We are going to set up an OpenVPN client on an EdgeRouter behind an existing routing device. This document is based on the EdgeRouter X since it has faster CPUs than the ERLite and is cheap.
Initial Setup
- Have an already working road-warrior OpenVPN server set up. Get the subnet information of the network you plan to access remotely (you'll use this later when entering routing information and choosing the subnet for your VPN client/router).
- Go to ubnt.com and download the latest firmware for the ER-X.
- Configure your network card with an IP address of 192.168.1.2 and a subnet of 255.255.255.0
- Connect an Ethernet cable from your computer to eth0 of the ER-X.
- Open a web browser and go to 192.168.1.1, the default username/password is ubnt/ubnt.
- Go to “System” then click on “Upgrade System Image” → “Upload a file” and browse to the firmware you just downloaded.
- After the reboot, update the bootloader by logging into the CLI and running
add system boot-image
then do a manual reboot.
- Via the web GUI go to “System” and reset the device to default.
- Again via the web GUI, use the Wizard and choose WAN+2LAN2: eth0 = WAN with DHCP, and enable the default firewall; for LAN use only one LAN and set a new IP/subnet range that differs both from the subnet of the router you are plugging this device into and from the subnet of the remote network you are going to access; enable DHCP. Create a new admin user and record it.
- Disconnect your Ethernet cable from eth0 and plug into eth1, set your network card to DHCP, log back into web GUI using new IP.
- Connect eth0 to your existing router.
- Via the web GUI go to “System”, set the timezone and enable NTP.
OpenVPN Client Setup
https://tscheinok.wordpress.com/2017/08/07/openvpn-client-on-my-ubiquiti-er-x/
https://community.ubnt.com/t5/EdgeRouter/OpenVPN-Client-Config/td-p/1494796
Copy certificate files over to /config/auth using WinSCP or SFTP.
/config/auth/cacert.pem /config/auth/client1.pem /config/auth/client1.key /config/auth/ta.key
Set the correct permissions for the certificate files
chmod 400 /config/auth/*.key
chmod 400 /config/auth/*.pem
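As an added example that is not part of the original page, the following shell function verifies that every key and certificate under a directory is mode 0400 before the tunnel is brought up. It demonstrates itself on a constructed temporary directory with placeholder files rather than on /config/auth; the directory name and file contents are assumptions for the demo only.

```bash
#!/bin/sh
# check_auth_perms DIR
# Exit 0 when every *.key and *.pem under DIR is exactly mode 0400 (owner read-only);
# otherwise list each offending file on stderr and exit 1.
check_auth_perms() {
  bad=$(find "$1" -type f \( -name '*.key' -o -name '*.pem' \) ! -perm 400)
  [ -z "$bad" ] && return 0
  printf 'files not mode 0400:\n%s\n' "$bad" >&2
  return 1
}

# Self-contained demonstration on a constructed temp directory (not /config/auth).
# Returns 0 when the check fails on the loose file and passes after the chmod fix.
demo_auth_perms() {
  dir=$(mktemp -d)
  printf 'placeholder\n' > "$dir/client1.key"   # constructed stand-in, not a real key
  printf 'placeholder\n' > "$dir/cacert.pem"
  chmod 644 "$dir/client1.key"                  # too permissive: readable by every local user
  chmod 400 "$dir/cacert.pem"
  if check_auth_perms "$dir" 2>/dev/null; then
    rm -rf "$dir"
    return 2                                    # the loose key should have been caught
  fi
  chmod 400 "$dir"/*.key "$dir"/*.pem           # the fix from the text above
  if check_auth_perms "$dir"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}
```

On the router, run `check_auth_perms /config/auth` after copying the files. The client private key and the tls-auth key are the secrets that matter: any local user who can read them can authenticate to the VPN server as this router.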
Basic setup
set interfaces openvpn vtun0 description "OpenVPN Client"
set interfaces openvpn vtun0 remote-port 5173
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 remote-host xxx.xxx.xxx.xx
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/client1.pem
set interfaces openvpn vtun0 tls key-file /config/auth/client1.key
set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/ta.key 1"
Add NAT Masquerade rule for OpenVPN vtun0. First list the current NAT rules so you know what to name the next:
show service nat rule
Add a rule for vtun0 using a higher number than that of the existing NAT rules
set service nat rule 5011 description 'masquerade for OpenVPN'
set service nat rule 5011 outbound-interface vtun0
set service nat rule 5011 type masquerade
set service nat rule 5011 protocol all
Optionally configure OSPF if you use it
set interfaces openvpn vtun0 ip ospf network point-to-point
Optionally, stop routes pushed by the server from being installed over the OpenVPN connection. This means you will need to add your own static routes to reach the remote IPs/subnets over the VPN tunnel. You would use this to control what goes over the VPN tunnel: for example, anything located on the remote subnet goes through the tunnel, while all other traffic goes out through your local router or to your local network. Otherwise everything will be tunneled through your VPN connection.
set interfaces openvpn vtun0 openvpn-option '--route-nopull'
If you used the '--route-nopull' option then you'll need to specify static routes to access the remote devices over the VPN tunnel. In the command below the subnet 192.168.21.0/24 is the remote network that we'll be accessing via OpenVPN.
set protocols static interface-route 192.168.21.0/24 next-hop-interface vtun0
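The subnet-planning rule from the wizard step (the router's LAN, the upstream router's LAN and the remote VPN subnet must not overlap) and the client configuration above can be scripted together. The following is an added example, not code from the original page or from Ubiquiti: it checks that three prefixes are pairwise disjoint and then prints an EdgeOS configure session for the client. The remote host 203.0.113.10 and the three subnets in the comments are constructed placeholders; port 5173, NAT rule 5011, the /config/auth file names and 192.168.21.0/24 are the values used on this page.

```bash
#!/bin/sh
# Added example: plan the subnets, then emit the EdgeOS configure session
# for the OpenVPN client described above. Addresses are placeholders.

# ip4_to_int 192.168.21.0 -> 3232240896
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range 192.168.21.0/24 -> "first last" as integers
cidr_range() {
  local ip len mask first
  ip=${1%/*}; len=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  first=$(( $(ip4_to_int "$ip") & mask ))
  echo "$first $(( first | (mask ^ 0xFFFFFFFF) ))"
}

# cidr_overlap A B -> exit 0 when the two prefixes share at least one address
cidr_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# subnets_disjoint LAN UPSTREAM REMOTE -> exit 0 when all three are pairwise
# disjoint, which is what the wizard step above requires.
subnets_disjoint() {
  ! cidr_overlap "$1" "$2" && ! cidr_overlap "$1" "$3" && ! cidr_overlap "$2" "$3"
}

# emit_vpn_client_config REMOTE_HOST REMOTE_PORT REMOTE_SUBNET NAT_RULE
# Prints the configure session; --route-nopull plus a static route keeps only
# REMOTE_SUBNET in the tunnel. The page's --comp-lzo is deliberately not emitted.
emit_vpn_client_config() {
  cat <<EOF
configure
set interfaces openvpn vtun0 description "OpenVPN Client"
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 remote-host $1
set interfaces openvpn vtun0 remote-port $2
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/client1.pem
set interfaces openvpn vtun0 tls key-file /config/auth/client1.key
set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/ta.key 1"
set interfaces openvpn vtun0 openvpn-option "--route-nopull"
set service nat rule $4 description 'masquerade for OpenVPN'
set service nat rule $4 outbound-interface vtun0
set service nat rule $4 type masquerade
set service nat rule $4 protocol all
set protocols static interface-route $3 next-hop-interface vtun0
commit
save
exit
EOF
}

# Usage (constructed values): 192.168.5.0/24 is this router's LAN, 192.168.1.0/24
# the upstream router's LAN, 192.168.21.0/24 the remote network from the page.
#   subnets_disjoint 192.168.5.0/24 192.168.1.0/24 192.168.21.0/24 &&
#     emit_vpn_client_config 203.0.113.10 5173 192.168.21.0/24 5011 > vpn-client.cmds
```

The generated file can be pasted into a `configure` session on the router. Compression (`--comp-lzo`) is left out because compressing data before it is encrypted exposes the tunnel to plaintext-recovery attacks (the VORACLE class); add it only if the server will not negotiate a session without it.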
Check status/options of OpenVPN tunnel
show openvpn status client
show interfaces openvpn vtun0
Restart OpenVPN connection
reset openvpn interface vtun0
To disable the tunnel, and to re-enable it by deleting the disable flag
set interfaces openvpn vtun0 disable
delete interfaces openvpn vtun0 disable
Check for errors
tail -f /var/log/messages
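When watching the log, the lines that matter are the last successful initialization and the last TLS or authentication failure. As an added example (not from the original page), the shell function below reads a syslog stream and prints a one-word verdict based on the most recent of those OpenVPN messages; the sample log lines are constructed, with an approximated syslog prefix, and assume the log is in chronological order.

```bash
#!/bin/sh
# openvpn_log_verdict < logfile
# Prints one word for the most recent tunnel state seen in the log:
#   up           "Initialization Sequence Completed" is the latest event
#   tls-failure  a TLS key negotiation / handshake error is the latest event
#   auth-failure the server rejected this client (AUTH_FAILED)
#   unknown      none of these messages were seen
openvpn_log_verdict() {
  grep -E 'Initialization Sequence Completed|TLS Error|TLS handshake failed|AUTH_FAILED' \
    | tail -n 1 | {
      read -r last || last=''
      case "$last" in
        *'Initialization Sequence Completed'*) echo up ;;
        *AUTH_FAILED*)                          echo auth-failure ;;
        *'TLS Error'*|*'TLS handshake failed'*) echo tls-failure ;;
        *)                                      echo unknown ;;
      esac
    }
}

# Constructed sample logs (not captured from a real router).
SAMPLE_LOG_UP='Jan  1 00:00:01 ubnt openvpn[1234]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan  1 00:02:00 ubnt openvpn[1234]: Initialization Sequence Completed'
SAMPLE_LOG_AUTH='Jan  1 00:00:01 ubnt openvpn[1234]: Initialization Sequence Completed
Jan  1 00:05:00 ubnt openvpn[1234]: AUTH: Received control message: AUTH_FAILED'
SAMPLE_LOG_TLS='Jan  1 00:00:01 ubnt openvpn[1234]: TLS Error: TLS handshake failed'

# verdict_of "$SAMPLE_LOG_UP" -> up
verdict_of() { printf '%s\n' "$1" | openvpn_log_verdict; }
```

On the router, `openvpn_log_verdict < /var/log/messages` gives the current state without scrolling through the whole file; a verdict of `tls-failure` after the tunnel was previously `up` usually means the remote port, the tls-auth key direction or the certificate files changed, while `auth-failure` points at the server having revoked or rejected this client's certificate.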