vtun0 server name-server 192.168.10.1
    
  17. Link the server certificate/key and the DH file to the virtual tunnel interface

    set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
    set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
    set interfaces openvpn vtun0 tls key-file /config/auth/server.key
    set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
    
  18. Add the virtual tunnel interface to the DNS forwarding listen interfaces

    set service dns forwarding listen-on vtun0
    
  19. Commit the changes and save the configuration

    commit ; save
    

Client configuration

  1. Open the OpenVPN configuration folder

    C:\Program Files\OpenVPN\config\
    
  2. Create a new folder (optional) and an OpenVPN configuration file (erx.ovpn)
  3. Transfer the certificate and client key files from the EdgeRouter /config/auth directory to the OpenVPN client; only cacert.pem, client1.key and client1.pem are needed
  4. Add the following to the erx.ovpn configuration file (replace <server> with the EdgeRouter's external IP address or hostname)

    client
    dev tun
    proto udp
    remote <server> 1194
    float
    resolv-retry infinite 
    nobind
    persist-key 
    persist-tun 
    verb 3
    ca cacert.pem 
    cert client1.pem
    key client1.key
    
  5. To send all traffic through the VPN connection, append the following line to the erx.ovpn configuration file

    redirect-gateway def1
    
  6. The client configuration is complete; you can now connect to the server with OpenVPN.
Last modified: 17 March 2024
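As an added example (not part of the original post or of UBNT's tooling), the script below builds the erx.ovpn profile from steps 4 and 5 with cacert.pem, client1.pem and client1.key inlined, so a single file can be handed to the client. It strips the human-readable dump that CA.pl writes before the base64 in newcert.pem, refuses swapped certificate/key files, and warns when the client key is passphrase-protected; the sample PEM contents and the server name vpn.example.com are constructed placeholders.

```python
import re

# One PEM block; group 1 is its label ("CERTIFICATE", "ENCRYPTED PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample files standing in for cacert.pem, client1.pem and client1.key.
# CA.pl prefixes newcert.pem with a text dump of the certificate, mimicked here.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIBcaCA\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = ("Certificate:\n    Data:\n        Subject: CN=client1\n"
               "-----BEGIN CERTIFICATE-----\nMIIBclient1\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIEkey\n-----END ENCRYPTED PRIVATE KEY-----\n"


def extract_pem(text, labels):
    """Return the first PEM block whose label is in `labels`, dropping any
    text outside the BEGIN/END markers (such as the CA.pl dump)."""
    for m in PEM_BLOCK.finditer(text):
        if m.group(1) in labels:
            return m.group(0)
    raise ValueError("no %s block found" % "/".join(sorted(labels)))


def key_is_encrypted(key_pem):
    """True if OpenVPN will prompt for a passphrase when loading this key."""
    return key_pem.startswith("-----BEGIN ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key_pem


def build_ovpn(server, ca_text, cert_text, key_text, redirect_all=False, port=1194):
    """Return (config_text, warnings): the erx.ovpn profile from the post with
    the CA, client certificate and key inlined instead of referenced by path."""
    ca = extract_pem(ca_text, {"CERTIFICATE"})
    cert = extract_pem(cert_text, {"CERTIFICATE"})
    key = extract_pem(key_text, KEY_LABELS)  # raises if cert and key files were swapped
    lines = ["client", "dev tun", "proto udp", "remote %s %d" % (server, port),
             "float", "resolv-retry infinite", "nobind", "persist-key",
             "persist-tun", "verb 3"]
    if redirect_all:
        lines.append("redirect-gateway def1")  # step 5: send all traffic through the tunnel
    lines += ["<ca>", ca, "</ca>", "<cert>", cert, "</cert>", "<key>", key, "</key>"]
    warnings = []
    if key_is_encrypted(key):
        warnings.append("client key is passphrase-protected; OpenVPN will prompt for it")
    return "\n".join(lines) + "\n", warnings


if __name__ == "__main__":
    cfg, notes = build_ovpn("vpn.example.com", SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY, redirect_all=True)
    print(cfg)
    for n in notes:
        print("WARNING:", n)
```

Run it with the real files read from disk and save the output as erx.ovpn; the three separate PEM files are then no longer needed on the client.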